I want to use token authenticate for the Power BI REST APIs. Now I have a service principal, then I using the az command line to login in and generate the token:
az login --service-principal -u ${app_id} -p ${password} --tenant ${tenant_id}
$token= az account get-access-token --query accessToken
And it does get the token.
However, I could not authenticate my power bi server, I got the error 403 Forbidden.
The service principal have the correct rights and add to the workspace access.
In order to verify the permission, I use the source code of a tripartite extension powerbi action:
https://marketplace.visualstudio.com/items?itemName=maikvandergaag.maikvandergaag-power-bi-actions
And there is function Invoke-API:
Function Invoke-API {
Param(
[parameter(Mandatory = $true)][string]$Url,
[parameter(Mandatory = $true)][string]$Method,
[parameter(Mandatory = $false)][string]$Body,
[parameter(Mandatory = $false)][string]$ContentType
)
$apiHeaders = Get-PowerBIAccessToken
...
}
return $result
}
It is using the Get-PowerBIAccessToken to get the token.
So, I using same service principal to connect powerbi service:
$powerbiUrl = 'https://api.powerbi.com/v1.0/myorg'
$sp_secret_key = $Env:sp_secret_key | ConvertTo-SecureString -asPlainText -Force
$organizationType = 'Public'
$cred = New-Object System.Management.Automation.PSCredential($sp_client_id, $sp_secret_key)
Connect-PowerBIServiceAccount -Environment $organizationType -Tenant $sp_tenant_id -Credential $cred -ServicePrincipal
Publish-PowerBIFile -WorkspaceName $target_wrokspace_name -FilePattern "$FilePattern" -Create $Create -Overwrite $Overwrite
The function Publish-PowerBIFile will invoke the Invoke-API. Surprisingly, it worked.
This seems to indicate that my Service Principal has sufficient permissions.
But unfortunately, the execution of this function calling Connect-PowerBIServiceAccount requires the installation of the MicrosoftPowerBIMgmt function module,Our production environment is in a high security environment and does not allow me to install this module. So I have to generate a token through Service Principal to complete the authentication.
So my question is, how is the way I generate the token using Service Principal different from the token generated by Get-PowerBIAccessToken? What should I do to be successful?
Any advice would be greatly appreciated.
update:
I grab the token through F12 and use postman to verify the token obtained by F12 and the token obtained by az account get-access-token --query accessToken, and it is concluded that the token obtained by F12 is valid. So how to generate a valid token through sp or does generating a token require additional permission settings?
Please add --resource https://analysis.windows.net/powerbi/api to your az account get-access-token command to retrieve the access token for Power BI Rest APIs.