Solved: Power Bi Api access token validation

rahulrathor · ‎05-19-2024

Hi,

I want to consume the PowerBI resource using rest APIs. Is it possible to get the aceess token from Auth0 instead of service principal and configure the PowerBI to validate the aceess token for any rest Api call from Auth0(registered app in Auth0) instead of service principal(resgistered app in Azure portal).

Thanks

Rahul Rathor

Anonymous · ‎05-20-2024

Hi @rahulrathor ,

Please review the following link, hope its solution can help you.

Can Auth0 integrate PowerBI? - Auth0 Community

There may be two options for this integration:

Option 1 : Provisioning the users on Azure AD with Auth0 identities

This option is explained for Office 365 app but the same idea may apply for PowerBI too. In this option, the domain federation is done in Azure AD so it should work for every application that uses Azure AD to authenticate technically.

On the first link below, there is a sample rule to create any required licenses on the Azure AD side, so that after a user logs in using a 3rd party IdP e.g. Google through Auth0, Office 365 sees the user as a valid user.

1- https://auth0.com/docs/integrations/office-365-custom-provisioning

2- https://auth0.com/learn/sprinklr-achieves-impossible-sso-with-auth0/

3- https://docs.microsoft.com/en-us/microsoft-365/enterprise/federated-identity-for-your-office-365-dev...

Option 2: Leveraging Power-BI embedded row security feature:

With this option, you may send the user’s credentials obtained from a successful authentication through Auth0 to power-bi API as a proof of user identity. Here are some related links showing how to implement this.

1- Security in Power BI embedded analytics - Power BI | Microsoft Learn

2- Embedding and Report Filters - Microsoft Power BI Community

3- azure-content/power-bi-embedded-app-token-flow.md at master · uglide/azure-content · GitHub

Microsoft Entra token

Use the external Postman tool to acquire a token. For more information, see this Power BI Community thread. The request URL for a service principal must be https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token, but for a master user, it can be either https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token or https://login.microsoftonline.com/common/oauth2/token.

Follow the sample solutions at PowerBI-Developer-Samples. For example:

For Embed for your customers see this AadService.cs file. Find the authorityUrl and scopeBase at AppOwnsData/Web.config.

For Embed for your organization see this OwinOpenIdConnect.cs file. Find authorityUrl at UserOwnsData/Web.config.

Best Regards

View solution in original post

dan-data-ces · ‎05-29-2024

Hello, I am wondering if what you got as a solution was helpful ? I am about to go through the same journey you are and we are actually thinking of not using Power BI because of the little to no documentation there is about Auth0 authentication registration.

From thr reply you got Option 1 is not an option for us and besides all of the links provided in it don't work, and option 2 is good but docs area a bit generic. Anyway, just asking in case you were successful in using Auth0 and Power BI.

Cheers!

Anonymous · ‎05-20-2024

Hi @rahulrathor ,

Please review the following link, hope its solution can help you.

Can Auth0 integrate PowerBI? - Auth0 Community

There may be two options for this integration:

Option 1 : Provisioning the users on Azure AD with Auth0 identities

This option is explained for Office 365 app but the same idea may apply for PowerBI too. In this option, the domain federation is done in Azure AD so it should work for every application that uses Azure AD to authenticate technically.

On the first link below, there is a sample rule to create any required licenses on the Azure AD side, so that after a user logs in using a 3rd party IdP e.g. Google through Auth0, Office 365 sees the user as a valid user.

1- https://auth0.com/docs/integrations/office-365-custom-provisioning

2- https://auth0.com/learn/sprinklr-achieves-impossible-sso-with-auth0/

3- https://docs.microsoft.com/en-us/microsoft-365/enterprise/federated-identity-for-your-office-365-dev...

Option 2: Leveraging Power-BI embedded row security feature:

With this option, you may send the user’s credentials obtained from a successful authentication through Auth0 to power-bi API as a proof of user identity. Here are some related links showing how to implement this.

1- Security in Power BI embedded analytics - Power BI | Microsoft Learn

2- Embedding and Report Filters - Microsoft Power BI Community

3- azure-content/power-bi-embedded-app-token-flow.md at master · uglide/azure-content · GitHub

Microsoft Entra token

Use the external Postman tool to acquire a token. For more information, see this Power BI Community thread. The request URL for a service principal must be https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token, but for a master user, it can be either https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token or https://login.microsoftonline.com/common/oauth2/token.

Follow the sample solutions at PowerBI-Developer-Samples. For example:

For Embed for your customers see this AadService.cs file. Find the authorityUrl and scopeBase at AppOwnsData/Web.config.

For Embed for your organization see this OwinOpenIdConnect.cs file. Find authorityUrl at UserOwnsData/Web.config.