Solved: PowerBI Application Authentication

elserafi · ‎09-30-2017

We are trying to utilize REST API of Power BI which allows to integrate a Power BI report into an application.

We have created an application within our Microsoft Azure Active Directory and given permission for Microsoft Power BI Reporting.

We are facing below issues while integrating PowerBI report from WebAPI.

1. Acquiring the token from the AZURE Active Directory.

How do we achieve the “Access Token” without user interaction? ( i.e. not showing Microsoft Authentication Popup).

We tried getting access token using below code, however the token which we received gives forbidden error.

TokenCache TC = new TokenCache();

ClientCredential CC = new ClientCredential (clientID,SecretID);

Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext authenticationContext1= new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(authorityUri, TC);

AuthenticationResult result3 = authenticationContext.AcquireTokenAsync(resourceUri, CC).Result;

Eric_Zhang · ‎10-02-2017

@elserafi wrote:

We are trying to utilize REST API of Power BI which allows to integrate a Power BI report into an application.

We have created an application within our Microsoft Azure Active Directory and given permission for Microsoft Power BI Reporting.

We are facing below issues while integrating PowerBI report from WebAPI.

1. Acquiring the token from the AZURE Active Directory.

How do we achieve the “Access Token” without user interaction? ( i.e. not showing Microsoft Authentication Popup).

We tried getting access token using below code, however the token which we received gives forbidden error.

TokenCache TC = new TokenCache();

ClientCredential CC = new ClientCredential (clientID,SecretID);

Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext authenticationContext1= new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(authorityUri, TC);

AuthenticationResult result3 = authenticationContext.AcquireTokenAsync(resourceUri, CC).Result;

@elserafi

What is the scenario in your case that required non-user interaction? For App Owns data, you can reference below snippet.

            // Create a user password cradentials.
            var credential = new UserPasswordCredential(Username, Password);

            // Authenticate using created credentials
            var authenticationContext = new AuthenticationContext(AuthorityUrl);
            var authenticationResult = await authenticationContext.AcquireTokenAsync(ResourceUrl, ClientId, credential);

Or you can call the REST API directly.

POST /common/oauth2/token HTTP/1.1
Host: login.windows.net
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache 

client_secret={cilent_secrect}&client_id={client_id}&grant_type=password&resource=https%3A%2F%2Fanalysis.windows.net%2Fpowerbi%2Fapi&username={pbi username}&password={pbi password}

View solution in original post

TedPattison · ‎10-31-2018

It looks like you are acquiring an app-only token which is not currently supported in the Power BI Service API. Yes, you can successfully acquire an app-only token for the Power BI Service API from azure AD but the call will always fail owhen you try to use the app-only token. Support for app-only tokens in the Power BI Service API is on the road map and should be released into preview in the coming months but currently you must acquire access tokens with a user identity.

While it is not ideal, the current way to acquire an access token without any user interaction is to use the UserPasswordCredential flow. Therefore, you must write the code to look like this.

private static string aadAuthorizationEndpoint = "https://login.windows.net/common";
private static string resourceUriPowerBi = "https://analysis.windows.net/powerbi/api";
private static string urlPowerBiRestApiRoot = "https://api.powerbi.com/";
private static string clientId = ConfigurationManager.AppSettings["client-id"];
private static string userName = ConfigurationManager.AppSettings["aad-account-name"]; 
private static string userPassword = ConfigurationManager.AppSettings["aad-account-password"]; 

private static string GetAccessToken() {

  // create new authentication context 
  AuthenticationContext authenticationContext = new AuthenticationContext(aadAuthorizationEndpoint);
  AuthenticationResult userAuthnResult = 
    authenticationContext.AcquireTokenAsync(resourceUriPowerBi,
                                            clientId,
                                            new UserPasswordCredential(userName, userPassword)).Result;
     

  // return access token to caller
  return userAuthnResult.AccessToken;
}

Since you are using delegated permissions, you also must grant permissions to the application ahead of time because the call to acquire an access token in this non-interactive manner will fail if the current user has not consented to the applications. The most common way to deal with this is to click the Grant permissions button for the Azure AD application in the Azure portal.

Eric_Zhang · ‎10-02-2017

@elserafi wrote:

We are trying to utilize REST API of Power BI which allows to integrate a Power BI report into an application.

We have created an application within our Microsoft Azure Active Directory and given permission for Microsoft Power BI Reporting.

We are facing below issues while integrating PowerBI report from WebAPI.

1. Acquiring the token from the AZURE Active Directory.

How do we achieve the “Access Token” without user interaction? ( i.e. not showing Microsoft Authentication Popup).

We tried getting access token using below code, however the token which we received gives forbidden error.

TokenCache TC = new TokenCache();

ClientCredential CC = new ClientCredential (clientID,SecretID);

Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext authenticationContext1= new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(authorityUri, TC);

AuthenticationResult result3 = authenticationContext.AcquireTokenAsync(resourceUri, CC).Result;

@elserafi

What is the scenario in your case that required non-user interaction? For App Owns data, you can reference below snippet.

            // Create a user password cradentials.
            var credential = new UserPasswordCredential(Username, Password);

            // Authenticate using created credentials
            var authenticationContext = new AuthenticationContext(AuthorityUrl);
            var authenticationResult = await authenticationContext.AcquireTokenAsync(ResourceUrl, ClientId, credential);

Or you can call the REST API directly.

POST /common/oauth2/token HTTP/1.1
Host: login.windows.net
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache 

client_secret={cilent_secrect}&client_id={client_id}&grant_type=password&resource=https%3A%2F%2Fanalysis.windows.net%2Fpowerbi%2Fapi&username={pbi username}&password={pbi password}

Carshalton · ‎10-30-2018

Hi,

Can't we use below in the body to get the access code directly by posting to https://login.microsoftonline.com/{Tenant ID}/oauth2/token

grant_type=client_credentials&client_id={Client ID}&client_secret={Secret}&resource={Resourc URK}

Why do we still need the passowrd and username given we already have the client secret? I used the same approachi fine for Dynamics 365 but is getting the error below for Power BI

"error": "invalid_resource",
"error_description": "AADSTS50001: The application named {Our Application URL} was not found in the tenant named {Tenent ID}

PowerBI Application Authentication

Helpful resources

Join us at the Microsoft Fabric Community Conference

Power BI Monthly Update - February 2025

Fabric Community Update - February 2025

Join us at the 2025 Microsoft Fabric Community Conference

PowerBI Application Authentication

Helpful resources

Join us at the Microsoft Fabric Community Conference

Power BI Monthly Update - February 2025

Fabric Community Update - February 2025