What Minimum Azure Permissions Are Required to Publish a Power BI Report Using 'App Owns the Data'?

Below is a summary of what you need to ask for so that you receive only the minimum necessary privileges:

1. Azure AD Application Registration or Service Principal Setup

• Application Registration Permission:
  If you need to use a service principal for embedding (the recommended approach for App Owns Data), you must have an Azure AD application registered. In many organizations only admins can register applications. Ask your Azure admin either to:
  • Grant you permission to register applications (if your organization allows that), or
  • Create the required Azure AD application on your behalf.
• API Permissions for the App:
  The registered application must have the requisite Power BI API permissions (for example, permissions like Dataset.ReadWrite.All and Report.Read.All) consented by an admin. This enables your app to request embed tokens and interact with the Power BI service.

2. Power BI Workspace Access via Service Principal

• Workspace Role Assignment:
  In the Power BI Service, the service principal (or the AAD app) must be added to the target Power BI workspace where your reports reside. For publishing and embedding, the minimum effective role is typically Contributor (sometimes referred to as Member).
  • Ask that the service principal be granted Contributor-level access on the specific workspace.
  • If your scenario requires additional administrative capabilities (for example, to add or remove content), then a higher role like Workspace Admin might be necessary, but for publishing and embedding the minimum is Contributor.

3. Premium Capacity Considerations (if applicable)

• Capacity Assignment:
  If your embedded solution uses a Power BI Premium capacity (or Embedded capacity), ask the admin to ensure that the service principal is enabled for use with that capacity and is also added as a contributor in the capacity settings if required. This confirms that the service principal can publish and refresh content under the dedicated capacity.

Putting It All Together

You can send your Azure administrator a request along these lines:

“I need to set up a Power BI App Owns Data embedding scenario. Could you please help by:

1. Either granting me (or creating on my behalf) an Azure AD application registration with the necessary Power BI API permissions (e.g., Dataset.ReadWrite.All) and ensuring it has admin consent; and
2. Granting the service principal associated with that application Contributor access to the specific Power BI workspace (and the relevant Premium capacity if we’re using one)?

This will enable me to publish reports and to configure the embedding with the minimum required privileges.”

By phrasing your request in this way, you limit the permissions to just those needed for the App Owns Data scenario.

---

This approach provides you with the minimal required Azure and Power BI permissions without overreaching into broader administrative rights.