Power BI Rest API Requests Not Authorizing as expected

Question

I have built a Python application to access read only Power BI Rest API’s. I am automating the collection of tenant activity. However despite configuring my Azure App and using the service principal to generate an access token, the response I receive from the API request is one of an unauthorised response:

{"error": {"code": "PowerBINotAuthorizedException", "pbi.error": {"code": 
"PowerBINotAuthorizedException", "parameters": {}, "details": [], "exceptionCulprit": 1}}}

I have found a number of similar issues posted online, however feel that I have done everything that is suggested but am still not able to get it working. I would appreciate any guidance.

The steps that I have taken are:

1. Configured an Azure App, adding the Application Permission for Power Bi Service-Tenant.Read.All

   

2. Requested my access token based upon the Client Credentials Flow using my app's client_ID and client_Secret as documented in the below link:
   https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow

I successfully receive a token using the script below:

import requests

azureTenantID = "xxxxxxxxxxxxxxxxx"
azureClientId = "xxxxxxxxxxxxxxxxx"
azureClientSecret = "xxxxxxxxxxxxxxxxxx"

url = f"https://login.microsoftonline.com/{azureTenantID}/oauth2/v2.0/token"

payload = {
        "grant_type": "client_credentials",
        "client_id": azureClientId, 
        "client_secret": azureClientSecret,
        "scope": "https://analysis.windows.net/powerbi/api/.default"            
}
# Header HAS to be x-www-form-urlencoded for MS to accept it.
headers = {'Content-Type': 'application/x-www-form-urlencoded'}

# Return POST content as JSON.
r = requests.post(url, data=payload, headers=headers).json()

# Grab the access token.
response = r.get("access_token")

# Concatenate with Bearer string
access_token = "Bearer {r['access_token']}"  

3. Configured my Power BI Tenant Settings to enable Service Principals to use API's.
   Screenshot of Admin API Setting
   Screenshot of Developer API Setting
   Note that I added the Service Principal as a member of the Security Group for which both of these settings are enabled

4. Execute my Get request to the API

The followings script returns a good response when I take an access token from the Power BI REST API Documentation's 'Try it out' feature, but not when I generate the token as above.

import requests

# Initialise parameters.
url = "https://api.powerbi.com/v1.0/myorg/admin/groups?$top=1000&$expand=datasets,dataflows,reports,users,dashboards"
headers = {'Authorization': get_access_token2()}

# Get response.
response = requests.get(url, headers=headers)
response = response.json()

Any assistance would be appreciated !

Answer 1

I just went through this exact scenario that you described, and in the end we had to engage Microsoft support to solve it.

Although extremely counter intuitive, if the app that you create for your service principal authentication has any Power BI permissions assigned to it then the access token that is generated (when passed to Power BI REST Admin API) will return an error response that reports PowerBINotAuthorizedException.

To be even more specific, if the access token that you pass to the Power BI API has a roles key/value pair, then you will get a PowerBINotAuthorizedException.

In your case, the issue is easier because you have listed out what permissions you granted. You mentioned that you Configured an Azure App, adding the Application Permission for Power Bi Service-Tenant.Read.All. In order to resolve this issue, you will need to remove that permission.

For future readers, you can troubleshoot this by decoding your access token using a JWT token decoder like one found at jstoolset.com. If your app has permissions allocated to the scope that you have requested (https://analysis.windows.net/powerbi/api/.default is the typical Power BI scope that you request in your authorization) and you decode your JWT token then you will see a roles key/value pair. The presence of this roles is essentially the issue. It does not matter that the values there might match up to the Required Scope in the Power BI REST Admin API documentation. It was described to us as if there is a roles value in your access token then when the token is presented to the Power BI API the roles that are granted are attempted to be used, which ultimately results in a PowerBINotAuthorizedException because service principals are not allowed to use a certain role.

If you have an app that you have removed all permissions from, but still has a value coming through in your access token for the roles key/value pair, then I would suggest starting with a new app with no permissions allocated to it, and simply add the new app to the existing security group that you originally created. This is how we realized that this truly was the issue, and were then able to reconcile from there.

EDIT: Microsoft has now updated their API documentation on the relevant endpoints to reflect this information. For example, in Admin - Groups GetGroupUsersAsAdmin the Required Scope now reads:

Tenant.Read.All or Tenant.ReadWrite.All

Relevant only when authenticating via a standard delegated admin access token. Must not be present when authentication via a service principal is used.