Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

We've captured the moments from FabCon & SQLCon that everyone is talking about, and we are bringing them to the community, live and on-demand. Starts on April 14th. Register now

Reply
Anonymous
Not applicable

Generate Embed Token using Service Principle Account

‎11-26-2020 03:29 AM

Hi Team, 

 

I already have done all this steps:

  1. I have my Tenant account properly setup in Azure - Done
  2. Allow Service Principal to use the API Services. - Done
  3. Add Tenant account to the Security groups with all privilages to read and write.-  Done
  4. Add the Account to the Workspace as an Admin. - Done

I was successfully able to authenticate with powerbi client and get the Token Using PowerBI Rest API i was able to get the list of reports in the Workspa,but when I try to get the report (client.Reports.GenerateTokenInGroupAsync) I got the next error: "

Operation returned an invalid status code 'Forbidden'"
 
Below is my code Snippet:
To authenticate to Power BI using SPN 

public PowerBIClient GetPowerBIClient(PowerBiSettings powerBiSettings)
{

Console.WriteLine("Creating an instance of the Client App with the Client Secret.");
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
.Create(powerBiSettings.PowerBIClientId.ToString())
.WithClientSecret(powerBiSettings.PowerBIClientSecret)
.WithAuthority(new Uri($"https://login.microsoftonline.com/{powerBiSettings.PowerBIAppTenantId.ToString()}"))
.Build();

// Use .default to get all the permissions available (those configured in AAD for this app)
string[] scopes = new string[] { $"{powerBiSettings.ResourceUrl}/.default" };

Microsoft.Identity.Client.AuthenticationResult result = null;
try
{
Console.WriteLine("Aquiring the bearer token using the Client App");
result = app.AcquireTokenForClient(scopes).ExecuteAsync().Result;
}
catch (MsalUiRequiredException ex)
{
// The application doesn't have sufficient permissions.
// - Did you declare enough app permissions during app creation?
// - Did the tenant admin grant permissions to the application?
Console.WriteLine("Exception - MsalUiRequired: " + ex.Message);
}
catch (MsalServiceException ex) when (ex.Message.Contains("AADSTS70011"))
{
// Invalid scope. The scope has to be in the form "https://resourceurl/.default"
// Mitigation: Change the scope to be as expected.
Console.WriteLine("Exception - MsalService: " + ex.Message);
}
catch (Exception ex)
{
Console.WriteLine("Error: " + ex.Message);
}

Console.WriteLine($"Obtained App-Only Access Token:\n{result.AccessToken}\n");
var tokenCredentials = new TokenCredentials(result.AccessToken, "Bearer");

Console.WriteLine("Creating the new Power BU client using the new bearer token.");
var _powerBIClient = new PowerBIClient(new Uri(powerBiSettings.ApiUrl), tokenCredentials);

return _powerBIClient;
}

 

To Generate the Embed Token : 

var reports = client.Reports.GetReportsInGroupAsync(powerBiUserAccess.WorkspaceId).Result;

Microsoft.PowerBI.Api.V2.Models.Report report = null;
if (!string.IsNullOrEmpty(reportId))
{
report = reports.Value.FirstOrDefault(r => r.Id == reportId);
if (report == null)
{
_logger.Error("No report found matching the ID provided. ReportId: {0}", reportId);
throw new IdInvalidException("No report found matching the ID provided.");
}
}
else
{
_logger.Error("No report ID provided.");
throw new IdMissingException("No report ID provided.");
}

GenerateTokenRequest generateTokenRequestParameters;

string accessLevel = Constants.PowerBiEmbeddedAccessType.View;
if (!string.IsNullOrEmpty(powerBiUserAccess.AccessLevel)
&& powerBiUserAccess.AccessLevel.ToLower() == Constants.TenantAccessRoles.Contributor)
{
accessLevel = Constants.PowerBiEmbeddedAccessType.View;
}

_logger.Trace("Generate Embed Token for Reports");
// Generate Embed Token for reports without effective identities.
generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: accessLevel);

EmbedToken tokenResponse = null;
try
{
_logger.Trace("Generate token in group.");
tokenResponse = client.Reports.GenerateTokenInGroup(powerBiUserAccess.WorkspaceId, report.Id, generateTokenRequestParameters);
}

 

After sometime, we are facing the below issue when Embed toke is being generated.

govardhanams_0-1606390129085.png

 

Please do the needful.

 

Thanks,

Swathi

 
Labels:
Message 1 of 2
1,459 Views
0
1 REPLY 1
Anonymous
Not applicable

‎11-29-2020 05:56 PM

Hi @Anonymous ,

 

Please try to select all the permission for PowerBI service...Or you could take a look at these for reference.

 

https://community.powerbi.com/t5/Developer/Generate-PowerBI-Embed-Token-gives-me-Forbidden-500-Internal/m-p/242526

https://community.powerbi.com/t5/Developer/Operation-returned-an-invalid-status-code-Forbidden/m-p/372894

https://community.powerbi.com/t5/Developer/Power-BI-Embedded-RLS-How-do-I-get-it-to-work/m-p/240359

 

Did I answer your question ? Please mark my reply as solution. Thank you very much.

 

Best Regards,
Eyelyn Qin

Message 2 of 2
1,405 Views
0

Helpful resources

Announcements
New to Fabric survey Carousel

New to Fabric Survey

If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.

Power BI DataViz World Championships carousel

Power BI DataViz World Championships - June 2026

A new Power BI DataViz World Championship is coming this June! Don't miss out on submitting your entry.

Join our Fabric User Panel

Join our Fabric User Panel

Share feedback directly with Fabric product managers, participate in targeted research studies and influence the Fabric roadmap.

March Power BI Update Carousel

Power BI Community Update - March 2026

Check out the March 2026 Power BI update to learn about new features.

View All
Top Solution Authors
View All