Vqf5mG96cSTT

Reputation: 2891

Authenticate AAD user through API to AAS cube

We have an AAS OLAP cube with authentication and would like to provide it with the AAD user currently querying it through the API.

Currently Azure handles the authentication for our web APIs. We basically ticked the authentication to be enabled by Azure AD in the Azure portal.

The authorization is in the cube itself, as was recommended. Which means I have to supply it somehow with the Azure AD user.

I have looked into the Impersonator class found here but this is probably only suited for Windows context. I have also looked into this issue but this requires working with an app id and app secret which would defeat the purpose according to my basic knowledge of it.

I have tried ADOMD.NET and added the token and user id to the connection string as stated here. But then I receive the following error: "Exception has been thrown by the target of an invocation. Federated service at https://sts.blank.com/adfs/services/trust/13/usernamemixed returned error: ID3242: The security token could not be authenticated or authorized.". It could be that I'm taking the wrong claims here to insert into the connection string. My knowledge on this is limited.

This is the test code I am using to test ADOMD.NET:

using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.AnalysisServices.AdomdClient;

// Claims taken from the AAD-authenticated caller of the API.
string token = ClaimsPrincipal.Current.Claims.First(fod => fod.Type == "aio").Value;
string userId = ClaimsPrincipal.Current.Claims.First(fod => fod.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn").Value;

// Claim value passed as the password; this is the call that produced the ID3242 error above.
using (AdomdConnection conn = new AdomdConnection($"Data Source=asazure://blank.asazure.windows.net/blank;Initial Catalog=blank;user id={userId};password={token}"))
{
    conn.Open();
    StringBuilder result = new StringBuilder();
    foreach (CubeDef cube in conn.Cubes)
    {
        result.AppendLine(cube.Name);

        foreach (Dimension dim in cube.Dimensions)
        {
            result.Append("\t");
            result.AppendLine(dim.Name);
        }
    }

    conn.Close();
}

To query the OLAP cube I have also tested the NuGet package LinqToDAX because no one here knows DAX. But this is giving me the error: "The 'MSOLAP' provider is not registered on the local machine.". I don't know how to register this provider in Azure or how to pass it the credentials. I'm not sure if the same method would work by simply entering the values in the connection string because of the previous error.

This is the test code I am using to test LinqToDAX:

string token = ClaimsPrincipal.Current.Claims.First(fod => fod.Type == "aio").Value;
string userId = ClaimsPrincipal.Current.Claims.First(fod => fod.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn").Value;
DbContextOlap dbContextOlap = new DbContextOlap($"Provider=MSOLAP;Data Source=asazure://blank.asazure.windows.net/blank;Initial Catalog=blank;user id={userId};password={token}");

Can someone point me in the right direction?

EDIT: using the package suggested here I am receiving the following error: "Exception has been thrown by the target of an invocation.; parsing_wstrust_response_failed: Parsing WS-Trust response failed". I can connect with DAX studio so the problem must be in my code.

Upvotes: 1

Views: 949

Answers (1)

Vqf5mG96cSTT

Reputation: 2891

The solution to this was actually pretty simple.

  1. Follow the sample project found here: https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof. But instead of connecting to the Graph API, you connect to the AAS cube. The ResourceId to get the on behalf of token should therefore be set to "https://datacenter.asazure.windows.net" where datacenter is the location of your AAS, for example westeurope.
  2. Set the connection string to: "Provider=MSOLAP;Data Source=asazure://datacenter.asazure.windows.net/nameofyourserver;Initial Catalog=nameofyourcube;User ID=;Password=onBehalfOfToken;Persist Security Info=True;Impersonation Level=Impersonate". Leave the User ID blank. Set the password to the on behalf of token you get from AcquireTokenAsync().
  3. Use the official NuGet packages: Microsoft.AnalysisServices.AdomdClient.retail.amd64.

Upvotes: 1
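The three steps of the answer put together as one worked example. This is added illustration code, not code from the question, the answer or the linked Azure sample: it assumes an ASP.NET Web API on .NET Framework that validates AAD bearer tokens with SaveSigninToken enabled (so the caller's raw token is available as the identity's BootstrapContext), ADAL (Microsoft.IdentityModel.Clients.ActiveDirectory) for the on-behalf-of exchange, and the Microsoft.AnalysisServices.AdomdClient package. The tenant, client id, secret, region, server and database names are placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.IdentityModel.Tokens;                      // BootstrapContext (System.IdentityModel assembly)
using System.Threading.Tasks;
using Microsoft.AnalysisServices.AdomdClient;           // NuGet: Microsoft.AnalysisServices.AdomdClient.retail.amd64
using Microsoft.IdentityModel.Clients.ActiveDirectory;  // NuGet: ADAL

public static class AasOnBehalfOf
{
    // Assumed placeholder values: your tenant, this Web API's own app registration and your AAS server.
    const string Tenant      = "contoso.onmicrosoft.com";
    const string ApiClientId = "00000000-0000-0000-0000-000000000000";
    const string ApiSecret   = "<api-client-secret>";   // load from Key Vault / app settings, never from source
    const string AasRegion   = "westeurope";            // data centre the AAS server lives in
    const string AasServer   = "nameofyourserver";
    const string AasDatabase = "nameofyourcube";

    // Step 1: exchange the caller's bearer token (audience = this API) for a token whose
    // audience is Azure Analysis Services. The result still identifies the calling user,
    // so the cube's own roles and row-level security are evaluated for that user.
    public static async Task<string> AcquireAasTokenForCallerAsync()
    {
        var bootstrap = ClaimsPrincipal.Current.Identities.First().BootstrapContext as BootstrapContext;
        if (bootstrap == null || string.IsNullOrEmpty(bootstrap.Token))
            throw new InvalidOperationException("Incoming bearer token not available; enable SaveSigninToken.");

        string upn = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn)?.Value;

        var authContext = new AuthenticationContext($"https://login.microsoftonline.com/{Tenant}");
        var clientCred  = new ClientCredential(ApiClientId, ApiSecret);
        var assertion   = new UserAssertion(bootstrap.Token, "urn:ietf:params:oauth:grant-type:jwt-bearer", upn);

        // Resource is the regional AAS endpoint, not the Graph API used by the sample project.
        AuthenticationResult result = await authContext.AcquireTokenAsync(
            $"https://{AasRegion}.asazure.windows.net", clientCred, assertion);
        return result.AccessToken;
    }

    // Steps 2 and 3: open ADOMD.NET with the on-behalf-of token as the password and an empty User ID.
    public static AdomdConnection OpenAasConnection(string oboToken)
    {
        string connectionString =
            $"Provider=MSOLAP;Data Source=asazure://{AasRegion}.asazure.windows.net/{AasServer};" +
            $"Initial Catalog={AasDatabase};User ID=;Password={oboToken};" +
            "Persist Security Info=True;Impersonation Level=Impersonate";

        var conn = new AdomdConnection(connectionString);
        conn.Open();
        return conn;
    }

    // Check: ask the model which identity it sees. If this returns the caller's UPN rather than
    // the API's identity, the cube-side authorization is being applied to the right user.
    public static string WhoAmI(AdomdConnection conn)
    {
        using (var cmd = new AdomdCommand("EVALUATE ROW(\"user\", USERNAME())", conn))
        using (AdomdDataReader reader = cmd.ExecuteReader())
        {
            return reader.Read() ? Convert.ToString(reader[0]) : null;
        }
    }

    // Example entry point for a controller action: lists the cubes visible to the calling user.
    public static async Task<string> ListCubesAsCallerAsync()
    {
        string token = await AcquireAasTokenForCallerAsync();
        using (AdomdConnection conn = OpenAasConnection(token))
        {
            var cubeNames = conn.Cubes.Cast<CubeDef>().Select(c => c.Name);
            return $"{WhoAmI(conn)}: {string.Join(", ", cubeNames)}";
        }
    }
}
```

Two points worth keeping in mind when adopting this. The API's client secret is only used to prove the API's identity during the token exchange; the token that reaches AAS is still issued for the user, which is why the cube's roles apply to the user and not to the app. And because the token travels in the Password part of the connection string, Persist Security Info=True (copied from the answer) keeps it readable from conn.ConnectionString after Open; drop that setting unless something downstream needs it, and never log the connection string.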
