Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Compete to become Power BI Data Viz World Champion! First round ends August 18th. Get started.

Reply
LukeDrako
Regular Visitor

Graph api, keep getting "Access to the resource is forbidden"

‎05-16-2025 01:30 PM

How can I use the Graph API in powerbi using user credentials.

I am able to use an registered app and adding the client secret but I don't want to do this.  This needs to work with shceduled refresh in PBI services. 

 

The below c ode works perfectly but as you can see I need to add the secret. What I want to do is use normal credentials.  When I try to get data using OData feed, I put https://graph.microsoft.com/v1.0/users. PowerBI the prompts for crednetials and then I get the "Access to the resource is forbidden".  If I go to GRAPH explorer and use the same call, same user/credentials all works fine.

 

Any ideas?

LukeDrako_0-1747427074659.png

The above code calls this fucntion...I did it like this because of paging

LukeDrako_1-1747427389726.png

 

 

Labels:
Message 1 of 5
525 Views
0
1 ACCEPTED SOLUTION
v-veshwara-msft
Community Support
Community Support
In response to LukeDrako

‎05-19-2025 10:23 PM

HI @LukeDrako ,
Thanks for the follow-up.
You can refer to the following links for guidance on configuring Azure Key Vault for use within the Power BI Service:
Bring your own encryption keys for Power BI - Power BI | Microsoft Learn

How to access Azure KeyVault from Power BI Query t... - Microsoft Fabric Community

Re: How to access Azure KeyVault from Power BI Que... - Microsoft Fabric Community

 

Hope this helps. Please reach out for further assistance.
Please consider marking the helpful reply as Accepted Solution and giving kudos to assist others with similar issues.

View solution in original post

Message 5 of 5
393 Views
4 REPLIES 4
v-veshwara-msft
Community Support
Community Support

‎05-19-2025 04:40 AM

Hi @LukeDrako ,

Thanks for your question in Microsoft Fabric Community.

 

Power BI does not support authenticating to Microsoft Graph API using only user credentials (username and password), particularly in the context of scheduled refresh in the Power BI Service.

This is because Microsoft Graph requires authentication using OAuth 2.0, and all flows depend on a registered Azure AD application. Whether you're using delegated permissions (on behalf of a user) or application permissions (for service-level access), the presence of an App ID is required to issue an access token.

 

In Power BI Desktop, you might see prompts for user credentials when connecting via OData feed (e.g. https://graph.microsoft.com/v1.0/users). However, this delegated approach does not work when you publish the report to Power BI Service, as the service cannot impersonate a signed-in user or manage delegated tokens. As a result, you encounter the "Access to the resource is forbidden" error.

 

The supported and secure approach is to register an application in Azure AD, assign the necessary Microsoft Graph API permissions (such as User.Read.All), and authenticate using an App ID and either a client secret or certificate. This method is compatible with Power BI’s scheduled refresh model.

 

To avoid hardcoding secrets, you can store credentials securely in Azure Key Vault and reference them in Power BI Dataflows, which offers a cleaner and more secure setup. As @tharunkumarRTK  suggested, using a custom connector is also a valid path if you need more control over the API calls or token handling.

 

Here are some similar and useful resources:
Solved: Service Principal authentication (for Graph API) w... - Microsoft Fabric Community

Authentication and authorization basics - Microsoft Graph | Microsoft Learn

Choose a Microsoft Graph authentication provider - Microsoft Graph | Microsoft Learn

 

Hope this helps. Please reach out for further assistance.
If this post helps, then please consider to give a kudos and Accept as the solution to help the other members find it more quickly.


Thank you.

Message 3 of 5
425 Views
0
LukeDrako
Regular Visitor
In response to v-veshwara-msft

‎05-19-2025 02:28 PM

Thanks @v-veshwara-msft 

 

As I already have the the approach of an application in Azure AD, assign the necessary Microsoft Graph API permissions (such as User.Read.All), and authenticate using an App ID with the client secret what I need to solve then as you and @tharunkumarRTK  suggest is to sue Azure Key Vault. 

You mention:

"To avoid hardcoding secrets, you can store credentials securely in Azure Key Vault and reference them in Power BI Dataflows, which offers a cleaner and more secure setup"

I'm not sure how to do this, I'm using powerbi M to code this and not sure how to get the credential from vault secret. Any example I can follow?

 

Thanks Ahead of time...

Message 4 of 5
415 Views
0
v-veshwara-msft
Community Support
Community Support
In response to LukeDrako

‎05-19-2025 10:23 PM

HI @LukeDrako ,
Thanks for the follow-up.
You can refer to the following links for guidance on configuring Azure Key Vault for use within the Power BI Service:
Bring your own encryption keys for Power BI - Power BI | Microsoft Learn

How to access Azure KeyVault from Power BI Query t... - Microsoft Fabric Community

Re: How to access Azure KeyVault from Power BI Que... - Microsoft Fabric Community

 

Hope this helps. Please reach out for further assistance.
Please consider marking the helpful reply as Accepted Solution and giving kudos to assist others with similar issues.

Message 5 of 5
394 Views
tharunkumarRTK
Super User
Super User

‎05-18-2025 12:59 AM

@LukeDrako 

I will try to suggest few approaches:

 

1. Power BI Web connector supports service principal authentication, which means you can enter the SPN ID, secret and tenant id in the service. This way you can avoid hard coding the credentails. Please be informed, Now, it supports aure key vault as well which means, if you want to extract the secret from key vault rather than entering directly then you can do that as well. 

Screenshot 2025-05-18 at 1.20.38 PM.png

Screenshot 2025-05-18 at 1.20.03 PM.png

But I understand the fact that, if you remove the hard coded secret then you will not be able to load the queries and publish the report to the service. So I would suggest you to create a dataflow, move your queries into it. When you are trying to run the queries in a dataflow, it would prompt you to create a connection, so you can enter the details in the prompt itself. Not with in the code. Once this is done you can connect your power bi report to the dataflow. Then you will be able to publish the report.

 

2. You can create a custom connector which accepts service principal id , secret information and run the API calls, similar to this https://github.com/migueesc123/PowerBIRESTAPI

custom connector documentation: https://learn.microsoft.com/en-us/power-query/install-sdk

 

I have not tested the first approach with graph APIs, but I guess it would work. I did used SPN authetication with other API endpoint though, it worked. I tested the second approach with graph APIs as well and it was working=

 

Need a Power BI Consultation? Hire me on Upwork

 

 

 

Connect on LinkedIn

 

 

 








Did I answer your question? Mark my post as a solution!
If I helped you, click on the Thumbs Up to give Kudos.

Proud to be a Super User!
PBI_SuperUser_Rank@2x.png
Message 2 of 5
460 Views
0

Helpful resources

Announcements
August Power BI Update Carousel

Power BI Monthly Update - August 2025

Check out the August 2025 Power BI update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All
Top Solution Authors
View All