Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Earn the coveted Fabric Analytics Engineer certification. 100% off your exam for a limited time only!

Reply
matoxin
Frequent Visitor

Power BI API with service principal - 401 unauthorized

Hello everyone,

 

recently I have been trying to make Power BI APIs work with service principal authentication. All steps mentioned in this article https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal are done:

- an Azure AD app is registered (service principal created)

- an AD security group is created, the app is added to this group

- a Power BI admin has enabled service principal access in the admin portal

- the service principal and the security group are added to the workspace (and granted the admin role)

I am able to generate an access token using the POST method for https://login.microsoftonline.com/common/oauth2/token (screenshot below).

token.PNG

The issue is that whenever this token is used for any further calls (I have tried both non-admin and admin APIs - when it comes to admin ones, I only tested the supported APIS - can be seen in this article https://docs.microsoft.com/en-us/power-bi/admin/read-only-apis-service-principal-authentication), I am shown the 401 unauthorized error.

 

So my question is: did I overlook some security setting perhaps? Our company uses MFA, but service principals do not use that from what I have found on this forum/in the documentation. Or is the generated token invalid somehow?

 

Any help is greatly appreciated.

13 REPLIES 13
bingo
Employee
Employee

Hi, I meet tyhe same issue, could you please share your solution, thanks

Anonymous
Not applicable

Hi, we are experiencing a similar problem. Were you able to solve the issue?

DavidCousinsT
Frequent Visitor

Try getting the token with your resource set as:

https://analysis.windows.net/powerbi/api/.default

 

Also make sure that your tenant admin has added the AAD security group to the "specific security group" list in Power BI.

When I tried getting the token with the resource set to https://analysis.windows.net/powerbi/api/.default, it threw the following error:

matoxin_0-1620649897103.png

The AAD security group (and also the service principal) has been added to the specific security group list in our Power BI workspace.

Ah, you've been using a different API. Not sure that one would ever work. Heres the working oauth one I have: PBI Get Bearer.png

 

Thank you so much, this actually worked, I was finally able to generate a bearer token without any error messages.

The issue now is that whatever call I make using this token, I get the following error:

matoxin_0-1620720098230.png

I tried finding more information about this and everything points to some issue with permissions, but I cannot figure out what's wrong (I have tested both non-admin and some of the supported admin calls). Please, do you have any idea what might be the problem?

UPDATE: some non-admin calls actually work, but I was not able to make any of the admin ones work properly. I have checked Azure again to make sure I have all the correct permissions assigned, and it seems to be the case:

matoxin_1-1620721072043.png

 

Is anything missing?

Oh, that's easy then. Your POST is wrong. Didnt spot it the first time round because it was right at the top 😄 It must have the tenant ID in it, not 'common'

 

I use:

https://login.microsoftonline.com/[tenantid]/oauth2/v2.0/token/

Mthompson1984
Frequent Visitor

I'm curious if you were ever able to resolve this - I'm having the same issue.  401 unauthorized on all calls.

No, not yet - still trying to figure this out. Will update the thread if I find anything.

v-lionel-msft
Community Support
Community Support

Hi @matoxin ,

 

Considerations and limitations 

Have you checked these considerations and limitations?

 

Best regards,
Lionel Chen

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Hello Lionel,

yes, we have checked that article multiple times - to make sure we have not forgotten anything.

Everton
Helper I
Helper I

Hi,

 

What API Permissions are set up in your App Registration for Power BI? Everything else seems ok.

Hello, at the moment, the app has the following API permissions:

- Dataset.ReadAll

- Report.ReadAll

- Workspace.ReadAll

I assume that Tenant.ReadAll should be added as well - is that correct?

Helpful resources

Announcements
April AMA free

Microsoft Fabric AMA Livestream

Join us Tuesday, April 09, 9:00 – 10:00 AM PST for a live, expert-led Q&A session on all things Microsoft Fabric!

March Fabric Community Update

Fabric Community Update - March 2024

Find out what's new and trending in the Fabric Community.