Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

Reply
albrej
Regular Visitor

Push Datasets to PBI via multi tenant azure application with oauth2 auth 403 forbidden

‎12-14-2021 09:21 AM

I am developing a web application in which i want to allow users to push their data from the application to a power bi dataset (e.g. on their power bi work account).

Therefore i did the following:

 

I registered an azure ad application (Accounts in any organizational directory (Any Azure AD directory - Multitenant).

For authentication, i redirect a user to https://login.microsoftonline.com/common/oauth2/v2.0/authorize  and add the corresponding redirect_uri, scopes, client_id, prompt=consent and response_type=code to the URL.

The scopes are: 

 This looks like: 
&redirect_uri=XXX
&response_type=code
&prompt=consent
&state=XXXX
 
The scopes are defined in the azure application, too, besides im not sure if that is even necessary since I'm using the v2.0 endpoint here.
 
After this step, i fetch the access token by posting the grant_token/code  to https://login.microsoftonline.com/common/oauth2/v2.0/token . The post parameters consist of the following values: grant_type=authorization_code, client_id=from the application, client_secret=secret from the application, code=grant_token from the redirect, scope=scopes as listed above, redirect_uri
 
The response i get is an access token, looking like (actual tokens are a little anonymized, i just did it like 15 minutes ago):
token_type:"Bearer"
scope:""https://analysis.windows.net/powerbi/api/Dataset.Read.All https://analysis.windows.net/powerbi/api/Dataset.ReadWrite.All https://analysis.windows.net/powerbi/api/Workspace.Read.All https://analysis.windows.net/powerbi/api/Workspace.ReadWrite.All""
expires_in:5166
ext_expires_in:5166
access_token:"eyJ0eXWGZAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCQWDI6Imwzc1EtNTBjQ0g0eEJWWkxIVEd3blNSNzY4MCIsImtpZCI6Imwzc1EtNTBjQ0g0eEJWWkxIVEd3blNSNzY4MCJ9.eyJhdWQXXXXXXXXXXXGFzZXQuUXXXXXXmVhZFdyaX...
refresh_token:"0.ATwAjlTXXXXXXXGg3--XXXXX-XX...
expires_on:1639504569
 
Some additional information:
If i use the token from the api playground (try it - https://docs.microsoft.com/de-de/rest/api/power-bi/datasets/get-datasets ), i can use the api with the rest of my software..
 The azure ad account im testing this with is:
- power bi pro
- global admin
- owns workspaces
- owns datasets
 
 
Now my problem:
If i use this provided access_token at powerbi api v1, for example requesting https://api.powerbi.com/v1.0/myorg/datasets/  im getting a 403 Forbidden response. Does anybody know where im doing something wrong? Im using a azure multitenant app in a similar way to allow people push data to their onedrive...
 
Thanks in advance!
 
 
 
 
 
 
 
 
Labels:
Message 1 of 2
582 Views
0
1 ACCEPTED SOLUTION
albrej
Regular Visitor

‎12-15-2021 02:36 AM

I found the solution.

If anyone faces the same problem - here is what i did:

Since im using "Accounts in any organizational directory (Any Azure AD directory - Multitenant), the correct authentication endpoint is /organizations/ and not /common/. 

(i used the same url part - common - like i did with my service for OneDrive.. but my connection to PBI is only intendet for organizational accounts and not for 'all' kinds of accounts)

 

It is essential to use the correct endpoint for the corresponding setting in the azure ad app:

You can look it up here. https://docs.microsoft.com/de-de/azure/active-directory/develop/active-directory-v2-protocols#endpoi... 

View solution in original post

Message 2 of 2
482 Views
0
1 REPLY 1
albrej
Regular Visitor

‎12-15-2021 02:36 AM

I found the solution.

If anyone faces the same problem - here is what i did:

Since im using "Accounts in any organizational directory (Any Azure AD directory - Multitenant), the correct authentication endpoint is /organizations/ and not /common/. 

(i used the same url part - common - like i did with my service for OneDrive.. but my connection to PBI is only intendet for organizational accounts and not for 'all' kinds of accounts)

 

It is essential to use the correct endpoint for the corresponding setting in the azure ad app:

You can look it up here. https://docs.microsoft.com/de-de/azure/active-directory/develop/active-directory-v2-protocols#endpoi... 

Message 2 of 2
483 Views
0

Helpful resources

Announcements
July PBI25 Carousel

Power BI Monthly Update - July 2025

Check out the July 2025 Power BI update to learn about new features.

Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All