Push Datasets to PBI via multi tenant azure application with oauth2 auth 403 forbidden

albrej — Tue, 14 Dec 2021 17:21:20 GMT

I am developing a web application in which i want to allow users to push their data from the application to a power bi dataset (e.g. on their power bi work account).

Therefore i did the following:

I registered an azure ad application (Accounts in any organizational directory (Any Azure AD directory - Multitenant).

For authentication, i redirect a user to https://login.microsoftonline.com/common/oauth2/v2.0/authorize and add the corresponding redirect_uri, scopes, client_id, prompt=consent and response_type=code to the URL.

The scopes are:

This looks like:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=XXX

&redirect_uri=XXX

&response_type=code

&prompt=consent

&state=XXXX

&scope=offline_access%20https://analysis.windows.net/powerbi/api/Dataset.ReadWrite.All%20https://analysis.windows.net/powerbi/api/Workspace.ReadWrite.All

The scopes are defined in the azure application, too, besides im not sure if that is even necessary since I'm using the v2.0 endpoint here.

After this step, i fetch the access token by posting the grant_token/code to https://login.microsoftonline.com/common/oauth2/v2.0/token . The post parameters consist of the following values: grant_type=authorization_code, client_id=from the application, client_secret=secret from the application, code=grant_token from the redirect, scope=scopes as listed above, redirect_uri.

The response i get is an access token, looking like (actual tokens are a little anonymized, i just did it like 15 minutes ago):

token_type:"Bearer"
scope:""https://analysis.windows.net/powerbi/api/Dataset.Read.All https://analysis.windows.net/powerbi/api/Dataset.ReadWrite.All https://analysis.windows.net/powerbi/api/Workspace.Read.All https://analysis.windows.net/powerbi/api/Workspace.ReadWrite.All""
expires_in:5166
ext_expires_in:5166
access_token:"eyJ0eXWGZAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCQWDI6Imwzc1EtNTBjQ0g0eEJWWkxIVEd3blNSNzY4MCIsImtpZCI6Imwzc1EtNTBjQ0g0eEJWWkxIVEd3blNSNzY4MCJ9.eyJhdWQXXXXXXXXXXXGFzZXQuUXXXXXXmVhZFdyaX...

refresh_token:"0.ATwAjlTXXXXXXXGg3--XXXXX-XX...
expires_on:1639504569

Some additional information:

If i use the token from the api playground (try it - https://docs.microsoft.com/de-de/rest/api/power-bi/datasets/get-datasets ), i can use the api with the rest of my software..

The azure ad account im testing this with is:

- power bi pro

- global admin

- owns workspaces

- owns datasets

Now my problem:

If i use this provided access_token at powerbi api v1, for example requesting https://api.powerbi.com/v1.0/myorg/datasets/ im getting a 403 Forbidden response. Does anybody know where im doing something wrong? Im using a azure multitenant app in a similar way to allow people push data to their onedrive...

Thanks in advance!

Push Datasets to PBI via multi tenant azure application with oauth2 auth 403 forbidden

albrej — Wed, 15 Dec 2021 10:36:32 GMT

I found the solution.

If anyone faces the same problem - here is what i did:

Since im using "Accounts in any organizational directory (Any Azure AD directory - Multitenant), the correct authentication endpoint is /organizations/ and not /common/.

(i used the same url part - common - like i did with my service for OneDrive.. but my connection to PBI is only intendet for organizational accounts and not for 'all' kinds of accounts)

It is essential to use the correct endpoint for the corresponding setting in the azure ad app:

You can look it up here. https://docs.microsoft.com/de-de/azure/active-directory/develop/active-directory-v2-protocols#endpoints

topic Push Datasets to PBI via multi tenant azure application with oauth2 auth 403 forbidden in Developer

Push Datasets to PBI via multi tenant azure application with oauth2 auth 403 forbidden

Push Datasets to PBI via multi tenant azure application with oauth2 auth 403 forbidden