reportmanager
New Member

How do I properly authorize an application to access PowerBI data?

I'm trying to set up a Blazor application that embeds PowerBI reports into a page.

I've been following the [Embed Power BI content with service principal and an application secret tutorial](https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal?tabs=azure-por...) and I am able to set up the [App Owns Data](https://github.com/microsoft/PowerBI-Developer-Samples/tree/master/.NET%20Core/Embed%20for%20your%20...) example successfully.

Now I would like to publish this application so that an Azure admin of another organization in Microsoft Entra can authorize the application and embed one of his reports. Eventually, the user wouldn't have to be signed in, and can delegate a different user (not in his Microsoft Org, but inside the application) to view a report, so I need to authorize the *application* to manage PowerBI data without a signed in user.

There's an example for this use case [here](https://github.com/Azure-Samples/ms-identity-aspnet-daemon-webapp) in .Net Framework. I've also seen the linked examples on that Readme [here](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2) for .Net Core, but all of these examples require a manual user process of creating the service principal in Microsoft Entra, and authorizing that Service Principal in PowerBI.

I was able to register an application in Microsoft Entra (through App Registrations), and was also able to sign into my application as a user from another organization. This creates an "Enterprise Application" inside the user's tenant. Now, when I try to get a token for PowerBI using the clientId of my application, I get an "Unauthorized" message.

Here's the relevant code in my application:

appsettings.json

```json
{
  "AzureAd": {
    "AuthorityUrl": "https://login.microsoftonline.com/organizations/",
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "<domain>", // this is the domain where I registered my app
    "ClientId": "<clientId>", // this is the clientId of the registered app
    "TenantId": "organizations",
    "ScopeBase": ["https://analysis.windows.net/powerbi/api/.default"],
    "ClientSecret": "<secret>", // this is the secret I've added to the registered app
    "CallbackPath": "/signin-oidc"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*"
}
```


```csharp
WebApplicationBuilder? builder = WebApplication.CreateBuilder(args);
builder.Services.Configure<AzureAd>(config.GetSection(key: nameof(AzureAd)));
builder
    .Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(config);

builder
    .Services.AddRazorComponents()
    .AddInteractiveServerComponents()
    .AddMicrosoftIdentityConsentHandler();

builder.Services
    .AddControllersWithViews()
    .AddMicrosoftIdentityUI();
```

I then add the `[Authorize]` attribute to my Blazor component, so when the user tries to access that page, they are prompted to authorize the app. This is where the "Enterprise Application" gets created in the user's tenant in Microsoft Entra. It looks like this successfully creates a service principal, since I can go to PowerBI and add this service principal as an admin of his PowerBI workspace.

However, when I try to generate a token for it:

```csharp

IOptions<AzureAd> options = services.GetRequiredService<IOptions<AzureAd>>();

string tenantSpecificUrl = options.Value.AuthorityUrl?.Replace("organizations", "<MyClientId>") ?? string.Empty;

var clientApp = ConfidentialClientApplicationBuilder
    .Create(options.Value?.ClientId)
    .WithClientSecret(options.Value?.ClientSecret)
    .WithAuthority(tenantSpecificUrl)
    .Build();

AuthenticationResult authenticationResult = clientApp
    .AcquireTokenForClient(options.Value?.ScopeBase)
    .ExecuteAsync()
    .Result;

string token = authenticationResult.AccessToken;
TokenCredentials tokenCredentials = new(token, "Bearer");
var powerBIClient = new PowerBIClient(new Uri("https://api.powerbi.com"), tokenCredentials);

var groups = await powerBIClient.Groups.GetGroupsAsync();

```

I get an Unauthorized message.

I do believe there's something fundamentally wrong with the way I'm doing this, but I cannot find any examples of automatically creating a service principal anywhere.

Any help is much appreciated!

2 REPLIES 2
v-xinc-msft
Community Support

Hi @reportmanager ,

Please check the following considerations and limitations carefully when we use service principal:

  • Not all read-only APIs are supported by service principal. To enable service principal support for read-only admin APIs, enable the Power BI service admin settings in your tenant. For more information, see Enable service principal authentication for read-only admin APIs.
  • When you use service principal with an Azure Analysis Services data source, the service principal itself must have Azure Analysis Services instance permissions. Using a security group that contains the service principal for this purpose doesn't work.

If you have checked but the issue cannot be solved, you could create a support ticket: Power Platform admin center. The professional engineer will contact you and offer you more assistance.

Best regards,

Lucy Chen

If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

 

Poojara_D12
Super User

Hi @reportmanager 

The issue lies in permissions and service principal configuration. Here's what you need to do:

  • Grant Admin Consent: Ensure your application has admin consent for the Power BI Service API permissions (e.g., Tenant.ReadWrite.All, Workspace.Read.All). Do this in Azure Portal for your app registration.
  • Enable Service Principal for Power BI: In Power BI Admin Portal, ensure "Allow service principals to use Power BI APIs" is enabled. Assign your service principal as an admin or member of the target workspace in Power BI.
  • Fix Token URL: Your tenantSpecificUrl should use the tenant ID of the user's organization, not your app's client ID. Replace "<MyClientId>" with the tenant ID of the org you're accessing. If multi-tenant, get the tenant ID dynamically from the user's login info.
  • Enterprise App Authorization: Since the user adds the enterprise app, ensure they complete the Power BI role assignment process. Without it, your app cannot access their resources.

If you follow these steps, your app should get the token and access Power BI resources successfully.

 

Did I answer your question? Mark my post as a solution, this will help others!

If my response(s) assisted you in any way, don't forget to drop me a "Kudos" 🙂

Kind Regards,
Poojara
Data Analyst | MSBI Developer | Power BI Consultant
Please Subscribe my YouTube for Beginners/Advance Concepts: https://youtube.com/@biconcepts?si=04iw9SYI2HN80HKS 
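
The "Fix Token URL" step from the reply above, as an added example that is not code from the original poster or from any reply: it reads the tenant ID from the signed-in user's claims, validates it as a GUID, and uses it in place of `organizations` (or the client ID) in the authority before requesting an app-only token. The class name `CustomerTenantTokenProvider` and the onboarded-tenant allow-list are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example: hypothetical helper, not part of the poster's application.
public sealed class CustomerTenantTokenProvider
{
    private static readonly string[] Scopes = { "https://analysis.windows.net/powerbi/api/.default" };
    private readonly string _clientId;
    private readonly string _clientSecret;
    // Assumption: the app records which customer tenants have completed admin consent.
    private readonly ISet<Guid> _onboardedTenants;

    public CustomerTenantTokenProvider(string clientId, string clientSecret, ISet<Guid> onboardedTenants)
    {
        _clientId = clientId;
        _clientSecret = clientSecret;
        _onboardedTenants = onboardedTenants;
    }

    // Reads the tenant ID claim of the signed-in user; anything that is not a GUID is rejected
    // so that no free-form string is ever interpolated into the authority URL.
    public static Guid GetTenantId(ClaimsPrincipal user)
    {
        string? raw = user.FindFirst("tid")?.Value
            ?? user.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
        if (!Guid.TryParse(raw, out Guid tenantId))
            throw new InvalidOperationException("No valid tenant ID claim on the signed-in user.");
        return tenantId;
    }

    public async Task<string> GetPowerBiTokenAsync(Guid tenantId)
    {
        if (!_onboardedTenants.Contains(tenantId))
            throw new UnauthorizedAccessException($"Tenant {tenantId} has not been onboarded.");

        // Tenant-specific authority: the customer's tenant ID, not "organizations" and not the client ID.
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(_clientId)
            .WithClientSecret(_clientSecret)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}/")
            .Build();

        AuthenticationResult result = await app.AcquireTokenForClient(Scopes).ExecuteAsync();
        return result.AccessToken;
    }
}
```

The returned token is only useful once the service principal in that tenant has been allowed to use the Power BI APIs and added to the target workspace, as the other steps in the reply describe.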