Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started
Hi!
I've been following this guide while setting up my app. Everything works fine if I use password credentials flow and supply my own userame/password to get an access token. However, if I try to use client credentials flow, I get a 401 whenever I call any power bi endpoint.
I also tried downloading the sample application provided here. Using "App Owns Data", I get the same results. If I use MasterUser (username/pass), everything works fine. But if I use ServicePrincipal (cliend_id/client_secret), I get 401.
I understand that this is a new feature and it's just a public preview. But has anyone had any luck getting it to work?
More details:
Azure:
Power BI:
Solved! Go to Solution.
Hi @Anonymous ,
I made the Service Principal work in the "App Owns Data" demo and with the Rest APIs. It seems everything is set up correctly according to your description. Some suggestions are as follows.
1. Add the Service Principal as an admin in the workspace directly rather than add the security group. Please refer to article 5 in embed-service-principal#get-started-with-a-service-principal. We should use the Object ID.
2. The Service Principal inherit permission from the tenant rather than the Azure App permissions.
>>>Service principals inherit the permissions for all Power BI tenant settings from their security group. To restrict permissions create a dedicated security group for service principals and add it to the 'Except specific security groups' list for the relevant, enabled Power BI settings.
3. I'm afraid you can't call the Admin REST API if the Service Principal doesn't have the permission.
Best Regards,
Hi all, this resolved the issue for me:
1. Enable the tenant setting "Allow service principals to use Power BI APIs".
2. Create an AAD user group.
3. Create a Service Principal account and add it to the AAD user group.
4. Assign the AAD user group to the workspace access.
5. IMPORTANT! Assign Service Principal account to workspace access directly! So that you would have both AAD user group and Service Principal in the wotkspace access.
6. After that you can remove the Service Principal direct assignment, but the access will still work through AAD user group.
Maybe it's a bug, but something is deinitely happening in the background with service principals and AAD user groups access.
After banging my head against the wall for what feels like days I solved my problem.
I migrated from a master user where I used an authority url of: https://login.microsoftonline.com/common
When I switched to a service principal I had to change the authority url to: https://login.microsoftonline.com/{my AAD tenant id}
Which then allowed my API calls to work.
Hi @Anonymous ,
I made the Service Principal work in the "App Owns Data" demo and with the Rest APIs. It seems everything is set up correctly according to your description. Some suggestions are as follows.
1. Add the Service Principal as an admin in the workspace directly rather than add the security group. Please refer to article 5 in embed-service-principal#get-started-with-a-service-principal. We should use the Object ID.
2. The Service Principal inherit permission from the tenant rather than the Azure App permissions.
>>>Service principals inherit the permissions for all Power BI tenant settings from their security group. To restrict permissions create a dedicated security group for service principals and add it to the 'Except specific security groups' list for the relevant, enabled Power BI settings.
3. I'm afraid you can't call the Admin REST API if the Service Principal doesn't have the permission.
Best Regards,
Thank you! Your first comment gave me an idea. My issue was that i did not add the Service Principal itself as Admin, i added the Security Group it belonged to. I was not able to choose a service pricipal in the UI when adding access permissions. Instead, i had to use the API and now everything is working fine.
Best regards
It's my pleasure. I'm glad you made it work. Thanks for sharing the details. This feature is under preview. I believe it will be easy to use when it's generally available.
Best Regards,
Hello,
I'm having the same problem and believe I have applied the Service Principal as admin. I am using the following tutorial which seems to provide for that step specifically in step 5: https://cloudarchitected.com/2019/03/embedding-power-bi-content-with-a-service-principal/
I am not immediately proficient in powershell or the Power BI API so it would be great if someone could confirm that step should have provided the correct outcome or if / how I can confirm further that I have implemented the resolution provided above correctly, or if not perhaps assist with script sample?
Many thanks for your help.
I was able to get the auth token by using the service principal (client id, secret) however when I use the token and query (getReports) etc, it fails with 401.
The trick to get the token was that the APP needs to be "Server-side web application" instead of "native".
However I believe the permissions are not being assigned when the app/security group is added to the Power BI API access.
Similar problem... I believe its related with the option Allow Service Principal to use Power BI APIs. on the PowerBI Tenant settings. That is mentioned that has to be activated in https://sqlitybi.com/authenticating-power-bi-xmla-endpoint-using-service-principal/
Then you're in the same situation as me 🙂 I also manage to get the access token, but i can't use it.
The same problem. Give all rights to app in Azure. Enable "Allow Service Principal to use Power BI APIs" but still get 401 Eror. Helpppp
Make sure you target a new workspace and not the default "My Workspace" and check you have assigned all relevant permissions.
See my blog hope it helps : https://blog.joshduxbury.co.uk/2021/04/22/import-data-into-power-bi-using-rest-logic-apps/
Check out the September 2024 Power BI update to learn about new features.
Learn from experts, get hands-on experience, and win awesome prizes.