Solved: Re: Government API 403 error: powerbi gcc endpoint...

hellodtonomy · ‎12-12-2023

We are currently conducting experiments with the Power BI API. We have configured our setup to use the GCC endpoint at api.powerbigov.us. As part of the setup, we registered our Azure client application and assigned the following Power BI permissions: "App.Read.All," "Capacity.Read.All," "Capacity.ReadWrite.All," "Content.Create," and "Dataset.ReadWrite.All."

To obtain an access token, we used a username and password authentication method. Subsequently, we attempted to use this access token to make a POST request to the dataset creation API endpoint: "https://api.powerbigov.us/v1.0/myorg/datasets." However, our requests consistently result in a 403 error. Do you have any suggestions on how to resolve this issue?

hellodtonomy · ‎01-09-2024

To address my own inquiry, when dealing with GCC cloud customers, it's essential to engage in an interactive OAuth process to acquire the token; conventional username and password authentication is not supported. Furthermore, to obtain the correct access token, we must supply the Power BI resource ID, which differs from that of regular commercial users. In our specific situation, we must request permission from the resource located at "https://analysis.usgovcloudapi.net/powerbi/api". To ascertain the GCC endpoint and resource ID, Power BI offers a REST API. You can initiate a POST request to "https://api.powerbi.com/powerbi/globalservice/v201606/environments/discover?user=someone@somewhere.g..." to retrieve endpoint information for GCC cloud users.

View solution in original post

hellodtonomy · ‎01-09-2024

To address my own inquiry, when dealing with GCC cloud customers, it's essential to engage in an interactive OAuth process to acquire the token; conventional username and password authentication is not supported. Furthermore, to obtain the correct access token, we must supply the Power BI resource ID, which differs from that of regular commercial users. In our specific situation, we must request permission from the resource located at "https://analysis.usgovcloudapi.net/powerbi/api". To ascertain the GCC endpoint and resource ID, Power BI offers a REST API. You can initiate a POST request to "https://api.powerbi.com/powerbi/globalservice/v201606/environments/discover?user=someone@somewhere.g..." to retrieve endpoint information for GCC cloud users.

Anonymous · ‎12-14-2023

Hi @hellodtonomy ,

We are unable to test this scenario due to permissions issues, if it's really urgent and you are a Power BI Pro licensee, I suggest you open a support ticket and a dedicated Microsoft engineer will look into the issue for you.

The link of Power BI Support: https://powerbi.microsoft.com/en-us/support/

For how to create a support ticket, please refer to https://community.powerbi.com/t5/Community-Blog/How-to-create-a-support-ticket-in-Power-BI/ba-p/6830...

Best Regards,

Liu Yang

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Anonymous · ‎12-13-2023

Hi @hellodtonomy ,

Based on your error message mentioned, I think you need to first double-check these 2 points:

1. The API method to get the AAD token for the rest API using, you should define scope of the API body parameter like this to make sure all the delegated permissions has been assigned:

2. Since you are in the GCC environment for the rest API using, you need to double-check if you have opened/whitelist all the Power BI URLs now following this official document:

Power BI for US government customers - Overview - Power BI | Microsoft Learn

Best Regards,

Liu Yang

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly

hellodtonomy · ‎12-14-2023

We've made some progress by realizing that we need to specify the government resource as "https://analysis.usgovcloudapi.net/powerbi/api" instead of "analysis.windows.net." However, we encountered an "invalid grant" error. Does anyone know if the "password" grant type is supported in Azure Government Cloud?

hellodtonomy · ‎12-13-2023

Hi Liu Yang,

Thank you for your prompt response. The suggestion to add the scope parameter doesn't align with our specific scenario.

We utilized the endpoint "https://login.windows.net/common/oauth2/token" to acquire the token and designated "https://analysis.windows.net/powerbi/api" as the resource parameter for our API calls. In this context, the scope parameter isn't applicable, and attempts to add ".default" to the resource URL resulted in a "resource not found" error.

below is the sample code how we call the token api:

request(
  {
    json: true,
    method: 'post',
    url:'https://login.window.net/common/oauth2/token',
    form: {
       grant_type:'password',
       resource:"https://analysis.windows.net/powerbi/api",
       username: "username",
       password: "password",
       client_id: "client_id"
    },
    headers: {
       "Content-Type": "application/x-www-form-urlencoded" 
   }
 }, ProcessTokenResponse);

Our objective is to access the GCC Power BI API from a public network, where there are no connectivity restrictions in place. Could you please advise if there are any specific configurations required on the GCC endpoint to allow connections from a public network?

Thanks!

hellodtonomy · ‎12-14-2023

Hello Liu Yang,

We have another question regarding the API call. Is there a need to assign a specific role to the user for the API call to work correctly? We examined the "wid" from the access token returned for our current user and noticed that it has a default role of "b79fbf4d-3ef9-4689-8143-76b194e85509."

Thanks!