Rye bread
Rye bread

Reputation: 1821

Power BI REST API - 401 Authorization error when using app secret/service principal

I have a console app that uses the REST API to get a dataset (and later add rows to it). This works when I supply my own user/password credentials.

The app has been given the following delegated permissions:

Read and write all Datasets

View all Datasets

Now I have registered the app as a Web/API app in order to use an app key/secret instead. I can get a token, but when I make the same REST call I get 401 Unauthorized, still using the same permissions.

So I have tried giving the app the following Application permissions in Power BI Service, because the docs say these apply to a daemon app:

https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-permissions-and-consent#types-of-permissions

Read and write all content in tenant 

View all content in tenant

These permissions have been granted by an Azure Administrator.

As part of debugging, I have decoded the two tokens.

The token for app key autentication contains this:

"roles": [
"Tenant.ReadWrite.All",
"Tenant.Read.All"
],

while the token for user based authentication contains this:

"scp": "Dataset.ReadWrite.All Workspace.ReadWrite.All",

I have also looked into assigning the app/service principal a Contributor role, but I am unsure on which level (Subscription/Resource group/Resource).

What am I missing..?

Upvotes: 1

Views: 2278

Answers (2)

mkstr
mkstr

Reputation: 153

First of all, i think using service principals was not possible at the time of original question since couple of months ago I didn't find any useful information implementing it. However afterwards I bumped into this article which briefly explains how to get it to work so I was able to change usage of "service account" to service principal approach.

So, basically granting permissions to Azure AD App is not enough. You also have to add security group, add your app to that security group, enable usage of service principals in Power BI Admin Portal and then add your security group to workspace. After that it should work.

Upvotes: 2

Rye bread
Rye bread

Reputation: 1821

I don't believe it is possible to use this method with Power BI REST API.

So I have created a special user ("Power BI master account") instead.

Upvotes: 0

Related Questions