Solved: Re: PowerBI API Developer & application "ClientID"...

shaunwilks · ‎10-02-2017

I will try to keep the question as simple as possible.

We are using the API within our "On premise" application. We have registered our application in Azurre and have a ClientId and Secret for our application.

Our application is sold to and used by our clients, each in their own domain, each on premise.

When they use the API within our application they log into their PowerBI Pro accounts to consume their reports/dashboards.

They are is what is classed as "User owns data" in all the API samples online.

Question.

In this scenario - Is it correct that we only require 1 single Client ID for all our clients ? That the ClientID and Secret we are using in our development that allows us to view our own content, is the same CLientID and Seceret that would be used by the application when it goes to access our clients PowerBi cotent.

We dont need to register the application or have our clients register the application and get unique client ids and secrets per each one of our clients do we ?

It was always my understanding our product has 1 single "ClientID" and "Client Secret".

Anyone using our application to consume powerbi content needs to provide the application permissions when they first go to use that appplication, but nothing more - they dont need a clientid of their own for our application.

Can someone please clarify ?

Thankyou in advance

Eric_Zhang · ‎10-04-2017

@shaunwilks wrote:

I will try to keep the question as simple as possible.

We are using the API within our "On premise" application. We have registered our application in Azurre and have a ClientId and Secret for our application.

Our application is sold to and used by our clients, each in their own domain, each on premise.

When they use the API within our application they log into their PowerBI Pro accounts to consume their reports/dashboards.

They are is what is classed as "User owns data" in all the API samples online.

Question.

In this scenario - Is it correct that we only require 1 single Client ID for all our clients ? That the ClientID and Secret we are using in our development that allows us to view our own content, is the same CLientID and Seceret that would be used by the application when it goes to access our clients PowerBi cotent.

We dont need to register the application or have our clients register the application and get unique client ids and secrets per each one of our clients do we ?

It was always my understanding our product has 1 single "ClientID" and "Client Secret".

Anyone using our application to consume powerbi content needs to provide the application permissions when they first go to use that appplication, but nothing more - they dont need a clientid of their own for our application.

Can someone please clarify ?

Thankyou in advance

Edit

===================================================================

Confirmed with some Azure AD experts, it is possible.

The AAD application registered by you will be listed in Azure portal->Azure AD->App registrations.

When one other than the registered app owner accesses the application, a pop-up window would appear to consent permissions.

After clicking "Accept" button, the registered App will be copied to the logging users Azure portal->Azure AD->Enterprise Application

==================================================================================

@shaunwilks

My test shows it possible. I tried to access the one "User Owns data" application with different accounts from different tenants, and the embedded report varies according to the account logged in. There's no problem when using the same clientid and secret, it looks the registered AAD app can be shared.

Since this is actually an Azure AD question, for more clarfication, I'd suggest you post in the dedicated AAD forum, there're more experts and you'll get better response.

View solution in original post

Eric_Zhang · ‎10-04-2017

@shaunwilks wrote:

I will try to keep the question as simple as possible.

We are using the API within our "On premise" application. We have registered our application in Azurre and have a ClientId and Secret for our application.

Our application is sold to and used by our clients, each in their own domain, each on premise.

When they use the API within our application they log into their PowerBI Pro accounts to consume their reports/dashboards.

They are is what is classed as "User owns data" in all the API samples online.

Question.

In this scenario - Is it correct that we only require 1 single Client ID for all our clients ? That the ClientID and Secret we are using in our development that allows us to view our own content, is the same CLientID and Seceret that would be used by the application when it goes to access our clients PowerBi cotent.

We dont need to register the application or have our clients register the application and get unique client ids and secrets per each one of our clients do we ?

It was always my understanding our product has 1 single "ClientID" and "Client Secret".

Anyone using our application to consume powerbi content needs to provide the application permissions when they first go to use that appplication, but nothing more - they dont need a clientid of their own for our application.

Can someone please clarify ?

Thankyou in advance

Edit

===================================================================

Confirmed with some Azure AD experts, it is possible.

The AAD application registered by you will be listed in Azure portal->Azure AD->App registrations.

When one other than the registered app owner accesses the application, a pop-up window would appear to consent permissions.

After clicking "Accept" button, the registered App will be copied to the logging users Azure portal->Azure AD->Enterprise Application

==================================================================================

@shaunwilks

My test shows it possible. I tried to access the one "User Owns data" application with different accounts from different tenants, and the embedded report varies according to the account logged in. There's no problem when using the same clientid and secret, it looks the registered AAD app can be shared.

Since this is actually an Azure AD question, for more clarfication, I'd suggest you post in the dedicated AAD forum, there're more experts and you'll get better response.

shaunwilks · ‎10-08-2017

Thanks very much Eric - your efforts are really appreciated. Ive tried posting in the Technet Azure forum you provided a link to and its down and not accepting new threads just at the moment.

The question I had (and excuse me if it sounds basic) but in regards to your comment

"After clicking "Accept" button, the registered App will be copied to the logging users Azure portal->Azure AD->Enterprise Application"

The logging in user would be a PowerBi Pro account.

So when you say the registered app will be copied to their "Azure portal->Azure AD->Enterprise Application" is their Azure portal automatcailly configured for them if they only held a powerbi pro user account ? They may never nor ever want to go to the Azure AD portal and just want to be a BI User.

Is the Azure AD account and portal auto created for them when they have a PowerBI Pro account ?

Eric_Zhang · ‎10-23-2017

@shaunwilks wrote:

Thanks very much Eric - your efforts are really appreciated. Ive tried posting in the Technet Azure forum you provided a link to and its down and not accepting new threads just at the moment.

The question I had (and excuse me if it sounds basic) but in regards to your comment

"After clicking "Accept" button, the registered App will be copied to the logging users Azure portal->Azure AD->Enterprise Application"

The logging in user would be a PowerBi Pro account.

So when you say the registered app will be copied to their "Azure portal->Azure AD->Enterprise Application" is their Azure portal automatcailly configured for them if they only held a powerbi pro user account ? They may never nor ever want to go to the Azure AD portal and just want to be a BI User.

Is the Azure AD account and portal auto created for them when they have a PowerBI Pro account ?

@shaunwilks

It is automatically. They don't do more things than clicking "accept".

shaunwilks · ‎10-23-2017

We have used the sample at https://github.com/Microsoft/PowerBI-Developer-Samples/tree/master/User%20Owns%20Data

The sample is working well and accesses content without a problem, when the user logging in to PowerBI is part of our Azure AD.

However we want the application to access user PowerBI Pro content external to our Azure AD. Numerous sources online suggest this shouldn’t be a problem. Using the sample though whenever the users accounts are external to our AD – outside our organisation – a “Bad Request” message is returned using the sample you posted. The only way the error is removed is if we force the external user to register for their own ClientID and Secret – which clearly we do not wish to do.

In summary.

The Application, ClientID and Secret are to reside inside our Azure AD account example @companyA

Users from any organisation outside of Domain A, are to use the application to consume their own PowerBI content.

The Reports and Dashboards and data would all reside in the PowerBI user who logs in. Eg user@companyz

In the sample solution you ran up were you accessing reports that only existing in the external users powerbi account ?

Id love to see your sample solution if you still had it available for use to see differences between the solution from github posted below and yours.

If that could be provided or source posted that would be terrific - thanks

PowerBI API Developer & application "ClientID" and "ClientSecret"

Helpful resources

Microsoft Fabric Learn Together

Power BI Monthly Update - April 2024

Fabric Community Update - April 2024