Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Shape the future of the Fabric Community! Your insights matter. That’s why we created a quick survey to learn about your experience finding answers to technical questions. Take survey.

Reply
piper
Frequent Visitor

Disabling multi factor authentication for power bi

Hi All,

 

I am new to power BI, and have purchased power bi pro account for some POC. However, a multi-factor authentication got enabled when I registered my cell/phone number with Azure/PowerBI.

 

However, now, I am not able to generate the access token for using power BI rest apis. We have written lot of code to automate few things w.r.t power bi, and I don't want all of that to go in vain.

 

I am getting following msg while generating token:

 

AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000009-0000-0000-c000-000000000000'

 

Can anyone please help how to disable MFA for user?

1 ACCEPTED SOLUTION

Hi @piper ,

 

The request requires the user to do multi-factor authentication and then send this new token back to Web API 1 and complete the on-behalf-of flow. MFA was enabled by triggering a rule if some action (e.g. sudden location change) was treated as "risky activity". For an account there is a "moved to a new location" flag that can get set, automatically triggering the need for MFA, even if it was initially off.

 

Please check the conditional access locations in Azure AD and check if your AAD admin can clear the flag. Disable MFA for the account or configure conditional access to give access to "Global Admin" role.

 

Please find additional info in the following articles:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-location...

https://docs.microsoft.com/en-us/azure/active-directory/develop/conditional-access-dev-guide

https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authent...

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

Best Regards,

Dedmon Dai

View solution in original post

11 REPLIES 11
iabrani
New Member

Found a solution.   Created a Service account with Power Bi portal admin and have this service account to be excluded from the nightly process that forces the MFA the next day.

 

Log in to the Power Bi Portal under this service account and recreate the subscription under this login.  This is working for my organization so far.

@iabrani  could you please elaborate on your approach? Why it forces MFA only next day? You mentioned subscriptions? what subscriptions are those? email report export ones?

@piper I wonder if you found a solution. I have a similair issue: Automate export to PDF for paginated without servi... - Microsoft Fabric Community

nickyvv
Most Valuable Professional
Most Valuable Professional

Hi @piper,

maybe you can use a Service Principal to use with automating things around the REST API?
https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal


Did I answer your question? Mark my post as a solution!

Blog: nickyvv.com | @NickyvV


piper
Frequent Visitor

Thanks @nickyvv for your response.

 

Currently, for every new client, we are creating new workspace/group via REST apis. This is required to clone reports to entirely new workspace dedicated for a client.

There are few limitations for using service principal, which are provided on same link which you have shared, like following one:

 

"Embed for your organization applications can't use service principal."

 

I am not sure, but with this, I think I won't be able to generate embed token for reports.

 

I had tried service principal approach in past for powerbi rest api, before going for powerBi pro, and it hadn't work earlier.

I will try it again, and update back.

 

Meanwhile, do you think if there is any way to either disable MFA or get access token silently with MFA?

Hi @piper ,

 

The request requires the user to do multi-factor authentication and then send this new token back to Web API 1 and complete the on-behalf-of flow. MFA was enabled by triggering a rule if some action (e.g. sudden location change) was treated as "risky activity". For an account there is a "moved to a new location" flag that can get set, automatically triggering the need for MFA, even if it was initially off.

 

Please check the conditional access locations in Azure AD and check if your AAD admin can clear the flag. Disable MFA for the account or configure conditional access to give access to "Global Admin" role.

 

Please find additional info in the following articles:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-location...

https://docs.microsoft.com/en-us/azure/active-directory/develop/conditional-access-dev-guide

https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authent...

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

Best Regards,

Dedmon Dai

Thanks @v-deddai1-msft .

 

I have followed steps outlined here :https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-aut...

 

And, have disabled default security measures. I understand this is bit risky as per security, but it has unblocked me for now.

I was able to get access token for powerbi rest api.

 

Once POC completes, I will go through shared links in detail, to setup conditional access.

G'day @piper ,

Did you ever 


@piper wrote:

... go through shared links in detail, to setup conditional access.


I am facing the issue of MFA, I turned on MFA for the accont that I use to refresh data and now my refreshes are failing. From the documentation @v-deddai1-msft quoted here: 

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-location...

it appears one will need to specify a range of IP addresses for the Power BI service servers. Is that what you did?

Actually I think I have solved it for my installation. It may have been that I just had to re-send my SharePoint credentials in the Power BI admin console. I had been into the AD conditional policy and specifically Excluded the Power BI Service but it was still failing. After a while I noticed a message in the Power BI Datasets area that some credentials needed to be updated; the ones for SharePoint data source. I re-entered those and it sprang back into life for me, I am now doing scheduled refreshes again with MFA turned on.

@KarlOnEarth I did the same thing as you, but noticed it still fails once Im logged out/inactive of my profile. I always need to add my credentials everytime. Are you experiencing this also? 

 

 

@jessica-ko no it is all working fine for me now that I re-authenticated. Sorry I'm not able to give any further guidance.

Hi @piper ,

 

If my post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

Best Regards,

Dedmon Dai

Helpful resources

Announcements
November Carousel

Fabric Community Update - November 2024

Find out what's new and trending in the Fabric Community.

Dec Fabric Community Survey

We want your feedback!

Your insights matter. That’s why we created a quick survey to learn about your experience finding answers to technical questions.

Live Sessions with Fabric DB

Be one of the first to start using Fabric Databases

Starting December 3, join live sessions with database experts and the Fabric product team to learn just how easy it is to get started.