topic Re: Power BI API with service principal - 401 unauthorized in Developer

Power BI API with service principal - 401 unauthorized

matoxin — Mon, 22 Mar 2021 11:20:19 GMT

Hello everyone,

recently I have been trying to make Power BI APIs work with service principal authentication. All steps mentioned in this article https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal are done:

- an Azure AD app is registered (service principal created)

- an AD security group is created, the app is added to this group

- a Power BI admin has enabled service principal access in the admin portal

- the service principal and the security group are added to the workspace (and granted the admin role)

I am able to generate an access token using the POST method for https://login.microsoftonline.com/common/oauth2/token (screenshot below).

The issue is that whenever this token is used for any further calls (I have tried both non-admin and admin APIs - when it comes to admin ones, I only tested the supported APIS - can be seen in this article https://docs.microsoft.com/en-us/power-bi/admin/read-only-apis-service-principal-authentication), I am shown the 401 unauthorized error.

So my question is: did I overlook some security setting perhaps? Our company uses MFA, but service principals do not use that from what I have found on this forum/in the documentation. Or is the generated token invalid somehow?

Any help is greatly appreciated.

Re: Power BI API with service principal - 401 unauthorized

Everton — Tue, 23 Mar 2021 04:02:11 GMT

Hi,

What API Permissions are set up in your App Registration for Power BI? Everything else seems ok.

Re: Power BI API with service principal - 401 unauthorized

matoxin — Tue, 23 Mar 2021 08:33:09 GMT

Hello, at the moment, the app has the following API permissions:

- Dataset.ReadAll

- Report.ReadAll

- Workspace.ReadAll

I assume that Tenant.ReadAll should be added as well - is that correct?

Re: Power BI API with service principal - 401 unauthorized

v-lionel-msft — Thu, 25 Mar 2021 07:28:42 GMT

Hi @matoxin ,

Considerations and limitations

Have you checked these considerations and limitations?

Best regards,
Lionel Chen

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Re: Power BI API with service principal - 401 unauthorized

matoxin — Thu, 25 Mar 2021 08:10:16 GMT

Hello Lionel,

yes, we have checked that article multiple times - to make sure we have not forgotten anything.

Re: Power BI API with service principal - 401 unauthorized

Mthompson1984 — Fri, 30 Apr 2021 18:10:39 GMT

I'm curious if you were ever able to resolve this - I'm having the same issue. 401 unauthorized on all calls.

Re: Power BI API with service principal - 401 unauthorized

DavidCousinsT — Sun, 09 May 2021 16:56:56 GMT

Try getting the token with your resource set as:

https://analysis.windows.net/powerbi/api/.default

Also make sure that your tenant admin has added the AAD security group to the "specific security group" list in Power BI.

Re: Power BI API with service principal - 401 unauthorized

matoxin — Mon, 10 May 2021 07:25:12 GMT

No, not yet - still trying to figure this out. Will update the thread if I find anything.

Re: Power BI API with service principal - 401 unauthorized

matoxin — Mon, 10 May 2021 12:32:45 GMT

When I tried getting the token with the resource set to https://analysis.windows.net/powerbi/api/.default, it threw the following error:

The AAD security group (and also the service principal) has been added to the specific security group list in our Power BI workspace.

Re: Power BI API with service principal - 401 unauthorized

DavidCousinsT — Mon, 10 May 2021 20:53:03 GMT

Oh, that's easy then. Your POST is wrong. Didnt spot it the first time round because it was right at the top 😄 It must have the tenant ID in it, not 'common'

I use:

https://login.microsoftonline.com/[tenantid]/oauth2/v2.0/token/

Re: Power BI API with service principal - 401 unauthorized

DavidCousinsT — Mon, 10 May 2021 21:03:58 GMT

Ah, you've been using a different API. Not sure that one would ever work. Heres the working oauth one I have:

Re: Power BI API with service principal - 401 unauthorized

matoxin — Tue, 11 May 2021 08:18:03 GMT

Thank you so much, this actually worked, I was finally able to generate a bearer token without any error messages.

The issue now is that whatever call I make using this token, I get the following error:

I tried finding more information about this and everything points to some issue with permissions, but I cannot figure out what's wrong (I have tested both non-admin and some of the supported admin calls). Please, do you have any idea what might be the problem?

UPDATE: some non-admin calls actually work, but I was not able to make any of the admin ones work properly. I have checked Azure again to make sure I have all the correct permissions assigned, and it seems to be the case:

Is anything missing?

Re: Power BI API with service principal - 401 unauthorized

Anonymous — Tue, 23 Aug 2022 09:27:36 GMT

Hi, we are experiencing a similar problem. Were you able to solve the issue?

Re: Power BI API with service principal - 401 unauthorized

Anonymous — Thu, 28 Dec 2023 07:22:49 GMT

Hi, I meet tyhe same issue, could you please share your solution, thanks

Re: Power BI API with service principal - 401 unauthorized

q2bi — Wed, 29 May 2024 08:56:44 GMT

A long time has passed, do you remember how to add AD security group to PowerBI?