Search code examples
c#.netasp.net-corepowerbipowerbi-embedded

Unauthorized response on GetReportInGroupAsync PowerBI Embedded API call using Service Principal

I'm attempting to embed Power BI reports into my .Net Core application, however I'm unable to get a valid response back from the request. I'm using the Microsoft.PowerBI.API package and an azure app registration with service principal.

As far as I can tell, I have set up the AAD and Service Principal up with the correct permissions following the instructions here: https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal

I caught the part where you have to add the AAD/Service Principal to the security group before adding that security group to the admin settings in Power BI Admin Portal.

Here's my code snippit I'm using:

var AuthorityUrl = "https://login.microsoftonline.com/common/";
var ResourceUrl = "https://analysis.windows.net/powerbi/api";

var authenticationContext = new AuthenticationContext(AuthorityUrl);
AuthenticationResult authenticationResult = null;
var credential = new ClientCredential("application_id", "application_secret");
authenticationResult = await authenticationContext.AcquireTokenAsync(ResourceUrl, credential);

using (var client = new Microsoft.PowerBI.Api.PowerBIClient(new Uri("https://api.powerbi.com/"), new TokenCredentials(authenticationResult.AccessToken, "Bearer")))
{
    var report = await client.Reports.GetReportInGroupAsync(new Guid("workspace_id"), new Guid("report_id"));
}

I successfully get the token back from the AcquireTokenAsync call, however when getting the report I get an unauthorized.

Here are the permissions of my AAD/Service Principal in Azure: azure aad api permissions

Here is my Request/Response that I captured with Fiddler. Request:

GET https://api.powerbi.com/v1.0/myorg/groups/{workspace_id}/reports/{report_id} HTTP/1.1
Authorization: Bearer {access_token}
User-Agent: FxVersion/4.6.28207.03 OSName/Windows OSVersion/Microsoft.Windows.10.0.18362. Microsoft.PowerBI.Api.PowerBIClient/3.14.01300.0002
Host: api.powerbi.com

Response:

HTTP/1.1 401 Unauthorized
Content-Length: 0
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: deny
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: RequestId
request-redirected: true
home-cluster-uri: https://wabi-west-us-redirect.analysis.windows.net/
RequestId: {request_id}
Date: Thu, 10 Sep 2020 16:23:07 GMT

Any help would be appreciated!

Solution

  • For Service Principal to work for any embedding, you need to enable Service Principal option in Power BI Admin portal and then, add it to the Power BI workspace.

    Please check the following once:

    1. Check if service principal is enabled under Admin portal in Power BI service. Follow step 3 onwards
    2. If things don't work for you after following the above step, try embedding with the developer sample

    Besides, based on your code it looks like you are using ADAL library for authentication. Microsoft recommends to use MSAL library for authentication with Azure AD entities.
    Also, you can use certificate instead of app secret for service principal authentication. (Docs)