matoxin
Frequent Visitor

Power BI API with service principal - 401 unauthorized

Hello everyone,

Recently I have been trying to make Power BI APIs work with service principal authentication. All steps mentioned in this article https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal are done:

- an Azure AD app is registered (service principal created)

- an AD security group is created, the app is added to this group

- a Power BI admin has enabled service principal access in the admin portal

- the service principal and the security group are added to the workspace (and granted the admin role)

I am able to generate an access token using the POST method for https://login.microsoftonline.com/common/oauth2/token (screenshot below).

token.PNG

The issue is that whenever this token is used for any further calls (I have tried both non-admin and admin APIs; for the admin ones, I only tested the supported APIs, which can be seen in this article https://docs.microsoft.com/en-us/power-bi/admin/read-only-apis-service-principal-authentication), I am shown the 401 unauthorized error.

So my question is: did I overlook some security setting perhaps? Our company uses MFA, but service principals do not use that from what I have found on this forum/in the documentation. Or is the generated token invalid somehow?

 

Any help is greatly appreciated.

11 REPLIES
DavidCousinsT
Frequent Visitor

Try getting the token with your resource set as:

https://analysis.windows.net/powerbi/api/.default

 

Also make sure that your tenant admin has added the AAD security group to the "specific security group" list in Power BI.

When I tried getting the token with the resource set to https://analysis.windows.net/powerbi/api/.default, it threw the following error:

matoxin_0-1620649897103.png

The AAD security group (and also the service principal) has been added to the specific security group list in our Power BI workspace.

Ah, you've been using a different API. Not sure that one would ever work. Here's the working OAuth one I have: PBI Get Bearer.png

Thank you so much, this actually worked, I was finally able to generate a bearer token without any error messages.

The issue now is that whatever call I make using this token, I get the following error:

matoxin_0-1620720098230.png

I tried finding more information about this and everything points to some issue with permissions, but I cannot figure out what's wrong (I have tested both non-admin and some of the supported admin calls). Please, do you have any idea what might be the problem?

UPDATE: some non-admin calls actually work, but I was not able to make any of the admin ones work properly. I have checked Azure again to make sure I have all the correct permissions assigned, and it seems to be the case:

matoxin_1-1620721072043.png

 

Is anything missing?

Oh, that's easy then. Your POST is wrong. Didn't spot it the first time round because it was right at the top 😄 It must have the tenant ID in it, not 'common'.

I use:

https://login.microsoftonline.com/[tenantid]/oauth2/v2.0/token/
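
An added example, not part of any post in this thread: a small offline check for the two request mistakes discussed above (`common` instead of a tenant ID, and `/.default` passed as a v1 `resource`), plus a look at the `aud` and `tid` claims of a returned token. The function names, the placeholder tenant ID and the constructed sample token are assumptions made for illustration, as is the expected audience value.

```python
import base64, json
from urllib.parse import urlparse

PBI_RESOURCE = "https://analysis.windows.net/powerbi/api"  # from the thread

def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials request for the tenant-specific v2.0 endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": PBI_RESOURCE + "/.default"}
    return url, form

def lint_token_request(url, form):
    """Flag the request mistakes that came up in this thread."""
    findings = []
    parts = urlparse(url).path.strip("/").split("/")
    if parts[0] == "common":
        findings.append("authority is 'common', not a tenant ID")
    if "v2.0" in parts and "scope" not in form:
        findings.append("v2.0 endpoint takes 'scope', not 'resource'")
    if "v2.0" not in parts and form.get("resource", "").endswith("/.default"):
        findings.append("'/.default' belongs in a v2.0 'scope'")
    return findings

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is not verified."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def lint_claims(claims, tenant_id):
    """Compare the token's audience and issuing tenant with what is expected."""
    findings = []
    # Assumption: the expected audience is the scope without '/.default'.
    if str(claims.get("aud", "")).rstrip("/") != PBI_RESOURCE:
        findings.append("aud is not the Power BI resource")
    if claims.get("tid") != tenant_id:
        findings.append("tid does not match the expected tenant")
    return findings

def sample_token(claims):
    """Constructed, unsigned JWT-shaped string for offline testing."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    tenant = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
    bad_url = "https://login.microsoftonline.com/common/oauth2/token"
    print(lint_token_request(bad_url, {"resource": PBI_RESOURCE + "/.default"}))
    print(lint_token_request(*build_token_request(tenant, "app-id", "<secret>")))
    tok = sample_token({"aud": PBI_RESOURCE, "tid": tenant})
    print(lint_claims(jwt_claims(tok), tenant))
```
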

Mthompson1984
Frequent Visitor

I'm curious if you were ever able to resolve this - I'm having the same issue.  401 unauthorized on all calls.

No, not yet - still trying to figure this out. Will update the thread if I find anything.

v-lionel-msft
Community Support

Hi @matoxin,

Considerations and limitations 

Have you checked these considerations and limitations?

 

Best regards,
Lionel Chen

If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

Hello Lionel,

Yes, we have checked that article multiple times to make sure we have not forgotten anything.

Everton
Frequent Visitor

Hi,

What API Permissions are set up in your App Registration for Power BI? Everything else seems ok.

matoxin
Frequent Visitor

Hello, at the moment, the app has the following API permissions:

- Dataset.ReadAll

- Report.ReadAll

- Workspace.ReadAll

I assume that Tenant.ReadAll should be added as well - is that correct?
