Problem generating valid oauth2 token to access PowerBI APIs - azure

The Setup:
I am trying to access Azure Power BI-based APIs using a console application, since my company wants to suspend/resume PBI capacity to optimize costs.
I have been successful in accessing those APIs as per the official documentation's API Emulator window; it works perfectly, as it just prompts with an authentication window for the username and password of my Outlook account and implicitly generates the authentication token successfully.
When I tried to implement calling the API from my console application, which will be triggered automatically on a schedule, there are ways to generate the authentication token programmatically. Following are the methods I used to generate it before accessing the PBI APIs.
Approach #1: Generating a token by using the Azure Active Directory Authentication Libraries.
This approach asks to add the AAD authentication libraries via NuGet; upon adding them it goes unsuccessful, as the method AcquireTokenAsync takes no parameters but the tutorial specified 4 parameters to be fed into this method (function overload missing?). So I couldn't generate a token using this approach. Surely a library version problem, but the official MS documentation didn't explain anything about the versions available for it.
Approach #2: Authorize Active Directory without dialog box (StackOverflow question with a marked answer)
This approach, upon calling HTTPResponseMessage, gets hung up without going to the next line or the catch statement.
Approach #3: Trying to emulate token generation using Postman and using the generated token in my console app to check accessibility.
This approach gives a successful token generation, but when using the generated token in the console app, it says unauthorised token.
Doubt Part:
I have generated a ClientID, ClientSecretID and TenantID in Azure using App Registration, but I don't know how this gets associated with the Power BI Service in Azure. Does Azure Active Directory come in between the PBI Service and the App Registration? Based on the generated App Registration details I have tried to access this authentication API (https://login.microsoftonline.com/tenantId/oauth2/token) to generate a token. This successfully generates a token, but it miserably fails with unauthorised access on the PBI API.
Am I badly missing something? It would be helpful to know what is wrong about this concept of accessing the PBI-based API, getting authenticated via a console app. As usual, the PBI community sites didn't help much.

1. How to manage Azure Power BI Embedded capacity
If you want to manage Azure Power BI Embedded capacity with rest API, please refer to the following steps.
Create a service principal and assign an Azure RBAC role to the SP (I use Azure CLI):
az login
# it will create a service principal and assign the contributor role to the sp
az ad sp create-for-rbac -n "jonsp2"
Get token (the v1 endpoint below takes `resource`, not `scope`):
POST https://login.microsoftonline.com/tenantId/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=<sp app id>
&client_secret=<sp app password>
&resource=https://management.azure.com/
Call REST API
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.PowerBIDedicated/capacities/{dedicatedCapacityName}/suspend?api-version=2017-10-01
Authorization: Bearer <token>
2. How to call the Power BI REST API
If you want to call the Power BI REST API, please refer to the document and the document.
The detailed steps are as below:
Register an Azure AD application in the Azure portal
Configure API permissions
Test (I test in Postman)
a. get access token
b. call API
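The client-credentials request from step 1 of this answer, plus an offline check of the token's audience before it is sent to the capacity API. This is an added example, not the answer's own code; the tenant, app id and secret are placeholders, the sample JWTs are constructed and unsigned, and `https://analysis.windows.net/powerbi/api` is the Power BI service resource URI used to show a token minted for the wrong API:

```python
import base64
import json
from urllib.parse import urlencode

MANAGEMENT_RESOURCE = "https://management.azure.com/"   # audience for the suspend/resume API


def build_token_request(tenant_id, client_id, client_secret, resource=MANAGEMENT_RESOURCE):
    """Return (url, form_body) for a v1 client_credentials request.
    The v1 endpoint (/oauth2/token) takes `resource`; `scope` (e.g.
    https://management.azure.com/.default) belongs to /oauth2/v2.0/token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "resource": resource})
    return url, body


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token):
    """Decode the JWT payload WITHOUT verifying the signature: inspection
    only; the resource server performs the real validation."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(access_token, resource):
    """True when the token's `aud` names the resource we are about to call.
    A token minted for another resource is exactly what produces the
    'unauthorised' reply described in the question."""
    aud = token_claims(access_token).get("aud", [])
    auds = aud if isinstance(aud, list) else [aud]
    return any(a.rstrip("/") == resource.rstrip("/") for a in auds)


def constructed_jwt(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    url, body = build_token_request("<tenant-id>", "<sp-app-id>", "<sp-password>")
    print(url, body, sep="\n")
    ok = constructed_jwt({"aud": MANAGEMENT_RESOURCE, "appid": "<sp-app-id>"})
    wrong = constructed_jwt({"aud": "https://analysis.windows.net/powerbi/api"})
    print(audience_matches(ok, MANAGEMENT_RESOURCE), audience_matches(wrong, MANAGEMENT_RESOURCE))
```

Before sending `Authorization: Bearer <token>` to the management endpoint, `audience_matches` tells you whether the token was issued for that endpoint at all; a token for the Power BI service API is valid but will be rejected there.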

The Suspend/Resume Power BI API is described here:
https://learn.microsoft.com/en-us/rest/api/power-bi-embedded/capacities/suspend
https://learn.microsoft.com/en-us/rest/api/power-bi-embedded/capacities/resume
Did you read the whole Azure REST API Reference?
All steps needed to send an HTTP request are documented here:
https://learn.microsoft.com/en-us/rest/api/azure/

Related

Secure Azure Function API with MSAL

I have Azure Functions which I want to authenticate using an access token.
I have the following things set up:
Azure app which is being used by an Angular SPA to authenticate the user
Access token which is used to invoke Graph APIs; permissions are set in the Azure app (point 1)
Azure Function which has HTTP triggers (APIs) which are being used by the SPA
Currently, the APIs are anonymous and can be invoked from anywhere. I want to secure these APIs using the access token which is being used by the Graph API (point 2).
I think the best approach for me is AAD multi-tenant authentication. However, when I click on "Authentication (classic)" it gives me: This app is configured using the new authentication experience. Click here to access Authentication (preview).
Also, if I keep it authenticated with the following options, I get a "You do not have permission to view this directory or page." error.
Most of the articles which I find online are talking about AAD. For me that option is not enabled.
I have tried the following articles to make it work, but somehow it's not happening. Can anyone suggest how I can achieve this?
https://medium.com/medialesson/protecting-azure-function-apps-with-azure-ad-authentication-authorization-fd167ce4fe33
https://medium.com/geekculture/easyauth-in-functions-app-with-azure-active-directory-29c01cad8477
Is there something I need to do in my existing Azure app to make it work?
Per my understanding, your Azure Function is protected by AAD using Authentication (Easy Auth). And now your Angular SPA would like to access this function. Please follow the steps below:
Go to Azure AD => App registrations => the app you created to protect your Azure Function => Expose an API, and add a scope, for instance access_as_user, so that your SPA can request an access token for this scope:
Go to Azure AD => App registrations => the app you created for your SPA => API permissions => Add a permission => My APIs, to grant the scope we just created:
Click the grant admin consent button to finish the process.
In your SPA app, use MsalService to acquire an access token with scope api://<your azure function app id>/access_as_user; with this token, you can access your Azure Function. For a quick test, I just tested it in Postman and it works perfectly:
Without this access token:
With this access token:
UPDATE
Basically, your app request diagram is as below:
SPA (request with access token) ==> Easy Auth of Azure Function (validates the token; if it passes, goes into the Azure Function code logic; if not, returns 401) ==> code logic of Azure Function (OBO flow to get an access token for the Graph API) ==> call Microsoft Graph API
By now, we have finished steps 1 and 2: get an access token for Easy Auth, pass Easy Auth and go into the Azure Function code logic.
So in the Azure Function code logic, we need to do 2 things:
Get the access token from the request header
Use the access token and the OBO flow to exchange it for a new access token for Microsoft Graph API. Just refer to the request below to use the OBO flow to exchange an access token for Microsoft Graph API:
BTW, please make sure that your Azure Function app has been granted the permissions user.read and Calendars.Read:
So that you can get a new access token to call Microsoft Graph API:
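The two things the Function code has to do, as an added example rather than the answer's own code: read the bearer token Easy Auth already validated out of the request headers, then build the on-behalf-of exchange against the v2 token endpoint for the Graph permissions named above. The tenant, the Function's app id and secret, and the incoming token are placeholders; the request headers are constructed:

```python
from urllib.parse import urlencode

OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
GRAPH_SCOPES = ("https://graph.microsoft.com/User.Read",
                "https://graph.microsoft.com/Calendars.Read")


def bearer_from_headers(headers):
    """Step 1: pull the bearer token Easy Auth validated out of the request
    headers. Returns None when absent or malformed instead of forwarding junk
    to the token endpoint."""
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    scheme, _, token = lowered.get("authorization", "").strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def build_obo_request(tenant_id, client_id, client_secret, user_assertion, scopes=GRAPH_SCOPES):
    """Step 2: (url, form_body) for the OBO exchange of the incoming token for a
    Graph token. The Function's own registration must hold the delegated
    permissions being requested (User.Read, Calendars.Read)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,            # the token the SPA sent us
        "scope": " ".join(scopes),
        "requested_token_use": "on_behalf_of",
    })
    return url, body


def graph_token_request_for(headers, tenant_id, client_id, client_secret):
    """Glue: None when the request carried no usable bearer. Easy Auth would
    have rejected such a request already, but re-checking costs nothing."""
    token = bearer_from_headers(headers)
    if token is None:
        return None
    return build_obo_request(tenant_id, client_id, client_secret, token)


if __name__ == "__main__":
    # Constructed headers as Easy Auth forwards them into the Function.
    headers = {"Authorization": "Bearer <token-from-spa>", "Content-Type": "application/json"}
    print(graph_token_request_for(headers, "<tenant-id>", "<function-app-id>", "<secret>"))
```

POST the returned body to the returned URL with `Content-Type: application/x-www-form-urlencoded`; the `access_token` in the JSON response is the one to send to Microsoft Graph.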
Maybe this will help someone. I have tried using the above suggestions but could not achieve it 😭; instead I am using a key for each Azure Function, storing those keys in Azure Key Vault and retrieving those keys within the App settings of the application using a managed identity. This may not be the ideal situation, but I think it will do for me at the moment. I really hope MS will improve their documentation some day, along with sample code/steps.

Authenticating Azure REST API requests using Azure SSO details within Salesforce

I've set up single sign-on within Salesforce using Microsoft Azure. I've done this within the Setup > Settings > Identity > Single Sign-On Settings configuration menu by following the official tutorial from Microsoft. I'm successfully able to log into Salesforce using a user account in my Azure Active Directory, with just-in-time provisioning enabled.
I'd like to be able to use the signed in user to then authenticate further requests to different Azure APIs, such as Azure blob storage. Is this possible using this configuration?
My assumption is that during the single sign-on process, Azure is returning some form of code or token to Salesforce which I can then use in future requests to obtain an authentication token for a specific API request. However, I'm not clear on how or where I'd access this code/token (or whether my assumption is actually correct).
When I was on the Salesforce end of an AAD integration I didn't see anything that would look like a session id, but then again I'm not an Azure guy. Might be something my client disabled.
If you followed that guide, SF probably generated for you a sample Apex class for just-in-time (JIT) handling of logins and creating/updating users based on the data it got from AAD.
You could edit this class and sprinkle some System.debug(JSON.serializePretty(attributes)); to see what AAD sent in the SAML assertion. (Or the assertion itself, but it'll be base64-encoded from what I remember.) Your SF admin will know how to add debug logging to the user you nominated as the system user (who this code will be executed as).
See also https://stackoverflow.com/a/63992670/313628 and https://stackoverflow.com/a/58965058/313628

What will be Redirect URI type (web/Native) for Power Bi dataset refresh from Azure Data factory

I have a requirement to refresh a Power BI dataset from Azure Data Factory. I want to do it by calling the Power BI REST API service. For the authentication process I need an access token, which I can get using a client ID and secret. So, while registering the app, I was wondering what type of redirect URI I should select? And how does it link with my task, because I'm neither creating a web app nor a native app.
Regarding the MS docs about creating a daemon application for authorization:
"During application registration, the reply URI isn't needed. You need to share secrets or certificates or signed assertions with Azure AD. You also need to request application permissions and grant admin consent to use those app permissions."
Please read the whole documentation here: https://learn.microsoft.com/en-gb/azure/active-directory/develop/scenario-daemon-overview

I have authenticated via Azure ADAL without issues. what next?

Newbie alert
I have successfully configured ADAL authentication using python code.
I have used the following code:
https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/dev/sample/website_sample.py
So I am now able to log in to the app configured in my Azure account and retrieve the access token, refresh token, etc.
Next
I have an application that has user-role-based permitted actions.
Upon successful login in Azure, the app must check the user role and open the pages based on the user's role.
I used React JS and Python to build my app.
Now I am clueless as to how to integrate my user roles with the app.
Can any of you suggest any reading materials or solutions for this?
Thank you.
I have read about ADAL authentication but did not find the post-authentication process.
https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/dev/sample/website_sample.py
I want an architecture plan or sample code in Python/JS where the token from the ADAL authentication is retrieved and used to log in to the application.
You can implement RBAC using Azure AD's Application Roles & Role Claims feature or using Azure AD Groups and Group Claims. You can add roles using the manifest in Azure AD and also in the app itself.
This is by far the best sample and guide for adding RBAC and using ADAL. I was able to get a working sample going quickly from this.
https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims

Request Access Token in Postman for Azure Function App protected by Azure AD B2C

I have an ASP.NET Core 2.0 MVC web API secured by an Azure Active Directory B2C tenant. I have been able to use Postman to test the API endpoints by following this SO posting: Request Access Token in Postman for Azure AD B2C (in particular, the Microsoft-documented steps referenced in SpottedMahn's comments:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/azure-ad-b2c-webapi#use-postman-to-get-a-token-and-test-the-api )
Now I am working on a serverless version of the above; the app is pretty much identical except that the endpoints have been implemented by Azure Functions in an Azure Functions App.
The Functions App has Authentication on, Log in with Azure Active Directory, and the following settings:
This is how I have set up the application in the Azure B2C tenant:
If I access the Functions endpoint via a browser, I get successfully routed to the Azure AD B2C login page and can log in, then see the results from the API endpoint. So I'm pretty confident all is good w.r.t. the Azure AD B2C <-> Function App configuration.
However, I can't use the Request Access Token technique linked above to get a token and inspect the endpoint in Postman.
If I take the token obtained after authentication (for example by using Fiddler and observing the id_token being returned), and in Postman I choose Bearer authentication and supply that id_token, then Postman successfully hits my endpoint. However, if I follow the steps in the linked document above, I do get the "login" popup and then do get a valid-[looking] token, but when I click Use Token and run the request, I get
You do not have permission to view this directory or page.
I'd really like to be able to request an access token from Postman just like I can with my ASP.NET Core 2.0 app (really just for consistency, so I don't have to remember lots of different techniques). Is that possible for Azure Function Apps, and if so, any clues what I'm doing wrong in the above?
Ah, I stumbled upon it. I fixed it by adding the Postman API client ID (note: the Postman API client ID, not the Postman App client ID) [those references will make sense in the context of the Microsoft how-to linked above] under "ALLOWED TOKEN AUDIENCES" (visible in the screenshot in the question above).
