My team and I are trying to embed a PowerBi Report using the PowerBiEmbed component in order to visualize it without repeating the sign-in procedure every time you access the dashboard app in a Microsoft Teams context.

Basically, we are missing how to generate the Bearer access token to use in the API request https://api.powerbi.com/v1.0/myorg/groups/{MY_WORKSPACE_ID}/reports/{MY_REPORT_ID}/GenerateToken to generate the actual token to use in embedding inside the component.

We figured out that the token that PowerBi actually uses when you log in to its client, grabbed from the resource headers through inspection, has a particular scope (user_impersonation) that we are trying to replicate in some way because, using that token in Postman requests, we obtain the embed token correctly and everything works fine.

So our and my doubts are:

  • Microsoft has to generate this access token somewhere when I log in; where and/or how?
  • Which API do we need to call to get this bearer access token? Is it https://login.microsoftonline.com/common/oauth2/authorize? Or is there an SDK or something that implements these calls?
  • Do we need to configure an AAD client application? If so, what permission should we check?
  • Is there a way to get this special access token with user_impersonation scope?
  • If I'm already in an authenticated context (i.e. Teams), can I skip this authentication step?

I really need some clarification about this kind of stuff.

1 Answer

Could you please try using this request to generate an access token, and then give it a try with this token?

```http
POST {tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=xxxx
&scope=https://analysis.windows.net/powerbi/api/Report.ReadWrite.All
&username=MyUsername@myTenant.com
&password=xxx
&grant_type=password
```

And the app API permission in the Azure AD application.

I can call this API on my side.

Tiny Wang
  • Thank you very much, this solution worked perfectly with some fixes in my AAD properties. But another couple of questions arose while testing it: - Do I have to check some sort of flags in the headers to avoid eventual CORS-related issues? - Is it possible to use 'grant_type: client_credentials' instead? – SyncGabri Apr 22 '22 at 15:02
  • No need to worry about CORS issues when you want to generate an access token for calling this API. And per my test with `grant_type: client_credentials`, I didn't get a correct response. You may also give the client credential flow a try. You can review my answer before my edit, where I showed how to use the credential flow to generate a token. Click the button to see my answer history. https://i.stack.imgur.com/98D9D.png – Tiny Wang Apr 24 '22 at 07:22
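
The flow discussed in the answer above, as an added example that is not part of the original posts: it builds the password-grant token request, checks the returned token's `aud`, `scp` and `exp` claims before use, and builds the GenerateToken call from the question. The audience value, the `accessLevel: "View"` request body, the function names and every sample value are assumptions made for illustration.

```javascript
// Added example; tenant, ids, credentials and the sample token are constructed placeholders.
const POWERBI_AUD = "https://analysis.windows.net/powerbi/api"; // assumed audience of a Power BI token

// Step 1: the form-encoded password-grant request shown in the answer.
function buildTokenRequest({ tenant, clientId, username, password }) {
  const body = new URLSearchParams({
    client_id: clientId, scope: `${POWERBI_AUD}/Report.ReadWrite.All`,
    username, password, grant_type: "password",
  });
  return {
    url: `https://login.microsoftonline.com/${encodeURIComponent(tenant)}/oauth2/v2.0/token`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Decode the JWT payload for inspection only; this does not verify the signature.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Step 2: list reasons the token would be unsuitable for the Power BI call (empty = OK).
function checkPowerBiToken(jwt, requiredScope, nowSec = Math.floor(Date.now() / 1000)) {
  const c = decodeClaims(jwt);
  const scopes = String(c.scp || "").split(" ").filter(Boolean);
  const problems = [];
  if (c.aud !== POWERBI_AUD) problems.push(`unexpected aud: ${c.aud}`);
  if (!scopes.includes(requiredScope)) problems.push(`missing scope: ${requiredScope}`);
  if (typeof c.exp !== "number" || c.exp <= nowSec) problems.push("expired or no exp");
  return problems;
}

// Step 3: the GenerateToken request from the question, carrying the bearer token.
function buildGenerateTokenRequest(workspaceId, reportId, accessToken) {
  const base = "https://api.powerbi.com/v1.0/myorg/groups";
  return {
    url: `${base}/${encodeURIComponent(workspaceId)}/reports/${encodeURIComponent(reportId)}/GenerateToken`,
    method: "POST",
    headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json" },
    body: JSON.stringify({ accessLevel: "View" }),
  };
}

// Constructed, unsigned sample token so the checks can run offline.
const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64").replace(/=+$/, "");
const sampleToken = (claims) => `${enc({ alg: "none" })}.${enc(claims)}.constructed`;
```

Each returned object has the `url`, `method`, `headers` and `body` fields that `fetch` accepts, so the same builders can be used for the real calls.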