azure azure-active-directory powerbi powerbi-embedded

Receiving a 'Forbidden (403)' when connecting to Power BI API


We've been trying to follow this Power BI article so that we can embed reports/dashboards in our SaaS product. Specifically, we're stuck at Step 3, 'Create the Embed Token.'

We're able to obtain a bearer token just fine, but when the request to retrieve the reports is ultimately submitted to the API we receive: Operation returned an invalid status code 'Forbidden'

    private static string clientId = "...";
    private static string secretKey = "...";
    private static string groupId = "...";

    static void Main(string[] args)
    {
        string resourceUri = "https://analysis.windows.net/powerbi/api";
        string authorityUri = "https://login.windows.net/common/oauth2/authorize";

        ClientCredential credential = new ClientCredential(clientId, secretKey);
        AuthenticationContext authContext = new AuthenticationContext(authorityUri);

        var token = authContext.AcquireTokenAsync(resourceUri, credential).Result.AccessToken;

        var tokenCredentials = new TokenCredentials(token, "Bearer");

        using (var client = new PowerBIClient(new Uri("https://api.powerbi.com/"), tokenCredentials))
        {
            var reports = client.Reports.GetReportsInGroupWithHttpMessagesAsync(groupId);

            // !!! - Here's where the exception is thrown
            // !!! -- Operation returned an invalid status code 'Forbidden'
            var report = reports.Result.Body;
        }
    }

Here's what we've tried:

  • The required permissions have been granted (we've checked off all to ensure we're not missing anything). This includes both Windows Azure Active Directory/Power BI Service.
  • We've confirmed that the client ID, secret key and group id are correct.
  • The Power BI workspace is private, but we've tried making a public one to be sure it doesn't matter.
  • Finally, the token we receive via code matches the token on powerbi.com.

Solution

  • You are using the client credential flow to acquire a token for the Power BI API. Currently, the Power BI REST API only supports delegated permissions and does not support any application permissions, so your access token gets insufficient access. To use Power BI, authentication needs to be based on a particular user. The related threads here and here are for your reference.

    According to your document, the scenario is that the app owns access to the data. Users will not necessarily be Power BI users, and the application controls authentication and access for the end users. In that case you can use the resource owner flow to acquire a token.

    A sample of this is available within Controllers\HomeController.cs of the App Owns Data sample.

    From the code sample, it acquires the token using a user password credential, not the application's credential:

        // Create user password credentials.
        var credential = new UserPasswordCredential(Username, Password);

        // Authenticate using the created credentials.
        var authenticationContext = new AuthenticationContext(AuthorityUrl);
        var authenticationResult = await authenticationContext.AcquireTokenAsync(ResourceUrl, ClientId, credential);


    Please refer to Authenticate users and get an Azure AD access token for your Power BI app and check the Access token for non-Power BI users (app owns data) section.
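
One way to confirm the diagnosis in the answer above is to decode the access token's payload and look for the `scp` claim, which Azure AD includes in delegated (user) tokens and omits from tokens issued through the client credential flow. This is an added example, not part of the original answer or the App Owns Data sample; the `TokenKind` class, its methods and the sample payloads are constructed for illustration, and the token is only decoded here, not validated.

```csharp
using System;
using System.Text;
using System.Text.Json;

static class TokenKind
{
    // Decode the payload segment of a compact JWT. No signature check is done:
    // this is a diagnostic for a token you just acquired, not token validation.
    static JsonDocument DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Not a compact JWT (expected 3 segments).");
        // base64url -> base64, then restore the stripped padding.
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return JsonDocument.Parse(Convert.FromBase64String(b64));
    }

    // "delegated" when the token carries user-consented scopes in scp,
    // "app-only" when it carries none (the client credential case).
    public static string Classify(string jwt)
    {
        using (JsonDocument doc = DecodePayload(jwt))
        {
            bool hasScp = doc.RootElement.TryGetProperty("scp", out JsonElement scp)
                          && scp.ValueKind == JsonValueKind.String
                          && scp.GetString().Trim().Length > 0;
            return hasScp ? "delegated: " + scp.GetString() : "app-only";
        }
    }

    // Build an unsigned sample token from a JSON payload (constructed test data).
    static string MakeSample(string payloadJson)
    {
        string Enc(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
                                       .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return Enc("{\"alg\":\"none\"}") + "." + Enc(payloadJson) + ".";
    }

    static void Main()
    {
        // Constructed payloads; the appid and upn values are placeholders.
        const string aud = "\"aud\":\"https://analysis.windows.net/powerbi/api\"";
        string appOnly = MakeSample("{" + aud + ",\"appid\":\"00000000-0000-0000-0000-000000000000\"}");
        string delegated = MakeSample("{" + aud + ",\"scp\":\"Report.Read.All\",\"upn\":\"user@example.com\"}");
        Console.WriteLine(Classify(appOnly));
        Console.WriteLine(Classify(delegated));
    }
}
```

Passing the `AccessToken` string from the question's `AcquireTokenAsync(resourceUri, credential)` call to `Classify` shows which kind of token the code is actually sending to the API.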