Access to the Resource is forbidden when using Power BI & the Governance.storage report

[denverwilliams]

🐛 Problem

When using the Governance.storage PowerBI Report, there are a few tables, 'AdvisorRecommendations, AdvisorReservationRecommendations, Disks, ManagementGroups' that run Azure Resource Graph Queries to populate the report. 

I am able to get this report to work if I setup PowerBI to use a Global Admin Account to connect to Azure Resource Graph. Which seems overkill, and from documentation I've seen, only Reader should be required. 

If I try to run the same Azure Resource Graph queries that are being used in PowerBI with az-cli/powershell and Reader Access, I can execute the queries just fine and don't have any access issues. But when running the PowerBI report, if it's done with anything less than Global Admin, the report fails with forbidden errors.

The Azure Resource Graph queries in PowerBI run at a tenant level, and I suspect this is why these fail with just Reader access. 

👣 Repro steps

1. Run the Governance.storage.pbit Power BI Report. 

2. Connect to Azure Resource Graph using an account with Reader Access only. 

🤔 Expected

It would be good to get clarity on what the minimum access requirements are in order to run the Governance.storage PowerBI Report. Or is Global Admin really the minimum required for this report?

📷 Screenshots

[flanakin]

This is very strange. I don't have global admin access and I've never run into this. I would file a support request against ARG to get assistance with this. I'm not sure how to troubleshoot this without having someone else try their account.

@nteyan Have you seen anything like this before?