TechQA.

ConfidentialClientApplicationBuilder bearer token unauthorized

346 views Asked by At

I am trying to access Power BI web api from my web application. For msal, I can get the correct access token when I use PublicClientApplicationBuilder with my organizational email and password.

enter image description here

but I dont want that. It exposes my email and password. plus I belive, this method is only suitable for desktop based application. And I need to use an app only access token.It should not be tied to any specific user.

But when using ConfidentialClientApplicationBuilder with client secret added in Azure app registry, It gives me a different access token which is unauthorized while access anything.

enter image description here

Am I missing anything?

powerbi azure-active-directory powerbi-rest-api msal
Original Q&A
1

There are 1 answers

0
Rukmini On

Note that: Client Credential flow works only for Application API permissions.

The "401 unauthorized" error usually occurs if the access token does not contain required roles/scopes to perform the action.

To resolve the error, make sure to grant application type API permission to the Azure AD Application:

enter image description here

I generated the access token using the below code:

var scopesDefault = new string[] { "https://analysis.windows.net/powerbi/api/.default" };
var app = ConfidentialClientApplicationBuilder
.Create("ClientID")
.WithAuthority("https://login.microsoftonline.com/TenantID")
.WithClientSecret("ClientSecret")
.Build();
Microsoft.Identity.Client.AuthenticationResult result = await app
.AcquireTokenForClient(scopesDefault)
.ExecuteAsync();
var text = result.AccessToken;
Console.WriteLine(text);

enter image description here

When I decoded access token, roles are displayed:

enter image description here

If still the issue persists, check the below:

  • Few Power BI operations or accessing Power BI requires only delegated admin access token.
  • Based on your requirement you can assign delegated Api permissions and make use of Authorization Code Flow to generate access token.
  • Create an Azure Security Group and add the Service Principal as a Member:

enter image description here

Enable Allow service principals to use read-only admin APIs option in Power BI Admin Portal and add Security Group:

enter image description here

References:

Power BI REST APIs for embedded analytics and automation - Power BI REST API

powerbi - Access Token Scope Issue in Azure AD and Power - Stack Overflow by me

Related Questions in POWERBI

Related Questions in AZURE-ACTIVE-DIRECTORY

Related Questions in POWERBI-REST-API

Related Questions in MSAL

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions