
I'm trying to put together a quick web API data feed that can be accessed from Power BI using Azure AD auth on a .NET Core 6 app. I've also tried this on .NET Core 3.1 and get the same results.

When using "Organizational account", Power BI expects the flow below:

https://learn.microsoft.com/en-us/power-query/connectorauthentication#connecting-with-azure-active-directory-using-the-web-and-odata-connectors

By default, microsoft.identity.web (or, I guess, aspnetcore.authentication.jwtbearer) isn't sending the authorization_URI parameter in the WWW-Authenticate header with the 401 response.

Are we able to modify the behaviour for the 401 response?

Using the basic weatherforecast example and enabling Azure identity, the WWW-Authenticate response to a controller with a blank bearer token just contains "Bearer".

.net webapi postman example

By comparison, the Intune warehouse feed works exactly as expected for this and can utilise organizational account; you can see the authorization_URI is populated on the response to a blank bearer request.

intune data warehouse postman example

On .NET 6:

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

I had a read here as well, but can't see anything to control the WWW-Authenticate response: https://github.com/AzureAD/microsoft-identity-web/wiki/Customization

In older versions it looks like you could use WindowsAzureActiveDirectoryBearerAuthenticationOptions to tweak this, but I don't know which methods will do what I need.

UPDATE:

I've managed to get Power BI happy: it authenticates with the API and then downloads data. But using the code below, the original empty Bearer challenge still exists. I've also had to pull the client and tenant ID from the config into a var to build the URI... I'm not sure how to remove the empty Bearer challenge.

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(options =>
    {
        builder.Configuration.Bind("AzureAd", options);

        options.Events = new JwtBearerEvents
        {
            OnChallenge = async context =>
            {
                context.HttpContext.Response.StatusCode = 401;
                context.HttpContext.Response.Headers.Add("WWW-Authenticate", $"Bearer authorization_uri=\"https://login.microsoftonline.com/{tenantId}/oauth2/authorize?client_id={clientId}\"");
            }
        };
    },
    options => { builder.Configuration.Bind("AzureAd", options); }
    );
  • I've tried your OnChallenge response header but I get error invalid_resource: AADSTS500011 when I try to sign in to Power BI Desktop as an Organizational account. Did you run into this issue? – Coxy Mar 08 '23 at 04:46
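
An added example, not part of the original post or of Microsoft.Identity.Web: JwtBearerHandler writes its own 401 and `WWW-Authenticate: Bearer` header after the OnChallenge event unless the event calls `context.HandleResponse()`, which is why the question's code ends up with two challenges. The sketch below assumes a .NET 6 minimal-hosting Program.cs with implicit usings and that the tenant and client IDs live under the `AzureAd:TenantId` and `AzureAd:ClientId` configuration keys; the authorization_uri value is the one from the question.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;
using Microsoft.Net.Http.Headers;

var builder = WebApplication.CreateBuilder(args);

// Assumption: standard "AzureAd" section with TenantId and ClientId keys.
var tenantId = builder.Configuration["AzureAd:TenantId"];
var clientId = builder.Configuration["AzureAd:ClientId"];
var authorizationUri =
    $"https://login.microsoftonline.com/{tenantId}/oauth2/authorize?client_id={clientId}";

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(options =>
    {
        builder.Configuration.Bind("AzureAd", options);
        options.Events = new JwtBearerEvents
        {
            OnChallenge = context =>
            {
                // Mark the challenge as handled so the handler does not append
                // its default status code and bare "Bearer" header afterwards.
                context.HandleResponse();
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;

                var challenge = $"Bearer authorization_uri=\"{authorizationUri}\"";
                // Keep the handler's fixed error code (e.g. invalid_token) when
                // a token was presented but rejected; no exception text is echoed.
                if (!string.IsNullOrEmpty(context.Error))
                {
                    challenge += $", error=\"{context.Error}\"";
                }

                // Indexer assignment replaces any existing value instead of adding one.
                context.Response.Headers[HeaderNames.WWWAuthenticate] = challenge;
                return Task.CompletedTask;
            }
        };
    },
    options => builder.Configuration.Bind("AzureAd", options));

builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
```

A request with no bearer token should then return a single `WWW-Authenticate` header carrying the authorization_uri parameter.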
