Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Get certified in Microsoft Fabric—for free! For a limited time, the Microsoft Fabric Community team will be offering free DP-600 exam vouchers. Prepare now

Reply
piper
Frequent Visitor

Disabling multi factor authentication for power bi

‎05-12-2020 09:47 AM

Hi All,

 

I am new to power BI, and have purchased power bi pro account for some POC. However, a multi-factor authentication got enabled when I registered my cell/phone number with Azure/PowerBI.

 

However, now, I am not able to generate the access token for using power BI rest apis. We have written lot of code to automate few things w.r.t power bi, and I don't want all of that to go in vain.

 

I am getting following msg while generating token:

 

AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000009-0000-0000-c000-000000000000'

 

Can anyone please help how to disable MFA for user?

Labels:
Message 1 of 12
25,339 Views
1 ACCEPTED SOLUTION
v-deddai1-msft
Community Support
Community Support
In response to piper

‎05-12-2020 10:53 PM

Hi @piper ,

 

The request requires the user to do multi-factor authentication and then send this new token back to Web API 1 and complete the on-behalf-of flow. MFA was enabled by triggering a rule if some action (e.g. sudden location change) was treated as "risky activity". For an account there is a "moved to a new location" flag that can get set, automatically triggering the need for MFA, even if it was initially off.

 

Please check the conditional access locations in Azure AD and check if your AAD admin can clear the flag. Disable MFA for the account or configure conditional access to give access to "Global Admin" role.

 

Please find additional info in the following articles:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-location...

https://docs.microsoft.com/en-us/azure/active-directory/develop/conditional-access-dev-guide

https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authent...

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

Best Regards,

Dedmon Dai

View solution in original post

Message 4 of 12
25,306 Views
0
11 REPLIES 11
iabrani
New Member

‎01-05-2022 06:43 AM

Found a solution.   Created a Service account with Power Bi portal admin and have this service account to be excluded from the nightly process that forces the MFA the next day.

 

Log in to the Power Bi Portal under this service account and recreate the subscription under this login.  This is working for my organization so far.

Message 11 of 12
18,505 Views
0
EduardD
Helper II
Helper II
In response to iabrani

9 hours ago

@iabrani  could you please elaborate on your approach? Why it forces MFA only next day? You mentioned subscriptions? what subscriptions are those? email report export ones?

@piper I wonder if you found a solution. I have a similair issue: Automate export to PDF for paginated without servi... - Microsoft Fabric Community

Message 12 of 12
8 Views
0
nickyvv
Most Valuable Professional
Most Valuable Professional

‎05-12-2020 09:53 AM
Hi @piper,

maybe you can use a Service Principal to use with automating things around the REST API?
https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal


Did I answer your question? Mark my post as a solution!

Blog: nickyvv.com | @NickyvV


Message 2 of 12
25,336 Views
0
piper
Frequent Visitor
In response to nickyvv

‎05-12-2020 11:00 AM

Thanks @nickyvv for your response.

 

Currently, for every new client, we are creating new workspace/group via REST apis. This is required to clone reports to entirely new workspace dedicated for a client.

There are few limitations for using service principal, which are provided on same link which you have shared, like following one:

 

"Embed for your organization applications can't use service principal."

 

I am not sure, but with this, I think I won't be able to generate embed token for reports.

 

I had tried service principal approach in past for powerbi rest api, before going for powerBi pro, and it hadn't work earlier.

I will try it again, and update back.

 

Meanwhile, do you think if there is any way to either disable MFA or get access token silently with MFA?

Message 3 of 12
25,322 Views
0
v-deddai1-msft
Community Support
Community Support
In response to piper

‎05-12-2020 10:53 PM

Hi @piper ,

 

The request requires the user to do multi-factor authentication and then send this new token back to Web API 1 and complete the on-behalf-of flow. MFA was enabled by triggering a rule if some action (e.g. sudden location change) was treated as "risky activity". For an account there is a "moved to a new location" flag that can get set, automatically triggering the need for MFA, even if it was initially off.

 

Please check the conditional access locations in Azure AD and check if your AAD admin can clear the flag. Disable MFA for the account or configure conditional access to give access to "Global Admin" role.

 

Please find additional info in the following articles:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-location...

https://docs.microsoft.com/en-us/azure/active-directory/develop/conditional-access-dev-guide

https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authent...

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

Best Regards,

Dedmon Dai

Message 4 of 12
25,307 Views
0
piper
Frequent Visitor
In response to v-deddai1-msft

‎05-13-2020 01:54 AM

Thanks @v-deddai1-msft .

 

I have followed steps outlined here :https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-aut...

 

And, have disabled default security measures. I understand this is bit risky as per security, but it has unblocked me for now.

I was able to get access token for powerbi rest api.

 

Once POC completes, I will go through shared links in detail, to setup conditional access.

Message 5 of 12
25,299 Views
0
KarlOnEarth
Frequent Visitor
In response to piper

‎08-02-2020 04:18 PM

G'day @piper ,

Did you ever 

@piper wrote:

... go through shared links in detail, to setup conditional access.

I am facing the issue of MFA, I turned on MFA for the accont that I use to refresh data and now my refreshes are failing. From the documentation @v-deddai1-msft quoted here: 

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-location...

it appears one will need to specify a range of IP addresses for the Power BI service servers. Is that what you did?

Message 7 of 12
24,990 Views
0
KarlOnEarth
Frequent Visitor
In response to KarlOnEarth

‎08-02-2020 05:50 PM

Actually I think I have solved it for my installation. It may have been that I just had to re-send my SharePoint credentials in the Power BI admin console. I had been into the AD conditional policy and specifically Excluded the Power BI Service but it was still failing. After a while I noticed a message in the Power BI Datasets area that some credentials needed to be updated; the ones for SharePoint data source. I re-entered those and it sprang back into life for me, I am now doing scheduled refreshes again with MFA turned on.

Message 8 of 12
24,981 Views
jessica-ko
Advocate I
Advocate I
In response to KarlOnEarth

‎04-12-2023 01:43 AM

@KarlOnEarth I did the same thing as you, but noticed it still fails once Im logged out/inactive of my profile. I always need to add my credentials everytime. Are you experiencing this also? 

 

 

Message 9 of 12
10,077 Views
0
KarlOnEarth
Frequent Visitor
In response to jessica-ko

‎04-12-2023 03:38 PM

@jessica-ko no it is all working fine for me now that I re-authenticated. Sorry I'm not able to give any further guidance.

Message 10 of 12
10,024 Views
0
v-deddai1-msft
Community Support
Community Support
In response to piper

‎05-13-2020 02:30 AM

Hi @piper ,

 

If my post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

Best Regards,

Dedmon Dai

Message 6 of 12
25,292 Views

Helpful resources

Announcements
OCT PBI Update Carousel

Power BI Monthly Update - October 2024

Check out the October 2024 Power BI update to learn about new features.

September Hackathon Carousel

Microsoft Fabric & AI Learning Hackathon

Learn from experts, get hands-on experience, and win awesome prizes.

October NL Carousel

Fabric Community Update - October 2024

Find out what's new and trending in the Fabric Community.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All