luwa
Frequent Visitor

grant_type must be "password" and app level permissions

Hi all,

 

I am trying to call PBI REST APIs such as https://api.powerbi.com/v1.0/myorg/groups or delete rows in a dataset.

The access token I acquired using `grant_type: client_credentials`, passing `client_id` and `client_secret`, doesn't return with a `scope` claim, hence when calling the PBI endpoints, it's 401.

But if I acquire the token using `grant_type: password`, and pass in my own credentials in addition to the client_id and secret, the token returned then contains `scope` and I can call the PBI endpoint successfully.

 

On AAD, my app has only "Delegation Permission", no "Application Permission".

 

Question:

Is it true that calling PBI APIs, the token acquired must use the `grant_type: password`?

In other words, there must be a user context for calling the APIs?

 

My goal is to write a Logic App (worker) to delete rows in my PBI dataset.

Hence GUI consent giving isn't an option. And having to put my own credentials in to obtain the correct token seems unsustainable. 

 

Thank you for your time!

1 ACCEPTED SOLUTION
ericleigh007
Helper II

We use a service account that has access to PowerBI for this.  We have MFA turned on for almost all accounts, but off for service accounts.

It appears to be true that one needs the password grant type.

And for extra fun, the AAD library no longer supports it.   "UserCredential" is no longer there.

 

So what you must do is issue a regular old HTTPS POST to the authority URL, and a body like this:

 

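    // Requires: using System.Net;  (for WebUtility)
    // Form-encoded body for the token request. The parameters must be joined
    // without spaces or line breaks, and every value URL-encoded.
    string authBody =
        "grant_type=password" +
        $"&resource={WebUtility.UrlEncode(resourceString)}" +
        $"&username={WebUtility.UrlEncode(username)}" +
        $"&password={WebUtility.UrlEncode(password)}" +
        $"&client_id={WebUtility.UrlEncode(clientId)}" +
        $"&client_secret={WebUtility.UrlEncode(secret)}";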

With this information, because you're including a client secret, there will be no prompt necessary.

 

Good luck.

-e


8 REPLIES
luwa
Frequent Visitor

Thank you Eric for your reply!!!

 

Yeah, after many tries, I believe it is true as the doc says, "Power BI permissions give an application the ability to take certain actions on a user's behalf. All permissions must be approved by a user in order to be valid." https://docs.microsoft.com/en-us/power-bi/developer/power-bi-permissions

 

Therefore grant_type: client_credentials does not work.

 

Here is a Postman screenshot of what to include to get the token:

 

Capture.PNG

 

Then you would get a token with scope in it.

"scp": "Capacity.Read.All Capacity.ReadWrite.All Content.Create Dashboard.Read.All Dashboard.ReadWrite.All Data.Alter_Any Datapool.Read.All Datapool.ReadWrite.All Dataset.Read.All Dataset.ReadWrite.All Group.Read Group.Read.All Metadata.View_Any Report.Read.All Report.ReadWrite.All Workspace.Read.All Workspace.ReadWrite.All".

 

Even if you grant the "Application Permissions" on the Azure App Registration page, I don't think it can bypass the "user context" requirement, which means, you must have user consent and use grant_type: password to get access token.

 

To achieve my goal, later I learned, to display the latest data for a push set, I just have to use TopN visual filter, and add a timestamp to my incoming data. 

So in the end, I use LogicApp to pipe data to EventHub, and used Azure Stream Analytics to process further SQL queries, and then push data to PBI's stream dataset.

Learnt it from this tutorial https://www.pluralsight.com/courses/azure-power-bi-streaming
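
Added example (not part of any post in this thread): a small Python check that decodes an access token's payload and reports whether it carries the delegated `scp` claim discussed above, so a 401 can be traced to the token type before the API call is made. The sample tokens are constructed and unsigned, the `appid`/`upn` values are placeholders, and `classify` and `make_sample` are hypothetical helper names.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def classify(token: str, needed_scope: str) -> dict:
    claims = jwt_claims(token)
    scopes = claims.get("scp", "").split()  # delegated: space-separated string
    roles = claims.get("roles", [])         # application: JSON array
    if scopes:
        kind = "delegated"
    elif roles:
        kind = "app-only"
    else:
        kind = "no scp or roles"
    return {"kind": kind, "scopes": scopes, "roles": roles,
            "has_needed_scope": needed_scope in scopes}

def make_sample(claims: dict) -> str:
    # Builds a CONSTRUCTED, unsigned token so the example runs offline.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

# Constructed samples mirroring the two grants discussed in the thread.
CLIENT_CREDENTIALS_TOKEN = make_sample(
    {"appid": "00000000-0000-0000-0000-000000000000"})
PASSWORD_GRANT_TOKEN = make_sample({
    "appid": "00000000-0000-0000-0000-000000000000",
    "upn": "svc-account@example.com",
    "scp": "Dataset.ReadWrite.All Group.Read.All Workspace.Read.All",
})

if __name__ == "__main__":
    for name, tok in [("client_credentials", CLIENT_CREDENTIALS_TOKEN),
                      ("password", PASSWORD_GRANT_TOKEN)]:
        print(name, classify(tok, "Dataset.ReadWrite.All"))
```

The decode step skips signature validation, so it is suitable for troubleshooting a token you just received, not for making authorization decisions.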


Not true, you can use client_credentials. But note, many endpoints are not allowed (not documented) and note this especially: python - Power BI Rest API Requests Not Authorizing as expected - Stack Overflow


sam_tran_0-1661158142718.png


sam_tran_1-1661158212836.png

 

And you need to grant your Service Principal access to the workspace

sam_tran_0-1661158633352.png

 

And alter the api settings in the Admin portal

sam_tran_1-1661158677323.png

 

Hi Sam, 

 

I have this working and giving me a bearer code. I can use it to access things like the activity logs. 

 

I can't manage to get it to post rows to a push dataset though.

 

I can push rows to the dataset if I grab the bearer code from my login using the 'try this' page, so I know my API push setup is all correct. I have all the admin settings as you've described and have the dataset and workspace (admin) shared to the application and the group it's in. 

 

Any ideas about what else might be getting in the way? Thanks

Wait... I just read your linked Stack Overflow question and it's exactly what I needed. Now I need to go and remove powerbi permissions from the application. How counterintuitive. Hope it works.

Oh no, I just read it again. Read only...

 

Can't use applications to post rows....ughhhhh. Does anyone here have a method they use for posting rows via API that works? I'd like to use an application secret type setup because the current method (Knime ETL send to powerbi node, requires microsoft authentication via a user). 

 

https://learn.microsoft.com/en-us/power-bi/enterprise/read-only-apis-service-principal-authenticatio...

 

 

Just having my own journey over here...

 

In case it matters to anyone, I got it to work. Seems that PostRowsToGroup works for some reason. Was using (successfully, with the other bearer code from the 'tryit' site) plain old PostRows where the group isn't specified.

Can you elaborate Eric? I am possibly having the same issue. What do you mean by 

"So what you must do is issue a regular old HTTPS POST to the authority URL"?
