We have a requirement to fetch data from a rest api into powerbi and schedule a refresh every night. The rest api support jwt authentication so it needs header with xapikey and access token.
I have managed to write a function in power query to get access token from our auth endpoint and able to inject access token for the rest api call and it works fine with powerbi-desktop. I have published the report to powerbi cloud.
The auth endpoint require username and password, we would not like to store this details in .pbix file and publish to cloud but instead use azure key vault and powerbi to fetch details at runtime.
Please advise ?
Power Automate has a great Azure Vault connector.
You could make a simple 3-action flow:
A post to that URL will json back the secret/credentials.
Now, here is the goofy part - hide that URL in a permissioned location (Onedrive, Sharepoint, etc). Have your pbi pickup from that location, using privileged credentials. Now the URL and the credentials get picked up at runtime, and neither is persisted in PBIX.
I am assuming that there is an available premium PAutomate env in which to spin up that flow, of course. But, given that you already have an azure vault, that seems like a standard PBI+ toolkit to have at that point.
Related
I have a React app where I'm embedding a PowerBI service report with user-owns-data (aka embed-for-organization) method with the help of powerbi-client-React library. like follow.
<PowerBIEmbed
embedConfig = {{
type: "report", // Supported types: report, dashboard, tile, visual and qna
id: "281839f6-4971-4ad3rtt",
tokenType: models.TokenType.Aad
accessToken : "938orie90rekjd-9393"
....some more properties here....
/>
where, models object is imported from powerbi-client library, and <PowerBiEmbed/> from 'powerbi-client-react (dependency).
Currently to get that 'azure ad access token' what I'm doing is-
Signing into my PowerBI account
Going to the browser console, and doing copy(powerbiaccesstoken) and I get my token.
I go into my code and paste it there.
So, now the report is embedded in my React app for at least 1 hour, because that token is only valid for one hour. Thereafter it shows a prompt for the user to sign in with their PowerBI credentials.
Now I have to sign into my PowerBI account again, copy the AAD token, and paste it into my code.
I have a dedicated PowerBI Pro account whose credentials can be used in creating access tokens.
Is there a way for me to do this without copying the token repeatedly? And some JavaScript code on either front-end or back-end do this for me before the access token really expires?
And some javascript code on either front-end or backend do this for me before the access token really expires?
Yes. This must be done from the back-end, as you can't expose the master user credentials to the client. Follow the docs here to get the access token for your master user, and create the embed token from a back-end service.
I have my web application. Now i want to integrate salesforce into my web app so that i can push data from my app to any salesforce org after the authentication(OAuth).
I found 2 ways:
1. Connected Apps
2. via wsdl generation file and use
I created a connected app from my developer account and i authenticated using consumer key, cusumer secret key(from my connected app) and username of user and secret token of the user account.
I tried with another free trail account, It's validating and fetching the details and post data also working.
My question is, shall i deploy my connected app into app exchange, then only i caan use REST APIs ?
generating wsdl and coding around is the better option than the above ?
Is there a option, only one time authentication enough for any number of sessions and use the REST APIs?
Please suggest me a best way to proceed.
You're mixing up a couple of independent issues here.
If you're going to authenticate via OAuth, you must have a Connected App.
A SOAP API login() call requires you to store a username and password, which is undesirable.
There is no way to "permanently" authenticate, i.e., to get a session id that never expires. Your app must always be ready to get a new access token via the OAuth refresh token it obtains and stores (via, for example, the Web Server OAuth flow), or to reauthenticate via JWT flow.
Connected Apps are global metadata in most cases. You don't need to deploy a Connected App into a target org in order to authenticate using its Client Id and Secret into that org. The only exception I'm aware of is if you want to use the JWT flow with a certificate and preauthorized Profiles and Permission Sets.
Based on what you've shared, I don't see any reason for the AppExchange to be involved.
I have an issue with the scheduled refresh function in Power BI. I have published a PBIX file to the web environment of Power BI. As with other PBIX files, I set the scheduled refresh via the on-premises gateway. My PBIX file has data from several sources (MySQL, OData, other Web connectors).
Setting up and connecting the MySQL source to scheduled refresh (via the gateway) works fine. However, when trying to connect the OData source to the gateway, this fails. The message shows that credentials are invalid, "AccessUnauthorized". However, via PBI Desktop there is no need for me to use credentials (as access is via Anonymous, with an API key "Bearer .........").
The following settings are used (in the gateway setup tab):
Type of source: OData
URL: https://tcodata.azurewebsites.net/estimates
Authentication method: Anonymous
Privacy-settings: None
The following code is used in PBI Desktop:
let
apiUrl = "https://tcodata.azurewebsites.net/estimates",
Source = OData.Feed(apiUrl , null, [Implementation="2.0", Headers = #"Authorization"=Text.From(ApiKey)]])
in
Source
The API key refers to ApiKey = Bearer ........(key here)
No real authentication is needed, because it is accessed as Anonymous. However, when setting the scheduled refresh, this does not work (as credentials are said to be invalid).
Help is much appreciated, thanks!
The question was answered on the PowerBI forum:
When refreshing odata source in Power BI service, with the power query code as yours, you don't need to add it under the on-premise gateway, just go to "data setting"->"schedule refresh"->edit credential for that odata source, select "anonymous".
Source
I have a logic app which triggers my HTTP endpoint every 15 minutes. Then the endpoint connects to SharePoint using Rest API and gets the data from specific list which is then added to my db.
But to get the data from SharePoint, i need access token. Do i need to write logic to get access token in the endpoint itself? or is there any to pass access token from my logic app while triggering my endpoint ?
As first answer. Yes, implement logic to get access token in HTTP Endpoint using SharePoint Online REST API.
Through such guides may be 1, 2, 3, 4. I think not exists any ways to pass access token from Azure logic app to your endpoint.
As second answer I can suggest to use SharePoint CSOM object model. To using it just install SharePoint Online Client Components SDK on computer where is your HTTP endpoint located and add Microsoft.SharePoint.Client.dll Microsoft.SharePoint.Client.Runtime.dll libraries as references. There exists good SharepointOnlineCredentials class to give credentials to requests.
Or other ways - you can re-architecture your solution:
Azure Logic Apps if I understood correctly must ask you to set connection to SharePoint by out-of-box features. See this article. I think you can get list items from SharePoint by actions in Azure Logic App and pass data to your HTTP endpoint without any additional access token requests just as method arguments.
If you have access to HTTP Endpoint from SharePoint then you can send data from SharePoint to your endpoint directly, not from Azure logic apps. You can do it from list items form pages, from site workflows or may be some Flow templates.
If you don't have access to HTTP Endpoint from SharePoint then you can create Azure hosted web service and call its methods from SharePoint by any ways. This web service will pass data to your HTTP endpoint as method arguments without any additional authentication. Web service call will be done from JavaScript on list item form save, from SharePoint workflow. May be here to get access token to this Azure web service will be easier then from your HTTP Endpoint to SP.
Are you using Azure SQL Database ? If yes then create connection between SharePoint Online and Azure SQL Database through Business Connectivity Services BCS. Like here or here or here. This allow user get, create, update items in your database inline in SharePoint list by out-of-box features.
Create periodically running code (Console App, PowerShell script, Windows Service). Schedule it on some server in your company. That code will use CSOM SharePoint object model and connect to SharePoint more easier through SharepointOnlineCredentials class, get data and connect to your HTTP Endpoint directly or to your database.
If your database is MS SQL Server located on-premise then you can use this guide to create Business Connectivity Services content types between SharePoint Online and on-premise SQL Server.
You can go some extravagant ways: =)
SharePoint by some ways can send emails with data from list items to some inbox and your HTTP endpoint can get these emails, parse data and perform following steps.
May be you can create Sql Server Integration Service (SSIS) package on some company local MS SQL Server that will send data from SharePoint on periodically basis to your database directly or to your HTTP endpoint directly.
Other ways...
"But to get the data from SharePoint, i need access token. Do i need to write logic to get access token in the endpoint itself?"
Correct, you do need a bearer access token. Where are you hosting the code for your HTTP endpoint? If you can put it in Azure as a Function or web API, then you can implement app-only permissions which will give you the necessary access token.
There are 2 options for doing so:
Granting access via Azure AD App-Only
Granting access using SharePoint App-Only
The first one is a bit more involved, because it requires a client secret AND a self-signed security certificate, but it will allow you permissions to any O365 API. The 2nd one is simpler and will only require the app/client ID and secret, but only allows permissions to the SharePoint Rest API.
The MSDN documentation linked above uses a PowerShell script to generate the security cert, but I prefer Bob German's instructions for manually creating/exporting one. He also includes instructions for registering an Azure AD application for your Azure function in his tutorial.
Coding in ASP.NET 4.0 / javascript/ jQuery/ WebServices
The Scenario
I have an analytics account i have set up at, say, some-name#gmail.com with password as pass123
I also know the table id,say ga:30037474
My question is can I pull data like
// Load the Google data JavaScript client library.
google.load('gdata', '2.x', { packages: ['analytics'] });
// Set the callback function when the library is ready.
google.setOnLoadCallback(init);
function init() {
myService = new google.gdata.analytics.AnalyticsService('charts_sample');
//how do i securely pull data without exposing my credentials if client login is a must
getDataFeed();
}
/**
* Main method to get report data from the Export API.
*/
function getDataFeed() {
myService = new google.gdata.analytics.AnalyticsService('charts_sample');
var myFeedUri = ['https://www.google.com/analytics/feeds/data',
'?start-date=2010-06-01',
'&end-date=2010-06-10',
'&dimensions=ga:day,ga:visitorType',
'&metrics=ga:visits',
'&sort=ga:day',
'&max-results=20',
'&ids=',
'ga:30037474'].join('');
myService.getDataFeed(myFeedUri, handleDataFeed, handleError);
}
Or shall i authenticate the client before this?
If I need to authenticate the client, it would be better if I get some pointers on how to proceed with these two requirements.
1. Cannot authenticate by exposing the user credentials on client side(Need a webservice like thing)
2. When my site loads, it should load up with the analytics data(should not ask for login then and there to pull the analytics data).
Are there any articles anywhere?
Not sure if this answers your question. Based on the content of your question it seems you have a very good handle on the Google Analytics API. But somewhere along the line someone will need to grant access to the Google Analytics data. Using AuthSub this can be accomplished. Basically the user will need to do a one-time login to Google Analytics and "grant" your webservice a long-lived token to access their data. Once this is done you can store this token and associate it with their account, passing it when making data calls to the Google Analytics API.