PowerBI OpenID authentication (Azure AD)

Related products: Indicium Service Tier

We are using Azure AD as the authentication method for Universal; however, it is currently not possible to use that same authentication method to connect PowerBI to the OData endpoints.

It would be very nice to be able to do so. Currently you get this error when clicking “Aanmelden”

@Vincent Doppenberg @Anne Buit We encounter the same error. Is this a similar kind of issue as with the AWS SNS authentication, in the sense that a very particular response header is expected (see https://learn.microsoft.com/en-us/power-bi/connect-data/desktop-troubleshoot-odata#credential-type-not-supported)?

If so, would you be so kind as to support this particular scenario as well?


Hello Arie,

It is similar in a way, but I don’t think it will be quite as simple to solve. We will have to look into this. I will respond to this topic when I know more. 


New → Under review

@Vincent Doppenberg Alright, we'll await further information. A solution might work for more Power Query-related products by the way: https://learn.microsoft.com/en-us/power-query/connectors/odatafeed

 


Hello Andre,

We currently do not support the “organizational account” login method. We will look into supporting this in a future release.

We do support Basic authentication, see tab 'Basis' in the Dutch version of PowerBI. Enter the credentials into the “user name” and “password” field and you can access the data from Indicium.

Also, as commented by Arie V, we will support the OData feed from the next release using the OData service document endpoint. You will find more information about this in the release notes of the next release.


This is very unfortunate as we are exclusively using the OpenID authentication.

Effectively this means we cannot use PowerBI with personal accounts (unless we give users a second account, something we want to avoid at all costs). That means doubling the maintenance on data permissions etc.

Please consider putting this on the backlog as this would make the OpenID authentication fully featured.


Under review → Open

@Sjoerd Tiemens I have the same issue/request as @AndreKemmeren and a solution would mean we should be able to use Organizational accounts. Not sure what difference you see there, but will await the Release Notes for next Indicium version.


Hi Andre and Arie,

I wanted to provide some background on why Organizational accounts need some more work to support. Here is why:

Adding support for Power BI (or Excel) required adding support for an OData Service document, which we are finishing now. This was a necessary step to enable integration.

Using the Organizational account is a bit more difficult; it does not have much to do with our OpenID implementation.

When using the browser to log in with, for instance, Microsoft as the OpenID provider, it uses the Authorization Code Flow. You sign into Microsoft and get redirected back to Indicium. Indicium receives a code and uses that code to do an extra call to Microsoft to get the user identity (and an access token to call an endpoint to optionally receive more user info). After this process we can check if the user is in IAM and we will return a cookie, so the user is logged in.

When using Power BI with Organizational account, this works a bit differently. Power BI sends a request which we can distinguish with a specific header. We must return a special www-authenticate header to make Power BI show a login dialog. After the login, it does not go back to Indicium but instead calls Indicium with an access token created by Microsoft.

So, this is very different from using the JWT tokens created by Indicium: they contain different information, are signed with a key from Microsoft and map differently to an IAM login. That is why it is more difficult to integrate.

We are still interested in adding support; it needs more work, and Authentication/Authorization is something we need to give more thought.

I hope this gives some insight into why it has not been added this time.
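
An added example, not part of the thread and not Indicium's code: one way an OData endpoint could accept bearer tokens from two issuers, as the last reply describes, by choosing the verification key, the pinned algorithm and the claim that maps to an IAM login per issuer, and answering with a `WWW-Authenticate` challenge otherwise. All URLs, keys, claim choices and the challenge value are constructed assumptions, and HS256 with shared keys stands in for the asymmetric signature check against the identity provider's published keys.

```python
import base64, hashlib, hmac, json, time

# Constructed values (assumptions, not Indicium configuration).
AUTHORIZE_URI = "https://idp.example/tenant/oauth2/authorize"
AUDIENCE = "https://indicium.example/"
# Per trusted issuer: pinned algorithm, verification key, claim mapped to the IAM login.
# HS256 stands in for verification against the provider's published public keys.
ISSUERS = {
    "https://indicium.example/": {"alg": "HS256", "key": b"indicium-demo", "claim": "sub"},
    "https://idp.example/tenant/": {"alg": "HS256", "key": b"idp-demo", "claim": "preferred_username"},
}
IAM_USERS = {"andre", "andre@corp.example"}  # constructed IAM logins

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_token(claims, key, alg="HS256"):
    """Build a signed sample token; only used to construct demo input."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    signing_input = enc({"alg": alg, "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()

def authenticate(headers, now=None):
    """Return (status, response_headers, iam_login) for one OData request."""
    now = time.time() if now is None else now
    challenge = (401, {"WWW-Authenticate": "Bearer authorization_uri=" + AUTHORIZE_URI}, None)
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        return challenge  # no usable token: ask the client to sign in
    head_b64, body_b64, sig_b64 = token.split(".")
    try:
        header, claims = json.loads(b64d(head_b64)), json.loads(b64d(body_b64))
        issuer = ISSUERS.get(claims.get("iss"))  # unverified 'iss' only selects the key
        if issuer is None or header.get("alg") != issuer["alg"]:
            return challenge  # unknown issuer, or algorithm differs from the pinned one
        mac = hmac.new(issuer["key"], (head_b64 + "." + body_b64).encode(), hashlib.sha256)
        if not hmac.compare_digest(mac.digest(), b64d(sig_b64)):
            return challenge  # not signed by the issuer it claims
        if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
            return challenge  # issued for another API, or expired
        login = claims.get(issuer["claim"])
        return (200, {}, login) if login in IAM_USERS else (403, {}, None)
    except (ValueError, TypeError, AttributeError):
        return challenge  # malformed token
```

The audience check is what keeps a token the identity provider issued for some other application from being replayed against this endpoint, and the per-issuer key keeps a token signed with one issuer's key from passing as the other's.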