In Power BI we get this error when trying to make a web connection:
"We couldn't authenticate with the credentials provided. Please try again"
The Azure function app is registered in our AAD. The function is a C# httptrigger with this code:
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;

public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, TraceWriter log)
{
    // Read the claims of the authenticated caller
    ClaimsIdentity userClaimsId = ClaimsPrincipal.Current.Identity as ClaimsIdentity;
    var claims = userClaimsId.FindAll(ClaimTypes.Upn);
    // Group membership claims
    var groups = userClaimsId.Claims.Where(x => x.Type.Equals("groups")).ToList();
    // All claims on the identity
    var upns = userClaimsId.Claims.ToList();
    // Claims whose type is "upn"
    var roles = userClaimsId.Claims.Where(x => x.Type.Equals("upn")).ToList();
    // Return only the group claims to the caller
    return req.CreateResponse(HttpStatusCode.OK, groups);
}
We are attempting to connect from Power BI Desktop via the Get Data > Web option using an organizational account in our same AAD. When we call the function from a browser it prompts for login and seems to return data.
User Authentication: Power BI uses Azure Active Directory (AAD) to authenticate users who sign in to the Power BI service, and in turn, uses the Power BI login credentials whenever a user attempts to access resources that require authentication.
The token that Power BI Desktop obtains from AAD when you sign in with an organizational account is for the https://yourfunction.azurewebsites.net audience. But when you configure AAD authentication for your Azure Function App, by default the audience configured is https://yourfunction.azurewebsites.net/.auth/login/aad/callback. That's why you receive an access denied.
So you can go to the AAD authentication settings of your Azure Function App, click AAD > Advanced > and enter the new allowed token audience there (see below, marked in red). Make sure to click OK, and to save the changes.
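A way to confirm the audience mismatch described in this answer, as an added example that is not part of the original post: it reads the aud claim from a token and compares it with an allowed-audience list before and after the change. The sample token is constructed and unsigned, the helper names are hypothetical, and exact string comparison of audiences is an assumption of this sketch.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def token_audiences(jwt: str) -> list:
    """Return the aud claim as a list. Diagnostic only: the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    aud = json.loads(_b64url_decode(parts[1])).get("aud", [])
    # The JWT spec allows aud to be a single string or an array of strings.
    return [aud] if isinstance(aud, str) else list(aud)


def audience_accepted(jwt: str, allowed: list) -> bool:
    # Assumption: audiences are compared as exact strings.
    return any(aud in allowed for aud in token_audiences(jwt))


def make_sample_token(aud) -> str:
    # Constructed sample: placeholder signature, never valid against a real service.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": aud, "upn": "user@example.com"}).encode())
    return f"{header}.{payload}.constructed-signature"


# Placeholder host name taken from the answer text.
SITE = "https://yourfunction.azurewebsites.net"
DEFAULT_ALLOWED = [SITE + "/.auth/login/aad/callback"]  # default described in the answer
FIXED_ALLOWED = DEFAULT_ALLOWED + [SITE]                # after adding the site URL

if __name__ == "__main__":
    token = make_sample_token(SITE)  # audience Power BI Desktop requests, per the answer
    print("aud claim:      ", token_audiences(token))
    print("default setting:", audience_accepted(token, DEFAULT_ALLOWED))
    print("after the fix:  ", audience_accepted(token, FIXED_ALLOWED))
```

Decoding a token this way only shows which audience the client requested; it does not validate the token.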