Authenticate Power BI in ASP.NET Core Web API as service principal

Question

We are working on Power BI reports. The data is fetched once a day from an ASP.NET Core Web API we developed. OAuth2 was used as an authentication framework in the .NET Core application, which worked fine since it was tested with Swagger.

We want to authenticate Power BI in the .NET Core application. It can be done in various ways:

1. Basic authentication
2. Service Principal

Basic Authentication

Previously, the authentication was done with basic authentication (username and password), which worked fine. But now, we plan to make it more secure.

Service Principal

We think using the service principal is the right approach for our case. I assume that authentication with service principal in Power BI uses OAuth2 client credentials flow behind the scenes.

We configured the service principal in the Power BI Web app in the following way:

Power BI => Workspace => Semantic Model => Settings => Data Source Credentials => Edit Credentials

We added all kinds of API permissions in the APP registration in Entra ID. Here it is:

Also, we added app registration as a security group in Power BI with Admin permissions:

As you can see, the security group with app registration and, the app registration itself were added to the workspace with Admin permissions.

When we want to configure authentication for Power BI to access the ASP.NET Core Web API as a service principal, we get the following error:

Failed to update data source credentials.

How can we solve the problem of not being able to authenticate Power BI as a service principal in the ASP.NET Core Web API?

I assume that we didn't provide enough info to Power BI, because Power BI doesn't ask for other info, like scope and URL for OAuth2 token. So, I didn't tell Power BI, that this is the URL where to generate a token:

https://login.microsoftonline.com/azure-tenant-guid/oauth2/v2.0/token

.

For OAuth2 the scope is also important, which is the following format: api://***********/.default

Answer 1

You can make use of service principal to authenticate Power BI.

• Service principal authentication uses OAuth2 client credential flow, and it needs Application type API permissions (not delegated).
• According to this MsDoc, My Workspace isn't supported when using service principal that is myorg.
• It only works with new workspaces.

To authenticate Power BI using Service Principal, check the below:

Create a Microsoft Entra ID application and grant Power Bi application type permission:

Created Azure Security Group and add the Service Principal as a member:

Enable Service principals can access read-only admin APIs add the security group like below:

The above setting will take around 15mins to reflect.

Use the below code to generate access token using client credential flow and call Power Bi API:

class Program
{
    private static string tenantId = "TenantID";
    private static string clientId = "ClientID";
    private static string clientSecret = "ClientSecret";
    private static string scope = "https://analysis.windows.net/powerbi/api/.default";

    static async Task Main(string[] args)
    {
        try
        {
            var clientSecretCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
            var tokenRequestContext = new Azure.Core.TokenRequestContext(new[] { scope });
            var token = await clientSecretCredential.GetTokenAsync(tokenRequestContext);

            using (var httpClient = new HttpClient())
            {
                httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);
                var response = await httpClient.GetAsync("https://api.powerbi.com/v1.0/myorg/groups");

                if (response.IsSuccessStatusCode)
                {
                    string responseData = await response.Content.ReadAsStringAsync();
                    Console.WriteLine("Response from Power BI API:");
                    Console.WriteLine(responseData);
                }
                else
                {
                    Console.WriteLine($"Error: {response.StatusCode}");
                }
            }
        }
        catch (Exception ex)
        {
            Console.WriteLine($"Exception: {ex.Message}");
        }
    }
}

• Not all APIs support service principal authentication.
• Based on the API you are calling assign permissions
• Make use of user interactive flow if the API do not support service principal authentication.