Limit Enterprise App API permissions

Joe H 96 Reputation points
2024-07-01T17:51:29.32+00:00

I have a third party requesting some pretty high level Power BI API permissions for an Entra ID Enterprise Application. The most concerning are the "Read and write all" for datasets, workspaces, etc. (see screenshot). Can these permissions be limited to a specific workspace? The way I'm reading them it will give the app access to every Power BI workspace, dataset, and dashboard in our Power BI tenant.

[screenshot: pbi]

Microsoft Entra ID

3 answers

  1. akinbade abiola 7,430 Reputation points
    2024-07-01T23:42:48.07+00:00

    Hello Joe H,

    Thanks for your question.

    Yes, you can limit Power BI API permissions by workspace using a service principal.

    1. Register your application in Entra ID to obtain a client ID and client secret.
    2. Use Power BI Service to assign it to workspaces with appropriate roles. https://video2.skills-academy.com/en-us/power-bi/developer/embedded/embed-service-principal#register-an-application-in-azure-ad
    3. Assign Service Principal to Workspaces using Add-PowerBIWorkspaceUser
    4. Use Power BI REST API to Manage Workspace-Specific Permissions

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    Regards,

    Abiola

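The workspace-scoped assignment that steps 2 and 3 of the answer above describe, as an added example (not the answerer's code). It assumes the MicrosoftPowerBIMgmt module is installed, that the person running it is an admin of the target workspaces, and that the tenant setting "Allow service principals to use Power BI APIs" is enabled; the service principal object ID and workspace names are placeholders. The principle it demonstrates is that the app is granted a workspace role per workspace, so nothing outside the listed workspaces is reachable, and the final query confirms that:

```powershell
# Added example; not code from the answer or from Microsoft. All IDs and names are placeholders.
Import-Module MicrosoftPowerBIMgmt

# Object ID of the enterprise application's service principal (Entra ID > Enterprise applications),
# not the application (client) ID. Placeholder value.
$servicePrincipalObjectId = '00000000-0000-0000-0000-000000000000'

# Only the workspaces the third party actually needs; nothing else is granted.
$allowedWorkspaces = @('Finance Reporting', 'Sales Dashboard')   # placeholder names

Connect-PowerBIServiceAccount   # interactive sign-in as a workspace admin

foreach ($name in $allowedWorkspaces) {
    $ws = Get-PowerBIWorkspace -Name $name
    if (-not $ws) { Write-Warning "Workspace '$name' not found; skipping"; continue }

    # Least privilege: Viewer if the app only reads, Contributor if it must publish datasets.
    Add-PowerBIWorkspaceUser -Id $ws.Id -PrincipalType App `
        -Identifier $servicePrincipalObjectId -AccessRight Viewer
}

# Verify: list every workspace where the service principal holds a role.
# Anything not in $allowedWorkspaces is an over-grant to remove with Remove-PowerBIWorkspaceUser.
Get-PowerBIWorkspace -Scope Organization -Include All |
    Where-Object { $_.Users | Where-Object { $_.Identifier -eq $servicePrincipalObjectId } } |
    Select-Object Name, Id
```

Note that this model works without granting the app any Power BI application permissions in Entra ID; the app's reach is then exactly the set of workspace roles shown by the last query, which is what to re-run periodically.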

  2. Vasil Michev 99,431 Reputation points MVP
    2024-07-02T06:31:15.47+00:00

    If those are application permissions, the app will indeed get access to any and all workspaces, datasets and dashboards within your tenant; there is no way to limit that currently. If the app is requesting delegate permissions instead, its access will be limited to the specific workspaces (groups) to which the corresponding user is added (as in the delegate permissions model the effective permissions are the cross-section of the permissions granted to the app and that of the user).

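Because the distinction in the answer above decides whether the grant is tenant-wide, the first thing to check is which kind the third party's app actually holds. The script below is an added example (not the answerer's code) that reads both records from Microsoft Graph: application permissions live as app role assignments on the service principal, delegated permissions as OAuth2 permission grants. It assumes the Microsoft.Graph PowerShell SDK is installed and the caller can read application and directory data; the enterprise application's display name is a placeholder.

```powershell
# Added example; not code from the answer or from Microsoft. Display name is a placeholder.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$appDisplayName = 'Third-Party Power BI Connector'   # placeholder
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "Enterprise application '$appDisplayName' not found" }

$report = @()

# Application permissions: app role assignments on the service principal.
# Each one applies to the whole tenant; there is no per-workspace scope.
foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    $report += [pscustomobject]@{
        Type       = 'Application'
        Resource   = $resource.DisplayName
        Permission = $role.Value
        Scope      = 'Entire tenant'
    }
}

# Delegated permissions: OAuth2 permission grants. Effective access is the
# intersection of the grant and the signed-in user's own Power BI access.
foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'") {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
        $report += [pscustomobject]@{
            Type       = 'Delegated'
            Resource   = $resource.DisplayName
            Permission = $scope
            Scope      = if ($g.ConsentType -eq 'AllPrincipals') {
                             "Any user, limited to that user's access"
                         } else {
                             "Specific user, limited to that user's access"
                         }
        }
    }
}

$report | Sort-Object Type, Resource, Permission | Format-Table -AutoSize

# Application rows for the Power BI resource (e.g. Dataset.ReadWrite.All) are the
# ones the question is about: they cannot be narrowed to a single workspace.
$tenantWide = $report | Where-Object { $_.Type -eq 'Application' -and $_.Resource -like 'Power BI*' }
if ($tenantWide) {
    Write-Warning "$($tenantWide.Count) tenant-wide Power BI application permission(s) are granted"
}
```

If the warning fires, the practical options are to decline the application permissions and have the vendor use a service principal assigned per workspace, or to accept them knowingly as a tenant-wide grant and monitor the app's sign-in and Power BI activity logs accordingly.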

  3. Navya 6,200 Reputation points Microsoft Vendor
    2024-07-02T09:07:36.8666667+00:00

    Hi @Joe H

    Thank you for posting this in Microsoft Q&A.

    There are two types of permissions, Delegated and Application permissions. Delegated permission requires a user to sign in and needs consent from the user, while the Application permission uses its own application identity (Application ID and credential certificate or client secrets) to authenticate against Entra ID without requiring a user's consent.

    Can these permissions be limited to a specific workspace?

    These permissions should not be limited to a specific workspace. The permissions you mentioned are delegated, which means they grant access to all datasets, workspaces, and reports that the signed-in user has permissions for.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.