sam

Reputation: 969

Error while getting access token for PowerBI service from AAD application

I need an access token from AAD (in non-interactive way) to access the PowerBI service.

Here is what I have:

  1. a Native application created in Azure Active Directory with PowerBI permissions
  2. a client_id and client_secret of the Native application
  3. a Console application where I am passing the client_id, user_email and user_password.

I have tried different users' credentials:

  1. Normal user's credential
  2. Admin's credential
  3. Service account's credential

For all of them, I am getting the following error while getting the token:

Additional information: AADSTS65001: The user or administrator has not consented to use the application with ID ''. Send an interactive authorization request for this user and resource.

Here is the reference which I used: https://msdn.microsoft.com/en-in/library/partnercenter/dn974935.aspx

What can be the possible reasons for this?

Upvotes: 0

Views: 1358

Answers (1)

Shawn Tabrizi

Reputation: 12434

While it is possible to get an access token for a user in a non-interactive way, it is important to note that there must, at least to start, be some level of interactive experience for the user.

In order for a client application to access a Resource API, consent must be given by the user to allow the Resource API to give data to the Client Application. Even just to sign in, the client app receives a token with the user's UPN, Security Groups, Roles, First/Last Name, etc. AAD itself must feel okay to give this personal data away to the client app, which means that the user must consent to "Sign-In and Read Basic Profile" for the app. This means there will ALWAYS need to be some consent for all user-based applications.

Once that consent trust has been established, subsequent calls can be made in a non-interactive way, but only once that consent has been recorded.

The entire consent experience is handled through our login experience, which is hosted on our servers, and does not require you to write any code or host anything. Simply point a user to sign in and consent to your application by generating a URL with your configuration information:

https://login.microsoftonline.com/<TenantID>/oauth2/authorize?client_id=<AppID>&response_type=code&redirect_uri=<RedirectURI>&resource=<ResourceURI>&prompt=admin_consent

Note here that we added "prompt=admin_consent" which is a special form of consent that tenant administrators can perform, which will consent to the permissions required by the client app on behalf of all users in the tenant. If you want your consent to be on a per-user basis, change this to "prompt=consent".

I hope this helps!

Upvotes: 1
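As an added illustration (not part of the answer above), the following Python helpers build the consent URL the answer describes, with the query values properly percent-encoded, and recognise the AADSTS65001 response from the question so a console app can stop retrying with passwords and instead point an administrator at the consent URL. The tenant, app, redirect and resource values, and the sample error body, are constructed placeholders.

```python
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"


def build_consent_url(tenant_id, app_id, redirect_uri, resource_uri, admin=True):
    """Build the AAD v1 authorize URL from the answer.

    admin=True adds prompt=admin_consent (an administrator consents for the
    whole tenant); admin=False adds prompt=consent (per-user consent).
    urlencode percent-encodes redirect_uri and resource so that URIs with
    ':' and '/' survive as single query values.
    """
    params = {
        "client_id": app_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": resource_uri,
        "prompt": "admin_consent" if admin else "consent",
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/authorize?{urlencode(params)}"


def needs_consent(token_error_body):
    """Return True if an AAD token-endpoint error JSON is the AADSTS65001
    'not consented' failure quoted in the question.

    The numeric error_codes list is checked first; the description text is a
    fallback for responses that omit it. Any other error (wrong password,
    locked account, ...) returns False so it is not mistaken for a missing
    consent.
    """
    try:
        body = json.loads(token_error_body)
    except ValueError:
        return False
    if 65001 in body.get("error_codes", []):
        return True
    return "AADSTS65001" in body.get("error_description", "")


# Constructed sample of a v1 token-endpoint error body for the consent failure.
SAMPLE_CONSENT_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS65001: The user or administrator has not "
                         "consented to use the application with ID ''.",
    "error_codes": [65001],
})
```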
