11-10-2016 03:10 PM - edited 11-21-2016 10:57 AM
I stumbled on this thread today while researching what sounds like a similar issue.
As with others on this thread, things had been working as expected for us over the last few weeks/months, but we're now suddenly experiencing this issue. MFA was enbled for our users 20 days ago, and several users are now reporting encountering this.
We opened a Premier Support case and have passed along the information contained in this thread. Our Support Engineer suggested that we update Power BU Desktop, uninstall/re-install the Gateway, and ultimately took a Fiddler trace. While he's analyzing the collected data, we're going to try to add preview.powerbi.com to our Trusted Sites (can't do so locally due to Group Policies), then whitelist IP ranges for this and the various regional clusters (e.g., https://wabi-north-europe-redirect.analysis.windows.net).
Please let us know if you receive any updates on your collective cases and we'll do the same.
11-11-2016 12:13 AM
Thanks for the details, I'll let you know as soon as we hear anything to.
I have updated our call to let them know you have also logged one.
11-21-2016 11:45 PM
Hey, y'all! Here's an update:
After reading the OP, my gut feeling was that our issue was probably related to the implementation of the MFA in our environment - and a subsequent Fiddler trace seem to support it. After digging a bit deeper, we determined that MFA was enabled the day before the users began having these issues - not 20 days prior as I was originally told. That news practically made it a certainty that an authentication issue was the culprit.
After bringing this up to the support engineer, he gave us the following eleven IP ranges which cover all of the 329 (and more) clusters:
The O365 admin added these ranges and confirmed that OAuth2 was working as expected. The IP ranges were subsequently and we were able to repro the error again. The error definitely appears to be related to an extra step in authentication while trying to reaching a resource within the eleven whitelisted IP ranges we were provided.
I'll submit an update once we narrow the issue down further, and if y'all will do the same, I'd appreciate it.