Azure Web App AAD Authentication with PBI API

Jimmy 21 Reputation points
2020-09-24T14:49:09.38+00:00

Hi,

I have created an App Registration, where the API Permissions for PBI (Delegated) are granted.
The App Registration also has a client secret.

Next I have created an App Service where one of the slots is used for a Web App (React + .NET Core).
For the App Service (Deployment Slot) I have enabled Authentication with AAD, and added the client secret of the App Service.

This all works fine. When a user goes to the Web App, they get a login screen. After logging in they have to accept the API Permissions for the App.
When a user is on a certain page, I make a GET request to ".auth/me" which gives back some information about the user and an access_token and id_token.

What I now want to do is use that access token to make a call to the PBI API, however, I keep getting a forbidden / unauthorized error.
However, when I use PowerShell to generate a PBI Access Token and hardcode it into my web app, it does work. So it seems the token I get back from ".auth/me" doesn't have access to PBI, even though users have to accept the API Permissions dialog.
I'm using this React package: https://github.com/microsoft/powerbi-client-react.

Is what I'm trying to do possible?


Accepted answer
  1. 2020-09-25T18:43:14.667+00:00

    By default the audience of the access token is the app itself. Follow the steps detailed in Refresh identity provider tokens to include https://analysis.windows.net/powerbi/api as a resource/audience. Basically, using Azure Resource Explorer you have to add this under subscriptions > <subscription_name> > resourceGroups > <resource_group_name> > providers > Microsoft.Web > sites > <app_name> > config > authsettings:

       "additionalLoginParams": [  
           "response_type=code id_token",  
           "resource=https://analysis.windows.net/powerbi/api"  
       ],  
    

    --
    Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

    1 person found this answer helpful.
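The audience mismatch described in the accepted answer can be confirmed on the client before calling the Power BI API. The following is an added example, not part of the original question or answer: it decodes the token's payload and checks its `aud` claim against the Power BI resource URI. The function names, the trailing-slash normalization and the sample tokens are assumptions made for illustration; the decode does not verify the signature and is for diagnostics only.

```javascript
// Audience the Power BI API expects (resource URI from the accepted answer).
const POWER_BI_RESOURCE = "https://analysis.windows.net/powerbi/api";

// Decode a JWT payload WITHOUT verifying the signature: diagnostics only.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null; // opaque or truncated token
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
    return JSON.parse(atob(padded));
  } catch {
    return null; // payload was not valid base64url-encoded JSON
  }
}

// Assumption: ignore a trailing slash when comparing resource URIs.
const normalize = (uri) => String(uri).replace(/\/+$/, "");

// Hypothetical helper: explains why a token would be rejected by Power BI.
function checkPowerBiToken(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  if (!claims) return { ok: false, reason: "not-a-jwt" };
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.some((a) => normalize(a) === normalize(POWER_BI_RESOURCE))) {
    // Default App Service behaviour: the audience is the web app itself.
    return { ok: false, reason: "wrong-audience", aud: claims.aud };
  }
  if (typeof claims.exp === "number" && claims.exp <= nowSeconds) {
    return { ok: false, reason: "expired", aud: claims.aud };
  }
  return { ok: true, reason: "audience-matches", aud: claims.aud };
}

// Constructed sample tokens (placeholder signature), so this runs offline.
function makeSampleToken(claims) {
  const enc = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}

const appToken = makeSampleToken({ aud: "00000000-0000-0000-0000-000000000000", exp: 2000 });
const pbiToken = makeSampleToken({ aud: POWER_BI_RESOURCE, exp: 2000 });
console.log(checkPowerBiToken(appToken, 1000)); // audience is the app, not Power BI
console.log(checkPowerBiToken(pbiToken, 1000)); // audience matches
```

In the web app, pass the `access_token` value returned by ".auth/me" to `checkPowerBiToken`; a `wrong-audience` result means the `resource` login parameter has not taken effect for that session.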

1 additional answer

  1. Bandaru, Ananda Prasad 1 Reputation point
    2022-03-18T06:35:46.85+00:00

    Do you have a GitHub link for your code, please?
