Service principal doesn't respect delegated permissions

Frithjof Aarrestad Vassbø 20 Reputation points
2024-09-05T04:24:35.43+00:00

Hi,

When a user uses a service principal to call the Power BI Rest API, why does it retrieve more data than the user themself has access to?

Background:

In order to use the Power BI Rest API, we need to create an app registration and give the app registration Delegated permissions to use the API.

https://video2.skills-academy.com/en-us/rest/api/power-bi/#scopes

Delegated permissions means an application can access resources on behalf of the user, but it can only access resources which the user has access to.

https://video2.skills-academy.com/en-us/entra/identity-platform/permissions-consent-overview#delegated-acc...

Now let's say we use the app registration's service principal to authenticate to the Power BI Rest API.

Let's say we add the service principal to some workspaces in Power BI. We add the service principal to more workspaces than the user is added to.

When the user then calls the Power BI Rest API by using the service principal, the user can retrieve more data than the user themself has access to.

Does the service principal not respect the "delegated permissions" setting on the App registration?

How does this work?

Is there a conceptual difference between authenticating through an app registration vs. authenticating by using the service principal?

I'm new to the concept of app registration and service principal, and trying to understand how it works. Hope someone can explain why the service principal returns more data than the user themself has access to, even if we applied "delegated permissions".

I want to use a service principal in order to authenticate to the Power BI Rest API.


Accepted answer
Vasil Michev 103.9K Reputation points MVP
2024-09-05T07:54:07.7566667+00:00

A service principal object is the local-tenant representation of an Azure AD application (app registration). For the purposes of this discussion, you can think of them as the same thing. The difference in permissions is a direct result of the authentication method used.

If the app/service principal is authenticating via the so-called client credentials flow (via client secret or certificate), it runs without an associated user and effectively gets unrestricted access to all resources in your tenant, subject to the granted permissions of course. This seems to be what the PowerBI folks refer to as the "service principal" scenario.

If the app/service principal authenticates via the so-called public client flow, there is always a user element involved, and the resulting permissions are the subset of permissions granted to the user and the app itself. Thus in this scenario, the app will never be able to access anything the user does not have access to.

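A practical way to confirm which of the two flows described in the answer produced a given token is to look at the token itself rather than at the app registration's permission settings. The example below is added here and is not code from the original post or from Microsoft; it uses only the Python standard library and decodes constructed, unsigned sample tokens (no real tenant, app, user or signature) to show the claims that differ. A delegated token carries an `scp` claim with the consented delegated scopes plus user claims such as `upn`; a client credentials token has no user and no `scp`, and any granted application permissions appear in `roles`. The `build_unsigned_token` helper, the placeholder GUIDs and the `user@example.com` UPN are assumptions for the fixture; `https://analysis.windows.net/powerbi/api` is the Power BI REST API resource identifier and `Workspace.Read.All` / `Dataset.Read.All` are Power BI delegated scopes.

```python
# Added example (not from the original post): tell whether an Entra access
# token came from the client credentials flow (app-only, no user) or from a
# delegated flow (a signed-in user), by reading its claims. Stdlib only.
import base64
import json

# Power BI REST API resource identifier used as the token audience. Every
# other value in the sample tokens below is constructed for illustration.
POWERBI_RESOURCE = "https://analysis.windows.net/powerbi/api"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_token(claims: dict) -> str:
    """Build a compact JWS with a dummy signature (assumed helper). Only for
    constructing offline fixtures; a real token is signed by Entra ID."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature. Fine for inspecting
    a token you just obtained for your own app; never use this to authorize."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str) -> dict:
    """Return which flow produced the token and what it is good for.

    Delegated tokens (auth code / device code / interactive flows) carry an
    'scp' claim listing the consented delegated scopes, plus user claims such
    as 'upn'/'preferred_username'/'oid' of the user. Client credentials tokens
    have no user and no 'scp'; granted application permissions show up in
    'roles'. For Power BI, an app-only token's 'roles' is commonly empty,
    because access is granted by adding the service principal to workspaces.
    """
    claims = decode_jwt_payload(token)
    kind = "delegated" if "scp" in claims else "app-only"
    return {
        "kind": kind,
        "audience": claims.get("aud"),
        "app_id": claims.get("appid") or claims.get("azp"),
        "user": claims.get("upn") or claims.get("preferred_username"),
        "scopes": claims["scp"].split() if kind == "delegated" else [],
        "roles": list(claims.get("roles", [])),
    }


# Constructed fixtures. In a real setup the first would come from
# msal.ConfidentialClientApplication.acquire_token_for_client(scopes=[...]),
# the second from acquire_token_by_authorization_code(...) or from
# msal.PublicClientApplication.acquire_token_interactive(scopes=[...]).
TENANT_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"

SAMPLE_APP_ONLY = build_unsigned_token({
    "aud": POWERBI_RESOURCE,
    "iss": TENANT_ISSUER,
    "appid": "11111111-1111-1111-1111-111111111111",  # the app registration
    "oid": "22222222-2222-2222-2222-222222222222",    # its service principal
    "idtyp": "app",                                   # optional claim, if configured
    "roles": [],
})

SAMPLE_DELEGATED = build_unsigned_token({
    "aud": POWERBI_RESOURCE,
    "iss": TENANT_ISSUER,
    "appid": "11111111-1111-1111-1111-111111111111",  # same app registration
    "oid": "33333333-3333-3333-3333-333333333333",    # the signed-in user
    "upn": "user@example.com",
    "scp": "Workspace.Read.All Dataset.Read.All",
})


if __name__ == "__main__":
    for label, tok in (("app-only", SAMPLE_APP_ONLY), ("delegated", SAMPLE_DELEGATED)):
        print(label, classify_token(tok))
```

Run it against a token your own client actually received (paste it into `classify_token`) and the `kind` field tells you which situation you are in: if it says `app-only`, the Power BI service sees only the service principal, so its workspace memberships decide what is returned and the user's own access never enters the picture; the "Delegated permissions" consent on the app registration only governs tokens that contain `scp`.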
