2

I'm trying to implement the daemon authentication flow. The following post request returns me an access token with the right scope:

```python
import requests

# Azure AD token endpoint for the tenant (tenant ID redacted)
p_url = 'https://login.microsoftonline.com/' + 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' + '/oauth2/token'
# Client credentials grant: the application authenticates as itself
data = { 'grant_type':'client_credentials',
         'client_id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
         'client_secret': 'L------------------------------------------=',
         'resource':'https://analysis.windows.net/powerbi/api' }
r = requests.post(url=p_url, data=data)
```

I receive the following response:

```json
{
  "access_token" : "ey------------",
  "expires_on" : "1454857253",
  "not_before" : "1454853353",
  "expires_in" : "3600",
  "token_type" : "Bearer",
  "scope" : "Dashboard.Read.All Data.Alter_Any Dataset.Read.All Dataset.ReadWrite.All Report.Read.All",
  "resource" : "https://analysis.windows.net/powerbi/api"
}
```

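```python
import json

# Extract the access token from the token endpoint's JSON response
response = json.loads(r.text)
token = response['access_token']
# Present the token as a Bearer credential to the Power BI REST API
headers = { 'Authorization': 'Bearer ' + token }
response = requests.get('https://api.powerbi.com/v1.0/myorg/datasets', headers=headers)
```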

I use the endpoint from the application's "view endpoints" page. However, when I attempt to get the list of "datasets" I always receive 403. What might be missing from the acquire token process?

volkan
  • 31
  • 1
  • 4
  • Not sure what's happening. Could you try to register a new client app just to make sure the app is correctly configured? You can register your app here: https://dev.powerbi.com/apps?type=native – Lukasz P. Feb 10 '16 at 15:28
  • Hi Lukasz, not only did I create a new application, I also created a new Azure AD tenant under my personal account with a trial PowerBI Pro subscription. I ended up with the same result. Matthias Leibmann [states that](http://blogs.msdn.com/b/exchangedev/archive/2015/01/21/building-demon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow.aspx) "application permissions" must be used rather than "delegated permissions" because this is client credential flow. However Azure AD does not allow defining "application permissions" for PowerBI. – volkan Feb 11 '16 at 09:45
  • Hello, did you solve this client_credentials with Power BI, please? – Martin Janeček Feb 16 '16 at 09:55
  • 1
    Also curious if anyone has solved this – Chris Harrington Feb 16 '16 at 19:45
  • No. Unfortunately I have not received any explanation from Microsoft support teams yet (I had opened a ticket through our paid account). I opted for user based flow where I have to store user's password in cleartext. – volkan Feb 17 '16 at 13:20
  • You have to show some code. Did you include the access token in the right way in the REST call for datasets? – andrew.fox Feb 17 '16 at 21:06
  • Hi Andrew, the code is embarrassingly simple. I added the rest of it. – volkan Feb 17 '16 at 22:15

1 Answer

-1

Your flow is a bit short. REST call for datasets seems OK, but as far as I know, you have to request the access token by authorization code, not client credentials alone.

1) Get authorization code

Depends on your flow; for a website it will be received during the logon process or a call to /oauth2/authorize with { 'response_type':'code' }

2) Get access token

With the authorization code in a variable, you have to modify your request to include the authorization code, like this (grant_type and code fields are altered):

```python
import requests

p_url = 'https://login.microsoftonline.com/' + 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' + '/oauth2/token'
# authorizationCodeForSignedInUser holds the code obtained in step 1
data = { 'grant_type':'authorization_code',
         'client_id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
         'client_secret': 'L------------------------------------------=',
         'code': authorizationCodeForSignedInUser,
         'resource':'https://analysis.windows.net/powerbi/api' }
r = requests.post(url=p_url, data=data)
```

Basically, you have to have a user account that accesses the Power BI resource. Your website (clientid + secret) is not authorized by itself. There must be a user involved.

What's more, afaik only "organization account" users can access Power BI.

To be explicit and underline the main cause in this thread, post and comments: the Power BI REST API can only be used by a user with Organizational Account credentials who is already signed in to (activated) Power BI on the Power BI portal. You can check whether the REST API will work by checking whether this user is able to use the Power BI portal manually.

andrew.fox
  • 7,435
  • 5
  • 52
  • 75
  • Andrew, check out [Azure AD Daemon or Server Application to Web API flow](https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/#daemon-or-server-application-to-web-api) as well as [Service to Service Calls Using Client Credentials](https://msdn.microsoft.com/en-us/library/azure/dn645543.aspx) – volkan Feb 18 '16 at 09:01
  • @volkan - Power BI is specific, afaik it doesn't allow service-to-service calls without user (account) credentials. Refer to: https://powerbi.microsoft.com/en-us/documentation/powerbi-developer-power-bi-permissions/ – andrew.fox Feb 18 '16 at 09:16
  • 1
    I think the answer, which confirms your explanation, is in this [stackoverflow thread](http://stackoverflow.com/questions/32341877/cant-get-client-credentials-access-token-to-authorize-power-bi?rq=1). The first time I read it I assumed it was another flow but I believe it is the same thing. If no UI interaction is desired we have to use actual username/password for service-to-service calls. – volkan Feb 18 '16 at 14:06
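The distinction this thread settles on, an app-only token versus one issued for a signed-in user, can be checked on the token itself. The following is an added example, not code from the original posts: it decodes the JWT payload without verifying the signature (diagnosis only) and reports whether a user identity is present. The claim names `upn`, `unique_name`, `scp` and `roles` are those used in Azure AD tokens; the function names and both sample tokens are constructed for illustration.

```python
import base64
import json


def decode_jwt_payload(token):
    """Return the claims of a JWT without verifying its signature (diagnosis only)."""
    parts = token.split('.')
    if len(parts) != 3:
        raise ValueError('not a compact JWT: expected header.payload.signature')
    payload = parts[1]
    # JWTs use unpadded base64url; restore the padding before decoding
    payload += '=' * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_token(token):
    """Classify a token as 'delegated' (a user is present) or 'app-only'."""
    claims = decode_jwt_payload(token)
    has_user = any(c in claims for c in ('upn', 'unique_name'))
    has_delegated_scopes = bool(claims.get('scp'))
    kind = 'delegated' if has_user or has_delegated_scopes else 'app-only'
    return {
        'kind': kind,
        'audience': claims.get('aud'),
        'scopes': claims.get('scp', '').split(),
        'roles': claims.get('roles', []),
    }


def _make_sample(claims):
    # Constructed, unsigned sample token so the example runs offline
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b'=').decode()
    return '.'.join([enc({'alg': 'none', 'typ': 'JWT'}), enc(claims), 'sig'])


RESOURCE = 'https://analysis.windows.net/powerbi/api'
# Shape of a token from the client_credentials grant: no user claims
APP_ONLY = _make_sample({'aud': RESOURCE, 'appid': 'constructed-app-id'})
# Shape of a token from the authorization_code grant: user and scopes present
DELEGATED = _make_sample({'aud': RESOURCE, 'appid': 'constructed-app-id',
                          'upn': 'user@example.com', 'scp': 'Dataset.Read.All'})

if __name__ == '__main__':
    for name, tok in (('client_credentials', APP_ONLY), ('authorization_code', DELEGATED)):
        print(name, classify_token(tok))
```

Run against a real token, a result of `app-only` with the correct audience matches the situation in the question: the token is valid, but it carries no user for Power BI to authorize.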