Access Token Scope Issue in Azure AD and Power
I'm working with Power Bi REST APIs, for which I need an azure ad token.
I have set up an app in Azure AD, and have configured it as.
a. I intend to use that access token in my react app so I have configured it as SPA.
b. i have allowed public-client flow.
** I hv not checked 'access token' and 'id token' checkboxes as I'm using msal 2.0.
c. also have specified redirect uri as http://localhost:4200
d. also have given it all the permission I need to access my powerbi content (I need 'Dataset.ReadWrite.All)
THESE ARE MY AZURE APP ENDPOINTS
I HAVE SET MY REACT APP AS: I'm using @azure/msal-browser and @azure/msal-react libraries.
This is my msalConfig object-
const configuration: Configuration = {
auth: {
clientId: "myclientidhere",//,
authority: "https://login.microsoftonline.com/mytenantidhere",
redirectUri: "http://localhost:4200/",
},
cache: {
cacheLocation: "localStorage",
storeAuthStateInCookie: false,
},
}
and, this is my scope:
export const loginRequest = {
scopes: ["Dataset.ReadWrite.All"]
};
after i run my app i see the auth popup. i put my credentials in it. and suddenly it throws this error-
invalid_client: AADSTS650053: The application 'dashboard.xyz.work' asked for scope 'Dataset.ReadWrite.All' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor. Trace ID: 77e47883-fdd3-444a-bdd3-9f3a53bc1500 Correlation ID: aa77d724-0d9f-41aa-8e47-251c6b6f9293 Timestamp: 2023-02-09 13:51:46Z
i have granted the same permission in my azure ad app. however my app has not been granted 'admin consent' but as a user my account has the permission to use this scope in powerbi.
NOTE: if I change my scope to 'user.read' or any other ms graph API resource, then I'm able to get an access token of that scope to access graph API resource. but I'm not able to get an access token to access my powerbi resources.
EVERYTHING LOOKS GREAT IN AZURE AD.
I READ IT SOMEWHERE THAT THIS RESOURCE '00000003-0000-0000-c000-000000000000' indicates to the graph.microsoft.com resource. and I'm hitting https://login.microsoftonline.com/{myTenantId} . these are my app endpoints.
I'm not sure if powerbi resources come under graph.microsoft.com ('00000003-0000-0000-c000-000000000000) resource!!??
also on my app's API permissions page I read, they come under https://analysis.windows.net/powerbi/api that is 00000009-0000-0000-c000-000000000000??
am I hitting the wrong endpoint or the issue is something else??
I tried to reproduce the same in my environment and got the same error as below:
To resolve the error, try the below:
I created an Azure AD SPA Application and added API permissions:
Note: Make sure to give scope as
https://analysis.windows.net/powerbi/api/Dataset.ReadWrite.Allto access PowerBI content
I generated the auth-code by using below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://analysis.windows.net/powerbi/api/Dataset.ReadWrite.All
&state=12345
&code_challenge=codeChallenge
&code_challenge_method=S256
As admin consent is not granted to the API permissions, you will get the consent screen as below:
The auth-code got generated successfully without any error as below:
Now, I generated access token by using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
grant_type:authorization_code
client_id:ClientID
scope:https://analysis.windows.net/powerbi/api/Dataset.ReadWrite.All
code:code
redirect_uri:https://jwt.ms
code_verifier:S256
The access token generated successfully with the scope Dataset.ReadWrite.All like below:
To resolve the error, modify the code as below:
export const loginRequest = {
scopes: ["https://analysis.windows.net/powerbi/api/Dataset.ReadWrite.All"]
};
If still the issue persists, try scope as https://analysis.windows.net/powerbi/api/.default.
- How to resolve paging when retrieving data from REST API in R
- SearchService deployment fails if the resource exists
- Azure Bicep - Referencing a variable that cannot be calculated at the start
- Local development with Azure SignalR Service and Azure Functions
- Azure Functions & Application Insights requests "Operation Link" empty
- Disabling allow public blob access using terraform
- how to retrieve all resources under given subnet using Azure Resource Graph Explorer query
- I'm using SSIS in ADF to move .csv from a blob container to another and then ingest into a Azure SQL database. I get an assembly error
- How to build expression in ADF from json using parameterized variable?
- Reference a variable azure pipeline not working
- Graph Powershell adding a user to PIM for a privileged security group
- Indexing static HTML blob storage content with Azure Cognitive Search is not working as expected
- Azure python webapp deploy shows as running even though it is successful
- Azure pipeline get Pull request source and target branch name
- Error while copying Azure Storage table from one Storage to another storage table using Powershell script
- Azure Function App Fails to Delete Blob Image After Deployment
- Use Azure AD authentication but manage roles in database in .NET 6
- Microsoft Azure VMs IaaS or PaaS?
- Can an application property be updated/deleted from a ServiceBusReceivedMessage?
- Why is my Blazor Web App throwing a SocketException when authenticating with OpenIddict when deployed to Azure App Service?
- RPC failed: curl 56 failure when receiving data from the peer
- Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell
- Reading Excel file returns 'Invalid Request' error
- Is it possible to clone an Azure Container App?
- Unable to Enable Encryption at host for Azure VM
- Application Insights does not capture information level logging
- How to look up logical partition count and size in Cosmos DB
- AzureRmWebAppDeployment@4 tries to deploy to a wrong URL to Linux app plan
- Azure B2C client credentials flow throws invalid_grant AADB2C90085
- Why I can't create azurerm_app_service connection?