Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started

Error getting OData from Microsoft Graph: Access to the resource is forbidden

Hello,

 

I am getting an error "Access to the resource is forbidden" when trying to access Microsoft Graph in Power BI Desktop report.

Microsoft Graph URL is https://graph.microsoft.com/v1.0/devices

I am logging in using Organization Account.

I have Global Admin role in the tenant.

 

The report was working normally for months, but stopped since yesterday.

I even tried creating new one - same result.

Accessing the same URL from Graph Explorer works fine.

 

What could actually impact this kind of error?

Status: New
Comments
jevgenijmart
Regular Visitor

I turned off Privacy settings in options and now I am getting same "Access to the resource is forbidden" error 😞

blittle
Regular Visitor

We are experiencing the same issue and this is extremely frustrating.  We have a PowerBI report that takes user information from Graph and ties it together with Application Insights activity information from a SharePoint site.  This is a report that worked fantastic as we never had a way to surface user information from a SharePoint site.  The report was so good we were going to template it for all our large SharePoint sites to help meausre adoption and validity of sites.

 

If Microsoft doesn't fix this then we aren't sure what we'll do for an Analytics solution since this was a huge help with understand which locations were access a SharePoint site, which weren't, in turn this helped sell the benefits of SharePoint to our Partners so we could get more buy in for a larger corporate intranet or more sites.

 

Access Forbidden.PNG

 

 

 

christoffeldg
Helper I

This is an issue, Microsoft can't just suddenly remove a feature people have been using for so long.

 

What trust can we have in a reliable service if that's the case?

 

Must we be scared that all our graph/Power BI applications will suddenly stop working tomorrow? Not a great message for customers.

ergore
Regular Visitor

As @v-qiuyu-msft mentioned earlier, Graph has some custom Auth requirements beyond the usual "Organization Account" login. Even before, most scenarios would encounter this. My own observations from a few months ago were that while the top-level "me" resource and a small number of resources reachable from that worked, the vast majority of resources have always produced this error. Something must have changed on Graph's side for all resources to be producing this error now.

 

Getting Power BI to use a custom Auth flow is possible by creating a custom Data Connector. We actually have a tutorial specifically for creating a basic sample Graph connector. If you are interested in a dedicated Graph connector, feel free to upvote the idea on UserVoice

christoffeldg
Helper I

@ergore 

Actually, that's exactly the reason why this should work. Because this function was scoped for users it was possible to delegate this to them, instead of forcing us in managing many app registrations for simple read access requests.

 

Perhaps in smaller companies this is not a big issue. However, we have a tenant of 200 000 users. Any change you make, no matter how slightly, will have massive impact. 

 

Even if it was a mistake to allow it, please don't change functionality on a whim and at least inform in advance so this is properly communicated.

ergore
Regular Visitor

To clarify, no functionality related to this was changed in Power BI; something must have changed in Graph. I'm not sure what you mean by the function being scoped for users. My understanding was that a Graph application has to explicitly request specific permissions at authentication time, and this is what gets delegated to users when they login. Since the generic OData connector wouldn't know to do that, there wouldn't be anything to delegate. I'm not aware of any way to request additional permissions in Graph without changing the client application; I would be surprised if one existed.

blittle
Regular Visitor

We'll, we've been running this report since August 2017 without any issues and as of a few weeks ago I wasn't able to connect to graph using my personal credentials and I could before, so I'm not sure what changed and where it changed. 

 

Anonymous
Not applicable

@ergore i appreciate your help.. Only issue is, I am not a developer, i used to be able to connect to graph with provided tooling.. Now i need to learn a LOT of new technology, new paradigms, fundamentals to coding and programming, auth flows etc just to connect and get some basic info..

 

crap.. microsoft.. crap..

jevgenijmart
Regular Visitor

I ended up creating PowerShell script, which downloads required info, saves it to CSV file and then I use CSV file in Power BI instead of direct connection to Graph API.

 

Apparently scheduled script can successfully authenticate to Graph API using saved credentials, but Power BI has "auth challenges", even in Dekstop mode.

christoffeldg
Helper I

@ergore

What I meant with user scoped is that any user could access this data without following a formal process to receive an app id. Which is, as you imagine for big companies that use a single tenant, not so straightforward.

 

Anyway, from your message I understood this is not the right board to request this to be fixed but we should request graph api support for help?