Power BI October 21 Updates GetUserArtifactAccessAsAdmin API through to PowerShell

There have been some new API updates (September October Power BI 2021) and I thought I would see what they were all about and how you can use them starting with the API mentioned in the October updates.

I haven’t used these APIs before and I thought it would be interesting to see how the documentation holds up.

So the first start at https://powerbi.microsoft.com/en-us/blog/power-bi-october-2021-feature-summary/#post-17563-_Toc84518701

And this links you you to https://docs.microsoft.com/en-gb/rest/api/power-bi/admin/users-get-user-artifact-access-as-admin

So this API returns all the artifacts for a given user which I imagine would be really useful when someone leaves the company and you need to assess the objects that they may own.

To use the API you need to be Power BI admin or Global Admin. I have the Power BI admin so I am good to go.

Delegated permissions are supported. I imagine this needs a lot more investigation as to why and how you would set this up.

There are some limitations, For example you can only make 200 requests per hour. You can click on Try it to try out the API from this URL by logging into your account

But this API’s need you to get the userGraphId. my first question is, What is a userGraphID and how can I get it?

It is mentioned in the documentation. ‘The graph ID of user’

And to be honest that is unhelpful. I have no idea how to get this information to run the API. Its just assumed. I have also asked on the forums and no one else seems to know either.

So to just get an idea of how you would use these APIs, I’m working with one that doesn’t need the userGraphIDhttps://docs.microsoft.com/en-us/rest/api/power-bi/admin/groups-get-groups-as-admin#code-try-0

This will get me out all the objects in power BI and for the time being I just want the top 10.

I added the $expand name and value by creating the name and value and hitting the +

Then hit Run to make sure it works

So where do we use it? Open up Windows Powershell

We can run the commands via Windows Powershell. https://docs.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.1 ISE (Integration Scripting Environment)

powershell_ise.exe

And type in

 login-PowerBI

And now you can create your code

I simply added the URL from the Try it above (Without the Authorisation Line)

Value[0] Simply means give me the first element inside this command and run.

I can go even further an parameterise the URL by doing the following

Param(
[string]$url = 'https://api.powerbi.com/v1.0/myorg/admin/groups?%24top=10&%24expand=users%2Creports%2Cdashboards%2Cdatasets'
)
login-PowerBI
$result = Invoke-PowerBIRestMethod -Url $url -Method Get 
$workspaceContents = $result | convertFrom-Json
$firstworkspace = $workspacecontents.value[1]
$firstworkspace

This is great

  • But what if I want to automate this and, for example create a json file from it once a month?
  • And what if I don’t want to have to run it as the Power BI Admin?

Back to the original question regarding userGraphId

It seems that many other people have asked this question. I got a possible answer on the Power BI Issues forum saying that the userGraphID is the users Object ID that you can find in azure Active Directory – Users.

So I went into Azure – Azure Active Directory – Users and took my Object ID

I added the Object ID and got the results back that I was hoping for.

Great. This gives all the artifacts that I own. Can I now do this in Powershell like the previous API? Open Powershell again.

powershell_ise.exe

Can I reuse the Previous Script.

Open my previous Script. InvokePowerBIRESTMethos.ps1

 Param(
    #commented out the other API
    #[string]$url = 'https://api.powerbi.com/v1.0/myorg/admin/groups?           %24top=10&%24expand=users%2Creports%2Cdashboards%2Cdatasets' 

    [string]$url = 'https://api.powerbi.com/v1.0/myorg/admin/users/objectID/artifactAccess'

   )

login-PowerBI


$result = Invoke-PowerBIRestMethod -Url $url -Method Get 

$workspaceContents = $result | convertFrom-Json

$firstworkspace = $workspacecontents.value[1]
$firstworkspace 

And this works. I get back all my objects

So this is just the initial investigation. To do

  • How to Delegate Permissions for this API?
  • How to Automate the Powershell script and create a dataset to work with?

And even further research

  • can we automate checking between a list of users from Yesterday and today to see who has gone to automate the process even further?
  • Is it possible that Azure can handle use cases where we know the user is leaving and have assigned a leave date in Azure Active Directory?
  • Then Feed this loop into the API to generate this list so we know what reports need to have their ownership taken over
  • Automate the handling of take over accounts

Create your website with WordPress.com
Get started