2

Our goal is to query a dataset that is published to PowerBI via the REST APIs ( https://learn.microsoft.com/en-us/rest/api/power-bi/datasets/execute-queries ). I'm not talking about the metadata of the dataset, I mean the row-level data contained within the tables in the dataset.

We are going to write a service (probably on prem) that will need to query this data, format it, and push it to another system. From what we understood, we could use a service principal as the identity to query the PowerBI API and retrieve the data.

The very important factor in this, is the service principal should not have access to the row level data of any other dataset. If we have to separate the datasets in a different workspace, that is workable, but not preferred.

Mark Rullo
  • 119
  • 10

1 Answers1

1

Service Principal can be used to access that PBI API. It will have access to the data only if it has authorization on that workspace. So you need to separate workspace in order to manage the access of the dataset.

Sample in postman

From my experience, PowerBI execute DAX query can be quite slow. So do keep that in mind if your integration will require a quick response of PBI API.

TANAKO
  • 11
  • 2
  • Thank you for this. We did end up reaching out to Microsoft and were told by them that if you give a Service Principal access to the REST APIs, then it would have access to all data in the entire tenant. That was really counter-intuitive for us, as why would one full access to everything for one account? – Mark Rullo Feb 09 '23 at 14:35
  • Hmm that sound a bit weird. The only thing that supposed to be on the tenant level is PowerBI API permission but that is just allow service principal to access API which essentially mean it can call API but does not mean it will be authorized to anything. Service principal will need be add into workspace (group) so it can get authorization. This is the sample when I use service principal to call Exec DAX query PowerBI API on dataset that service principal does not access to that workspace. `{ "error": { "code": "PowerBIFolderNotFound",` – TANAKO Feb 21 '23 at 08:07
  • @TANKO that's really helpful, thank you. I fully agree that it sounds weird. Unfortunately I can't enable the setting to test this if Microsoft directly told us that it would give access to all of our sensitive data. To me, having authentication and authorization completely separate just makes sense. I'll try and revive this with them and report back. – Mark Rullo Feb 22 '23 at 13:49