Missing scopes in token for calling Power BI REST API, sudden issue since Friday 30/6

[MarksPoint]

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

macOS

What browser(s) / client(s) have you tested

• 💥 Internet Explorer
• 💥 Microsoft Edge
• 💥 Google Chrome
• 💥 FireFox
• 💥 Safari
• mobile (iOS/iPadOS)
• mobile (Android)
• not applicable
• other (enter in the "Additional environment details" area below)

Additional environment details

• browser version: Chrome, Version 136.0.7103.114 (Official Build) (arm64)
• SPFx version: 1.20.0
• Node.js version: 18.20.2

Describe the bug / error

We've been calling the Power BI REST API for about five years using a token retrieved from the web part context's AAD token provider. However, starting around Thursday, May 29 or Friday morning, May 30, the token no longer includes previously granted scopes, resulting in 401 Unauthorized errors on endpoints like https://api.powerbi.com/v1.0/myorg/groups.

Although the Workspace.Read.All permission is granted for the Power BI Service resource, the generated token no longer includes this scope, which appears to be the cause of the failures.

Steps to reproduce

I built a dummy web part to showcase the unexpected behavior. See attached projects below for full reproduction.

Some specifics:

package-solution.json contains following props:

"webApiPermissionRequests": [
      {
        "resource": "Power BI Service",
        "scope": "Workspace.Read.All"
      }
    ],

These permissions have been granted after the solution was installed, which can be seen on the service principal:

Token is retrieved using the web part context object:

const tokenProvider =
  await context.aadTokenProviderFactory.getTokenProvider();
const accessToken = await tokenProvider.getToken(
  "https://analysis.windows.net/powerbi/api"
);

API is then called using a simple fetch with auth bearer token:

// Try to fetch Power BI groups, this requires scope Workspace.Read.All or Workspace.ReadWrite.All
// https://learn.microsoft.com/en-us/rest/api/power-bi/groups/get-groups
const response = await fetch(
  "https://api.powerbi.com/v1.0/myorg/groups",
  {
    headers: {
      Authorization: `Bearer ${accessToken}`,
      "Content-Type": "application/json",
    },
  }
);

The dummy web part will render something like this:

It shows that:

• fetching the token itself was successful
• fetching groups failed in an unexpected 401
• fetching reports was successful (because the token does contain a scope for this endpoint)
• the scopes in the token aren't what's to be expected

The full solution, zipped:
SPFx project.zip

The solution package (unzip first):
power-bi-api-401.sppkg.zip

Expected behavior

The Power BI Service token should contain all the scopes that have been granted to the SharePoint service principal.

[1-chris]

We are also experiencing the exact same issue as you in production web parts. We also see the same scopes on the token that you see ("Dataset.Read.All","Report.Read.All","UserState.ReadWrite.All","MLModel.Execute.All") instead of a greater set of permissions that we have set already within the package-solution.json and SharePoint Online Web Client Extensibility enterprise application.

[Ashlesha-MSFT]

Hello @MarksPoint,
Thank you for bringing this issue to our attention. We will look into it and get back to you shortly.

[Ashlesha-MSFT]

@MarksPoint,
Thank you for the detailed explanation and for sharing the sample SPFx solution files. We appreciate the effort you've taken to clearly demonstrate the issue.

We were able to successfully reproduce the behavior using your sample. As described, the token retrieved via the web part context’s AAD token provider no longer includes the Workspace.Read.All scope for the Power BI Service, even though the permission is granted and visible in the service principal.

We were able to reproduce the issue, and we are investigating it. We have logged this as a bug, and our engineering team will look into it.
Thank you for your patience!

[Marcinthedev]

@Ashlesha-MSFT This is a significant issue for us, as currently no Power BI resources can be accessed.
Could you please provide an estimated timeline for when it might be fixed?
Additionally, is there anything we can do on our end to help expedite the process? For instance, would escalating this through Microsoft Support - perhaps via corporate-to-corporate communication - or using a specific support channel help move things along more quickly?

[MarksPoint]

Hi, it's been over a week since I opened this ticket and the last response simply confirmed the issue without further updates.

This is a significant issue for us, and the lack of communication makes it difficult to plan accordingly. A rough timeline or status update would go a long way in helping us trust that the issue is being actively addressed.

[Ashlesha-MSFT]

@MarksPoint, @Marcinthede,
Thank you for your patience, and I completely understand your concern.

We acknowledge the importance of this issue and apologize for the delay.

Appreciate your understanding, and we’ll keep you posted as soon as we have more information.

[extprira]

We are also experiencing the exact same issue as you in production web parts. We defined the same scopes for getting dashboards in package.json ("Dashboards.Read.All"). we are getting 401 (Unauthorized) error.
@Ashlesha-MSFT , can you provide any timeline to fix this issue. it is impacting production