Cpcrook
commented
1 year ago In retrospect, this is probably a larger consideration of groups vs. workspaces, which seems pretty blurred right now in documentation / the state of the API, though I do think the behavior is unexpected.
I noticed unexpected behavior between the Get and Set commands PowerBI workspaces:
Connect-PowerBIServiceAccountusing ClientSecret & ClientID credentialsGet-PowerBIWorkspace(should successfully show a list of workspaces to which the SP has access)Set-PowerBIWorkspace -WorkspaceId $workspaceId -CapacityId $capacityId -Scope OrganizationThis doesn't appear to be a permissions issue as making a REST call via
Invoke-PowerBIRestMethodto thehttps://api.powerbi.com/v1.0/myorg/groups/$GroupId/AssignToCapacityendpoint works fine (the SP is a capacity admin). Additionally, the error is a 401 not a 403 so it appears to be authentication related rather than authorizationAfter sniffing traffic with Fiddler, it appears this command is calling the
https://api.powerbi.com/v1.0/myorg/admin/capacities/AssignWorkspacesendpoint which does not appear in the API documentation for capacity.Documentation does appear for this endpoint regarding the Power BI Admin REST API. However, since this commandlet is part of
MicrosoftPowerBIMgmt.Workspacesrather thanMicrosoftPowerBIMgmt.AdminI would expect it to use non-admin endpoints like the one referenced above such that it can accomplish the same task with more limited permissions, as well as keeping these commandlets in line with the principle of least-surprise for other devs.TLDR: Workspace-level capacity setting functionality should not unnecessarily rely on admin endpoints when group/workspace-specific capacity assignment endpoints exists, unless I'm missing something.