Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Earn the coveted Fabric Analytics Engineer certification. 100% off your exam for a limited time only!

Reply
samuelan
Regular Visitor

Get 403 in Postman trying to GenerateToken or List Group/Reports after getting access token

I want to embed PowerBI report in a web app. To test out, I am trying to generate embed token in Postman.

 

Before I did the following 2 steps, I have already register the app on https://dev.powerbi.com/apps and give the app all permissions. I was able to obtain the access token in step 1, but I am stuck at step 2. I keep getting 403 Forbidden error.

 

Step 1. Postman has a OAuth2 I obtained an access token using OAuth2.0 with the following parameters.

 

Auth URL: https://login.microsoftonline.com/{my azure tenant ID}/oauth2/authorize?resource=15637cae-03c4-49a3-9a32-5e28f0b46e3d

Token URL: https://login.microsoftonline.com/{my azure tenant ID}/oauth2/token

Callback URL: https://www.getpostman.com/oauth2/callback

 

After signing in with my credential with Postman, I was able to get an access token as a long string like following:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ing0Nzh4eU9wbHNNMUg3TlhrN1N4MTd4MXVwYyIsImtpZCI6Ing0Nzh4eU9wbHNNMUg3TlhrN1N4MTd4MXVwYyJ9.eyJhdWQiOiIxYjFiYmU2Ni00MzcyLTQ2YTctOGUyOS05OTBkMTY5Y2VkYWYiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83MmY5ODhiZi04NmYxLTQxYWYtOTFhYi0yZDdjZDAxMWRiNDcvIiwiaWF0IjoxNTEyOTU2NzgzLCJuYmYiOjE1MTI5NTY3ODMsImV4cCI6MTUxMjk2MDY4MywiYWNyIjoiMSIsImFpbyI6IlkyTmdZRENxL3MzK2ptK3kzK3pLaE9Cbm9sOWVMRkswcUpHZHdhMmRMWjErTUVQb3lGY0EiLCJhbXIiOlsicHdkIiwibWZhIl0sImFwcGlkIjoiMWIxYmJlNjYtNDM3Mi00NmE3LThlMjktOTkwZDE2OWNlZGFmIiwiYXBwaWRhY3IiOiIxIiwiZmFtaWx5X25hbWUiOiJBbiIsImdpdmVuX25hbWUiOiJ...

 

 

Step 2. I used the above token as the Auth header in Postman, the POST to the following URL.

https://api.powerbi.com/v1.0/{my azure tenant ID}/groups/e367de11-7296-46a7-bd1d-6727df903999/reports/49c31038-1192-45f0-a385-6b6c0f6256e9/GenerateToken

Postman filled in the Auth header for me, i.e. Authorization= Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ing0Nzh4eU9wbHNNMUg3TlhrN1N4MTd4MXVwYyIsImtpZCI6Ing0Nzh4eU9wbHNNMUg3TlhrN1N4MTd4MXVwYyJ9.eyJhdWQiOiIxYjFiYmU2Ni00MzcyLTQ2YTctOGUyOS05OTBkMTY5Y2VkYWYiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83MmY5ODhiZi04NmYxLTQxYWYtOTFhYi0yZDdjZDAxMWRiNDcvIiwiaWF0IjoxNTEyOTU2NzgzLCJuYmYiOjE1MTI5NTY3ODMsImV4cCI6MTUxMjk2MDY4MywiYWNyIjoiMSIsImFpbyI6IlkyTmdZRENxL3MzK2ptK3kzK3pLaE9Cbm9sOWVMRkswcUpHZHdhMmRMWjErTUVQb3lGY0EiLCJhbXIiOlsicHdkIiwibWZhIl0sImFwcGlkIjoiMWIxYmJlNjYtNDM3Mi00NmE3LThlMjktOTkwZDE2OWNlZGFmIiwiYXBwaWRhY3IiOiIxIiwiZmFtaWx5X25hbWUiOiJBbiIsImdpdmVuX25hbWUiOiJ... in the header.

 

When I send the request, I got 403 FOrbidden response, and no explanation. If I change the URL to just list the groups or reports as following, I also got the same 403 forbidden response code. https://api.powerbi.com/v1.0/124edf19-b350-4797-aefc-3206115ffdb3/groups/

 

It's very frustrating. What am I missing here? Any pointer is greatly appreciated.

1 ACCEPTED SOLUTION

Thanks, @v-ljerr-msft. My problem was not that. Actually I just figured out my problem with Azure AD support, so let me share it here. Hopefully it can benefit others. The reason for the 403 was because the Power BI account I used was an internal domain account, and at Microsoft only corp account can share content with Pro license, not internal domain account. The 403 forbidden was right, but I wish it indicated why. I did scratch my head for quite a while. 

 

The lesson to learn here is because I was able to get the access token using Postman, that indicated the Auth URL and Token URL were working for me. The Power BI API end point was not working, and that indicated app permission issue.

 

Also because I was doing "app owns data", I should have registered my app as Native App, not Server Side/Web App, even though I was going to embed my reports inside a web app. This was very confusing and counter-intuitive. I needed to give interactive consent for the user/service account I was using. This was a one time set up, after which my app was able to get both access token and the embed token, embed URL, etc. 

View solution in original post

8 REPLIES 8
Aarush
Regular Visitor

Hi @samuelan - I am seeing similar issue, where I have registerd one app in Azure AD and have given all relavant power bi delegated service at api permission. After that using client id and client secret , I was able to get access token using postman api, but when I try to call any method of Power BI rest api service , via adding bearer token in header, I receive 403 error code. Please suggest what step I'm missing over here.

 

Thanks

Aarush

Hi @Aarush 

Did you make sure in Power BI admin portal that service principals are allowed in your tenant? Did you add your service principal to the relevant workspaces wih Viewer/Member role?

If most cases when you get an error response from Power BI the message  body contains more information on the error that might be helpful.

@AmosHersch - Thanks for your reply, Yes I have alreday added service principal users into workspace as admin. Also, with this 403 error code, I am not getting any error message in response body, so no clue what access is missing. Let me know if need any details further.

 

Below are steps I have followed , let me know if you see I'm missing anything here.

 

1) Created Azure AD app and gave Power BI service deletgaed permissions to this app.

2) Retrieve access token using client id and secret as below.

 

Aarush_0-1655649229810.png

 

 

3) Then token recieved form step 2, used as authrozation header and passed to power bi rest api service in post man client as below.

Aarush_1-1655649229816.png

 

 

@Aarush I can't say for sure what's missing, but I might be able to help if you can provide the request ID from the header of the response message.

@AmosHersch - Thanks for your reply. I was able to resolve it.

The resolution is, I was using oauth 2.0 V1 end point for token generation which was giving 403 when being used with Power BI rest api, but when I tried oauth 2.0 V2 end point to generate tojen , it worked.

I would really be happy, if some kind of error message was thrown in response body to troubleshoot this, but this resolution may help for other users if they fall into similar issue.

 

Aarush_0-1655730814288.png

 

Anonymous
Not applicable

@samuelan. Thanks for sharing the resolution. I am facing the similar issue that after successfully generating the token, not able to invoke the APIs and getting 403 status. What do you mean by Internal Domain Account and Corp Account ? I am using the same user account, which I used to create the Power BI site.

v-ljerr-msft
Employee
Employee

Hi @samuelan,

 

After getting the access token, you should be able to call the POST API with the access token in POSTMAN as below to list all groups. Smiley Happy

Request
GET https://api.powerbi.com/v1.0/myorg/groups
Header
Authorization: Bearer eyJ0eX ... FWSXfwtQ

p1.PNG

 

Regards

Thanks, @v-ljerr-msft. My problem was not that. Actually I just figured out my problem with Azure AD support, so let me share it here. Hopefully it can benefit others. The reason for the 403 was because the Power BI account I used was an internal domain account, and at Microsoft only corp account can share content with Pro license, not internal domain account. The 403 forbidden was right, but I wish it indicated why. I did scratch my head for quite a while. 

 

The lesson to learn here is because I was able to get the access token using Postman, that indicated the Auth URL and Token URL were working for me. The Power BI API end point was not working, and that indicated app permission issue.

 

Also because I was doing "app owns data", I should have registered my app as Native App, not Server Side/Web App, even though I was going to embed my reports inside a web app. This was very confusing and counter-intuitive. I needed to give interactive consent for the user/service account I was using. This was a one time set up, after which my app was able to get both access token and the embed token, embed URL, etc. 

Helpful resources

Announcements
April AMA free

Microsoft Fabric AMA Livestream

Join us Tuesday, April 09, 9:00 – 10:00 AM PST for a live, expert-led Q&A session on all things Microsoft Fabric!

March Fabric Community Update

Fabric Community Update - March 2024

Find out what's new and trending in the Fabric Community.