PowerBI AADSTS90002: Tenant authorize not found

Question

Reference: Power BI Sample Solution

I have moved the necessary code from the sample solution to my solution and its giving me the following error when authenticating:

AADSTS90002: Tenant authorize not found. This may happen if there are no active subscriptions for the tenant. Check with your subscription administrator.

I am authenticating with these 2 lines:

 var authenticationContext = new AuthenticationContext(AuthorityUrl);
 var authenticationResult = await authenticationContext.AcquireTokenAsync(ResourceUrl, ApplicationId, credential);

The error is occurring on the last line. Below are values in my web.config:

<add key="authorityUrl" value="https://login.windows.net/common/oauth2/authorize/" />
<add key="resourceUrl" value="https://analysis.windows.net/powerbi/api" />

Again, this works 100% in the sample app but not when I move to my app. Any ideas why ?

Thanks in advance for any help.

Answer 1

In my case instead of downgrading Microsoft.IdentityModel.Clients.ActiveDirectory, I changed the authentication endpoint from https://login.windows.net/{My tenant}/oauth2/tokento https://login.microsoftonline.com/{My tenant} which resolved the issue.

Answer 2

So after some research I found that it was to do with the version of the following nuget packages:

Microsoft.IdentityModel.Clients.ActiveDirectory
Microsoft.PowerBI.Api

The following versions needed to be used:

Microsoft.IdentityModel.Clients.ActiveDirectory v3.13.9
Microsoft.PowerBI.Api V2.0.12

It seems it has something to do with the endpoints that are used. If you downgrade to the above versions(which are the same versions used in the sample tool provided), then it works.

The latest versions use something like this : https://login.microsoftonline.com/common/ where the versions provided in the same uses : https://login.windows.net/common/oauth2/authorize/

Once I "downgraded" my versions, it authenticated!

Hope this helps someone else.

Answer 3

Yes all the answer are correct, I just want to put some lights on the things like why it's working in low version and not in new version

As per the official doc this is a better authority validation update from microsoft

ADAL.NET 4.x is also less forgiving than ADAL 3.x when setting the authority in the constructor of AuthenticationContext. Valid authorities should be, in the case of Azure AD v1.0:

• https://login.microsoftonline.com/{Guid}, where the Guid is the tenant ID
• https://login.microsoftonline.com/domainName, where the domain name is a domain associated with your tenant

• https://login.microsoftonline.com/common which, in the case of ADAL.NET means any Azure AD tenant (note that the meaning is
  different in MSAL.NET)

  It cannot be https://login.microsoftonline.com/common/OAuth2/endpoint even if this for could have been wrongly accepted in ADAL 3.x

Answer 4

Resolved by reverting the assembly "Microsoft.IdentityModel.Clients.ActiveDirectory" to Version=3.13.9.1126.

Using latest version of this assembly raised this issue. Version = 4.4.0.0

Answer 5

The fix is quite simple but it's hard to find it from Microsoft Docs as they are very vast. So I'm sharing what worked for us.

Note that we are using AuthenticationContext combined with ClientCredential to get the token.

The AuthorityUrl for 3.x versions is - https://login.windows.net/{yourOrg}/oauth2/token

After upgrading to 4.x or later it should be changed to - https://login.microsoftonline.com/{yourOrg}

Incase if you are wondering the full code is just 2 lines

var authenticationContext = new AuthenticationContext(AppSettings.AuthorityUri);
var token = authenticationContext.AcquireTokenAsync(AppSettings.ResourceUri, new ClientCredential(AppSettings.ClientId, AppSettings.ClientSecret)).GetAwaiter().GetResult();