Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
navinrangar
Advocate I
Advocate I

Azure AD App Authentication 'scope doesn't exist on app' with power-bi APIs

‎02-09-2023 06:15 AM

I intend to call Powerbi APIs in my react app.

 

For this, I need to dynamically generate an access token.

 

And to generate that access token, I have registered my azure ad app. Have given all the powerbi permissions.

 

My APIs only need 'Dataset.ReadWrite.All' permission. And that permission doesn't need any admin consent.

 

In my react app, I'm using msal 2.0 library (msal-react and msal-browser) for authentication.

 

I'm hitting this endpoint in msal config which is responsible for generating an access token - 

 
I need a token with 'Dataset.ReadWrite.All' permission to authorize with powerbi rest API. And I have also configured my azure ad app for this permission.
 
sc4-azure-ad-permission.png
 
 
 
 
invalid_client: AADSTS650053: The application 'dashboard.navinrangar.work' asked for scope 'Dataset.ReadWrite.All' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor. Trace ID: 77e47883-fdd3-444a-bdd3-9f3a53bc1500 Correlation ID: aa77d724-0d9f-41aa-8e47-251c6b6f9293 Timestamp: 2023-02-09 13:51:46Z
 
EVERYTHING LOOKS GREAT IN AZURE AD.
 
I READ IT SOMEWHERE THAT THIS RESOURCE '00000003-0000-0000-c000-000000000000' indicates to the graph.microsoft.com resource. and I'm hitting https://login.microsoftonline.com/{myTenantId} . these are my app endpoints.
 
sc5-azure-ad-app-endpoints.png
 
I'm not sure if powerbi resources come under graph.microsoft.com ('00000003-0000-0000-c000-000000000000) resource!!??
 
also on my app's API permissions page I read, they come under https://analysis.windows.net/powerbi/api that is 00000009-0000-0000-c000-000000000000??
 
 
navinrangar_1-1675951932846.png
 
 
am I hitting the wrong endpoint or the issue is something else??
Labels:
Message 1 of 2
1,921 Views
0
1 REPLY 1
navinrangar
Advocate I
Advocate I

‎02-10-2023 04:18 AM

if we set any scope our azure ad app endpoint, then by default it is treated as a Microsoft graph scope. so to mention powerbi API scope, we need to define our scope w/ this hostname: https://analysis.windows.net/powerbi/api/{scope_you_want}

 

in my case i wanted dataset.readwrite.all so i defined my scope as https://analysis.windows.net/powerbi/api/Dataset.ReadWrite.All

 

 

this answer helped me a lot. 

 

https://stackoverflow.com/questions/75402011/access-token-scope-issue-in-azure-ad-and-power/75407572...

Message 2 of 2
1,859 Views

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All