Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Be one of the first to start using Fabric Databases. View on-demand sessions with database experts and the Microsoft product team to learn just how easy it is to get started. Watch now

Reply
jihool3670
Helper I
Helper I

Service principal authentication for Web Connection throws OAuth error

‎08-11-2023 07:04 PM

Hi,

 

I'm trying to replicate the ADF pipeline from this blog which involves connecting to the Power BI/Fabric Admin API (https://api.powerbi.com/v1.0/myorg/admin/). I'm following this documentation to create a Web connection but the connection fails with the error below. It's not clear to me why the error references OAuth when I'm trying to use a service principal.

 

I did notice that when creating a REST linked service in ADF, you have to specify the AAD resource (AAD resource: https://analysis.windows.net/powerbi/api), but that is does not seem possible in Fabric (yet). Perhaps that's the cause of error?

 

Thanks!

Web OAuth Error.png

 

 

 

Labels:
Message 1 of 13
3,648 Views
0
1 ACCEPTED SOLUTION
jihool3670
Helper I
Helper I

‎08-09-2024 02:48 PM

This issue is resolved as the Web V2 connection now allows for service principal auth. For those wondering, the "Token Audience URI" is the same thing as the "AAD Resource" and in this scenario, https://analysis.windows.net/powerbi/api is the correct value for that parameter.

View solution in original post

Message 13 of 13
2,295 Views
0
12 REPLIES 12
jihool3670
Helper I
Helper I

‎08-09-2024 02:48 PM

This issue is resolved as the Web V2 connection now allows for service principal auth. For those wondering, the "Token Audience URI" is the same thing as the "AAD Resource" and in this scenario, https://analysis.windows.net/powerbi/api is the correct value for that parameter.

Message 13 of 13
2,296 Views
0
Lorenz33
Helper III
Helper III

‎08-09-2024 02:48 PM

I was about to log a ticket but see that jihool3670 had the exact same issue a year ago. Has anyone had success in getting this to work?

 

For the past year I have been retrieving Power BI Audit from the Power BI Activity log using Power BI Managememnt cmdlets for Powershell. I ran a Powershell script that that retrieved a days worth of Audit data to a json file and then ran an SSIS package to move the data to an SQL Server database.

 

Our organization now has MS Fabric. I want to utilize the features and update the process to using MS Fabric Data Factory to retrieve Power BI Activity data and move it to a database.

 

I had a service principal created and added it to an Azure AD group. In the Power BI tenant settings, I then enabled permissions to this group for "Service principals can use Fabric APIs". I am trying to follow the instructions from this blog and following this documentation. The exact same scenario as jihool3670.

 

I tried creating a connection using Web as the connection type and Service Principal as the Authentication method.  I used "https://api.powerbi.com/v1.0/myorg/admin/" as the base URL. Creation fails with the same message originally posted "Unable to create connection for the following resaon: Failed to login with OAuth token, please update the credential manually and retry."

 

With the base URL I left myorg as is. Should I have replaced it with something else?

 

I have also tried creating a web2 connection and it fails with the same message. I left "Token Audience Uri" blank as I do not know what it is and could not find it anywhere or where to find it.

 

How could I get this working? Can this be done in MS Fabric? If not, has anyone got this working in Azure Data Factory using a Linked Service?

Message 12 of 13
2,293 Views
0
kalyanrk61
Microsoft Employee
Microsoft Employee

‎09-01-2023 09:09 PM

Hi , Are you trying to use Web Activity? if yes web activity works with Web V2 Connection, pls try use that, you will see option for Token Audience 

Message 10 of 13
3,423 Views
0
jihool3670
Helper I
Helper I
In response to kalyanrk61

‎09-04-2023 02:23 PM

Thanks for the suggestion!

 

I am able to successfully create a Web V2 connection and I am able to select that connection in both the Web and Webhook activities in a Fabric pipeline.

 

However, I want to use the Copy Activity rather than the Web activity. When I add a Copy Activity to the canvas, I don't see my newly created V2 web connection as an option in the Source connection drop down, even after refreshing the list of the connections.

 

Additionally, when I try to create a new connection from within the Copy Acitivity, boththe REST and HTTP connections only have Anonymous and Basic as their authentication options and don't include service principal authentication.

 

jihool3670_0-1693862342762.png


It seems like this is just a current limitation of the Copy Activity at this point in time but I haven't been able to any documentation around current limitations so I'd love confirmation (and ideally a sense of when to expect this functionality).

Message 11 of 13
3,398 Views
0
Charline_74
Helper III
Helper III

‎08-21-2023 02:01 AM

Hi @jihool3670

Have you found a solution to your problem, as I have exactly the same problem?

Thanks in Advance, 

Charline

Message 8 of 13
3,509 Views
0
jihool3670
Helper I
Helper I
In response to Charline_74

‎08-21-2023 03:23 PM

Hi Charline - No, not yet. It seems to be a limitation of the copy activity authentication options in Fabric at the moment.


@makromer can you confirm Fabric pipelines can't authenticate to the Fabric/Power BI admin API at this point in time?

Message 9 of 13
3,491 Views
0
jihool3670
Helper I
Helper I

‎08-12-2023 07:43 AM

Yes I should have mentioned that. I have successfully used the service principal to access that specific API using a Spark notebook. I tried the credentials multiple times to make sure it wasn't a copy/paste error when creating the web connection. 

Message 3 of 13
3,604 Views
0
DennesTorres
Impactful Individual
Impactful Individual
In response to jihool3670

‎08-12-2023 07:55 AM

Hi,

I also notice your screenshot of the new connection window doesn't make very clear where the service principal is set on the connection.


Kind Regards,

Dennes

Message 4 of 13
3,603 Views
0
jihool3670
Helper I
Helper I
In response to DennesTorres

‎08-12-2023 08:15 AM

Here is the complete screenshot:

Web OAuth Error.png

Message 5 of 13
3,598 Views
0
DennesTorres
Impactful Individual
Impactful Individual
In response to jihool3670

‎08-12-2023 11:25 AM

Hi,

Maybe I can help a bit with the error message. "why it mentions OAUTH".

 

The authentication process needs to contact Azure and retrieve an authentication token for the service principal. Once Azure is contacted, this token is presented to the Power BI Admin API you are calling for authentication. Basically, this is an OAUTH authentication/authorization process.

 

The error message is clear: The service principal permission is denied. It's difficult to say if it's denied on the first step (while authenticating on Azure) or on the 2nd step (while authenticating against the power bi admin). But if I had to guess, it's the 2nd step. Permissions to access the Power BI Admin.

You mentioned you did this access from other places before, such as a notebook. I would double check if the information is all correct, because it's easy to mistype something: The tenantId, the service principal Id and the key.


If you double check it and everything is right, explaining why it works in one place and not in other is a bit more difficult. Maybe if you show both to compare we can come up with something.

 

Kind Regards,

 

Dennes

Message 6 of 13
3,587 Views
0
jihool3670
Helper I
Helper I
In response to DennesTorres

‎08-12-2023 01:21 PM

Thanks for the detail. I'll post screenshots when I'm at my PC.

 

Prior to trying with a Fabric pipeline, I was successful in using an ADF copy activity using the same SP. The difference was I was able to specify an AAD resource when creating the linked service. Is that not relevant with Farbic?

 

https://learn.microsoft.com/en-us/azure/data-factory/connector-rest?tabs=data-factory#use-service-pr...

Message 7 of 13
3,567 Views
0
DennesTorres
Impactful Individual
Impactful Individual

‎08-12-2023 04:53 AM

Hi,

You mentioned you are using a service principal. Did you give the service principal the permissions on power bi to access the API's ?

 

Kind Regards,

 

Dennes

Message 2 of 13
3,616 Views
0

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!

Dec Fabric Community Survey

We want your feedback!

Your insights matter. That’s why we created a quick survey to learn about your experience finding answers to technical questions.

ArunFabCon

Microsoft Fabric Community Conference 2025

Arun Ulag shares exciting details about the Microsoft Fabric Conference 2025, which will be held in Las Vegas, NV.

December 2024

A Year in Review - December 2024

Find out what content was popular in the Fabric community during 2024.

View All