I am setting up an enterprise application where third-party applications should be able to authenticate into it using our institutional SSO. The enterprise application has a GUID Client ID provided (e.g., 12345678-1234-1234-1234-1234567890ab) and I am indeed able to log into the application both through the public URL (e.g., https://myapp.myinstitution.edu) and using applications under my control that are aware of the Client ID.
The issue comes when I try to log into it with a third-party application like PowerBI. PowerBI, being outside my control, does not know the Client ID and attempts to log in using the public URL as the resource principal (https://myapp.myinstitution.edu).
My assumption is that somewhere I need to inform Azure Active Directory that the resource principal known to third-party apps (e.g., https://myapp.myinstitution.edu) is one and the same as my client ID (e.g., 12345678-1234-1234-1234-1234567890ab). My belief was that the correct way to do this would be to configure a Publisher Domain under the Branding section under App Registrations, but this did not resolve the issue.
How do I inform Active Directory that certain resource principals are synonymous with my application's Client ID?
Hi BenjaminLiSauerwine-6547,
Were you ever able to resolve this issue?
I'm having the identical problem with an app-service and power bi desktop.
I apologize that it's been so long since I've encountered this issue that I may have forgotten some important details. Further, checking my e-mail history, not all of what was done on the institutional AD admin side was ever made clear to me.
As far as I can tell looking at the Active Directory application (which in my case was an instance of HAPI FHIR connecting to PowerBI's FHIR connector), this is what needs to happen:
In Azure AD App Registrations:
Not all of that may be strictly necessary, but those are the steps I can reconstruct from my e-mail and are all that is directly visible in my AD application.
If that still doesn't work, there was one additional note I found in the e-mail thread, which was that the AD admin had to consent for "Power Query for Excel" also. I can't find any evidence that this actually happened in Azure Portal, though, so your mileage there may vary.