dibaSFP
Advocate I

App Service Principals vs Admin API Service Principals

Hi everyone,

There are two ways to access the Power BI REST APIs using Service Principals. Basically, I have not yet understood why.

 

Especially in a Power BI Embedded scenario you need the information about workspaces, reports, datasets etc. At the same time you need to create an access token to embed a report or do other stuff (like trigger a dataset refresh).

 

Creating a report access token requires knowing whether the related dataset uses RLS and whether you have to provide an account and role or not (if not needed you get an error, if you still provide an account and role, while the API may just ignore it), so we use a short request to get the current information from the dataset before asking for the access token. To do this, and in general for our PBI Embed solution, we are using a "Service Principal with App Secret" as described here:

https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal

 

If I want to use the way more efficient Power Admin APIs to get workspace/report/dataset information, then I have to enable "Service Principal Authentication for Admin APIs" as described here: https://docs.microsoft.com/en-us/power-bi/admin/read-only-apis-service-principal-authentication

 

For both ways there are two different settings in the Power BI Service admin portal. For the first it is "Allow service principals to use Power BI APIs". For the second it is "Allow service principals to use read-only Power BI admin APIs".

 

A round-trip with the support revealed that you actually cannot use both with the same service principals. You have to disable the first option to use the read-only Admin APIs, while you then cannot use the "common" APIs, and vice versa.


 

We have now created two apps to get two service principal accounts. One, to embed our reports and do other stuff and the second, to use the admin APIs (also used to embed the reports).

 

Can someone provide an explanation why this rather complex setup has been chosen (and guess why we cannot use both worlds with one account)?

 

Regards,

DibaSFP
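
The pre-check described in the question above (read the dataset, then decide whether the embed-token request carries an account and role), as an added example that is not code from the thread. It assumes the dataset object carries the REST API fields `isEffectiveIdentityRequired` and `isEffectiveIdentityRolesRequired`; the function name, the exception class and the sample datasets are hypothetical, and the function refuses to build a request when the metadata or the identity is incomplete.

```python
# Added example, not code from the thread. Names and sample data are hypothetical.
from typing import Optional, Sequence


class EmbedIdentityError(ValueError):
    """The identity supplied does not match what the dataset metadata requires."""


def build_generate_token_body(dataset: dict, username: Optional[str] = None,
                              roles: Sequence[str] = (),
                              access_level: str = "View") -> dict:
    """Return the JSON body for a report GenerateToken request; reads only `id`
    and the two isEffectiveIdentity* flags of the datasets-API object."""
    try:
        needs_roles = bool(dataset["isEffectiveIdentityRolesRequired"])
        needs_identity = bool(dataset["isEffectiveIdentityRequired"]) or needs_roles
    except KeyError as missing:
        # Partial metadata: refuse rather than guess that RLS is off.
        raise EmbedIdentityError(f"dataset metadata lacks {missing}") from None

    body = {"accessLevel": access_level}
    if not needs_identity:
        # No RLS: send no identity, whatever the caller passed in.
        return body

    name = (username or "").strip()
    if not name:
        raise EmbedIdentityError("dataset requires an effective identity")
    clean_roles = [r.strip() for r in roles if r and r.strip()]
    if needs_roles and not clean_roles:
        raise EmbedIdentityError("dataset requires at least one RLS role")

    identity = {"username": name, "datasets": [dataset["id"]]}
    if clean_roles:
        identity["roles"] = clean_roles
    body["identities"] = [identity]
    return body


# Constructed sample metadata (not real dataset ids).
PLAIN_DS = {"id": "ds-plain", "isEffectiveIdentityRequired": False,
            "isEffectiveIdentityRolesRequired": False}
RLS_DS = {"id": "ds-rls", "isEffectiveIdentityRequired": True,
          "isEffectiveIdentityRolesRequired": True}

if __name__ == "__main__":
    print(build_generate_token_body(PLAIN_DS, "alice@example.com", ["Sales"]))
    print(build_generate_token_body(RLS_DS, "alice@example.com", ["Sales"]))
```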

 

v-kkf-msft
Community Support

Hi @dibaSFP ,

 

Service Principal authentication for scanner Admin APIs will enable Azure AD applications to access Power BI APIs, without the need for admins to maintain a service account with an admin role. Only approval through tenant settings configurations will need to be granted to allow this action to be performed.

 

You can learn more about the difference between read-only Power BI admin APIs and Power BI APIs by Announcing new Admin APIs and Service Principal authentication to make for better tenant metadata sc... 

 

If the problem is still not resolved, please provide detailed error information or the expected result you expect. Let me know immediately, looking forward to your reply.

Best Regards,
Winniz

If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

 

Dear Winniz,

 

Thank you for the explanation. The main question is why the "App Service Principals" cannot get the permission to access the read-only APIs as well (e.g. by assigning them the Tenant.ReadAll permission). The other way around is understandable.

 

The (way more efficient) read-only Admin APIs have been added, e.g. to avoid reading all workspace, reports and dataset data by looping through each and every workspace and scanning for changes (which, according to some blog entries, may have needed more than 24 hours for some customers).

 

You have the same requirement in your own Power BI Embedded solution, e.g. to add a new report automatically to your own app, if it has been added to a PBI service workspace. To recognize that, you have to check the workspaces frequently - which would be way more efficient, if just the read-only APIs could also be accessed by the App Service Principal as well (as there are APIs which return a list of changed workspaces and all the details by only sending two requests).

 

Regards,

DibaSFP
