6

We are currently working on Embedding Power BI Reports into our web application. To achieve that we are following the instructions on official power bi documentation:

https://learn.microsoft.com/en-us/power-bi/developer/embed-service-principal#get-started-with-a-service-principal

We are on the “app owns data” case, thus we will use a service principal. There is also the “access with master account” option, but I could not find a way to generate a token via REST API; it works only via the .NET samples provided, which are not compatible with our stack. Moreover, in all the samples I have examined, the token is retrieved from the security context of the currently logged-in user (so not via REST API). So “access with master account” is not an option for us.

We followed the steps in the link above one by one:

  1. Registered a server-side web application.
  2. Created a security group in Azure AD and added our new server side web application to this group.
  3. Enabled service principal (as power bi admin) for the new security group we created.
  4. Created and published our reports.
  5. Added the service principal as an admin to the workspace (new workspace) that we have created.

On step 6 where we embed the report in our applications we are having issues. Here is what we do:

  1. Generate Access Token For Service Principal.

URL: https://login.microsoftonline.com/{$tenantId}/oauth2/v2.0/token
Request Body:
grant_type: client_credentials
scope: https://graph.microsoft.com/.default
client_id: ${clientId} (from our created server-side web application)
client_secret:${client_secret} (from our created server-side web application)
Header: Content-Type: application/x-www-form-urlencoded
Response: { "token_type": "Bearer", "expires_in": 3600, "ext_expires_in": 3600, "access_token": "eyXXXXXXXXXXXXXXXXX....XXX" }

  2. Generate Embed Token using Power BI REST API

URL:
https://api.powerbi.com/v1.0/myorg/groups/${groupId}/reports/${reportId}/GenerateToken (groupId and reportId fetched from power bi dev portal where we have our reports)
Request Body: { "accessLevel": "View", "allowSaveAs": "false" }
Header: Content-Type: application/json
Charset: utf-8
Accept: application/json
Authorization: Bearer ${access_token_from_step1}
Response: HTTP 403 (which means forbidden)

Unfortunately we are stuck at this point. We cannot generate the embed token which we will use to embed our reports/dashboards into our application. Although we have been through lots of online docs/discussions, we could not find a solution. So this is where we need help.

Notes:

- We are creating/publishing reports using Power BI Desktop and our Power BI Pro account. (Although we are trying to embed them using service principal)

- We have run into this stackoverflow answer that claims we need to use resource owner flow instead of client credentials flow. But I believe it is against Power BI documentation that states service principal can be applied without using any user/password.

selman

1 Answer

15

The scope you defined when generating the access token for the service principal is not correct.

Try to use https://analysis.windows.net/powerbi/api/.default instead of https://graph.microsoft.com/.default

Note: There are many limitations when using a service principal.

Tony Ju
  • Thank you very much! That worked. Now I am having a different error. "Creating embed token for accessing dataset 59d1101c-06d5-4811-9c71-b2cd830b7a75 requires effective identity to be provided" Any ideas about this one? – selman Aug 05 '19 at 08:32
  • @selman I am not familiar with PowerBI, maybe you can refer to https://community.powerbi.com/t5/Developer/quot-shouldn-t-have-effective-identity-quot-error-when-passing/td-p/433730 – Tony Ju Aug 05 '19 at 08:41
  • Also, just curious; in which documentation did you spot that we need to use that value for the scope? – selman Aug 05 '19 at 13:59
  • 2
    @selman You can find the resource uri `https://analysis.windows.net/powerbi/api/` here https://learn.microsoft.com/en-us/power-bi/developer/get-azuread-access-token. And resource parameter is for v1.0 endpoint, you are using v2.0 endpoint, so the scope should be `https://analysis.windows.net/powerbi/api/.default` – Tony Ju Aug 06 '19 at 00:58
  • 5
    Keep wondering why I find myself on stackoverflow when dealing with azure documentation – Illegal Operator Nov 10 '20 at 06:56
  • 1
    @IllegalOperator Stack Overflow IS their documentation lol. They own SO anyways. But I am running into a 401 Unauthorized error. Did anyone else run into this? – Noah Gary Jul 29 '21 at 14:04
  • wow i wish I found this answer earlier. was doing all sorts of nonsense – cmgchess May 27 '22 at 04:34
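
A way to confirm the scope fix from the answer before calling GenerateToken, as an added example that is not part of the original thread: build the v2.0 client-credentials request with the Power BI scope, then read the token's `aud` claim to see which API it was issued for. The function names and sample tokens are constructed for illustration, and the expected audience string is assumed to be the resource URI quoted in the answer.

```python
import base64
import json
from urllib.parse import urlencode

# Resource URI from the answer; assumed to be the audience of a Power BI token.
POWER_BI_RESOURCE = "https://analysis.windows.net/powerbi/api"

def token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for the v2.0 client-credentials call."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        # v2.0 endpoint: resource URI + "/.default", not the Graph scope.
        "scope": POWER_BI_RESOURCE + "/.default",
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return url, body

def token_audience(access_token):
    """Read the 'aud' claim without verifying the signature (diagnostic only)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("access token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("aud")

def is_power_bi_token(access_token):
    """True when the token was issued for the Power BI API."""
    aud = token_audience(access_token)
    return isinstance(aud, str) and aud.rstrip("/") == POWER_BI_RESOURCE

def _sample_jwt(claims):
    """Build a constructed, unsigned token so the check runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

# Constructed samples: what the question's scope and the answer's scope yield.
GRAPH_TOKEN = _sample_jwt({"aud": "https://graph.microsoft.com"})
PBI_TOKEN = _sample_jwt({"aud": POWER_BI_RESOURCE})

if __name__ == "__main__":
    print(token_request("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")[0])
    for name, tok in (("graph scope", GRAPH_TOKEN), ("powerbi scope", PBI_TOKEN)):
        print(name, "->", token_audience(tok), "usable:", is_power_bi_token(tok))
```

A token whose audience is Microsoft Graph is valid but not for the Power BI REST API, which is consistent with the 403 in the question. Keep `client_secret` and the decoded token out of logs when running this against a real tenant.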