0
votes

Dears, My Angular app needs to get a access_token with scope=https://analytics.windows.net/powerbi/api Using this I need to fetch Power BI embed token. I cannot use username/password or client_secret. I can provide client_id/tenant_id, redirect_uri, I have looked at all the sof posts and read many documents in the net, but cannot figure it out. My app has redirect AAD login, but the access token has scope=api://<some id> profile openid ... Can I use implicit grant? Authorization code flow need interactive login, which is not possible. Can anyone help please? Any angular code sample/links to code will be great.

.....

More Details:

We are using "App-owns-data" approach. Logged in users will not have Power BI login access. We use security principal at Azure Side, and added power-bi-service API permission with report/dataset/dashboard read.all with the registered UI app.

1
See new answer. TLDR you need an API (eg an Azure Function, or App Service App) to generate the embed token for "App-owns-data". - David Browne - Microsoft
I have added more details in the post, apologies for not adding before, Can you please check them out and provide a solution? Really stuck here badly! Thanks @DavidBrowne-Microsoft - Souvik

1 Answers

0
votes

To embed from a browser app without a supporting back-end API, your users must be Power BI Pro Users (or Premium-Per-User) and you must use the "Embed For Your Organization" style of embedding.

There a sample in React and Typescript here: https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-sample-for-your-organization

And here is the code that acquires the access token:

 msalInstance.acquireTokenSilent(loginRequest)
        .then((response: AuthResponse) => {

            // get access token from response: response.accessToken
            accessToken = response.accessToken;
            this.setUsername(response.account.name);
            this.getembedUrl();
        })
        .catch((err: AuthError) => {

            // refresh access token silently from cached id-token
            // makes the call to handleredirectcallback
            if (err.name === "InteractionRequiredAuthError") {
                msalInstance.acquireTokenRedirect(loginRequest);
            }
            else {
                thisObj.setState({ error: [err.toString()] })
            }
        });

https://github.com/microsoft/PowerBI-Developer-Samples/blob/master/React-TS/Embed%20for%20your%20organization/UserOwnsData/src/App.tsx

Using this library: UserAgentApplication to interact with AAD.

Because you fetch the access token with the user's identity, you can't use the "Application Owns Data" workflow. That workflow requires a client secret or username/password. Without a secure API to communicate with the Power BI service and generate the embed token, there's no way to securely use "Application Owns Data". So you'll need a secured server API of some kind to hold the client secret and generate the embed token.