The ultimate Microsoft Fabric, Power BI, Azure AI, and SQL learning event: Join us in Stockholm, September 24-27, 2024.
Save €200 with code MSCUST on top of early bird pricing!
Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started
Hello everyone,
recently I have been trying to make Power BI APIs work with service principal authentication. All steps mentioned in this article https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal are done:
- an Azure AD app is registered (service principal created)
- an AD security group is created, the app is added to this group
- a Power BI admin has enabled service principal access in the admin portal
- the service principal and the security group are added to the workspace (and granted the admin role)
I am able to generate an access token using the POST method for https://login.microsoftonline.com/common/oauth2/token (screenshot below).
The issue is that whenever this token is used for any further calls (I have tried both non-admin and admin APIs - when it comes to admin ones, I only tested the supported APIS - can be seen in this article https://docs.microsoft.com/en-us/power-bi/admin/read-only-apis-service-principal-authentication), I am shown the 401 unauthorized error.
So my question is: did I overlook some security setting perhaps? Our company uses MFA, but service principals do not use that from what I have found on this forum/in the documentation. Or is the generated token invalid somehow?
Any help is greatly appreciated.
Hi, I meet tyhe same issue, could you please share your solution, thanks
Hi, we are experiencing a similar problem. Were you able to solve the issue?
Try getting the token with your resource set as:
https://analysis.windows.net/powerbi/api/.default
Also make sure that your tenant admin has added the AAD security group to the "specific security group" list in Power BI.
A long time has passed, do you remember how to add AD security group to PowerBI?
When I tried getting the token with the resource set to https://analysis.windows.net/powerbi/api/.default, it threw the following error:
The AAD security group (and also the service principal) has been added to the specific security group list in our Power BI workspace.
Ah, you've been using a different API. Not sure that one would ever work. Heres the working oauth one I have:
Thank you so much, this actually worked, I was finally able to generate a bearer token without any error messages.
The issue now is that whatever call I make using this token, I get the following error:
I tried finding more information about this and everything points to some issue with permissions, but I cannot figure out what's wrong (I have tested both non-admin and some of the supported admin calls). Please, do you have any idea what might be the problem?
UPDATE: some non-admin calls actually work, but I was not able to make any of the admin ones work properly. I have checked Azure again to make sure I have all the correct permissions assigned, and it seems to be the case:
Is anything missing?
Oh, that's easy then. Your POST is wrong. Didnt spot it the first time round because it was right at the top 😄 It must have the tenant ID in it, not 'common'
I use:
https://login.microsoftonline.com/[tenantid]/oauth2/v2.0/token/
I'm curious if you were ever able to resolve this - I'm having the same issue. 401 unauthorized on all calls.
No, not yet - still trying to figure this out. Will update the thread if I find anything.
Hi @matoxin ,
Considerations and limitations
Have you checked these considerations and limitations?
Best regards,
Lionel Chen
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Hello Lionel,
yes, we have checked that article multiple times - to make sure we have not forgotten anything.
Hi,
What API Permissions are set up in your App Registration for Power BI? Everything else seems ok.
Hello, at the moment, the app has the following API permissions:
- Dataset.ReadAll
- Report.ReadAll
- Workspace.ReadAll
I assume that Tenant.ReadAll should be added as well - is that correct?
Join the community in Stockholm for expert Microsoft Fabric learning including a very exciting keynote from Arun Ulag, Corporate Vice President, Azure Data.
Check out the August 2024 Power BI update to learn about new features.
User | Count |
---|---|
14 | |
2 | |
1 | |
1 | |
1 |