Recently I have been trying to make Power BI APIs work with service principal authentication. All steps mentioned in this article https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal are done:
- an Azure AD app is registered (service principal created)
- an AD security group is created, the app is added to this group
- a Power BI admin has enabled service principal access in the admin portal
- the service principal and the security group are added to the workspace (and granted the admin role)
I am able to generate an access token using the POST method for https://login.microsoftonline.com/common/oauth2/token (screenshot below).
The issue is that whenever this token is used for any further calls (I have tried both non-admin and admin APIs - when it comes to admin ones, I only tested the supported APIs - can be seen in this article https://docs.microsoft.com/en-us/power-bi/admin/read-only-apis-service-principal-authentication), I am shown the 401 unauthorized error.
So my question is: did I overlook some security setting perhaps? Our company uses MFA, but service principals do not use that from what I have found on this forum/in the documentation. Or is the generated token invalid somehow?
Any help is greatly appreciated.
Try getting the token with your resource set as:
Also make sure that your tenant admin has added the AAD security group to the "specific security group" list in Power BI.
When I tried getting the token with the resource set to https://analysis.windows.net/powerbi/api/.default, it threw the following error:
The AAD security group (and also the service principal) has been added to the specific security group list in our Power BI workspace.
Thank you so much, this actually worked, I was finally able to generate a bearer token without any error messages.
The issue now is that whatever call I make using this token, I get the following error:
I tried finding more information about this and everything points to some issue with permissions, but I cannot figure out what's wrong (I have tested both non-admin and some of the supported admin calls). Please, do you have any idea what might be the problem?
UPDATE: some non-admin calls actually work, but I was not able to make any of the admin ones work properly. I have checked Azure again to make sure I have all the correct permissions assigned, and it seems to be the case:
Is anything missing?
Oh, that's easy then. Your POST is wrong. Didn't spot it the first time round because it was right at the top 😄 It must have the tenant ID in it, not 'common'
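As an added example (not code from anyone in this thread), the following Python builds the client-credentials token request the way the reply above describes, refusing the 'common' endpoint, and decodes a returned token's claims to explain a 401 before any Power BI call is made. The tenant GUID and the unsigned sample token are constructed placeholders; the decode step does not verify the signature and is for inspection only.

```python
import base64
import json
from urllib.parse import urlencode

# Power BI v1 resource identifier discussed in the thread.
POWER_BI_RESOURCE = "https://analysis.windows.net/powerbi/api"
# Constructed placeholder tenant GUID (not a real tenant).
TENANT_ID = "11111111-2222-3333-4444-555555555555"


def build_token_request(tenant_id, client_id, client_secret):
    """Build the v1 client-credentials request for a Power BI token.
    A service principal has no signed-in user to select a tenant, so the
    request must go to the app's own tenant endpoint, never 'common'."""
    if tenant_id.lower() in ("common", "organizations", "consumers"):
        raise ValueError("use the tenant ID (GUID or domain), not %r" % tenant_id)
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": POWER_BI_RESOURCE,
    })
    return url, body


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def diagnose_token(access_token, expected_tenant):
    """Decode (without verifying) the JWT payload and list reasons the
    Power BI REST API would answer 401 for this token."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    problems = []
    if payload.get("aud") != POWER_BI_RESOURCE:
        problems.append(f"aud is {payload.get('aud')!r}, expected {POWER_BI_RESOURCE!r}")
    if payload.get("tid") != expected_tenant:
        problems.append(f"tid is {payload.get('tid')!r}, expected {expected_tenant!r}")
    if "appid" not in payload:
        problems.append("no appid claim: not an app-only (service principal) token")
    return problems


def make_unsigned_jwt(claims):
    """Constructed sample token for offline testing; real AAD tokens are signed."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

Run `diagnose_token` on the real token returned by the endpoint (with the actual tenant GUID) to see whether the audience or tenant is what the API expects.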
Hello, at the moment, the app has the following API permissions:
I assume that Tenant.ReadAll should be added as well - is that correct?