cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
piper
Frequent Visitor

Disabling multi factor authentication for power bi

Hi All,

 

I am new to power BI, and have purchased power bi pro account for some POC. However, a multi-factor authentication got enabled when I registered my cell/phone number with Azure/PowerBI.

 

However, now, I am not able to generate the access token for using power BI rest apis. We have written lot of code to automate few things w.r.t power bi, and I don't want all of that to go in vain.

 

I am getting following msg while generating token:

 

AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000009-0000-0000-c000-000000000000'

 

Can anyone please help how to disable MFA for user?

1 ACCEPTED SOLUTION

Hi @piper ,

 

The request requires the user to do multi-factor authentication and then send this new token back to Web API 1 and complete the on-behalf-of flow. MFA was enabled by triggering a rule if some action (e.g. sudden location change) was treated as "risky activity". For an account there is a "moved to a new location" flag that can get set, automatically triggering the need for MFA, even if it was initially off.

 

Please check the conditional access locations in Azure AD and check if your AAD admin can clear the flag. Disable MFA for the account or configure conditional access to give access to "Global Admin" role.

 

Please find additional info in the following articles:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-location...

https://docs.microsoft.com/en-us/azure/active-directory/develop/conditional-access-dev-guide

https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authent...

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

Best Regards,

Dedmon Dai

View solution in original post

8 REPLIES 8
iabrani
New Member

Found a solution.   Created a Service account with Power Bi portal admin and have this service account to be excluded from the nightly process that forces the MFA the next day.

 

Log in to the Power Bi Portal under this service account and recreate the subscription under this login.  This is working for my organization so far.

nickyvv
Community Champion
Community Champion

Hi @piper,

maybe you can use a Service Principal to use with automating things around the REST API?
https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal


Did I answer your question? Mark my post as a solution!

Proud to be a Super User!


Blog: nickyvv.com | @NickyvV


piper
Frequent Visitor

Thanks @nickyvv for your response.

 

Currently, for every new client, we are creating new workspace/group via REST apis. This is required to clone reports to entirely new workspace dedicated for a client.

There are few limitations for using service principal, which are provided on same link which you have shared, like following one:

 

"Embed for your organization applications can't use service principal."

 

I am not sure, but with this, I think I won't be able to generate embed token for reports.

 

I had tried service principal approach in past for powerbi rest api, before going for powerBi pro, and it hadn't work earlier.

I will try it again, and update back.

 

Meanwhile, do you think if there is any way to either disable MFA or get access token silently with MFA?

Hi @piper ,

 

The request requires the user to do multi-factor authentication and then send this new token back to Web API 1 and complete the on-behalf-of flow. MFA was enabled by triggering a rule if some action (e.g. sudden location change) was treated as "risky activity". For an account there is a "moved to a new location" flag that can get set, automatically triggering the need for MFA, even if it was initially off.

 

Please check the conditional access locations in Azure AD and check if your AAD admin can clear the flag. Disable MFA for the account or configure conditional access to give access to "Global Admin" role.

 

Please find additional info in the following articles:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-location...

https://docs.microsoft.com/en-us/azure/active-directory/develop/conditional-access-dev-guide

https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authent...

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

Best Regards,

Dedmon Dai

Thanks @v-deddai1-msft .

 

I have followed steps outlined here :https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-aut...

 

And, have disabled default security measures. I understand this is bit risky as per security, but it has unblocked me for now.

I was able to get access token for powerbi rest api.

 

Once POC completes, I will go through shared links in detail, to setup conditional access.

G'day @piper ,

Did you ever 


@piper wrote:

... go through shared links in detail, to setup conditional access.


I am facing the issue of MFA, I turned on MFA for the accont that I use to refresh data and now my refreshes are failing. From the documentation @v-deddai1-msft quoted here: 

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-location...

it appears one will need to specify a range of IP addresses for the Power BI service servers. Is that what you did?

Actually I think I have solved it for my installation. It may have been that I just had to re-send my SharePoint credentials in the Power BI admin console. I had been into the AD conditional policy and specifically Excluded the Power BI Service but it was still failing. After a while I noticed a message in the Power BI Datasets area that some credentials needed to be updated; the ones for SharePoint data source. I re-entered those and it sprang back into life for me, I am now doing scheduled refreshes again with MFA turned on.

Hi @piper ,

 

If my post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

Best Regards,

Dedmon Dai

Helpful resources

Announcements
Carousel_PBI_Wave1

2023 Release Wave 1 Plans

Power BI release plans for 2023 release wave 1 describes all new features releasing from April 2023 through September 2023.

Power BI Summit Carousel 2

Global Power BI Training

Make sure you register today for the Power BI Summit 2023. Don't miss all of the great sessions and speakers!

BizApps LATAM 2023

Business Application LATAM Summit 2023

Join the biggest FREE Business Applications Event in LATAM this February.

Power Platform Bootcamp

Global Power Platform Bootcamp

In this bootcamp we will deep-dive into Microsoft’s Power Platform stack with hands-on sessions and labs, delivered to you by experts and community leaders.

Top Solution Authors
Top Kudoed Authors