Unable to Retrieve Microsoft 365 Copilot Usage Data Using Graph API with Service Principal Account

Question

Unable to Retrieve Microsoft 365 Copilot Usage Data Using Graph API with Service Principal Account

Bumb, Pooja 25

Hello,

I am trying to retrieve Microsoft 365 Copilot usage data using the Microsoft Graph API with a service principal account. Below are the API permissions set.

User's image

However, I am encountering issues with permissions and receiving the following error message. Could someone please help me verify the correct API permissions required to access Microsoft 365 Copilot usage data using a service principal account? Any guidance on resolving this issue would be greatly appreciated. If it's necessary to know, I'm using Certificate to authenticate.

{
  "error": {
    "code": "UnknownError",
    "message": "{\"error\":{\"code\":\"S2SUnauthorized\",\"message\":\"Invalid permission.\"}}",
    "innerError": {
      "date": "2025-02-24T18:11:04",
      "request-id": "d8ee10da-ffd4-4f8a-a87b-b6672f72b285",
      "client-request-id": "d8ee10da-ffd4-4f8a-a87b-b6672f72b285"
    }
  }
}

brian dewyer 0 Reputation points

2025-03-19T01:39:44.16+00:00

Microsoft 365 Copilot Usage Data Using Graph API - using application permission as below based on API, receive same error as above. Normal client credentials flow. ?

Ignore, I had the wrong permission! Need Reports.Read.All app permission

Accepted answer

0 additional answers

Your answer

brian dewyer 0 Reputation points

2025-03-19T01:39:44.16+00:00

Microsoft 365 Copilot Usage Data Using Graph API - using application permission as below based on API, receive same error as above. Normal client credentials flow. ?

Ignore, I had the wrong permission! Need Reports.Read.All app permission

Answer 1

Vasil Michev 119.6K MVP Volunteer Moderator

You have added Delegate permissions, which means the application must run in the context of a user, and the resulting set of permissions are the cross-section between the permissions granted on the app/SP, and the ones granted on the user. If you intend to run this in the delegate context (as a user), make sure the user has been assigned the Report Reader role in Entra/M365. If you need an automated solution instead (running without a signed in user), you need to grant Application permissions to your app, not delegate ones.

Bumb, Pooja 25 Reputation points

2025-02-28T19:33:57.6233333+00:00

Thank you for your response. I do have a Report Reader role in Entra/M365. Could you please suggest the best way to proceed? Should I use Delegated or Application permissions? I need to run a Power BI report on the cloud with a scheduled refresh daily to get the usage data using the Graph API.
Raja Pothuraju 23,715 Reputation points Microsoft External Staff Moderator

2025-02-28T20:20:21.6833333+00:00

Hello @Bumb, Pooja,

Thank you for posting your query on Microsoft Q&A.

Based on the screenshot you shared, I see that you have added delegated Reports.Read.All API permissions to your registered app. However, this permission is only applicable when generating a token through user-based sign-in.

Since you mentioned that you are using a service principal to generate a token without user sign-in, you need to add Application permissions for Reports.Read.All API instead. Please add Application permission like below screenshot and test the behavior.

According to the Microsoft documentation, Reports.Read.All supports application permissions, making it the correct approach for your use case.

This error typically occurs when the token generated by your application does not have the necessary permissions to access the API or resource in Entra ID.

The choice between delegated and application permissions depends on how you are generating the access token for that resource.

For more details, refer to:

Application and delegated permissions for access tokens in the Microsoft identity platform

Let me know if you need further clarification. If needed, we take this discussion offline as well.
Andy David - MVP 157.7K Reputation points MVP Volunteer Moderator

2025-02-28T20:36:24.39+00:00

Why repeat the same answer as Vasil?
Raja Pothuraju 23,715 Reputation points Microsoft External Staff Moderator

2025-02-28T20:48:36.2066667+00:00

Apologies @Andy David - MVP, as pooja is looking for confirmation to use delegated or application permission. I posted it as Answer for better visibility.
Vasil Michev 119.6K Reputation points MVP Volunteer Moderator

2025-02-28T20:56:34.4933333+00:00

Both methods will do, but delegate scenarios usually require interactive authentication. From your initial reply, you mention you're using certificate to authenticate, aka the client credentials flow. For that to work, you must assign Application permissions, not Delegate ones. So update the permissions on your app, and don't forget to also grant admin consent.
Bumb, Pooja 25 Reputation points

2025-02-28T20:58:58.84+00:00

Thank you, Raja, for clarifying this for me. I appreciate your detailed explanation.

Share via

Unable to Retrieve Microsoft 365 Copilot Usage Data Using Graph API with Service Principal Account

Ignore, I had the wrong permission! Need Reports.Read.All app permission

0 additional answers

Your answer