The ultimate Fabric, Power BI, SQL, and AI community-led learning event. Save €200 with code FABCOMM.
Get registeredCompete to become Power BI Data Viz World Champion! First round ends August 18th. Get started.
I have an application based on the "Embed for your organization" model. For authentication, on the server-side, it uses Owin and the Microsoft.Identity.Client package. On the client-side, it uses the PowerBI REST API to perform automated dataset refreshes based on parameters supplied.
I need to extend this to work with guest users from other tenants so they can perform these automated refreshes on datasets (in a workspace) within the tenant where they have been created as guests. The manual version of this complete flow works fine. By switching the tenant in Power BI Service, the guest has access to their workspace, and they can change dataset parameters and do manual refreshes.
My question is this: is there a REST API that I can use to switch the tenant from the source to the one where the user is a guest using the tenantId? And would the access token from the source be enough to make this switch? And are there any other constraints and considerations?
I have researched this problem high and low and unfortunately, am unable to find a clean solution without dismantling the current architecture completely. Any help or guidance would be much appreciated!
Many thanks.
Solved! Go to Solution.
Here is a final update. I was able to upgrade the app to .NET 6.0 and also update all packages to stable versions.
To summarize:
Start with sample app at: Embed Power BI report in a Power BI embedded analytics application for your organization - Power BI and use the tutorial. Use the code provided at Github.
1) If necessary, downgrade node.js/npm to V16.20.2/V8.19.4
2) Target framework .NET 6.0 to remove dependence on out of support .NET 5.0
3) Update Microsoft.AspNetCore.Authentication.JwtBearer: 6.0.12
4) Update Microsoft.AspNetCore.Authentication.OpenIdConnect: 6.0.12
5) Update Microsoft.PowerBI.Api: 4.22.0
6) Update Microsoft.Identity.Web: 3.9.1
I will mark this response as a solution for anyone who is interested. And if anyone needs more info on how to use the REST API in conjunction with the sample, I can provide further details.
Many thanks and best wishes.
Hi @powerapps_tec,
Thank you for reaching out to the Microsoft Fabric Forum Community.
thank you @lbendlin, for your insights.
To enable guest users to perform automated dataset refreshes in your Power BI solution, you’ll need to acquire an access token for the host tenant (where the datasets and workspaces reside) rather than using a token from the guest’s home tenant.
Currently, there isn’t a REST API available to switch tenants programmatically in the same way a user can manually switch in Power BI Service. Instead, the solution is to authenticate against the host tenant directly when acquiring access tokens, ensuring that the token is valid for accessing Power BI resources in that tenant.
This approach should work without dismantling your architecture. If tenant-switching APIs become available, if you get enough votes, they may consider in future. Raise your idea here:
Fabric Ideas - Microsoft Fabric Community
For further understanding, please refer to the following Links:
Public and confidential client apps (MSAL) - Microsoft identity platform | Microsoft Learn
If this post helps, then please give us ‘Kudos’ and consider Accept it as a solution to help the other members find it more quickly.
Thank you.
Hello v-saisrao-msft,
Thank you for your response. Yes, I have tried to access tokens for the host tenant by explicitly setting the tenantId in the the authorityURI. This does not work with ClientApplicationBase.GetAccountAsync, which I need to return the user and then acquire a token for that user. Using service principal rather than a specific user is not an option.
The documentation mentions that ITokenAcquisition.GetAccessTokenForUserAsync can be used to get tokens for guest users.
https://learn.microsoft.com/en-us/dotnet/api/microsoft.identity.web.itokenacquisition.getaccesstoken...
For this, I would have to switch from using Microsoft.Identity.Client to Microsoft.Identity.Web, which in turn means rewriting most of the app.
Tenant switching would be the ideal solution, so I will definitely submit the idea as you suggest.
Many thanks.
Hi, @powerapps_tec,
Thank you for the confirmation.
If this post helps, then please give us ‘Kudos’ and consider Accept it as a solution to help the other members find it more quickly.
Thank you
I'm still interested to know if anyone has used ITokenAcquisition.GetAccessTokenForUserAsync successfully as a means to allow guest users to perform operations on their host workspace objects through the REST API. I am only inferring this possibility from the documentation and have no concrete examples or evidence. I think it is in the interest of the community to keep this discussion open.
Hi @powerapps_tec,
Thanks for providing more context on your scenario! I completely understand the challenge you're facing with enabling guest users to perform operations on Power BI resources across different tenants.
I haven't personally used ITokenAcquisition.GetAccessTokenForUserAsync in this specific scenario, but I think it could be worth exploring. It seems like the ideal way to acquire tokens on behalf of a guest user, especially in a multi-tenant setup.
Thank you.
Hello,
This tutorial uses the Micrsoft.Identity.Web with a .NET 5.0 app and works with a guest user.
https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-organization-app
Nevertheless, this is a promising alternative if anyone else is interested!
Many thanks and regards.
You're welcome! I have also verified that the REST API with Javascript works perfectly for a guest user. That is, the token can be used for dataset refreshes, updating parameters and ofc all read operations. I will try and upgrade the app to a supported version of .NET, but this may take time because there are a number of dependencies. If and when I do, I will definitely post an update here.
Here is a final update. I was able to upgrade the app to .NET 6.0 and also update all packages to stable versions.
To summarize:
Start with sample app at: Embed Power BI report in a Power BI embedded analytics application for your organization - Power BI and use the tutorial. Use the code provided at Github.
1) If necessary, downgrade node.js/npm to V16.20.2/V8.19.4
2) Target framework .NET 6.0 to remove dependence on out of support .NET 5.0
3) Update Microsoft.AspNetCore.Authentication.JwtBearer: 6.0.12
4) Update Microsoft.AspNetCore.Authentication.OpenIdConnect: 6.0.12
5) Update Microsoft.PowerBI.Api: 4.22.0
6) Update Microsoft.Identity.Web: 3.9.1
I will mark this response as a solution for anyone who is interested. And if anyone needs more info on how to use the REST API in conjunction with the sample, I can provide further details.
Many thanks and best wishes.
i think this is (far) outside the design envelope.
If this is important to you please consider voting for an existing idea or raising a new one at https://ideas.fabric.microsoft.com
I have submitted this as part of an idea suggestion:
https://community.fabric.microsoft.com/t5/Fabric-Ideas/Cmdlet-and-REST-API-support-for-tenant-switch...