Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Generate Embed Token using Power BI REST API 403 error

We are currently working on Embedding Power BI Reports into our web application. To achieve that we are following the instructions on official power bi documentation:

https://learn.microsoft.com/en-us/power-bi/developer/embed-service-principal#get-started-with-a-service-principal

We are on the “app owns data” case thus we will user service principal. There is also “access with master account” option but I could not find a way to generate token via REST API, it works only via .NET samples provided which is not compatible with out stack. Moreover, in all the samples I have examined, token is retrieved from the security context of currently logged in user(So not via REST API). So “access with master account” is not an option for us.

We followed the steps in the link above one by one:

  1. Registered a server-side web application.
  2. Created a security group in Azure AD and added our new server side web application to this group.
  3. Enabled service principal (as power bi admin) for the new security group we created.
  4. Created and published our reports.
  5. Added the service principal as an admin to the workspace (new workspace ) that we have created.

On step 6 where we embed the report in our applications we are having issues. Here is what we do:

  1. Generate Access Token For Service Principal.

URL: https://login.microsoftonline.com/{$tenantId}/oauth2/v2.0/token
Request Body:
grant_type: client_credentials
scope:https://graph.microsoft.com/.default
client_id:${clientId} (from our created server-side web application) >
client_secret:${client_secret} (from our created server-side web application)
Header: Content-Type: application/x-www-form-urlencoded
Response: { "token_type": "Bearer", "expires_in": 3600, "ext_expires_in": 3600, "access_token": "eyXXXXXXXXXXXXXXXXX....XXX" }

  1. Generate Embed Token using Power BI REST API

URL:
https://api.powerbi.com/v1.0/myorg/groups/${groupId}/reports/${reportId}/GenerateToken (groupId and reportId fetched from power bi dev portal where we have our reports)
Request Body: { "accessLevel": "View", "allowSaveAs": "false" }
Header: Content-Type: application/json
Charset:utf-8 Accept: application/json
Authorization: Bearer ${access_token_from_step1}
Response: HTTP 403 (which means forbidden)

Unfortunately we are stuck at this point. We can not generate embed token which we will use to embed our reports/dashboards into our application. Although we have been through lots of online docs/discussions we could not find a solution. So here is what we need help.

Notes:

-We are creating/publishing reports using Power BI Desktop and our power bi pro account. (Although we are trying to embed them using service principal)

-We have run into this stackoverflow answer that claims we need to use resource owner flow instead of client credentials flow. But I believe it is against power bi documentation that states service principal can be applied without using any user/password.

like image 241
selman Avatar asked Dec 23 '22 22:12

selman


1 Answers

The scope you defined when generating Access Token For Service Principal is not correct.

Try to use https://analysis.windows.net/powerbi/api/.default instead of https://graph.microsoft.com/.default

Note: There are many limitations when use service principal.

like image 109
Tony Ju Avatar answered Jan 29 '23 13:01

Tony Ju