topic Re: Power Bi REST API - 401 Authorization error when using app secret in Developer

Power Bi REST API - 401 Authorization error when using app secret

tripleacoder — Wed, 19 Dec 2018 12:24:15 GMT

I have a console app that uses the REST API to get a dataset (and later add rows to it). This works when I supply my own user/password credentials.

Now I have registered the app as a Web/API app in order to use an app key/secret instead. I can get a token, but when I make the same REST call I get 401 Unauthorized.

I have given the app the following Application permissions in Power BI Service (is this needed?):

Read and write all content in tenant

View all content in tenant

These permissions have been granted by an Azure Administrator.

In addition to the Delegated permissions that worked with user authentication:

Read and write all Datasets

View all Datasets

I have decode the two tokens.

The token for app key autentication contains this:

"roles": [
"Tenant.ReadWrite.All",
"Tenant.Read.All"
],

while the token for user based authentication contains this:

"scp": "Dataset.ReadWrite.All Workspace.ReadWrite.All",

What am I missing..?

Re: Power Bi REST API - 401 Authorization error when using app secret

zoloturu — Wed, 19 Dec 2018 13:19:52 GMT

@tripleacoder,

Could you try to mention an access level in API request?

https://docs.microsoft.com/en-us/rest/api/power-bi/embedtoken/reports_generatetoken#tokenaccesslevel

Regards,
Ruslan
-------------------------------------------------------------------
Did I answer your question? Mark my post as a solution!

Re: Power Bi REST API - 401 Authorization error when using app secret

tripleacoder — Wed, 19 Dec 2018 13:28:36 GMT

Could you try to mention an access level in API request?

https://docs.microsoft.com/en-us/rest/api/power-bi/embedtoken/reports_generatetoken#tokenaccesslevel

I'm not sure what you mean. The link goes to "Required access level for EmbedToken generation", but I'm not using the Embed Token API.

I get the token using this code:

const string authorityUri = "https://login.microsoftonline.com/" + tenantId;

AuthenticationContext authContext = new AuthenticationContext(authorityUri);

        
AuthenticationResult result = null;
         
result = await authContext.AcquireTokenAsync(resourceUri, clientCredential);

Re: Power Bi REST API - 401 Authorization error when using app secret

tripleacoder — Wed, 19 Dec 2018 15:02:13 GMT

I found this link:

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#assign-the-application-to-a-role

It talks about assigning roles to the app.

I have now granted my app the Contributor role, but only on a Resource group.

It hasn't helped. I think the Poer BI service resides at the Subscription level... that means I will need help from a global admin again.

Re: Power Bi REST API - 401 Authorization error when using app secret

v-jiascu-msft — Wed, 26 Dec 2018 08:11:00 GMT

Hi @tripleacoder,

It seems you only need an access token. Please refer to developer/embed-sample-for-customers.

Best Regards,
Dale

Re: Power Bi REST API - 401 Authorization error when using app secret

v-jiascu-msft — Wed, 02 Jan 2019 07:22:10 GMT

Hi @tripleacoder,

Could you please mark the proper answers as solutions?

Best Regards,

Dale

Re: Power Bi REST API - 401 Authorization error when using app secret

sjc4062 — Wed, 02 Jan 2019 19:31:41 GMT

I had a simliar issue where i could use my own credentials but not the service account and the issue was the service account didnt have a power bi pro license. Not sure if thats the same issue but might be worth looking at

Re: Power Bi REST API - 401 Authorization error when using app secret

tripleacoder — Thu, 03 Jan 2019 09:23:18 GMT

@v-jiascu-msft wrote:

It seems you only need an access token. Please refer to developer/embed-sample-for-customers.

That link talks about using a special user account (username + password) for the app, not an app secret/service principal, which is what I am trying to do.

However, I have been told elsewhere that roles are not needed in order to authorize service principals. Only "App permissions" are needed.

Re: Power Bi REST API - 401 Authorization error when using app secret

tripleacoder — Thu, 03 Jan 2019 09:25:45 GMT

@sjc4062 wrote:
I had a simliar issue where i could use my own credentials but not the service account and the issue was the service account didnt have a power bi pro license. Not sure if thats the same issue but might be worth looking at

That might be it. But when I go to assign licenses and search for the service principal it does not come up in the results. Not sure if it is getting filtered away because only users and groups are valid, or if it's because I am not an Azure global admin.

Re: Power Bi REST API - 401 Authorization error when using app secret

v-jiascu-msft — Fri, 04 Jan 2019 10:10:23 GMT

Hi @tripleacoder,

Your requirements are quite clear now. You'd like to use the App secret (aka client secret) instead of the user password authentication. I'm afraid this isn't workable in Power BI. The reason is simple. Even the global admin can't access other's contents. How can an App access everything?

Best Regards,
Dale

Re: Power Bi REST API - 401 Authorization error when using app secret

tripleacoder — Fri, 04 Jan 2019 14:43:31 GMT

@v-jiascu-msft wrote:

Your requirements are quite clear now. You'd like to use the App secret (aka client secret) instead of the user password authentication. I'm afraid this isn't workable in Power BI. The reason is simple. Even the global admin can't access other's contents. How can an App access everything?

Thanks. This MS sample posts data to a custom Web API using the same method (but with a custom role):

https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-daemon/

Can you explain a bit more why that won't work with the Power BI REST API? Perhaps also with a link to some documentation...

The app has the permission (=role) "Tenant.ReadWrite.All" which I supposed was for this purpose.

Re: Power Bi REST API - 401 Authorization error when using app secret

v-jiascu-msft — Mon, 07 Jan 2019 03:02:05 GMT

Hi @tripleacoder,

As far as I know, the permissions of Power BI are all based on the users. So an App can't act as a user. Please refer to developer/power-bi-permissions where all the descriptions have "user".

Regarding "Tenant.ReadWrite.All", the documentation above also has a description. Actually, these permissions only can retrieve the profiles rather than data. Please refer to admin/reports_getreportsasadmin.

One simple proof we can see is that even an admin can't access all the App workspaces. The data is the precious asset of a company. I think this is reasonable.

Best Regards,
Dale

Re: Power Bi REST API - 401 Authorization error when using app secret

Anonymous — Thu, 28 Feb 2019 19:47:56 GMT

@v-jiascu-msft

can any power bi pro user register an app for power bi in the below link. I have a user who is power bi admin, and he cant register an app. It throws some error related to access when registering thru this dev.powerbi.com/apps.

https://docs.microsoft.com/en-us/power-bi/developer/register-app

Can u help

Re: Power Bi REST API - 401 Authorization error when using app secret

Anonymous — Thu, 28 Feb 2019 22:46:47 GMT

Most organization have app registrations locked down pretty tight. I am not familiar with that tool for app registration, but I don't imagine it is meant to be a workaround for corporate security restrictions, and I would expect it to fail for most users within most Azure tenants.

Re: Power Bi REST API - 401 Authorization error

Anonymous — Tue, 16 Apr 2019 08:42:48 GMT

I am getting a same error Failed to load resource: the server responded with a status of 401 when I try to open dashboard URL in new tab https://app.powerbi.com/dashboardEmbed?dashboardId=100114d8-9c7c-4ae1-b1d5-291603b4f22c&config=eyJjbHVzdGVyVXJsIjoiaHR0cHM6Ly9XQUJJLVVLLVNPVVRILUItUFJJTUFSWS1yZWRpcmVjdC5hbmFseXNpcy53aW5kb3dzLm5ldCJ9

It works fine on localhost sample dashboard app (C# visual studio 2017)

I am also getting this error on console for https://api.powerbi.com/powerbi/metadata/refreshusermetadata

When i open this link it shows message. See the screenshot below :

The dashboard URL should also work on a new tab too because I want to use this link into another website

Please help me, I am trying to find a solution for this now for two days.

Thanks in advance.

Re: Power Bi REST API - 401 Authorization error when using app secret

Anonymous — Tue, 15 Oct 2019 14:17:04 GMT

Hi All,

I am also geeting the same error when accessing power BI rest API's. I am able to generate token but not proceeding further. Can you please paste your code, which ran successfully exclusive of all tennat id and username and pwd.

Thanks & Regards

@tripleacoder wrote:
I have a console app that uses the REST API to get a dataset (and later add rows to it). This works when I supply my own user/password credentials.

Now I have registered the app as a Web/API app in order to use an app key/secret instead. I can get a token, but when I make the same REST call I get 401 Unauthorized.

I have given the app the following Application permissions in Power BI Service (is this needed?):
Read and write all content in tenant
View all content in tenant
These permissions have been granted by an Azure Administrator.

In addition to the Delegated permissions that worked with user authentication:
Read and write all Datasets
View all Datasets

I have decode the two tokens.
The token for app key autentication contains this:
"roles": [
"Tenant.ReadWrite.All",
"Tenant.Read.All"
],

while the token for user based authentication contains this:
"scp": "Dataset.ReadWrite.All Workspace.ReadWrite.All",

What am I missing..?

Re: Power Bi REST API - 401 Authorization error when using app secret

boylec — Fri, 13 Mar 2020 02:33:03 GMT

This doesn't make any sense.

Power BI released all of this documentation saying that consumers could use service principals to embed reports but we can't use service principals to list the reports in a workspace that the service principal is an admin member of?

Re: Power Bi REST API - 401 Authorization error when using app secret

Anonymous — Thu, 06 Aug 2020 13:59:50 GMT

Why does the sample code for the power bi embedded 'app owns data' scenario use the client credentials route when it is not supported?

Re: Power Bi REST API - 401 Authorization error when using app secret

ironmanwk — Fri, 21 Aug 2020 08:59:50 GMT

My teammate been trying to get REST API to work as well but also encounter the same 401 error message. Is this still an on-going issue or there is a solution we can apply?

Re: Power Bi REST API - 401 Authorization error when using app secret

lysdexia — Thu, 23 Sep 2021 15:13:21 GMT

This is all fine except for one thing: You have to infer the "user Apps only" status of Power BI dataflows.

Something explicit along these lines would have saved me the better part of a week chasing my tail.