Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Earn the coveted Fabric Analytics Engineer certification. 100% off your exam for a limited time only!

Reply
s8nRrG
Regular Visitor

403 Forbidden error occured when using REST API

I'm developing API that allows to send data directly to Power BI. There must not be any user's interaction to authenticate the request. The user can set only clientId and clientSecret values. But all my requests retrun 403 status code. For instance, let's look at my code that I use to get data about all my datasets:

 

 

private static string GetAccessToken()
{
    const string clientId = "valid client id";
    const string clientSecret = "valid client secret";
    var clientCredentials = new ClientCredential(clientId, clientSecret);
    const string authorityUri = "https://login.windows.net/common/oauth2/authorize";
    const string resourceUri = "https://analysis.windows.net/powerbi/api";
	
    authContext = new AuthenticationContext(authorityUri, new TokenCache());
    var token = authContext.AcquireTokenAsync(resourceUri, clientCredentials).Result.AccessToken;
    return token;
}

private static string GetDatasets()
{
    var powerBIApiUrl = "https://api.powerbi.com/v1.0/myorg/datasets";

    var token = GetAccessToken();

    HttpWebRequest request = WebRequest.Create(powerBIApiUrl) as HttpWebRequest;
    request.Method = "GET";
    request.ContentLength = 0;

    request.Headers.Add("Authorization", $"Bearer {token}");
// 403 The remote server returned an error: (403) Forbidden. using (var httpResponse = request.GetResponse() as HttpWebResponse { using (var reader = new StreamReader(httpResponse.GetResponseStream())) { var responseContent = reader.ReadToEnd(); return responseContent; } } }

 

I get token "eyJ0...cceA" that seems valid. However, request.GetResponse() returns 403 status code. All permissions were delegated to Power BI Service in in Azure Active Directory.

 

Do you have any idea how to fix this? I really appreciate any help.

 

 

24 REPLIES 24
Anonymous
Not applicable

Also check the following (from https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal

In the admin portal of Power BI go to Tenant Settings > developer settings > enable Allow service principals to use Power BI Apps (if you want to restrict this to a security group and cant find your registered app then add your app to an AAD group - also in the above link)

You may also need to grant your app admin access to your workspace - also in the above link

jkemp92
Regular Visitor

Anyone figure this out yet? I seem to be doing everything right, but I get the 403 error. I am able to get an access token using Python, PowerShell, and PostMan, but I always get the 403 error. Error in PostMan shows: "

The request was a legal request, but the server is refusing to respond to it. Unlike a 401 Unauthorized response, authenticating will make no difference." Please help!
wakhan07
Frequent Visitor

Hi,

 

I'm aslo facing same issue. Any solution to this?

 

modifying the authentication to prompt for credentials allowed me to get past the 'Forbidden' error...

 

return ac.AcquireTokenAsync(resourceUriPowerBi, clientId, new Uri(RedirectURL), new PlatformParameters(PromptBehavior.Auto)).Result.AccessToken;

@erikskov

 

Thanks for your kind reply,

 

I don't see forbidden error anymore. However, we have WebAPI's returning token and we don’t want to get the popup at all.

When I set the prompt behavior to "NEVER" I get below error:

 

"user_interaction_required: One of two conditions was encountered: 1. The PromptBehavior.Never flag was passed, but the constraint could not be honored, because user interaction was required. 2. An error occurred during a silent web authentication that prevented the http authentication flow from completing in a short enough time frame"

 

And when I tried Directly specifying the username and password, it never returns any result.

 

 var authenticationResult = authenticationContext.AcquireTokenAsync(resourceUri, clientID, credential).Result;

 

this throws an error ""AADSTS75005: The request is not a valid SAML 2.0 protocol message."

 

I look forward for your reply,

Thanks for your support.

lukaszp
Power BI Team
Power BI Team

I'm not sure what you mean when you say 'all Power BI permissions were delegated in AAD', can you share more details?   Here's something to try:

 

Power BI has a tile embed sample, which I verified works correctly with interactive user login. Note, that when you're using Power BI.com, the user needs to be an AAD user and needs to login as themselves for licensing reason.  As someone alluded to in another comment if you want to not use AAD users, you'd use Power BI Embedded, which doesn't require the end user to be an AAD user. 

 

https://powerbi.microsoft.com/en-us/documentation/powerbi-developer-integrate-tile/

 

Can you use your client ID and secret with the above sample and see if it works.  Make sure the application has the following redirect URL configured:

Http://localhost:13526/

 

Usually, you get a 403 when the application does not have appropriate permissions. Remember that if you added permissions (scopes) to the application AFTER the user trusted the application, the user’s token won’t get the new scopes until they remove trust from the application and trust it again. Easiest workaround is to create a new application and use that instead.  Alternative is to manually remove the application using Office 365’s “my apps” feature and then try to use the application again.

 

You might also draw inspiration from several other similar threads from other services:

http://stackoverflow.com/questions/31735264/403-forbidden-from-azure-graph-api

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applica...

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-developers-guide

 

HTH,

-Lukasz

 

Just to say - thank you for this. I downloaded the demos, ran the the .net Core version in vscode.. was able to trace the code, inspect the auth response ... and figure out what I was doing wrong... which was two different things; 

 

1. I was sending a redirect URL .. so MSAL was using the public client pattern 

2. I'm using an spn with Power BI Embedded, which has admin at workspace level... so I can't query the tenant level rest api's. 

 

Having a working embedded demo gave me the leg up I needed. 

Hi Reuben, I know this is an older thread but... I'm also doing point 2 here, my spn also only has workspace admin - do you know if I need to give more permission away for this to work?  Thanks.

nlombardiCL
Regular Visitor

I'm having the same error message. 

 

We are using an angular2 SPA to interact with our REST API services.  We have a report service that we would like to use to call the Power BI REST API service endpoints.  We acquire an azure AD accessToken in our service and try and use that token for the PowerBI calls but keep getting the "The remote server returned an error: (403) Forbidden." error.  Our SPA is registered in Azure and we have given Power BI permissions to the application.  I have an account in Power BI as well.  Below is the code I am using to call the GetReports endpoint. The error is thrown when the GetResponse is called.  Any suggestions would be greatly appeciated.  Thanks.

 

var accessToken = Request.Headers.Authorization.Parameter;  //defined in controller and passed to method below.

Uri baseAddress = new Uri("https://api.powerbi.com/");   //defined above

 

public async Task<List<PbiReport>> GetPBIReports(string accessToken)

{

string responseData;

var powerBiApiUrl = baseAddress + "v1.0/myorg/reports";

List<PbiReport> reports = new List<PbiReport>();

HttpWebRequest request = WebRequest.Create(powerBiApiUrl) as HttpWebRequest;

request.KeepAlive = true;

request.Method = "GET";

request.ContentLength = 0;

request.ContentType = "application/json";

request.Headers.Add("Authorization", $"Bearer {accessToken}");

using (HttpWebResponse response = request.GetResponse() as HttpWebResponse)

{

using (StreamReader reader = new StreamReader(response.GetResponseStream()))

{

reports = JsonConvert.DeserializeObject<List<PbiReport>>(reader.ReadToEnd());

}

}

return reports;

}

On my end, I was doing it wrong.  If your goal is to simply trying to provide access to PowerBi reports to your users, and want to authenticate non-interactively, then you may consider grabbing using the PowerBi api from nuget.  I posted what ultimately worked for me in my StackOverflow post.  Maybe it will help in your case?

nlombardiCL
Regular Visitor

Anyone find a solution to this issue?  We are getting the same thing when we pass the access token we get in our REST service to the Power BI REST service APIs.

We are having the same issue as well, anyone have any ideas?

nlombardiCL
Regular Visitor

Anyone find a solution to this?  I'm having the same issue.  We receive the access token in our REST service and I'm passing it to the Power BI REST api and we get this same error.

The issue is that the default registration of an app in Azure AD requires the user click a button saying "I trust" this app. If you look at this video:

 

https://www.youtube.com/watch?v=ZSaBFf3ziUk

 

and go into the video about the 2:15 mark. This shows with simple app registration there is a one-time need for user interaction. After logging the first time with user interaction, your code can then authenticate programmatically without user interaction.

 

There is a way around this. It requires that you have an Azure subscription and that you use the Azure portal to register the app and configure security settings so that it doesn't require interactive consent on the part of the user. 

 

 

I tried adding the permissions and pretty much everything described on the "How To" tutorial, however still am not able to get beyond the 403 error. The code works fine in http://docs.powerbi.apiary.io but I am unable to make it work through code 😞 For authentication our app uses the approach where it does not require the user to approve the access permissions in the pop up mentioned above. Do we have to enable it for PowerBI to work?

KumarDarmesh
Helper IV
Helper IV

Can you post the complete code?

I hope your registered your app with Azure Active directory  and provided proper clientid,clientkey,username and pwd.

 

https://login.microsoftonline.com/yourdirectorykey/oauth2/token

 

Provide proper directory key to resolve your issues.

 

Let me know if you need any further details

Can you please elaborate on where the username/password go?

Thanks

I am having this same problem. I get a valid token, but when I pass the request, I get the HTTP Error 403: Forbidden. In Azure AD, I delegated permissions, and I tested sending request through Apiary and it worked.

 

Anyone have a solution?

 

Thanks,

 

Alan

I am in exactly the same situation as you. If there is a solution, please let me know, Thanks!

Helpful resources

Announcements
April AMA free

Microsoft Fabric AMA Livestream

Join us Tuesday, April 09, 9:00 – 10:00 AM PST for a live, expert-led Q&A session on all things Microsoft Fabric!

March Fabric Community Update

Fabric Community Update - March 2024

Find out what's new and trending in the Fabric Community.

Top Solution Authors