Solved: Use logged-in user and app registration with deleg...

jufoga · ‎04-22-2025

The goal is to have reports that have:

-Registration app with delegated permissions hardcoded as parameter (id and secret) in order to use it in queries or whatever is possible.

-A user logs into Power BI with 2fa

-The report use the Graph API and will bring the data that the user is allowed to see when using the registration app with delegated permissions.

Is this possible out of the box or it is really necesary to create a custom connector for api graph?

It would be like doing this thing (powershell):

$body = @{

Grant_Type = "password"

resource = "https://graph.microsoft.com"

client_id = "xxxx"

client_secret = "xxxx"

username = "xxxx"

password = "xxxx"

}

But getting credentials from logged user, no matter if out of the box or using power query

v-venuppu · ‎04-23-2025

Hi @jufoga ,

Thank you for reaching out to Microsoft Fabric Community.

To address your question:

Is this possible out of the box.?

Partially, but not fully out-of-the-box with native Power BI and Power Query alone. Here's why:

1.Power BI does support Microsoft Graph via custom connectors or API calls using Power Query (M language), but:

Delegated permissions require an interactive login flow for the signed-in user.

Power BI service does not allow interactive authentication in refresh scenarios (e.g., MFA prompts or acquiring tokens interactively).

2.You cannot use a client secret with delegated permissions in Power BI directly. That’s more suited for application permissions, which don’t consider the logged-in user's context.

it is really necesary to create a custom connector for api graph?

To meet your requirements (i.e., using delegated permissions tied to the logged-in Power BI user):

Build a custom connector in Power Query SDK (Visual Studio Code).
Use OAuth2 with the Authorization Code Flow, which supports MFA.
Use delegated permissions in your App Registration.
Power BI Desktop allows the user to sign in, and the connector can retrieve the access token using the logged-in identity.
When publishing to Power BI Service, configure OAuth credentials in the data source settings (under Gateway if required).

Using Resource Owner Password Credential (ROPC) flow like in your PowerShell example is discouraged:

Doesn't support MFA.
Microsoft recommends against it for security reasons.
Not supported in Power BI environments that require MFA.

If this post helps, then please consider Accepting as solution to help the other members find it more quickly, don't forget to give a "Kudos" – I’d truly appreciate it!

Thank you.

View solution in original post

v-pgoloju · ‎04-27-2025

Hi @jufoga,

Thank you for reaching out to the Microsoft Fabric Forum Community.

Power BI does not automatically allow the use of the logged-in user's credentials to call Microsoft Graph API unless OAuth is explicitly handled within Power Query. While it's technically possible, the recommended approach is to create a custom connector that manages OAuth 2.0 delegated permissions properly. The Resource Owner Password Credentials (ROPC) flow, which uses username and password directly, is not suitable because it does not support multi-factor authentication (2FA). Therefore, building a custom connector is necessary to securely authenticate the user and access data from Graph API based on their permissions.

Thank you & regards,
Prasanna Kumar

View solution in original post

v-venuppu · ‎05-01-2025

Hi @jufoga ,

I wanted to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions. If my response has addressed your query, please accept it as a solution and give a 'Kudos' so other members can easily find it.

Thank you.

v-venuppu · ‎04-28-2025

Hi @jufoga ,

May I ask if you have resolved this issue? If so, please mark the helpful reply and accept it as the solution. This will be helpful for other community members who have similar problems to solve it faster.

Thank you.

jufoga · ‎04-22-2025

Hi,

The goal is to have reports that have:

-Registration app with delegated permissions hardcoded as parameter (id and secret) in order to use it in queries or whatever is possible.

-A user logs into Power BI with 2fa

-The report use the Graph API and will bring the data that the user is allowed to see when using the registration app with delegated permissions.

Is this possible out of the box or it is really necesary to create a custom connector for api graph?

It would be like doing this thing (powershell):

$body = @{

Grant_Type = "password"

resource = "https://graph.microsoft.com"

client_id = "xxxx"

client_secret = "xxxx"

username = "xxxx"

password = "xxxx"

}

But getting credentials from logged user, no matter if out of the box or using power query

v-pgoloju · ‎04-27-2025

Hi @jufoga,

Thank you for reaching out to the Microsoft Fabric Forum Community.

Power BI does not automatically allow the use of the logged-in user's credentials to call Microsoft Graph API unless OAuth is explicitly handled within Power Query. While it's technically possible, the recommended approach is to create a custom connector that manages OAuth 2.0 delegated permissions properly. The Resource Owner Password Credentials (ROPC) flow, which uses username and password directly, is not suitable because it does not support multi-factor authentication (2FA). Therefore, building a custom connector is necessary to securely authenticate the user and access data from Graph API based on their permissions.

Thank you & regards,
Prasanna Kumar

v-venuppu · ‎04-23-2025

Hi @jufoga ,

Thank you for reaching out to Microsoft Fabric Community.

To address your question:

Is this possible out of the box.?

Partially, but not fully out-of-the-box with native Power BI and Power Query alone. Here's why:

1.Power BI does support Microsoft Graph via custom connectors or API calls using Power Query (M language), but:

Delegated permissions require an interactive login flow for the signed-in user.

Power BI service does not allow interactive authentication in refresh scenarios (e.g., MFA prompts or acquiring tokens interactively).

2.You cannot use a client secret with delegated permissions in Power BI directly. That’s more suited for application permissions, which don’t consider the logged-in user's context.

it is really necesary to create a custom connector for api graph?

To meet your requirements (i.e., using delegated permissions tied to the logged-in Power BI user):

Build a custom connector in Power Query SDK (Visual Studio Code).
Use OAuth2 with the Authorization Code Flow, which supports MFA.
Use delegated permissions in your App Registration.
Power BI Desktop allows the user to sign in, and the connector can retrieve the access token using the logged-in identity.
When publishing to Power BI Service, configure OAuth credentials in the data source settings (under Gateway if required).

Using Resource Owner Password Credential (ROPC) flow like in your PowerShell example is discouraged:

Doesn't support MFA.
Microsoft recommends against it for security reasons.
Not supported in Power BI environments that require MFA.

If this post helps, then please consider Accepting as solution to help the other members find it more quickly, don't forget to give a "Kudos" – I’d truly appreciate it!

Thank you.

v-venuppu · ‎05-04-2025

Hi @jufoga ,

I hope this information is helpful. Please let me know if you have any further questions or if you'd like to discuss this further. If this answers your question, please accept it as a solution and give it a 'Kudos' so other community members with similar problems can find a solution faster.

Thank you.