albrej
Regular Visitor

Push Datasets to PBI via multi tenant azure application with oauth2 auth 403 forbidden

I am developing a web application in which I want to allow users to push their data from the application to a Power BI dataset (e.g. on their Power BI work account).

Therefore I did the following:

I registered an Azure AD application (Accounts in any organizational directory (Any Azure AD directory - Multitenant)).

For authentication, I redirect a user to https://login.microsoftonline.com/common/oauth2/v2.0/authorize and add the corresponding redirect_uri, scopes, client_id, prompt=consent and response_type=code to the URL.

The scopes are: 

 This looks like: 
&redirect_uri=XXX
&response_type=code
&prompt=consent
&state=XXXX
 
The scopes are defined in the Azure application, too; besides, I'm not sure if that is even necessary since I'm using the v2.0 endpoint here.
 
After this step, I fetch the access token by posting the grant_token/code to https://login.microsoftonline.com/common/oauth2/v2.0/token. The POST parameters consist of the following values: grant_type=authorization_code, client_id=from the application, client_secret=secret from the application, code=grant_token from the redirect, scope=scopes as listed above, redirect_uri
 
The response I get is an access token, looking like this (actual tokens are a little anonymized, I just did it like 15 minutes ago):
token_type:"Bearer"
scope:""https://analysis.windows.net/powerbi/api/Dataset.Read.All https://analysis.windows.net/powerbi/api/Dataset.ReadWrite.All https://analysis.windows.net/powerbi/api/Workspace.Read.All https://analysis.windows.net/powerbi/api/Workspace.ReadWrite.All""
expires_in:5166
ext_expires_in:5166
access_token:"eyJ0eXWGZAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCQWDI6Imwzc1EtNTBjQ0g0eEJWWkxIVEd3blNSNzY4MCIsImtpZCI6Imwzc1EtNTBjQ0g0eEJWWkxIVEd3blNSNzY4MCJ9.eyJhdWQXXXXXXXXXXXGFzZXQuUXXXXXXmVhZFdyaX...
refresh_token:"0.ATwAjlTXXXXXXXGg3--XXXXX-XX...
expires_on:1639504569
 
Some additional information:
If I use the token from the API playground (try it - https://docs.microsoft.com/de-de/rest/api/power-bi/datasets/get-datasets ), I can use the API with the rest of my software.
The Azure AD account I'm testing this with is:
- power bi pro
- global admin
- owns workspaces
- owns datasets
 
 
Now my problem:
If I use this provided access_token at Power BI API v1, for example requesting https://api.powerbi.com/v1.0/myorg/datasets/, I'm getting a 403 Forbidden response. Does anybody know where I'm doing something wrong? I'm using an Azure multitenant app in a similar way to allow people to push data to their OneDrive...
 
Thanks in advance!
 
 
 
 
 
 
 
 
1 ACCEPTED SOLUTION
albrej
Regular Visitor

I found the solution.

If anyone faces the same problem - here is what I did:

Since I'm using "Accounts in any organizational directory (Any Azure AD directory - Multitenant)", the correct authentication endpoint is /organizations/ and not /common/.

(I used the same URL part - common - like I did with my service for OneDrive, but my connection to PBI is only intended for organizational accounts and not for 'all' kinds of accounts.)

It is essential to use the correct endpoint for the corresponding setting in the Azure AD app:

You can look it up here. https://docs.microsoft.com/de-de/azure/active-directory/develop/active-directory-v2-protocols#endpoi... 
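Added example, not part of the original thread and not the poster's code: a Python sketch that builds the authorize URL against `/organizations/` as the accepted answer describes, and decodes an access token's payload to check the `aud` and `scp` claims when the Power BI API answers 403. The function names, the placeholder client ID and redirect URI, the expected audience value (taken from the scope prefix in the post) and the short scope names in `scp` are assumptions.

```python
import base64, json, secrets
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
PBI = "https://analysis.windows.net/powerbi/api"   # scope prefix shown in the post
SCOPES = [f"{PBI}/Dataset.ReadWrite.All", f"{PBI}/Workspace.Read.All"]

def authorize_url(client_id, redirect_uri, tenant="organizations"):
    """Return (url, state) for the v2.0 authorization-code flow."""
    if tenant in ("common", "consumers"):
        # Per the accepted answer: a work/school-only app must not use /common/.
        raise ValueError("use 'organizations' or a tenant ID for this app")
    state = secrets.token_urlsafe(16)   # keep in the session, compare on redirect
    query = urlencode({
        "client_id": client_id, "response_type": "code",
        "redirect_uri": redirect_uri, "scope": " ".join(SCOPES),
        "prompt": "consent", "state": state,
    })
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{query}", state

def jwt_claims(token):
    """Decode the payload segment only. No signature check: diagnostics, not auth."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)            # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, needed=("Dataset.ReadWrite.All",)):
    """List reasons the API might reject this token (empty list = none found)."""
    claims, problems = jwt_claims(token), []
    if str(claims.get("aud", "")).rstrip("/") != PBI:
        problems.append(f"aud is {claims.get('aud')!r}, expected {PBI!r}")
    missing = set(needed) - set(str(claims.get("scp", "")).split())
    if missing:
        problems.append(f"scp lacks {sorted(missing)}")
    return problems

def _fake_token(claims):
    """Constructed, unsigned sample token used only for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    # Placeholder client ID and redirect URI, not values from the thread.
    url, _ = authorize_url("00000000-0000-0000-0000-000000000000", "https://app.example/cb")
    print(url)
    print(diagnose(_fake_token({"aud": "https://graph.microsoft.com", "scp": "User.Read"})))
```

Never log or paste real access or refresh tokens while debugging; decode them locally as above.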
