
Access to the Resource is forbidden when using Power BI & the Governance.storage report

Open denverwilliams opened this issue 11 months ago • 3 comments

🐛 Problem

When using the Governance.storage Power BI report, there are a few tables (AdvisorRecommendations, AdvisorReservationRecommendations, Disks, ManagementGroups) that run Azure Resource Graph queries to populate the report.

I am able to get this report to work if I set up Power BI to use a Global Admin account to connect to Azure Resource Graph, which seems overkill; from the documentation I've seen, only Reader should be required.

If I try to run the same Azure Resource Graph queries that are being used in Power BI with az-cli/PowerShell and Reader access, I can execute the queries just fine and don't have any access issues. But when running the Power BI report, if it's done with anything less than Global Admin, the report fails with forbidden errors.

The Azure Resource Graph queries in PowerBI run at a tenant level, and I suspect this is why these fail with just Reader access. 

👣 Repro steps

  1. Run the Governance.storage.pbit Power BI Report. 

  2. Connect to Azure Resource Graph using an account with Reader Access only. 

🤔 Expected

It would be good to get clarity on what the minimum access requirements are in order to run the Governance.storage Power BI report. Or is Global Admin really the minimum required for this report?

📷 Screenshots

[Screenshot attached to the issue; not reproduced here]

denverwilliams avatar Jan 26 '25 06:01 denverwilliams
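The post above compares ARG access from az-cli/PowerShell with the report's behaviour. The following is an added example, not code from the issue or from the FinOps toolkit, that a reviewer can run as the Reader-only identity to check the least-privilege question directly: it lists the identity's role assignments, runs one ARG query at tenant scope (the way the report does) and again scoped to each subscription the identity can list, and reports how many subscriptions each returns. The query string is a constructed placeholder, not one of the report's own queries; the `-SignInName` lookup assumes the identity is a user account (a service principal would use `-ObjectId`). It assumes the Az.Accounts, Az.Resources and Az.ResourceGraph modules are installed.

```powershell
# Added example (not from the issue or the FinOps toolkit): verify, as the
# Reader-only identity, what a tenant-scoped Azure Resource Graph query
# returns, and compare it with the identity's RBAC assignments.
# Requires Az.Accounts, Az.Resources and Az.ResourceGraph.

# Sign in interactively as the account under test.
Connect-AzAccount | Out-Null
$ctx = Get-AzContext

# 1. Role assignments granted to this identity (assumption: a user account;
#    for a service principal use -ObjectId instead of -SignInName).
$assignments = Get-AzRoleAssignment -SignInName $ctx.Account.Id |
    Select-Object RoleDefinitionName, Scope

# 2. Tenant-scoped query, the way the report issues it. Placeholder query:
#    substitute the report's own query text when reproducing the issue.
$query = 'Resources | summarize resourceCount = count() by subscriptionId'
try {
    $tenantRows = Search-AzGraph -Query $query -UseTenantScope -First 1000
} catch {
    # A 403 here, with an identity that succeeds per-subscription below,
    # points at the tenant-scope call rather than missing RBAC on resources.
    Write-Warning "Tenant-scoped query failed: $($_.Exception.Message)"
    $tenantRows = @()
}

# 3. Same query, explicitly scoped to each subscription the identity can list.
$subIds  = @((Get-AzSubscription).Id)
$subRows = Search-AzGraph -Query $query -Subscription $subIds -First 1000

# Summarise: if the two subscription counts match, Reader is sufficient for
# ARG itself and the forbidden error comes from how the report authenticates.
[pscustomobject]@{
    RoleAssignments          = $assignments.Count
    ReaderScopes             = ($assignments | Where-Object RoleDefinitionName -eq 'Reader').Scope
    SubscriptionsListed      = $subIds.Count
    SubscriptionsInTenantQry = @($tenantRows.subscriptionId | Sort-Object -Unique).Count
    SubscriptionsInSubQry    = @($subRows.subscriptionId | Sort-Object -Unique).Count
} | Format-List
```

If the tenant-scoped query succeeds and returns the same subscriptions as the per-subscription run, the Reader role is enough for Resource Graph and the difference lies in the credential or connection Power BI uses, which is where the maintainers' replies below point.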

This is very strange. I don't have global admin access and I've never run into this. I would file a support request against ARG to get assistance with this. I'm not sure how to troubleshoot this without having someone else try their account.

@nteyan Have you seen anything like this before?

flanakin avatar Feb 02 '25 16:02 flanakin

@denverwilliams I’m not able to reproduce this either. In all my tests, reader permissions are sufficient. Do you have any JIT policies configured? The queries run at the tenant level but respect the permissions of your user. If you only have results to a few subscriptions within that tenant, the results would only be related to those resources. @flanakin Should this be investigated by the Entra ID or Power BI team?

arthurclares avatar Feb 24 '25 23:02 arthurclares

@arthurclares Power BI might be a good first start. I suspect there's something going on with how auth is configured in the report.

flanakin avatar Feb 25 '25 10:02 flanakin