I recently migrated a model from AAS to a PPU workspace. Now I am trying to automate the refresh of this migrated model in PPU via a Data Factory pipeline that calls the Power BI Refresh API. But I am getting the below error:
Invoking endpoint failed with HttpStatusCode - '401 : Unauthorized', message - 'Client request has not been completed because it lacks valid authentication credentials for the requested endpoint(url).'
I am using 'System Assigned Managed Identity' for authentication in the pipeline. I have an Azure security group with that System Managed Identity as a member, and I have added that security group to the 'Allow service principals to use Power BI APIs' setting in Power BI.
Has anyone tried doing this before? Migrate an AAS model to PPU and then automate the refresh of the migrated semantic model using any method?
Any pointer will be of help!
Hi @Essjay
Our setup is slightly different - we have Premium Capacity instead of PPU. A Synapse Pipeline kicks off Power BI semantic models by calling the Power BI API using an Entra (Azure Active Directory) Security Group of which the Synapse Managed Identity is a member.
I found this Microsoft blog helpful. It refers to both ADF as well as Synapse - but ensure when granting the permissions at Power BI Workspace level that the Entra Security Group the managed identity is in has been granted at least the member or admin role (not contributor as stated in the blog).
https://microsoft-bitools.blogspot.com/2022/04/refresh-power-bi-datasets-with-adf-or.html
@JaneLHunt at PPU workspace level I tried giving both privileges (admin and member) to the group of which the managed identity is a member, but I am still getting the same error! Do you think the error could be because of the 'Premium Per User' workspace? Since people using models in premium capacity never seem to have faced this issue!
Hi @Essjay
What I have found that works is to actually add the specific service principal account into the workspace settings as an admin user. As far as I am aware, system managed identity users do not work within the Power BI service.
A potential workaround is to use Power Automate to refresh your Power BI dataset and then you can use the HTTPS function portrait then be called from your data pipeline.
I think so too! I added the service principal as an admin to my PPU workspace! But got the same error! I guess the catch here is the 'PPU' workspace. Is it possible @GilbertQ that because it is a PPU workspace and not in premium capacity, the service principal/identity trying to access content on the PPU workspace needs a PPU license? How do people automate refreshes for semantic models on PPU workspaces? Any pointers will help! TIA!
Hi @Essjay
This certainly works with PPU; I am doing it for multiple clients.
Can you make sure that you have followed the steps below for enabling your Service Principal?
Using the Power BI Scanner API to Manage Tenant's Entire Metadata -
And specifically the section "Pre-Requisites Before Use"
@GilbertQ I have tried everything. Instead of API, I am trying to leverage Analysis-Services/AsPartitionProcessing/Automated Partition Management for Analysis Services Tabular... to process partitions for my semantic model on PPU workspace. We have a code set up for above in Azure function which used to process partitions for models on our AAS server. I have made the necessary changes like adding the model details, PPU server details, etc in the required configuration tables.
On the Power BI service, the service principal is a member of the PPU workspace. But I am still getting the error. I did a little digging in the log table that captures related logs for our code and could find a more detailed error message as below:
Inner exception message: AADSTS700016: Application with identifier 'xxxxxxx-xxxx-4c9b-8cd8-xxxxxx was not found in the directory 'Microsoft Services'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
It looks like the authentication from the Azure Function is getting blocked for the PPU workspace via the said service principal. Is there something I am missing? I know for APIs we need to configure 'Power BI Services' APIs in Azure apps; does something similar need to be done for the XMLA endpoint?
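Added example, not code from any poster in this thread: when a token is issued but the refresh call still returns 401, decoding the token's claims shows whether it was requested for the right audience and tenant and by the expected identity. The Power BI audience URI is an assumption from general Entra usage rather than from the thread, and the tenant ID, client ID and tokens are constructed placeholders.

```python
import base64, json, time

# Assumption (not from the thread): resource URI normally requested for the Power BI REST API.
POWER_BI_AUDIENCE = "https://analysis.windows.net/powerbi/api"

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only, never for trust)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, tenant_id, client_id, audience=POWER_BI_AUDIENCE, now=None):
    """Return reasons the API would reject this token; an empty list means the claims look right."""
    c = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    aud = str(c.get("aud", ""))
    if aud.rstrip("/") != audience.rstrip("/"):
        problems.append(f"aud is {aud!r}, expected {audience!r}")
    if str(c.get("tid", "")).lower() != tenant_id.lower():
        problems.append(f"tid is {c.get('tid')!r}: token was issued by a different tenant")
    caller = c.get("appid") or c.get("azp")  # v1 tokens carry appid, v2 tokens carry azp
    if str(caller or "").lower() != client_id.lower():
        problems.append(f"caller is {caller!r}, not the expected client ID")
    if c.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems

def _fake_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed values, not taken from the thread.
TENANT = "11111111-1111-1111-1111-111111111111"
CLIENT = "22222222-2222-2222-2222-222222222222"
GOOD = _fake_token({"aud": POWER_BI_AUDIENCE, "tid": TENANT, "appid": CLIENT, "exp": 2_000_000_000})
BAD = _fake_token({"aud": "https://management.azure.com/", "appid": CLIENT, "exp": 2_000_000_000,
                   "tid": "99999999-9999-9999-9999-999999999999"})

if __name__ == "__main__":
    print("good token:", diagnose(GOOD, TENANT, CLIENT, now=1_700_000_000))
    for problem in diagnose(BAD, TENANT, CLIENT, now=1_700_000_000):
        print("bad token:", problem)
```

An AADSTS error such as the one quoted above is raised before any token is issued, so this check applies only to the 401 case.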