Reply
Highlighted
Regular Visitor
Posts: 17
Registered: ‎12-04-2018
Accepted Solution

Power Bi REST API - 401 Authorization error when using app secret

[ Edited ]

I have a console app that uses the REST API to get a dataset (and later add rows to it). This works when I supply my own user/password credentials.

 

Now I have registered the app as a Web/API app in order to use an app key/secret instead. I can get a token, but when I make the same REST call I get 401 Unauthorized.

 

I have given the app the following Application permissions in Power BI Service (is this needed?):

Read and write all content in tenant

View all content in tenant

These permissions have been granted by an Azure Administrator.

 

In addition to the Delegated permissions that worked with user authentication:

Read and write all Datasets

View all Datasets

 

I have decode the two tokens.

The token for app key autentication contains this:

"roles": [
"Tenant.ReadWrite.All",
"Tenant.Read.All"
],

 

while the token for user based authentication contains this:

"scp": "Dataset.ReadWrite.All Workspace.ReadWrite.All",

 

What am I missing..?


Accepted Solutions
Community Support Team
Posts: 7,295
Registered: ‎05-02-2017

Re: Power Bi REST API - 401 Authorization error when using app secret

Hi @tripleacoder,

 

As far as I know, the permissions of Power BI are all based on the users. So an App can't act as a user. Please refer to developer/power-bi-permissions where all the descriptions have "user". 

Regarding "Tenant.ReadWrite.All", the documentation above also has a description. Actually, these permissions only can retrieve the profiles rather than data. Please refer to admin/reports_getreportsasadmin.

One simple proof we can see is that even an admin can't access all the App workspaces. The data is the precious asset of a company. I think this is reasonable.

 

 

Best Regards,
Dale

Community Support Team _ Dale
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post


All Replies
Advisor
Posts: 291
Registered: ‎01-16-2018

Re: Power Bi REST API - 401 Authorization error when using app secret

@tripleacoder,

 

Could you try to mention an access level in API request?

 

https://docs.microsoft.com/en-us/rest/api/power-bi/embedtoken/reports_generatetoken#tokenaccesslevel

 

Regards,
Ruslan
-------------------------------------------------------------------
Did I answer your question? Mark my post as a solution!

Regular Visitor
Posts: 17
Registered: ‎12-04-2018

Re: Power Bi REST API - 401 Authorization error when using app secret

[ Edited ]

 

Could you try to mention an access level in API request?

 

https://docs.microsoft.com/en-us/rest/api/power-bi/embedtoken/reports_generatetoken#tokenaccesslevel

 

 


I'm not sure what you mean. The link goes to "Required access level for EmbedToken generation", but I'm not using the Embed Token API.

 

I get the token using this code:

 

 

const string authorityUri = "https://login.microsoftonline.com/" + tenantId;

AuthenticationContext authContext = new AuthenticationContext(authorityUri);

        
AuthenticationResult result = null;
         
result = await authContext.AcquireTokenAsync(resourceUri, clientCredential);

 

Regular Visitor
Posts: 17
Registered: ‎12-04-2018

Re: Power Bi REST API - 401 Authorization error when using app secret

[ Edited ]

I found this link:

 

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-porta...

It talks about assigning roles to the app.

 

I have now granted my app the Contributor role, but only on a Resource group.

It hasn't helped. I think the Poer BI service resides at the Subscription level... that means I will need help from a global admin again.

 

 

Community Support Team
Posts: 7,295
Registered: ‎05-02-2017

Re: Power Bi REST API - 401 Authorization error when using app secret

Hi @tripleacoder,

 

It seems you only need an access token. Please refer to developer/embed-sample-for-customers

 

 

Best Regards,
Dale

Community Support Team _ Dale
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Community Support Team
Posts: 7,295
Registered: ‎05-02-2017

Re: Power Bi REST API - 401 Authorization error when using app secret

Hi @tripleacoder,

 

Could you please mark the proper answers as solutions?

 

Best Regards,

Dale

Community Support Team _ Dale
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Frequent Visitor
Posts: 8
Registered: ‎09-26-2017

Re: Power Bi REST API - 401 Authorization error when using app secret

I had a simliar issue where i could use my own credentials but not the service account and the issue was the service account didnt have a power bi pro license. Not sure if thats the same issue but might be worth looking at

Regular Visitor
Posts: 17
Registered: ‎12-04-2018

Re: Power Bi REST API - 401 Authorization error when using app secret


@v-jiascu-msft wrote:

 

 

It seems you only need an access token. Please refer to developer/embed-sample-for-customers

 


That link talks about using a special user account (username + password) for the app, not an app secret/service principal, which is what I am trying to do.

 

However, I have been told elsewhere that roles are not needed in order to authorize service principals. Only "App permissions" are needed.

Regular Visitor
Posts: 17
Registered: ‎12-04-2018

Re: Power Bi REST API - 401 Authorization error when using app secret


@sjc4062 wrote:

I had a simliar issue where i could use my own credentials but not the service account and the issue was the service account didnt have a power bi pro license. Not sure if thats the same issue but might be worth looking at


 

That might be it. But when I go to assign licenses and search for the service principal it does not come up in the results. Not sure if it is getting filtered away because only users and groups are valid, or if it's because I am not an Azure global admin.

Community Support Team
Posts: 7,295
Registered: ‎05-02-2017

Re: Power Bi REST API - 401 Authorization error when using app secret

[ Edited ]

Hi @tripleacoder,

 

Your requirements are quite clear now. You'd like to use the App secret (aka client secret) instead of the user password authentication. I'm afraid this isn't workable in Power BI. The reason is simple. Even the global admin can't access other's contents. How can an App access everything?

 

Best Regards,
Dale

Community Support Team _ Dale
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.