I try to get the list of the datasets for a particular tenant, using:
https://api.powerbi.com/v1.0/myorg/datasets
I get then a 403 error, it seems that my access code is not suitable for this call.
I could get an access_code successfully but I assume that it has the wrong scope since the response states:
"scope": "openid profile email User.Read"
yet I granted the correct permissions in azure:
when trying to add in the scope in the authentication call: openid offline_access DataSet.ReadWrite.All then I get an invalid_grant error
Try openid profile email https://analysis.windows.net/powerbi/api/.default as the scope.
You can find this endpoint while adding the power bi permission from Azure Portal:
Related
I am trying to use the request:
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}?api-version=2020-12-01
From microsoft graph API:https://learn.microsoft.com/en-us/rest/api/compute/virtualmachines/get#code-try-0.
I created an app registration within the an AD subscription. When I try to use the oauth2 credentials associated with the app registration I receive a 401. I believe this is due to a permissions error. I tried using https://developer.microsoft.com/en-us/graph/graph-explorer, but I am unable to assume the app registration to simulate the request. Any insight as to why this might be happening or how to debug the issue would be very helpful
Unlike the accepted answer, I had to set the scope to access this url...
https://management.azure.com/subscriptions/{SubscriptionID}/providers/Microsoft.Compute/virtualMachines?api-version=2020-12-01
to:
https://management.azure.com/.default
Your error is not a lack of permissions but the use of the wrong scope.
The error is actually very simple, you need to grant Azure Service Management api permissions instead of MS graph permissions, and then you need to set the scope to: https://management.azure.com/user_impersonation.
Next, use the auth code flow to obtain an access token.
Request an authorization code in the browser.
https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client id}
&response_type=code
&redirect_uri={redirect_uri}
&response_mode=query
&scope=https://management.azure.com/user_impersonation
&state=12345
Redeem token.
Call api:
Please note that do not use graph-explorer test, because you are not calling MS graph api, you can use postman.
I'm trying to get an embed token for power bi embedded.
I'm using 'App owns data' embed scenario.
I first get the access token of Azure AD and use it as Bearer token when calling embed token
Here is my Postman request details:
https://api.powerbi.com/v1.0/myorg/groups/{groyupid}/dashboards/{dashboardid}/GenerateToken
Request body
{accessLevel:"View"}
In authorization section I added the access token.
I received a 403 Forbidden response.
Here how I get the access token
I noticed that there is also another url to get token : https://login.microsoftonline.com/common/oauth2/token
What is the difference between the one with tenant id in the url
Then permissions for the AAD PowerBI application
Update
Thanks for the help I get another 404 not found error now
{
"error": {
"code": "PowerBIEntityNotFound",
"pbi.error": {
"code": "PowerBIEntityNotFound",
"parameters": {},
"details": [],
"exceptionCulprit": 1
}
}
}
For information I have added permission in PBI admin portal to pbireportingGroup an Azure security group that I created. ( as mentionned in docs )
Then I added to this group the AAD as member
Is that what should I do ?
403 means that your access token doesn't have the required permissions.
And you need to add the master account and service principal as the owner of the group / workspace (it may take 15 minutes to take effect).
UPDATE:
Now that you are using client credential flow, you should set application permissions:
And the resource in the request body should be https://analysis.windows.net/powerbi/api/.
Besides, you need to add the service principal as the admin of this workspace in Azure AD. (enter the name of your Azure AD app, and it will recognize its client id)
The application associated with client id 09ac92da-a796-4cd9-973b-c97756____ has no registered redirect URIs
Description
I followed the steps described in https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc?tabs=applications.
When attempting to obtain the token in Postman using ROPC I'm getting
{
"error": "invalid_request",
"error_description": "AADB2C90007: The application associated with client id '09ac92da-a796-4cd9-973b-c97756____' has no registered redirect URIs.\r\nCorrelation ID: e85003c3-cfd5-43ad-a74b-efa5c1ea6525\r\nTimestamp: 2019-12-06 19:47:42Z\r\n"
}
I should not be asked for a redirect URIs.
My POST is as follows:
URL: ''https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_ROPC_Auth"
username: some_username_of_a_user
password: its-password
grant_type: password
scope: openid offline_access 09ac92da-a796-4cd9-973b-c97756____
client_id: 09ac92da-a796-4cd9-973b-c97756____
response-type: token id_token
I didn't reproduce your issue by following this document. Here are the main steps for your reference.
1.Create a resource owner user flow
2.Register an application(It is an application under Azure AD B2C, not Azure AD)
3.Test the user flow
This error generally occurs because you still need to configure some application claims in the b2c directory user flow to allow complete access to the application.
You need to make sure that the right versions of the authentication are in the reply url (likely extension v2.0) and that the reply URL is configured in the application and in the code.
Please look to the documentation for the reply URL schema that you would need to follow: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=applications#register-a-web-application
If you still run into this issue let me know and I can reach out to the correct product team contacts, as sometimes this can happen due to breaking changes on our end.
I am trying to build a website where a user can log in via Azure AD B2C. After logging in, I'm trying to present a secure area where the user can change their Azure B2C user attributes (first name, last name, etc) via the Microsoft Graph API.
I am attempting to follow along with the Get a Token documentation
Everything is working up to step #3, where a call gets made out to https://login.microsoftonline.com/common/oauth2/v2.0/token to obtain an access_token using the code I received on my return URL.
Here's the general flow of what I am doing:
End user clicks a login link on my localhost site that links out to my Azure B2C tenant policy. Link looks something like this:
https://login.microsoftonline.com/mytenantname.onmicrosoft.com/oauth2/v2.0/authorize
?client_id=[MyAppID]
&response_type=code+id_token
&redirect_uri=http%3A%2F%2Flocalhost%3A17000%2Fprocessing%2Findex
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.write
&state=[MyCustomState]&p=[MyCustomPolicy]
User logs in and gets redirected to the redirect_uri.
redirect_uri successfully recieves code, id_token, and state values.
I take the code value from that and makes a POST https://login.microsoftonline.com/common/oauth2/v2.0/token request with the following body:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
HTTP/1.1
grant_type=authorization_code
&code=[code]
&client_secret=[application secret]
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.readwrite
&redirect_uri=http%3A%2F%2Flocalhost%3A17000%2Fprocessing%2Findex
The response code I receive back from that endpoint is the above error message.
{
"error": "invalid_grant",
"error_description": "AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID:6d7a8e32-bcbf-4fc4-a37a-87dae4781b00\r\nCorrelation ID:252912b7-5775-491a-968f-00ab03696dd9\r\nTimestamp: 2019-06-2722:11:18Z",
"error_codes": [9002313],
"timestamp": "2019-06-27 22:11:18Z",
"trace_id": "6d7a8e32-bcbf-4fc4-a37a-87dae4781b00",
"correlation_id": "252912b7-5775-491a-968f-00ab03696dd9"
}
Other StackOverflow posts mention verifying that the redirect_uri's have to match between the initial login and the subsequent access_token requests. They appear identical to me, but I am still receiving errors.
Any ideas what could be going wrong?
This is something you need to understand about OAuth on B2C before you are able to successfully request for a token.
This error means that the requested scope (resource) can’t be accessed by you (login user) because of the lack of permissions.
So, to fix that, you need to grant these required permissions to access that resource, by following these steps:
Define a new scope.
Grant Admin consent on that scope.
Request that scope when you request for a token.
In other words, in B2C-->App Registrations--> (Your App), shown in the image below, start with “Expose an API”, here you define a new scope of access, scope of resources or API, just a metadata that you know it represents some resources or API.
Then you click on “API Permissions”, here you will add the scope you just created and grand admin access in needed. But al least you need to add permissions to your newly defined scope.
The third and last step is when you hit: https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token
Make sure to pass the scope that you added. (Use the scope that you added)
The details are explained in here but I can simplify it for you.
configure b2c
So you need to go to your B2C
Seems you are trying to get access token using Authorization Code Grant V2.0
Your request doesn't match with Authorization Code Grant V2.0 format and you have encountered that error.
You should send token request for Authorization Code Grant V2.0 is like below:
Token Endpoint: `https://login.microsoftonline.com/common/oauth2/v2.0/token`
client_id:b603c7be-_YourApp_ID-e6921e61f925
scope:https://graph.microsoft.com/User.ReadWrite.All
redirect_uri:https://www.getpostman.com/oauth2/callback
grant_type:authorization_code
client_secret:Vxf1SluKbgu4P_YourAppSecret_DSeZ8wL/Yp8ns4sc=
code:OAQABAAIAAADCoMpjJXrxTq9VG9te-7FXrnBIp82sWR1nC
See Screen shot for details:
I am trying to get access_token using
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
endpoint using username and password where tenant = {some tenant id}
The parameters that I am using to make the request are:
client_id:{client_id}
scope:https://graph.microsoft.com/Calendars.ReadWrite
client_secret:{client_secret}
username:{username}
password:{password}
grant_type:password
I am getting the following error in response:
error: invalid_request
error_description : AADSTS90002: Tenant '' not found. This may happen if there are no active subscriptions for the tenant. Check with your subscription administrator.
I have the following permissions for my application available on Azure:
The documentation for this is available here : https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
On my side, it works. You should check your tenant whether your application is registered in this tenant.
I solved this issue by purchasing a subscription and adding my user as an administrator.
After that, I added two permissions to my application to get the delegate access for using ROPC (Resource Owner Password Credential)authentication method and granted them with the administrator consent.