0

I am trying to get non-admin metadata from PowerBI using ADF.

I have already managed to download admin metadata using ADF, but with non-admin I have troubles.

What I have done so far:

  1. Created a security group and added the service principal of the ADF
  2. Created a registered app, and added the app to the security group. The registered app has the following privileges: Report.Read.All, Dataset.Read.All, Workspace.Read.All - admin consent granted.
  3. In Power BI I have enabled both "Service principals can use Fabric APIs" and "Allow service principals to access read-only admin APIs" and applied to the security group
  4. In Power BI in workspaces, I added as members both - security group and the registered app.

As stated before, admin metadata I can download, I use the security group with Service Principal of the ADF for this purpose. Non-admin metadata I want to download using registered app.

In ADF pipeline I created two web activities

  1. Get Bearer Token:
     • URL: https://login.microsoftonline.com//oauth2/v2.0/token
     • Method: POST
     • Body:

           grant_type=client_credentials
           &client_id=<Client_ID>
           &client_secret=
           &scope=https://analysis.windows.net/powerbi/api/.default

     • Headers: content-type:application/x-www-form-urlencoded

  2. Call PowerBI API:
     • URL: https://api.powerbi.com/v1.0/myorg/reports/
     • Method: GET
     • Authentication: None
     • Headers: Authorization: @concat(activity('Request Bearer Token').output.token_type, ' ', string(activity('Request Bearer Token').output.access_token))

The first activity to get Token is successful, the second activity is not. I get the following error: "Message":"API is not accessible for application".

I tried in Postman and I get error: 403 forbidden.

If I use www.learn.microsoft.com to request for API, so using my personal account with the Token generated by ADF - I call API successfully.

So it seems there is some permission issue? Although, at this moment I think I have checked everything and I am out of ideas... Perhaps, somebody has the same problem?

1
  • Note that service principal authentication is not supported for accessing My workspace (myorg). With a client credentials flow token, you cannot call the /myorg/ endpoint. To resolve this, you need to change your authentication flow to delegated, where user interaction is required. Refer to this: stackoverflow.com/questions/77867783/… Commented Jan 10 at 12:39

1 Answer

0

The key is to add Workspace ID to the URL. So, in the second WEB activity where the Bearer Token is passed, instead of the following URL:

https://api.powerbi.com/v1.0/myorg/reports/

Add Workspace ID, like this:

https://api.powerbi.com/v1.0/myorg/groups/{Workspace ID}/reports
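
The comment and the answer above can be combined into a pre-flight check, shown here as an added example that is not part of the original posts: it inspects the bearer token's claims and refuses to build the workspace-less `/myorg/reports` URL for an app-only token. The function names, the sample tokens and the workspace ID are constructed for illustration, and treating a missing `scp` claim (or `idtyp` equal to `app`) as "app-only" is an assumed heuristic.

```python
import base64
import json
from typing import Optional

API_ROOT = "https://api.powerbi.com/v1.0/myorg"


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_app_only(claims: dict) -> bool:
    """Assumed heuristic: delegated tokens carry 'scp'; client-credentials tokens do not."""
    return claims.get("idtyp") == "app" or "scp" not in claims


def reports_url(token: str, workspace_id: Optional[str] = None) -> str:
    """Choose the reports endpoint that the token's identity type can call."""
    if workspace_id:
        return f"{API_ROOT}/groups/{workspace_id}/reports"
    if is_app_only(jwt_claims(token)):
        # Per the comment above: a service principal has no "My workspace".
        raise ValueError("app-only token: a workspace ID is required")
    return f"{API_ROOT}/reports"


def sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT for offline testing (not a real token)."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}.constructed"


if __name__ == "__main__":
    app = sample_token({"appid": "00000000-0000-0000-0000-000000000001"})
    user = sample_token({"scp": "Report.Read.All", "upn": "user@example.com"})
    ws = "11111111-1111-1111-1111-111111111111"  # placeholder workspace ID
    print(reports_url(user))
    print(reports_url(app, ws))
    try:
        reports_url(app)
    except ValueError as err:
        print("refused:", err)
```

The decode step skips signature verification on purpose, so it is suitable only for diagnosing which kind of token a pipeline obtained, never for making an authorization decision.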