
Error getting OData from Microsoft Graph: Access to the resource is forbidden

Hello,

 

I am getting an error "Access to the resource is forbidden" when trying to access Microsoft Graph in Power BI Desktop report.

Microsoft Graph URL is https://graph.microsoft.com/v1.0/devices

I am logging in using Organization Account.

I have Global Admin role in the tenant.

 

The report was working normally for months, but stopped since yesterday.

I even tried creating new one - same result.

Accessing the same URL from Graph Explorer works fine.

 

What could actually impact this kind of error?

Status: New
Comments
bartekab
Regular Visitor

I have the same problem - it started on June 1st.

 

I placed a service call to MS through Azure, but I got the info that connecting to MS Graph from PowerBI using oAuth is an unsupported configuration 😕 Great support....

The service that uses this connection in my company is completely down at the moment.


But I'm not giving up...

ruiromano
MVP

Same problem here. 😞

v-qiuyu-msft
Community Support

Hi all, 

 

I got information below: 

 

We do not support connecting to Graph. Because of various auth challenges, generic OData connectivity does not work.

 

Users should vote for a dedicated Graph connector on UserVoice to register their interest. 

 

Best Regards,
Qiuyun Yu 

Anonymous
Not applicable

@v-qiuyu-msft what do you mean you don't support it.. it's been working for months, it only stopped a few days ago..

bartekab
Regular Visitor

Exactly - and what about a time period to make the necessary changes in our services? What about any notifications to clients?

Someone just flipped the lever and ups....connectivity doesn't work anymore. And work yourself out!

jevgenijmart
Regular Visitor

@v-qiuyu-msft if OData with OAuth is not supported, what are our options connecting to Graph API from Power BI? We have tools and processes running based on data from Graph API. It is down more than a week now. We have to come up with alternatives

ruiromano
MVP

Here's an alternative:

 

  1. Register an App in Azure AD (webapp)
  2. Add the Service Microsoft.Graph and select all the permissions you need
  3. In PowerQuery
    1. create an "accessToken" query (see image)
    2. Use the OData authorization header parameter (see image)
  4. Select anonymous as the authentication for the graph api, because we are handling it manually

 

Unfortunately won't work w/ schedule refresh, but could be something I'm doing wrong.

 

But at least works on PBIDesktop

 

Attached images: 2018-06-09_19-12-01.png, 2018-06-09_19-11-02.png

Anonymous
Not applicable

I just can't understand how one day a service is used by potentially hundreds of customers, running potentially thousands of reports.. and without any community awareness, customer communication, the service disappears, and everything breaks..

 

Please bring some more information to this.

 

"We do not support connecting to Graph. Because of various auth challenges, generic OData connectivity does not work."

Anonymous
Not applicable

@v-qiuyu-msft, we're going to need more information than that.

 

"We do not support connecting to Graph. Because of various auth challenges, generic OData connectivity does not work."

 

It worked fine for a long time. Something changed on Graph's side of things that has now completely broken many, many reports that our clients use, as well as reports we use internally. This has put a huge wrench in projects we have in-progress based on what was working fine for a long time. Microsoft Graph is a huge component in leveraging Row-Level Security in Power BI; when you take away components of the O365 ecosystem from Power BI, you make Power BI a less valuable tool.

 

I know how we can approach this by pulling auth tokens on a schedule with Flow and reading those in our Power BI scheduled refresh, but the extra dev time for this is going to be very, very painful, and it's much less secure.

jevgenijmart
Regular Visitor

Thanks a lot for sharing, @ruiromano!

Code seems to be ok, but I am getting an error: Formula.Firewall: Query 'Devices (Azure AD)' (step 'Source') references other queries or steps, so it may not directly access a data source. Please rebuild this data combination.

Does anyone have a clue why this is happening? 
AzureAccessToken query is returning the token successfully, but I can't use it in OData.Feed method.

 

Parameters:

Azure Graph API Url = https://graph.microsoft.com/v1.0/

Azure Tenant Id = ...
Azure Application Id = ...

Azure Application Client Secret = ...


Query: AzureAccessToken

 

let
    // Azure AD token endpoint for the tenant
    TokenUri = "https://login.windows.net/" & #"Azure Tenant Id" & "/oauth2/token",
    ResourceId = "https://graph.microsoft.com",
    // Client-credentials grant: application ID and client secret are POSTed as a form body
    TokenResponse = Json.Document(Web.Contents(TokenUri,
        [
            Content = Text.ToBinary(Uri.BuildQueryString([client_id = #"Azure Application Id", resource = ResourceId, grant_type = "client_credentials", client_secret = #"Azure Application Client Secret"])),
            Headers = [Accept = "application/json"],
            ManualStatusHandling = {400}
        ]
    )),
    AzureAccessToken = TokenResponse[access_token]
in
    AzureAccessToken

 
Query: Devices (Azure AD)

 

let
    Source = OData.Feed(#"Azure Graph API Url" & "devices", [Authorization = "Bearer " & AzureAccessToken])
in
    Source
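
An added example, not part of the original post or of ruiromano's code: the two queries above combined into a single query, so the feed step no longer references a separate query, with an explicit check on the token endpoint's HTTP status (which `ManualStatusHandling` hands back to the query instead of raising an error). It reuses the four parameters from the post. Whether the Formula.Firewall error disappears also depends on the privacy levels set for the two sources, which the thread does not confirm.

```powerquery
let
    // Parameters as defined in the post above
    TokenUri = "https://login.windows.net/" & #"Azure Tenant Id" & "/oauth2/token",
    ResourceId = "https://graph.microsoft.com",

    // Client-credentials grant, sent as a form-encoded POST body
    Body = Uri.BuildQueryString([
        grant_type    = "client_credentials",
        client_id     = #"Azure Application Id",
        client_secret = #"Azure Application Client Secret",
        resource      = ResourceId
    ]),
    RawResponse = Web.Contents(TokenUri, [
        Content = Text.ToBinary(Body),
        Headers = [Accept = "application/json"],
        // Let 400/401 through so the error body can be read below
        ManualStatusHandling = {400, 401}
    ]),

    // The HTTP status is carried as metadata on the binary response
    Status = Value.Metadata(RawResponse)[Response.Status],
    TokenResponse = Json.Document(RawResponse),

    // Fail with the endpoint's own message instead of a missing-field error
    AccessToken =
        if Status = 200 then
            TokenResponse[access_token]
        else
            error Error.Record(
                "TokenRequestFailed",
                Record.FieldOrDefault(TokenResponse, "error_description", "no error_description returned"),
                [HttpStatus = Status]
            ),

    // Data source credential for graph.microsoft.com is set to Anonymous;
    // the bearer token is supplied through the OData.Feed headers record
    Source = OData.Feed(
        #"Azure Graph API Url" & "devices",
        [Authorization = "Bearer " & AccessToken]
    )
in
    Source
```

The client secret is held as a report parameter and the app-only token carries every application permission granted to the registration, so the registration should be granted only the Graph permissions the report reads.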