Unable to access admin API using service principal authentication

[ishan1510]

What are you trying to achieve?
I am working with semantic-link-labs library to get audit log and some other info like list of reports, workspaces, users, capacities etc. Its working when I'm signed in using the power BI admin account but want to get it work using the service principal.

What have you tried so far?
Based on the guidelines and documentation given by MS I have given all necessary permission and role but its not working. I'm unable to find what else is missing.

Here's what I have done -

• Created a service principal.
  Assigned it fabric administrator role.
  Added following API permissions -
  Microsoft Graph - Directory.Read.All, User.Read.All (application)
  Power BI service - Tenant.ReadWrite.All (Application) & Delegated permission on Capacity, Item, Lakehouse, OneLake, Report, Semantic Model, Tenant, Warehouse etc.
• Create a security group and added this service principal into it as a member.
• Power BI Admin portal -
  Developer Settings
  Enable all service principal related options and added the security group into it.
  Admin API settings
  Enabled "Service principal can access read-only admin API's" & "Service principal can access admin API's used for updates.

Code
import sempy_labs as labs
from sempy_labs import admin, graph
from sempy_labs.tom import connect_semantic_model

with labs.service_principal_authentication(
key_vault_uri = 'https://ishankeyvault01.vault.azure.net/',
key_vault_tenant_id = 'TenantID',
key_vault_client_id = 'ClientID',
key_vault_client_secret = 'ClientSecret'):

df1 = admin.list_capacities()
display(df1)

Error Message
FabricHTTPException: 401 Unauthorized for url: https://api.fabric.microsoft.com//v1.0/myorg/admin/capacities
Error: {"error":{"code":"PowerBINotAuthorizedException","pbi.error":{"code":"PowerBINotAuthorizedException","parameters":{},"details":[],"exceptionCulprit":1}}}
Headers: {'Cache-Control': 'no-store, must-revalidate, no-cache', 'Pragma': 'no-cache', 'Transfer-Encoding': 'chunked', 'Content-Type': 'application/json; charset=utf-8', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'X-Frame-Options': 'deny', 'X-Content-Type-Options': 'nosniff', 'RequestId': 'ab4476dc-6858-4c80-bc3c-bb78d9787d5c', 'Access-Control-Expose-Headers': 'RequestId', 'request-redirected': 'true', 'home-cluster-uri': 'https://wabi-india-central-a-primary-redirect.analysis.windows.net/', 'Date': 'Fri, 08 Aug 2025 06:37:39 GMT'}

[m-kovalsky]

I think if you add the Tenant.ReadWrite.All API permission then you need to remove all the other pbi API permissions.

[ishan1510]

Updated the API permissions and tried again after few min but still getting the error

Error
FabricHTTPException: 401 Unauthorized for url: https://api.fabric.microsoft.com//v1.0/myorg/admin/capacities
Error: {"error":{"code":"PowerBINotAuthorizedException","pbi.error":{"code":"PowerBINotAuthorizedException","parameters":{},"details":[],"exceptionCulprit":1}}}
Headers: {'Cache-Control': 'no-store, must-revalidate, no-cache', 'Pragma': 'no-cache', 'Transfer-Encoding': 'chunked', 'Content-Type': 'application/json; charset=utf-8', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'X-Frame-Options': 'deny', 'X-Content-Type-Options': 'nosniff', 'RequestId': 'ebeebdec-2abd-4b07-b35d-1120293a1569', 'Access-Control-Expose-Headers': 'RequestId', 'request-redirected': 'true', 'home-cluster-uri': 'https://wabi-india-central-a-primary-redirect.analysis.windows.net/', 'Date': 'Fri, 08 Aug 2025 06:53:26 GMT'}

[ishan1510]

Let me know if any additional information is required

[MitchSS]

I had the same issue and was able to resolve it by removing the Tenant.ReadWrite.All permission too (as per the docs).

When using service principal authentication for Power BI/Fabric Admin APIs, access is controlled by tenant settings in the Fabric Admin Portal, not by Azure AD application permissions.

Old approach: Adding Power BI Application permissions like Tenant.ReadWrite.All was common for delegated or older flows.
Current model:

• Admin API access for SPNs is granted via tenant settings:

  • Service principals can access read-only admin APIs
  • Service principals can use Fabric APIs
  • These settings are scoped to security groups that include your SPN.

• If the app has any Power BI Application permissions, the token includes roles claims (e.g., Tenant.ReadWrite.All), and the API rejects the call with PowerBINotAuthorizedException (401).

In short: Remove all Power BI Application permissions from the app. Control access through tenant settings and security groups.

Docs:
Enable service principal authentication for admin APIs

[ishan1510]

Tried removing the power bi service permission but still getting the same error