Share via

We use a 'service' account to call the Microsoft Power BI API. What permissions are required today to call the API?

Woods, Timothy 0 Reputation points
2025-05-06T14:27:37.09+00:00

It seems the permissions for reading audit logs has changed. Our report displays data on (reports run, workspaces, Semantic Models, etc.).

The code does a few things:

  1. Get Token,
  2. Run various queries for data. Workspaces, Datasets, etc.

I have checked the token in Postman so the token has/is not expired.

I found online this permission is required today to call the MS Graph API for PBI ->
Power BI Service Administrator role via Entra (not Fabric admin UI):
Can this role be validated from MS?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
13,598 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. PRATIK JADHAV 80 Reputation points Microsoft External Staff Moderator
    2025-05-15T12:37:02.64+00:00

    Hello @Woods, Timothy,

    To read Power BI audit logs you should have at least Fabric Administrator role is assigned to user.

    To read the audit logs using Power BI REST API, Using Service Principal you don't require Fabric Administrator role assign to Service Principal, but it should be assigned to User.

    Initially I registered Single Tenant Microsoft Entra ID Application and Added delegated type Tenant.Read.All API permission from Power BI Services and Granted admin Consent like below:

    User's image

    Using delegated type, authorization_code flow which requires user-interaction. To get code, I ran below authorization request in browser: 

    
https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize?  

client_id=<application-id of your registered application> 

&response_type=code  

&redirect_uri=https://jwt.ms

&response_mode=query  

&scope=https://analysis.windows.net/powerbi/api/Tenant.Read.All

&state=12345

    enter image description here

    After successfully creating authorization_code, Generated access token using below parameters:

    
GET https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token

Content-Type: application/x-www-form-urlencoded

client_id: <application-id>

client_secret: <client-secret>

scope: https://analysis.windows.net/powerbi/api/Tenant.Read.All

grant_type: authorization_code

code: <authorization_code generated from browser>

redirect_uri: <REDIRECT_URI

    Response:

    User's image In Power BI Admin Portal, you need to enable the below option:

    enter image description here

    Note: To access Tenant settings in PowerBI Admin Portal then the user must have Fabric Administrator/Global Administrator.

    Use the same generated access token, to fetch the Power BI activity logs contains complete copy of the Power BI activities. 

    
GET https://api.powerbi.com/v1.0/myorg/admin/activityevents?startDateTime='2025-05-13T00:00:00.000Z'&endDateTime='2025-05-13T23:59:59.000Z'

    User's image

    If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.

    User's image

    If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.