Accessing the Power BI REST API with an application is crucial for efficiently managing and monitoring your Power BI environment. This guide will walk you through using the Power BI REST API with an app as an admin.
By leveraging a service principal, your app can seamlessly authenticate and interact with Power BI resources. This allows our app to read Power BI workspaces and usage data in an automated way, which streamlines administrative tasks in Power BI. A Service Principal Name (SPN) is an authentication method that enables a Microsoft Entra application to access Microsoft Fabric content and APIs. When you create a Microsoft Entra app, a service principal object is automatically generated. This object, commonly referred to as the Service Principal, allows Microsoft Entra ID to authenticate your app. Once authenticated, the app can access resources within the Microsoft Entra tenant. See more at "Service principals can access read-only admin APIs" and "Tenant settings index".
Get the requirements ready and give it a try as outlined in steps 1 to 5 here.
Step 1 – Create an app
Perform the following steps as a Global Admin or Power BI Admin. You can use Privileged Identity Management (PIM) as well. Perform these steps after registration.
First, create a new app in Entra ID. Open the Azure portal, and navigate to Microsoft Azure / Microsoft Entra ID / App registrations - or click directly on the link Microsoft Azure - Microsoft Entra ID - App registrations. Click on New registration. Enter a name for the app, such as "Power BI App". Confirm by clicking on Register, as here.
Write down the app data, such as the app name, and the Application (client) ID.
Note: The Microsoft documentation advises making sure that the app does NOT have any admin-consent-required permissions for Power BI set on it in the Azure portal. Leave the app permissions as they are. The service principal can make REST API calls, but you can't open Fabric with service principal credentials.
If you want to directly access the REST API with PowerShell, or another programming language, create an app secret as well (see step 4 below). You can find the documentation at "Register a Microsoft Entra app and create a service principal" and at "Create a new client secret".
Step 2 – Create a Security Group and add the app as member
In the Azure portal, open the Entra ID menu, navigate to Manage / Groups, and create a new security group, e.g. "Power BI Admins". Make sure to select Security as the group type. Assign the SPN that shall be able to use the direct access to the Power BI REST API (and users, if needed).
Add the "Power BI API App" as a member of the group, as here.
Save the group. You're done in the Azure portal.
Step 3 – Allow app permissions in Power BI
As Administrator, you must enable the Admin API settings. You can do this in the Power BI Admin Portal, or with PowerShell. For using PowerShell, install the MicrosoftPowerBIMgmt module, connect to Power BI, and activate the tenant settings. Find out more here.
Open the Power BI Admin Portal and sign in. In the (renamed) Microsoft Fabric Admin portal, open the Tenant settings.
Search for the "Admin API settings" section. Enable the Admin API settings, and select the security group (in our sample "Power BI Admins") as shown here.
Click on Apply. Note that it can take about 15 minutes for the settings to take effect.
This setting allows service principals to authenticate and to have read-only access through the Power BI Admin APIs. You can also follow the steps described at "Enable service principal authentication for read-only admin APIs" in the Microsoft Fabric documentation.
Now we can test it.
Step 4 – Test the API with the app
To test accessing the Power BI admin interface with PowerShell, you need to add a secret to the app we previously created. When this is done, modify your tenant and app settings, and use this script. You can also download the script from here.
# Test-PowerBI-API-As-Admin.ps1
# atwork.at, Toni Pohl, 01.10.2024
# Fill in your app data
$tenantId = "<your-tenant-id>"
$clientId = "<your-app-id>"
$clientSecret = "<your-app-secret>"
# Create a token for this resource
$scope = "https://analysis.windows.net/powerbi/api/.default"
$authority = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
# Request an access token with this data (OAuth 2.0 client credentials grant)
$body = @{
    client_id     = $clientId
    scope         = $scope
    client_secret = $clientSecret
    grant_type    = "client_credentials"
}
$response = Invoke-RestMethod -Method Post -Uri $authority -ContentType "application/x-www-form-urlencoded" -Body $body
$accessToken = $response.access_token
# Use the access token to call the Power BI REST API
$headers = @{
    Authorization = "Bearer $accessToken"
}
# Continue getting data with the access token $headers
$apiUrl = "https://api.powerbi.com/v1.0/myorg/admin/groups?%24top=10&%24skip=0"
# Note:
# If this error occurs: "Response status code does not indicate success: 404 (Not Found)" OR "This API expects $top query option to be provided."
# This is the solution: Use %24 instead of $ in the query string as above.
# See https://stackoverflow.com/questions/75857169/powerbi-rest-api-request-getgroupsasadmin-returns-aggregateexception-an-attempt
$response = Invoke-RestMethod -Method Get -Uri $apiUrl -Headers $headers
# Show result
$response.value | Format-Table
The result in $response.value can look as here:
Step 5 – Supported API endpoints
As an application with access to the Power BI admin API, you can use the following endpoints as documented at "Supported APIs".
Continue to adapt as needed.
Summary
I hope this guide has provided you with a solid foundation for using the Power BI REST API as an admin. Once the necessary permissions are configured, you can begin making requests to the admin API to process data.
Keep in mind that the Power BI APIs implement throttling, which may limit their use for processing large volumes of data. To handle large amounts of data more efficiently and simplify the use of Power BI data for visualization and business processes, consider using our Governance Toolkit 365 SaaS application!
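The Step 4 request, extended as an added example (not part of the original script) to read all workspaces page by page with %24top/%24skip and to wait and retry when the API throttles with HTTP 429. It assumes PowerShell 7; the PBI_* environment variable names, the two function names, the page size and the retry limit are illustrative choices, and the secret is read from the environment rather than written into the script file.

```powershell
#Requires -Version 7.0
# Added example, not part of the original script. Assumed names: the PBI_* environment
# variables, Get-PbiAdminToken, Get-PbiAdminGroups; page size 100 and 5 retries are arbitrary.
function Get-PbiAdminToken {
    # Same client-credentials request as in Step 4, but the secret comes from the
    # environment so it never lands in the script file or in source control.
    foreach ($name in 'PBI_TENANT_ID', 'PBI_CLIENT_ID', 'PBI_CLIENT_SECRET') {
        if (-not [Environment]::GetEnvironmentVariable($name)) { throw "Environment variable $name is not set." }
    }
    $body = @{
        client_id     = $env:PBI_CLIENT_ID
        client_secret = $env:PBI_CLIENT_SECRET
        scope         = 'https://analysis.windows.net/powerbi/api/.default'
        grant_type    = 'client_credentials'
    }
    $uri = "https://login.microsoftonline.com/$($env:PBI_TENANT_ID)/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

function Get-PbiAdminGroups {
    param([string]$AccessToken, [int]$PageSize = 100, [int]$MaxRetries = 5)
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $skip = 0
    do {
        # %24 is the URL-encoded "$", as in the Step 4 script
        $req = @{
            Method = 'Get'; Uri = "https://api.powerbi.com/v1.0/myorg/admin/groups?%24top=$PageSize&%24skip=$skip"
            Headers = $headers; SkipHttpErrorCheck = $true
            StatusCodeVariable = 'status'; ResponseHeadersVariable = 'respHeaders'
        }
        for ($attempt = 0; ; $attempt++) {
            $page = Invoke-RestMethod @req
            if ($status -ne 429) { break }
            if ($attempt -ge $MaxRetries) { throw "Still throttled after $MaxRetries retries: $($req.Uri)" }
            # Honor Retry-After when it is given in seconds, otherwise wait 60 seconds
            $retryAfter = @($respHeaders['Retry-After'])[0]
            $wait = if ($retryAfter -match '^\d+$') { [int]$retryAfter } else { 60 }
            Start-Sleep -Seconds $wait
        }
        if ($status -ne 200) { throw "Request failed with HTTP $status for $($req.Uri)" }
        $items = @($page.value)
        $items                          # emit this page's workspaces to the pipeline
        $skip += $PageSize
    } while ($items.Count -eq $PageSize)
}

# Usage (after setting the three environment variables in the current session):
# Get-PbiAdminGroups -AccessToken (Get-PbiAdminToken) | Select-Object id, name, type, state | Format-Table
```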
Source: https://blog.atwork.at/post/Grant-permissions-to-PowerBI-REST-API-as-Admin