Can a service principal access admin portal settings in the Power BI service?
I cannot assign a capacity ID to a workspace via PowerShell commands when logged in with a service principal.

```powershell
$workspace = Get-PowerBIWorkspace -Name 'XXX-XX-XXXX-XXX'
$workspaceId = $workspace.Id
echo $workspaceId
Set-PowerBIWorkspace -Id $workspaceId -Scope "Organization" -CapacityId "XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX"
```

Error message:

```
Set-PowerBIWorkspace: Operation returned an invalid status code 'Unauthorized'
```
I have taken the following steps: I have created a service principal and assigned it to a security group in Azure AD. I manually added this security group in the admin portal in the Power BI service to allow service principals to interact with the service (under developer settings). I have been able to (using PowerShell) log in with the service principal and create a workspace. I can get all workspaces, etc.

However, when I try to set a workspace capacity ID (assign it to a premium capacity) I get an unauthorized error. I suspect I cannot do this because to perform this action, I have to go under Admin Portal Settings > Workspaces (I need admin rights to the Power BI service), hence I'm trying to find a way to grant these admin permissions to the service principal. Besides this, I have:
- Assigned that same service principal in the security group to be workspace admin
- Assigned the Power BI administrator role in AAD to that service principal

But nothing worked.

Is there a way to perform these actions? Or is it a limitation of service principals?

Thank you, Joao
Solution 1:[1]
The admin APIs in general cannot be used when authenticating with a service principal. Recently, they made it possible to use some of them, but not all. For example, take a look at "Announcing new Admin APIs and Service Principal authentication to make for better tenant metadata scanning" and "Enable service principal authentication for read-only admin APIs", where you can see the list of supported APIs.

To assign a capacity to a workspace, the UpdateGroupsAsAdmin API is used, which is currently not listed as a supported API, and is documented only for "normal" authentication:

> Permissions
>
> The user must have administrator rights (such as Office 365 Global Administrator or Power BI Service Administrator).

while for other APIs (GetGroupsAsAdmin, PostWorkspaceInfo) it is explicitly documented that they can be used with a service principal:

> Permissions
>
> The user must have administrator rights (such as Microsoft 365 Global Administrator or Power BI Service Administrator) or authenticate using a service principal.

So either you have to wait for Microsoft to implement authentication with a service principal (and there is no guarantee they will do that), or you will have to change the authentication (to use an AAD account).
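To see which organization-scope operations a given service principal is actually permitted to call in your tenant, you can probe them one by one and record the result. The script below is an added example, not code from the question or the answer; it assumes the MicrosoftPowerBIMgmt module is installed, and the tenant, workspace and capacity IDs are placeholders.

```powershell
# Added example: report which organization-scope calls the signed-in
# service principal is allowed to make. All IDs are placeholders.
$tenantId    = '<tenant-id>'
$workspaceId = '<workspace-id>'
$capacityId  = '<capacity-id>'

# Prompt for the secret rather than storing it in the script:
# user name = application (client) ID, password = client secret.
$credential = Get-Credential -Message 'Application ID and client secret'
Connect-PowerBIServiceAccount -ServicePrincipal -Credential $credential -Tenant $tenantId | Out-Null

# Each probe is one operation from the question, run at organization scope.
# Note: the second probe really assigns the capacity if it is permitted.
$probes = [ordered]@{
    'Read workspaces (organization scope)' = {
        Get-PowerBIWorkspace -Scope Organization -First 1 -ErrorAction Stop
    }
    'Assign capacity (organization scope)' = {
        Set-PowerBIWorkspace -Id $workspaceId -Scope Organization `
            -CapacityId $capacityId -ErrorAction Stop
    }
}

$results = foreach ($name in $probes.Keys) {
    try {
        & $probes[$name] | Out-Null
        [pscustomobject]@{ Operation = $name; Allowed = $true; Detail = '' }
    }
    catch {
        # An 'Unauthorized' status ends up here instead of stopping the script.
        [pscustomobject]@{ Operation = $name; Allowed = $false; Detail = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize -Wrap
Disconnect-PowerBIServiceAccount
```

Running this after each change to tenant settings or role assignments shows whether the change affected what the service principal can do, without relying on a single failing command.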
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Andrey Nikolov |
