Adding user in Power BI workspace using Power BI Admin API returning unauthorized


I'm trying to use this API call: https://learn.microsoft.com/en-us/rest/api/power-bi/admin/groups-add-user-as-admin.

I'm authenticating with a Service Principal which has tenant.ReadWrite.All and Fabric Administrator role (previously Power BI Service Administrator).

With the token generated with the Service Principal, I'm able to run other Admin APIs like https://learn.microsoft.com/en-us/rest/api/power-bi/admin/groups-get-group-as-admin.

However, when running Add user as admin, I'm getting 401 unauthorized.

I'm running it with Python:

import requests

token = '<access_token>'  # token generated with the Service Principal
group_id = '<workspace_id>'
aad_group_object_id = '<servicePrincipal_client_id>'
new_permission = 'Contributor'

url = f'https://api.powerbi.com/v1.0/myorg/admin/groups/{group_id}/users'
headers = {
    'Authorization': f'Bearer {token}',
    'Content-Type': 'application/json'
}
data = {
    'principalType': 'App',
    'identifier': aad_group_object_id,
    'groupUserAccessRight': new_permission
}

response = requests.post(url, headers=headers, json=data)

I cannot see how there's an authorization issue, any ideas?


There are 1 answers

Sridevi On

When I ran the same code, passing the service principal client ID for the identity parameter and a token generated with the client credentials flow, I too got the same error, as below:

import requests

token = '<client_credentials_token>'
group_id = '<workspace_id>'
aad_group_object_id = '<servicePrincipal_client_id>'
new_permission = 'Contributor'

url = f'https://api.powerbi.com/v1.0/myorg/admin/groups/{group_id}/users'
headers = {
    'Authorization': f'Bearer {token}',
    'Content-Type': 'application/json'
}
data = {
    'principalType': 'App',
    'identifier': aad_group_object_id,
    'groupUserAccessRight': new_permission
}

response = requests.post(url, headers=headers, json=data)
if response.status_code == 200:
    print("Added successfully")
else:
    print('Error:', response.status_code, response.reason)

Response:

[image]

To resolve the error, make sure to pass the service principal object ID for the identity parameter, which can be found in the Enterprise applications tab under the same name:

[image]

In my case, I generated the token using the username/password flow, granting the Tenant.ReadWrite.All Delegated permission, via Postman like this:

POST https://login.microsoftonline.com/tenantId/oauth2/v2.0/token
grant_type:password
client_id:<appId>
client_secret:<secret>
scope: https://analysis.windows.net/powerbi/api/.default
username: <username>
password: xxxxxxxx

Response:

[image]

When I ran the same code, passing the above token and the service principal object ID for the identity parameter, I got a successful response like this:

import requests

token = '<above_token>'
group_id = '<workspace_id>'
aad_group_object_id = '<servicePrincipal_object_id>'
new_permission = 'Contributor'

url = f'https://api.powerbi.com/v1.0/myorg/admin/groups/{group_id}/users'
headers = {
    'Authorization': f'Bearer {token}',
    'Content-Type': 'application/json'
}
data = {
    'principalType': 'App',
    'identifier': aad_group_object_id,
    'groupUserAccessRight': new_permission
}

response = requests.post(url, headers=headers, json=data)
if response.status_code == 200:
    print("Added successfully")
else:
    print('Error:', response.status_code, response.reason)

Response:

[image]

To confirm that, I checked in the Power BI portal, where the service principal was added with the Contributor role like this:

[image]
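Added example (not part of the question or the answer above): a diagnostic that decodes an access token's claims to show whether it is app-only or delegated, and whether a given identifier is the app's client ID or the service principal's object ID. It assumes the standard Microsoft Entra claim names (`aud`, `appid`/`azp`, `oid`, `scp`, `roles`); the GUIDs and tokens are constructed samples, and the signature is not verified.

```python
import base64
import json

def decode_claims(token):
    """Return the JWT payload as a dict. No signature check: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def summarize(token):
    c = decode_claims(token)
    return {
        "audience": c.get("aud"),
        # 'scp' appears only on delegated (user) tokens; app-only tokens carry 'roles'
        "flow": "delegated" if "scp" in c else "app-only",
        "client_id": c.get("appid") or c.get("azp"),  # v1.0 / v2.0 claim name
        "object_id": c.get("oid"),  # app-only token: the service principal's object ID
        "permissions": c.get("scp", "").split() or c.get("roles", []),
    }

def check_identifier(identifier, sp_token):
    """Say which ID was supplied for the request body's 'identifier' field."""
    s = summarize(sp_token)
    if s["flow"] != "app-only":
        raise ValueError("need a token issued to the service principal itself")
    if identifier == s["client_id"]:
        return "client_id"
    return "object_id" if identifier == s["object_id"] else "unknown"

# Constructed sample data: fake GUIDs, dummy signature (assumption, not real tokens)
def _fake(claims):
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

CLIENT_ID = "11111111-1111-1111-1111-111111111111"
SP_OBJECT_ID = "22222222-2222-2222-2222-222222222222"
USER_OBJECT_ID = "33333333-3333-3333-3333-333333333333"
AUD = "https://analysis.windows.net/powerbi/api"
APP_TOKEN = _fake({"aud": AUD, "appid": CLIENT_ID, "oid": SP_OBJECT_ID, "roles": ["Tenant.ReadWrite.All"]})
USER_TOKEN = _fake({"aud": AUD, "appid": CLIENT_ID, "oid": USER_OBJECT_ID, "scp": "Tenant.ReadWrite.All"})

if __name__ == "__main__":
    print(summarize(APP_TOKEN), check_identifier(CLIENT_ID, APP_TOKEN))
```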