PowerBI API error updating Dataset using Service Principal

Question

Requirement: Update PowerBI dataset schedule using Powershell script via a Service Principal. PowerBI API used. Refer: MicrosoftDocs

Error Message: "Message":"API is not accessible for application"

What I did:

1. Provided PowerBI application API permissions in Azure AD. Admin access given to Service Principal in PowerBI workspaces.

   

2. Put the SP in a AD Group. MAde this AD Group the Admin of the Power BI Workspace and Dataset (under Power BI Admin Settings)

3. Used access token generated using Service Principal. Invoke-RestMethod for API request.

   $SecPasswd = ConvertTo-SecureString $ClientSecret -AsPlainText -Force
   $ClientCred = New-Object System.Management.Automation.PSCredential($ClientId,$SecPasswd)
   
   Connect-PowerBIServiceAccount -Tenant $tenantId -ServicePrincipal -Credential $ClientCred
   $accessToken = Get-PowerBIAccessToken
   $authHeader = @{'Content-Type'='application/json','Authorization'= $accessToken.Authorization}
   $uri="https://api.powerbi.com/v1.0/myorg/datasets/$datasetId/refreshSchedule"
   Invoke-RestMethod -Uri $uri –Headers $authHeader –Method Patch -Body ($jsonBase | ConvertTo-Json) -ContentType "application/json"
   

Observations:

Used datasetId of my workspace and run the script. 2 Scenarios:

1. Using Service Principal access token in Authorization header. Got - Forbidden 403 Error. "Message":"API is not accessible for application.
2. When using access token generated with my user credentials in the Authorization header the script runs successfully.
3. Tried various datasets in other workspaces

What permissions am I missing to update the datasets schedule using Service Principal?

Answer 1

The URL in the Microsoft API documentation is wrong for service principals.

You need to also include the workspace ID in the URL, see below

https://api.powerbi.com/v1.0/myorg/groups/{WorkspaceID}/datasets/{DatasetId}refreshes

Answer 2

Service principal is not supported for accessing My Workspace:

Considerations and limitations

• Service principal only works with new workspaces.
• My Workspace isn't supported when using service principal.
• A capacity is required when moving to production.
• You can't sign into the Power BI portal using service principal.
• Power BI admin rights are required to enable service principal in developer settings within the Power BI admin portal.
• Embed for your organization applications can't use service principal.
• Dataflows management is not supported.
• Service principal only supports some read-only admin APIs. To enable service principal support for read-only admin APIs, you have to enable the Power BI service admin settings in your tenant. For more information, see Enable service principal authentication for read-only admin APIs.
• When using service principal with an Azure Analysis Services data source, the service principal itself must have an Azure Analysis Services instance permissions. Using a security group that contains the service principal for this purpose, doesn't work.

You should either move your dataset to a new workspace, or change the authentication method.