topic Re: Azure AD authorization in OData data source: published report refresh problem in Developer

Azure AD authorization in OData data source: published report refresh problem

AuRo — Thu, 10 Jun 2021 15:26:11 GMT

Hi,

my company has a self-developed and self-hosted OData service (asp.net core 5 odata), which uses Azure AD authentication. We need to use the data delivered by the web service in our PBI-Dashboards.

I managed to get it working in the PBI desktop application by following the answer in this SO-Problem (c# - Power Query/PowerBI connecting to Custom oDATA feed secured with AAD - Stack Overflow).

But now after publishing the PBI I'm getting the following error when refreshing the data source online:

Last refresh failed: Thu Jun 10 2021 16:43:07 GMT+0200
It looks like the refresh token expired. Please go to this dataset's settings page, and reenter the OAuth2 credentials for the OData data source.

Underlying error message:

AADSTS70000: Provided grant is invalid or malformed.

Trace ID: ...

Correlation ID: ...

Timestamp: 2021-06-10 14:43:07Z. https://login.windows.net/error?code=7000

The message confuses me, as a refresh token should not be present (or even expired) here at all. And the AADSTS70000 code gets me nowhere tbh. I guess that I have a wrong or missing setting in the app registration in Azure, but I have no idea what or where to look. So any help would be much appreciated.

What i tried so far:

In Azure Portal:
- added the custom scope "user_impersonation" to the app registration
- added the OData-Service-Url to the identifierUris-Array in the Manifest, so there's now 2 uris (https://odata-feed-url.com and api:// 123812a1-1234-1234-aed0-29f21ffbf044)
- added https://preview.powerbi.com/ and https://preview.powerbi.com/views/oauthredirect.html as redirect URIs to the app registration (but this had no effect)
In OData service:
- for all incoming HTTP-requests with an empty Bearer-Authorization Header, a 401-response with a "WWW-Authenticate"-Header with the value 'Bearer realm="" authorization_uri="https://login.microsoftonline.com/{company-tenant-id}/oauth2/v2.0/authorize"' is sent

Re: Azure AD authorization in OData data source: published report refresh problem

Anonymous — Mon, 14 Jun 2021 10:22:10 GMT

Hi @AuRo ,

Please review the content in the following links, hope they can help you.

Azure Graph API 2.0 error in refreshing token: Provided grant is invalid or malformed (AADSTS70000)

invalid grant when trying to get token for azure AD graph api

Best Regards

Re: Azure AD authorization in OData data source: published report refresh problem

AuRo — Mon, 14 Jun 2021 13:03:17 GMT

Hi @Anonymous,

thanks for your reply, I've worked through these posts and got the following result:

Authentication via Postman/Insomnia works as expected.
Authentication via Power BI Desktop works as expected.
Authentication via app.powerbi.com fails with the same error as in my original post. Credentials are the same as in the PBI Desktop connection.

Is there a way to debug or have a detailed log of the app.powerbi.com data source connection attempts? I guess that the error shown has no relation to an actual token refresh - as the data source connection never gets authorized, and the odata service never receives a request. Unfortunately I have no clue how to debug the app.powerbi.com-platform, nor do I know how to do this in the Azure portal. It would be really useful to know what the auth-request from app.powerbi.com to Azure AD looks like.

Re: Azure AD authorization in OData data source: published report refresh problem

pbiOrgUser — Mon, 06 Dec 2021 23:49:14 GMT

Hey @AuRo
Any luck in resolving this? We are getting the same error on power bi cloud and power bi desktop works perfectly fine (noting desktop is using Power Query for excel (a672d62c-fc7b-4e81-a576-e60dc46e951d).

When we deploy to power bi cloud and use power bi data refresh (b52893c8-bc2e-47fc-918b-77022b299bbc) we have this issue!