Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
Anonymous
Not applicable

Service Principal Admin API

‎06-25-2021 05:20 AM

Hello All,

 

Has anyone tried out the new feature "Service Principal with Admin API access" ? https://docs.microsoft.com/en-us/power-bi/admin/read-only-apis-service-principal-authentication

 

I have followed the steps as per the article but i get the error message 

 

The remote server returned an error: (401) Unauthorized.

 

i suspect that the issue is related to this step [which is not clear to me]

 

Select Add Members. Note: Make sure the app you use does not have any Power BI admin roles set on it in Azure portal. To check this:

 

Can someone explain what permissions the service principal should have ? FYI we tried to use the service principal i while back to automate data collection via Power BI REST API's and currently these are the permissions assigned to the service principal

nithysh_0-1624623502133.png

 

 

Labels:
Message 1 of 10
1,838 Views
0
9 REPLIES 9
pvuppala
Advocate II
Advocate II

‎09-08-2022 07:52 AM

Hi there, I found this post looking to use Service Principal to run Admin API.  I get the same 401 (Unauthorized) error.

when I try to call this 

$headers = Get-PowerBIAccessToken
Invoke-RestMethod -Headers $headers -Uri 'https://api.powerbi.com/v1.0/myorg/admin/capacities/AssignWorkspaces' -body $bodyStr -Method Post

Please confirm if Service PRincipal is intended to those read-only APIs ?

Message 10 of 10
921 Views
0
v-kkf-msft
Community Support
Community Support

‎06-27-2021 11:53 PM

Hi @Anonymous ,

 

Based on my understanding, I think this is more likely to be related to the authentication access token. REST API needs authentication, did you send authentication credentials along with your request? 

 

To get the token, please refer to Get an authentication access token .

 

 

If the problem is still not resolved, please provide detailed error information or the expected result you expect. Let me know immediately, looking forward to your reply.

Best Regards,
Winniz

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 2 of 10
1,780 Views
0
Anonymous
Not applicable
In response to v-kkf-msft

‎06-28-2021 12:37 AM

Hello,

 

Yes, i am passing/using the authentication token when i execute the REST API.

 

When i execute the non-admin API like this request "

https://api.powerbi.com/v1.0/myorg/groups"  i get results

 

When i execute the admin API like this request "

https://api.powerbi.com/v1.0/myorg/admin/groups?%24top=5000" i get the error message

 

The remote server returned an error: (401) Unauthorized.

 

Do you need any other information ?

 

Thanks for your help!

Message 3 of 10
1,760 Views
0
v-kkf-msft
Community Support
Community Support
In response to Anonymous

‎06-28-2021 02:16 AM

Hi @Anonymous ,

 

The permissions required by these two APIs are different. When you execute Admin - Groups GetGroupsAsAdmin API, you must have administrator rights (such as Office 365 Global Administrator or Power BI Service Administrator) to call this API or authenticate via service principal.

 

 

If the problem is still not resolved, please provide detailed error information or the expected result you expect. Let me know immediately, looking forward to your reply.

Best Regards,
Winniz

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 4 of 10
1,728 Views
0
Anonymous
Not applicable
In response to v-kkf-msft

‎06-28-2021 02:27 AM

Hello,

 

Please check again, your last comment conflicts with what is written in microsoft's documentation.

 

I am referring to this link

 

https://docs.microsoft.com/en-us/power-bi/admin/read-only-apis-service-principal-authentication

 

In this link it states the following.

 

nithysh_0-1624872030929.png

 

According to your last post, the service principal needs Power BI Service Administrator role, how do we assign this to a Service Principal ?

 

Looking forward to your response

Message 5 of 10
1,716 Views
0
v-kkf-msft
Community Support
Community Support
In response to Anonymous

‎06-29-2021 12:26 AM

Hi @Anonymous ,

 

I don't mean to assign the administrator role to the service principal. I think the administrator role required by the API refers to the PowerBI account you use when calling the API.

 

You can test with different PowerBI accounts on Admin - Groups GetGroupsAsAdmin , like this:

 

image.png

 

This is the test result when I use a normal user (no administrator privileges), it returns 401 errors.

 

image.png

 

If the problem is still not resolved, please provide detailed error information or the expected result you expect. Let me know immediately, looking forward to your reply.

Best Regards,
Winniz

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 6 of 10
1,690 Views
0
Anonymous
Not applicable
In response to v-kkf-msft

‎06-29-2021 12:34 AM

Hello,

 

I am interested in executing the Admin API's[that only read data out of power bi ] via a service principal and not via a user account that has administrator rights.

 

According to this link it should now be possible [from december 2020] 

https://docs.microsoft.com/en-us/power-bi/admin/read-only-apis-service-principal-authentication

 

Am i mistaken ?

 

Thanks!

Message 7 of 10
1,677 Views
0
v-kkf-msft
Community Support
Community Support
In response to Anonymous

‎07-02-2021 01:04 AM

Hi @Anonymous ,

 

Sorry for the late reply.

 

After I searched some related documents for testing, I found that we can't actually use the service principal authentication for read-only admin APIs to call the API "https://api.powerbi.com/v1.0/myorg/groups".

vkkfmsft_2-1625213019592.png

 

But we can call the API "https://api.powerbi.com/v1.0/myorg/admin/groups?%24top=5000".


The follow should be noted:

1. you do not need to give PowerBI Service permission to your application.

 

vkkfmsft_0-1625212437736.png

2. In the Admin Portal, you only need to add the security group to the second option "Allow service principal to use read-only Power BI admin APIs".

 

vkkfmsft_1-1625212511799.png

 

This is screenshot of my test:

 

image.png

 

If the problem is still not resolved, please provide detailed error information or the expected result you expect. Let me know immediately, looking forward to your reply.

Best Regards,
Winniz

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 8 of 10
1,632 Views
0
Anonymous
Not applicable
In response to v-kkf-msft

‎07-02-2021 01:32 AM

Hello,

 

Thanks. i believe what i need to do is adjust the permissions assigned to the service principal since the one i am using has more permissions currently assigned.

 

I will make the changes ASAP, test and reply back to this post if your suggestion works.

 

Thanks!

Message 9 of 10
1,628 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All