We are working on Power BI reports. The data is fetched once a day from an ASP.NET Core Web API we developed. OAuth2 was used as an authentication framework in the .NET Core application, which worked fine since it was tested with Swagger.
We want to authenticate Power BI in the .NET Core application. We don't want to embed Power BI in a web page. Our problem is authenticating Power BI requests in the .NET Core API endpoint. It can be done in various ways:
Basic Authentication
Previously, the authentication was done with basic authentication (username and password), which worked fine. But now, we plan to make it more secure.
Service Principal
We think using the service principal is the right approach for our case. I assume that authentication with service principal in Power BI uses OAuth2 client credentials flow behind the scenes.
We configured the service principal in the Power BI Web app in the following way:
Power BI => Workspace => Semantic Model => Settings => Data Source Credentials => Edit Credentials
Also, we added app registration as a security group in Power BI with Admin permissions:
As you can see, the security group with app registration and the app registration itself were added to the workspace with Admin permissions.
When we want to configure authentication for Power BI to access the ASP.NET Core Web API as a service principal, we get the following error:
Failed to update data source credentials.
How can we solve the problem of not being able to authenticate Power BI as a service principal in the ASP.NET Core Web API?
I assume we didn't provide enough info to Power BI, because Power BI doesn't ask for other info, like scope and URL for OAuth2 token. So I didn't tell Power BI that this is the URL where to generate a token:
https://login.microsoftonline.com/azure-tenant-guid/oauth2/v2.0/token
For OAuth2 the scope is also important, which is the following format: api://***********/.default
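The client credentials flow the post refers to, as an added example that is not part of the original post or of any project's code: it builds the token request for the endpoint and `/.default` scope format quoted above, and lists the claim checks an API can apply to the resulting app-only token. It assumes the API registration issues v2.0 access tokens; every GUID, the role name and the function names are constructed placeholders.

```python
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

# Constructed sample values (placeholders, not taken from the post).
TENANT = "00000000-0000-0000-0000-0000000000aa"
API_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
SP_CLIENT_ID = "22222222-2222-2222-2222-222222222222"
ROLE = "Reports.Read"  # hypothetical app role defined on the API registration

def build_token_request(tenant, client_id, client_secret, app_id_uri):
    """Return (url, form_body) for a client credentials token request."""
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{app_id_uri}/.default",  # app-only requests use /.default
    })
    return url, body

def reject_reasons(claims, tenant, audiences, allowed_clients, role):
    """Claim checks for an app-only token; an empty list means accept.

    `claims` must come from a token whose signature and lifetime were
    already validated by the JWT library or middleware.
    """
    reasons = []
    if claims.get("aud") not in audiences:
        reasons.append("aud")
    if claims.get("tid") != tenant or claims.get("iss") != f"{AUTHORITY}/{tenant}/v2.0":
        reasons.append("issuer")
    if claims.get("azp") not in allowed_clients:
        reasons.append("client")
    if role not in claims.get("roles", []):
        reasons.append("role")
    if "scp" in claims:  # delegated (user) token, not a service principal
        reasons.append("delegated")
    return reasons

SAMPLE_CLAIMS = {  # constructed, shaped like a v2.0 app-only access token
    "aud": API_CLIENT_ID,
    "iss": f"{AUTHORITY}/{TENANT}/v2.0",
    "tid": TENANT,
    "azp": SP_CLIENT_ID,
    "roles": [ROLE],
}
```

The form body is what a service principal POSTs to the token URL; a caller that cannot supply the scope and token endpoint has no way to obtain a token the API would accept.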
Hi, @vers
Based on the error information you provided, the error code is 400, which usually indicates that the request is invalid. You may need to go into the Power BI admin portal first, make sure that the setting Allow service principals to use the Power BI APIs is enabled, and that the service principals are added to the workspace and have admin permissions.
By the way, check whether the App registration is multi-tenant or single-tenant in the Azure portal, and generally choose the second one.
Best Regards
Yongkang Hua
If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.