Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Don't miss out! 2025 Microsoft Fabric Community Conference, March 31 - April 2, Las Vegas, Nevada. Use code MSCUST for a $150 discount. Prices go up February 11th. Register now.

Reply
peterhvogel
Regular Visitor

Getting Operation returned an invalid status code 'Unauthorized' while trying to embed a Power BI ap

‎09-13-2024 09:02 AM

I have been trying to embed a report in an ASP.NET Core web page using the "for customers/App Owns Data" leveraging a security principal -- I even got it to work in one implementation. However, I'm now in a new tenant and can not get it work here.

  1. I have checked in the Power BI Admin Portal and both "Embed Content in Apps" and "Service Principals can use Fabric APIs" are enabled for the whole organization

  2. I have created an App Registration, assigned it a client secret. I have also gone in Authentication and added the Web Platform and set the redirect URL (to <url>/signin-oidc) and confirmed that's the URL used by my Web app

  3. I have assigned about two dozen Power BI permissions to the App Registration as delegated permissions and granted them as administrator
  4. I've assigned the App Registration's security prinicipal to a security group and given that security group access to the workspace with my report as a contributor
  5. My code starts up and successfully creates a confidential client, a Power BI client, retrieves report information, builds the request token...and fails when it uses the request token when trying to get the embed token:
    var embedToken = client.EmbedToken.GenerateToken(tokenRequest);

    I can't figure out what I'm missing/have done wrong. Help!
Labels:
Message 1 of 6
626 Views
0
1 ACCEPTED SOLUTION
v-linyulu-msft
Community Support
Community Support

‎09-15-2024 07:46 PM

Hi, @peterhvogel 

Regarding the issue you raised, my solution is as follows:

1.First, in Workspace role assignments, we recommend that you assign members and above roles to the security group of the service principal app.

Here is a screenshot of the official documentation:

vlinyulumsft_0-1726454758377.png

vlinyulumsft_1-1726454758378.png

For more information, please refer to the following links:

Embed content in your Power BI embedded analytics application - Power BI | Microsoft Learn

https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal#add-a-service-...

 

2.Secondly, if you want to go into production, it is recommended that you upgrade your capacity.

Here is a screenshot of the official documentation:

vlinyulumsft_2-1726454792516.png

For more information, please refer to the following links:

Move your Power BI embedded analytics app to production - Power BI | Microsoft Learn

Capacity and SKUs in Power BI embedded analytics - Power BI | Microsoft Learn
Of course, if you have any new ideas, you are welcome to contact us.
 

Best Regards,

Leroy Lu

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

Message 2 of 6
508 Views
0
5 REPLIES 5
peterhvogel
Regular Visitor

‎09-16-2024 05:39 AM

I'll try assigning the member role to the security group that my principal belongs to and see if it helps.

Message 3 of 6
483 Views
v-linyulu-msft
Community Support
Community Support
In response to peterhvogel

‎09-16-2024 07:41 PM

Hi, @peterhvogel 

 

Looking forward to your reply and hope your problem can be solved.

 

If you have any relevant experiences during this period, you are also welcome to share them with us.

 

If his post is helpful to you, you can consider accepting it as a solution.

 

Thank you in advance.


Of course, if you have any new ideas, you are welcome to contact us.
 

Best Regards,

Leroy Lu

Message 4 of 6
454 Views
0
peterhvogel
Regular Visitor
In response to v-linyulu-msft

‎09-19-2024 07:17 AM

OK, so I started off by working through the whole process (turning on dev access to service principals, setting up the App Registration -- granting even more permissions than before, setting up the security group, managing access to the workspace) and I used Member status for the security principal's security group.

And it worked! First time! Yay!

But having a nasty, suspicious mind, I tried setting the security group's access to the workgroup to Viewer. And it still worked! <grump/>

So, it seems to me, that there are three possibilities:

  • Workspace access doesn't matter -- I did something wrong the last time, never spotted it, and did it right this time 
    • Specifically (most likely): I granted some permission this time that I didn't grant on the previous time and granting the permission this time made it work
  • It is the workspace role...but it takes time for that change to propogate through to my app and, if I run the application again in (say) 60 minutes with access set to Viewer, it will fail
  • It is the workspace role...but only the settings that are in place when the app first executes matter so if I don't have it right the first time, I'm doomed

Remembering that I'm testing this on a trial license, it's possible (I guess) that the last option is the  correct one but that seems the least likely.

 

Of the two remaining options, the second seems most likely: I was testing, having a failure, changing something, testing again before the change had propogated, getting another failure and assuming my change wasn't helping. To test that, I'm going to walk away from the keyboard for an hour and see what happens when I run the app again with workspace access set to Viewer.

If the app continues to run with workspace access set to Viewer, I'm going to have to test the first option by creating a series of App regisrations with different sets of permissions. <fun/><sarcasm/>

Message 5 of 6
399 Views
peterhvogel
Regular Visitor
In response to peterhvogel

‎09-19-2024 06:08 PM

I left the application alone for the rest of the day and when I ran it, it failed with the "Unauthorized" message. I changed the Power BI workspace access for the security group that my principal is part of back to Member and, on my next run, the program ran just fine. I've marked the answer as the solution because it sure was!

Message 6 of 6
369 Views
v-linyulu-msft
Community Support
Community Support

‎09-15-2024 07:46 PM

Hi, @peterhvogel 

Regarding the issue you raised, my solution is as follows:

1.First, in Workspace role assignments, we recommend that you assign members and above roles to the security group of the service principal app.

Here is a screenshot of the official documentation:

vlinyulumsft_0-1726454758377.png

vlinyulumsft_1-1726454758378.png

For more information, please refer to the following links:

Embed content in your Power BI embedded analytics application - Power BI | Microsoft Learn

https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal#add-a-service-...

 

2.Secondly, if you want to go into production, it is recommended that you upgrade your capacity.

Here is a screenshot of the official documentation:

vlinyulumsft_2-1726454792516.png

For more information, please refer to the following links:

Move your Power BI embedded analytics app to production - Power BI | Microsoft Learn

Capacity and SKUs in Power BI embedded analytics - Power BI | Microsoft Learn
Of course, if you have any new ideas, you are welcome to contact us.
 

Best Regards,

Leroy Lu

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 2 of 6
509 Views
0

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!

Jan25PBI_Carousel

Power BI Monthly Update - January 2025

Check out the January 2025 Power BI update to learn about new features in Reporting, Modeling, and Data Connectivity.

Jan NL Carousel

Fabric Community Update - January 2025

Find out what's new and trending in the Fabric community.

View All