Power BI Workspace - dataset credential patch receives 401 Unauthorized - powerbi

I am trying to programatically deploy a Power BI Report and dataset from one workspace to another, using a mix of PowerShell and the PowerBI REST API. In the new workspace, I am updating a dataset parameters to point to a new DB name.
The dataset is pointed to an Azure SQL DB, and in my DEV workspace (the source for the clone), the dataset passes the accessing user's credential through to the DB.
I am authenticating with a Service Principal that I created and then added to the dataset as an Administrator.
This is the PowerShell code that I wrote to do this:
$config = gc .\EnvConfig.json -raw | ConvertFrom-Json
$envSettings = $config.Dev
$toEnvSettings = $config.QA
# Convert to SecureString
[securestring]$secStringPassword = ConvertTo-SecureString $config.ServicePrincipalSecret -AsPlainText -Force
$userId = "$($config.ServicePrincipalId)#$($config.ServicePrincipalTenant)"
[pscredential]$credObject = New-Object System.Management.Automation.PSCredential ($userId, $secStringPassword)
Connect-PowerBIServiceAccount -Tenant $config.ServicePrincipalTenantName -ServicePrincipal -Credential $credObject
Get-PowerBIReport -WorkspaceId $envSettings.PBIWorkspaceId | ForEach-Object {
$filename ="c:\temp\$($_.Name).pbix"
Remove-Item $filename
Invoke-PowerBIRestMethod -Method GET `
-Url "https://api.powerbi.com/v1.0/myorg/groups/$($envSettings.PBIWorkspaceId)/reports/$($_.Id)/Export" `
-ContentType "application/zip" -OutFile $filename
New-PowerBIReport -WorkspaceId $toEnvSettings.PBIWorkspaceId -ConflictAction CreateOrOverwrite -Path $filename
}
$datasets = Get-PowerBIDataset -WorkspaceId $toEnvSettings.PBIWorkspaceId
$datasetId = $datasets[0].Id
$updateDBParam = "{`"updateDetails`": [ { `"name`": `"DBName`", `"newValue`": `"$($toEnvSettings.DBName)`" }]}"
$updateUri = "https://api.powerbi.com/v1.0/myorg/groups/$($toEnvSettings.PBIWorkspaceId)/datasets/$datasetId/Default.UpdateParameters"
Invoke-PowerBIRestMethod -Method POST -Url $updateUri -Body $updateDBParam
When I have cloned the report and dataset, when I open the report in the new workspace I see an error that the dataset does not have credentials:
If I take over this dataset with my personal login, then the report loads. This is not sufficient, I want to set the credential to pass through the user's id programatically.
I found this discussion on the PowerBI site, where they say you can use the dataset ID and gateway ID from the dataset, and send a PATCH request to https://api.powerbi.com/v1.0/myorg/gateways/[gateway id]/datasources/[datasource id]
I suspect that is only relevant to "My Workspace" datasets, not datasets in a workspace.
When I try and send that patch request with a gateway and datasource ID that I got from performing a GET on https://api.powerbi.com/v1.0/myorg/groups/[workspace id]/datasets/[dataset id]/datasources, I get a 401 error. I have tried posting with my own PowerBI Tenant Admin login, as well as with an Admin app I created through the PowerBI app registration tool, and also I added a tenant level PowerBI Read / Write permission in the AAD portal for my service principal. Nothing works, I keep getting a 401.
Two questions:
Can I set the credentials on a dataset in a workspace?
If not, how can I clone the dataset between workspaces so that it has the credential passthrough to start with?

#Joon: I wanted to leave a comment but am not allowed. I'm in the same boat with getting the 401 errors. But I'm not following your resolution; did you change any logic, or you changed the user account being used? We're using the PBI AAD account that is the Admin of that workspace where dataset resides. Here's the code I'm using, which is based on this: https://martinschoombee.com/2020/10/20/automating-power-bi-deployments-change-data-source-credentials/
$ApiRequestBody = #"
{
"credentialDetails": {
"credentialType": "Basic",
"credentials": "{\"credentialData\":[{\"name\":\"username\", \"value\":\"$FormattedDataSourceUser\"},{\"name\":\"password\", \"value\":\"$FormattedDataSourcePassword\"}]}",
"encryptedConnection": "Encrypted",
"encryptionAlgorithm": "None",
"privacyLevel": "None"
}
}
"#
#. . . (tried other values for "privacyLevel")
#Update username & password
Invoke-PowerBIRestMethod -Url $ApiUrl -Method Patch -Body ("$ApiRequestBody")

Solved the problem.
The 401 error was originating from the credential I was posting itself, not from me not having permissions to post. I was using the OAuth credential method, and the token I was passing was invalid. The response from the PowerBI API is just a bare 401 error, nothing tells the user that the problem is that the API validated the OAuth token and that failed.
I tested with an invalid basic credential, and in that case you get a 400 Bad Request error, which makes more sense.

Related

Upload multiple pbix from folder into workspace with a new dataset source

I downloaded multiple power bi's with the same datasource connection. Now i want to upload them into a new Workspace and connect them with the new dataset source id.
My current upload code in powershell uploads them into the new workspace but are still connected to the dataset in the "old" workspace...
Some brainstorm:
First i would upload the dataset into the new workspace
get the Dataset Id
and last upload the pbix reports and define the dataset source with the new id
Does anybody have an idea how to do this?
Thank you!!
------- My upload code:
$workspaceName = "MyWorkspace"
$workspace = Get-PowerBIWorkspace -Name $workspaceName
$PBIFilePath = "My\Path\...\"
ForEach($ReportName in Get-ChildItem $PBIFilePath -Filter *.pbix)
{
Write-Host "------ Uploading " $ReportName
$FullPath = $PBIFilePath + $ReportName
$import = New-PowerBIReport -Path $FullPath -Workspace $workspace -ConflictAction CreateOrOverwrit
}
Write-Host "------------------Done------------------"
That's called "report rebind", see the Reports - Rebind Report In Group API.
On the doc page there's a "Try it out" button where you can fill in a form and make the call. In this case POST
{
datasetId: "<datasetId>"
}
to
https://api.powerbi.com/v1.0/myorg/groups/<workspaceId>/reports/<reportId>/Rebind
With headers
Authorization: Bearer eyJ0eXAiOiJKV1QiL...H66IKh8dfDA
Content-type: application/json

how to invoke web url from power bi

I am trying to invoke web url from Power BI using Web data source in Power BI. But I'm unable to achieve.
We have requirement that users can click button on power bi so it should trigger or invoke web url in the backed there is another job or task will trigger when user click on button.
I'm doing invoke web url from powershell using below code, so want to get this to be from power bi.
$data =#{
"emailId"= "xxxxxxx"
"emailSubject"= "xxxxx"
"emailBody"= "xxxxx"
}
$json = $data | ConvertTo-Json
$LogicAppsUrl = "https://prod-83.westeurope.logic.azure.com:443/workflows/xxxxxxx"
$LogicAppInfo = Invoke-WebRequest -Uri $LogicAppsUrl -Headers #{
"Content-Type" = "application/json"
} -Method Post -Body $json -UseBasicParsing
Write-Host "Trigger Complete"
How can we achieve same using Power BI? Is there any option we can do ?
Please suggest any alternative plans to do from power bi.
Thanks,
Brahma

401 Unauthorized: Error while retrieving Embed URL (embed power bi for customers-Python)

I took every steps in this tutorial and got all the required information / IDs / Parameters. Also watched these vids.
However, at the final stage when running the sample python code (flask app), and opening the localhost url in my browser I get this error:
Error Details:
401 Unauthorized: Error while retrieving Embed URL
Unauthorized:
RequestId: 0b143776-bc54-492e-80bc-5401ecf32fd3
Which I can't figure out why
it seems that I'm unable to get the token and 401 is return in pbiembedservice.py as the api response (last line):
class PbiEmbedService:
def get_embed_params_for_single_report(self, workspace_id, report_id, additional_dataset_id=None):
'''Get embed params for a report and a workspace
Args:
workspace_id (str): Workspace Id
report_id (str): Report Id
additional_dataset_id (str, optional): Dataset Id different than the one bound to the report. Defaults to None.
Returns:
EmbedConfig: Embed token and Embed URL
'''
report_url = f'https://api.powerbi.com/v1.0/myorg/groups/{workspace_id}/reports/{report_id}'
api_response = requests.get(report_url, headers=self.get_request_header())
Other posts were not very helpful, can someone help me with that
I figured out what was the issue. I needed to add the registered app in ADD (service principal) to a security group, and then add it in Power BI Admin Portal -> Tenant setting -> Developer tap -> add it to the security group.

Error generating embed token for editable Power BI Embedded dashboard

I am using a Powershell script to generate an embed token for a Power BI dashboard:
Login-PowerBI
$url = "https://api.powerbi.com/v1.0/myorg/groups/395ce617-f2b9-xyz/dashboards/084c9cc4-xyz/GenerateToken"
$body = "{ 'accessLevel': 'View' }"
$response = Invoke-PowerBIRestMethod -Url $url -Body $body -Method Post -ErrorAction "Stop"
$response
$json = $response | ConvertFrom-Json
$json.token
This works, however I was hoping to make the dashboard editable by changing the accessLebel like this:
$body = "{ 'accessLevel': 'Edit' }"
Instead of generating a token, an error is thrown indicating Bad Request, but with no other detail. How can I determine how the request should be created? Are dashboards even editable like reports are? (I can generate edit tokens for reports with no issue) I can't find a code sample for that, and I note the online sample doesn't allow you to edit dashboards like you are able to with reports: https://microsoft.github.io/PowerBI-JavaScript/demo/v2-demo/index.html
You got the error Bad request because accessLevel: Edit is not supported for dashboards.
The accessLevel supported for Generate EmbedToken for dashboard in the group is only View.
Create and Edit accessLevel is available only for reports.
Refer to this link: https://learn.microsoft.com/en-us/rest/api/power-bi/embedtoken/dashboards_generatetokeningroup#tokenaccesslevel
You can use the Try it feature there to see how the REST API calls are made.

Using PowerShell to send data from SQL Server to service via SOAP

I'm fairly new to PowerShell and brand new (as in, today) to web services and SOAP. A vendor gave us documentation on their web service API that allows the creation of user accounts. I'm trying to use PowerShell to pull our users from SQL Server and send the data to their service. We will need to add users on an ongoing basis.
Below is a pared-down version of what I came up with and it actually seems to work; the vendor told me to include a dry_run parameter while testing and I'm getting a dry_run_success from the response_type.
My question is: Is this even close to being the appropriate way to do it with PowerShell?
# Open ADO.NET Connection to database
$dbConn = New-Object Data.SqlClient.SqlConnection;
$dbConn.ConnectionString = "Data Source=mydbserver;User ID=someuserid;Password=mypassword;Initial Catalog=mydatabase";
$dbConn.Open();
$sql = "select * from mytable";
$dbSqlCmd = New-Object Data.SqlClient.SqlCommand $sql, $dbConn;
$dbRd = $dbSqlCmd.ExecuteReader();
# Create a Web Service Proxy
$proxy = New-WebServiceProxy -Uri https://somedomain.com/service/wsdl
$namespace = $proxy.GetType().NameSpace
$param = New-Object($namespace + ".somemethod")
# Loop through records from SQL and invoke the web service
While ($dbRd.Read())
{
$param.user_id = $dbRd.GetString(0)
$param.password = $dbRd.GetString(1)
$param.display_name = $dbRd.GetString(2)
$request = $proxy.TheMethod($param)
if ($request.response_type -eq 'error')
{
$request.error.extended_error_text
}
}
# Clean up
$dbRd.Close();
$dbSqlCmd.Dispose();
$dbConn.Close();
A couple things you could improve:
Don't use select * in your SQL queries. Always specify the fields you need, in the order you need. As written, if someone were to restructure the table such that the user ID wasn't the first column, you'd have a mess on your hands because you're accessing the fields by their ordinal number
You're apparently storing those passwords in plaintext in your database. Anyone with access to your database knows the credentials for every one of your users. This is a very bad thing. Resolving this could be a very big discussion.
Your code keeps the database connection open until the script completes. Given the scope here, it's probably not going to cause a major problem, but your database access strategy should be to get in, get your data, get out & disconnect as quickly as possible.
$sql = "select user_id, password, display_name from mytable";
$QueryCmd = $dbConn();
$QueryCmd.CommandText = $sql;
$SqlAdapter = New-Object System.Data.SqlClient.SqlDataAdapter;
$QueryCmd.Connection = $dbConn;
$SqlAdapter.SelectCommand = $QueryCmd;
$DataSet = New-Object System.Data.DataSet;
$SqlAdapter.Fill($DataSet)
$dbConn.Close();
$dbConn.Dispose();
$MyResults = $DataSet.Tables[0];
$MyResults | foreach-object {
$param.user_id = $_.user_id;
$param.password = $_.password;
$param.display_name = $_.display_name;
$request = $proxy.TheMethod($param);
if ($request.response_type -eq 'error')
{
$request.error.extended_error_text;
}
}