This article shows how to enable service principal authentication for Power BI read-only admin APIs and Microsoft Fabric update admin APIs.
Service principal is an authentication method that can be used to let a Microsoft Entra application access Microsoft Fabric content and APIs.
When you create a Microsoft Entra app, a service principal object is created. The service principal object, also known simply as the service principal, allows Microsoft Entra ID to authenticate your app. Once authenticated, the app can access Microsoft Entra tenant resources.
Enable service principal authentication
To enable service principal authentication for Fabric APIs, follow these steps:
1. Create a Microsoft Entra app. You can skip this step if you already have a Microsoft Entra app you want to use. Take note of the app ID, which you need in later steps.

   Important: Make sure the app you use doesn't have any admin-consent required permissions for Fabric set on it in the Azure portal. See how to check whether your app has any such permissions.

2. Create a new Microsoft Entra Security Group and make sure to select Security as the Group type. You can skip this step if you already have a Microsoft Entra security group you'd like to use.
3. Add your app ID as a member of the security group you created. To do so:
   1. Navigate to Azure portal > Microsoft Entra ID > Groups, and choose the security group you created in Step 2.
   2. Select Add Members.
4. Enable the Fabric admin settings:
   1. Sign in to the Fabric admin portal. You need to be a Fabric admin to see the tenant settings page.
   2. Under Admin API settings, select the switch for the type of admin APIs you want to enable:
      - Service principals can access read-only admin APIs (see supported Power BI admin APIs)
      - Service principals can access admin APIs used for updates (see supported Fabric admin APIs)
   3. Set the toggle to Enabled.
   4. Select the Specific security groups radio button. In the text field that appears below it, add the security group you created in Step 2.
   5. Select Apply.
Supported Power BI admin APIs for read-only
The following read-only admin APIs support service principal authentication. This list may not be exhaustive; for the latest information about APIs not listed here, refer to the Power BI REST API documentation.
- Apps GetAppsAsAdmin
- Apps GetAppUsersAsAdmin
- Dashboards GetDashboardsAsAdmin
- Dashboards GetDashboardsInGroupAsAdmin
- Dashboards GetDashboardSubscriptionsAsAdmin
- Dashboards GetDashboardUsersAsAdmin
- Dashboards GetTilesAsAdmin
- Dataflows ExportDataflowAsAdmin
- Dataflows GetDataflowDatasourcesAsAdmin
- Dataflows GetDataflowsAsAdmin
- Dataflows GetDataflowsInGroupAsAdmin
- Dataflows GetDataflowUsersAsAdmin
- Dataflows GetUpstreamDataflowsInGroupAsAdmin
- Datasets GetDatasetsAsAdmin
- Datasets GetDatasetsInGroupAsAdmin
- Datasets GetDatasetToDataflowsLinksInGroupAsAdmin
- Datasets GetDatasetUsersAsAdmin
- Datasets GetDatasourcesAsAdmin
- Get Activity Events
- Get Capacities As Admin
- Get Power BI Encryption Keys
- Get Refreshable For Capacity
- Get Refreshables For Capacity
- Get Refreshables
- Groups GetGroupAsAdmin
- Groups GetGroupsAsAdmin
- Groups GetGroupUsersAsAdmin
- Groups GetUnusedArtifactsAsAdmin
- Imports GetImportsAsAdmin
- Pipelines GetPipelinesAsAdmin
- Pipelines GetPipelineUsersAsAdmin
- Profiles GetProfilesAsAdmin
- Reports GetReportsAsAdmin
- Reports GetReportsInGroupAsAdmin
- Reports GetReportSubscriptionsAsAdmin
- Reports GetReportUsersAsAdmin
- Users GetUserArtifactAccessAsAdmin
- Users GetUserSubscriptionsAsAdmin
- WidelySharedArtifacts LinksSharedToWholeOrganization
- WidelySharedArtifacts PublishedToWeb
- WorkspaceInfo GetModifiedWorkspaces
- WorkspaceInfo GetScanResult
- WorkspaceInfo GetScanStatus
- WorkspaceInfo PostWorkspaceInfo
How to check if your app has admin-consent required permissions
An app using service principal authentication that calls read-only admin APIs must not have any admin-consent required permissions for Power BI set on it in the Azure portal. To check the assigned permissions:
1. Sign in to the Azure portal.
2. Select Microsoft Entra ID, then Enterprise applications.
3. Select the application you want to grant access to Power BI.
4. Select Permissions. There must be no admin-consent required permissions of type Application registered for the app.
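The permission check above and the security group membership from the setup steps can also be audited from exported Microsoft Graph data. The following is an added example, not part of the original article or Microsoft's code: it assumes you have already fetched the `value` arrays from `GET /servicePrincipals/{id}/appRoleAssignments` (Application-type permissions) and `GET /groups/{id}/members`, and every GUID and display name in the sample data is a constructed placeholder.

```python
# Added example: offline audit over constructed Microsoft Graph responses.
# All GUIDs are constructed placeholders, not real tenant values.
SP_TYPE = "#microsoft.graph.servicePrincipal"
SP_ID = "11111111-1111-1111-1111-111111111111"          # the app's service principal object ID
POWERBI_SP_ID = "22222222-2222-2222-2222-222222222222"  # Power BI resource SP in this tenant
GRAPH_SP_ID = "33333333-3333-3333-3333-333333333333"

# Shape of the `value` array from GET /servicePrincipals/{id}/appRoleAssignments
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000001", "principalId": SP_ID,
     "resourceId": POWERBI_SP_ID, "resourceDisplayName": "Power BI Service"},
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000002", "principalId": SP_ID,
     "resourceId": GRAPH_SP_ID, "resourceDisplayName": "Microsoft Graph"},
]
# Shape of the `value` array from GET /groups/{id}/members
SAMPLE_MEMBERS = [
    {"@odata.type": "#microsoft.graph.user", "id": "44444444-4444-4444-4444-444444444444"},
    {"@odata.type": SP_TYPE, "id": SP_ID},
]

def application_permissions_on(assignments, resource_sp_id):
    """Return the app role assignments (Application-type permissions) on one resource.

    Delegated permissions are stored separately (oauth2PermissionGrants) and are
    not inspected here.
    """
    return [a for a in assignments
            if a.get("resourceId", "").lower() == resource_sp_id.lower()]

def is_group_member(members, sp_object_id):
    """True if the service principal appears in the group's member list."""
    return any(m.get("@odata.type") == SP_TYPE
               and m.get("id", "").lower() == sp_object_id.lower()
               for m in members)

def preflight(assignments, members, sp_object_id, powerbi_sp_id):
    """Collect findings that conflict with the requirements described in this article."""
    findings = []
    for a in application_permissions_on(assignments, powerbi_sp_id):
        findings.append(f"application permission {a['appRoleId']} granted on "
                        f"{a.get('resourceDisplayName', 'resource')}: remove it")
    if not is_group_member(members, sp_object_id):
        findings.append("service principal is not listed in the allowed security group")
    return findings
```

An empty list from `preflight` means neither condition was found in the data supplied. `/groups/{id}/members` lists direct members only, so a service principal nested through another group is reported as missing.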
Supported Fabric admin APIs for updates
The "Service principals can access admin APIs used for updates" setting applies to Fabric admin APIs, such as the Workspaces - Restore Workspace API.
To find out if a specific Fabric admin API supports service principal authentication, check the API's documentation in the Fabric REST API reference. Look for the "Microsoft Entra supported identities" section, which indicates whether service principal authentication is supported.
Considerations and limitations
The service principal can make REST API calls, but you can't open Fabric with service principal credentials.
Fabric admin rights are required to enable service principal in the Admin API settings in the Fabric admin portal.