Skip to main content
Open

PowerBI OpenID authentication (Azure AD)

Related products:Indicium Service Tier
  • October 17, 2022
  • 9 replies
  • 200 views

AndreKemmeren
Captain

We are using Azure AD as authentication method for Universal however it is currently not possible to use that same authentication method to connect PowerBI to the oData endpoints.

It would be very nice to be able to do so, currently you get this error when clicking “Aanmelden”

 

Did this topic help you find an answer to your question?

9 replies

Arie V
Community Manager
Forum|alt.badge.img+12
  • Community Manager
  • 975 replies
  • October 24, 2022

@Vincent Doppenberg @Anne Buit We encounter the same error. Is this a similar kind of issue as with the AWS SNS authentication, in the sense that a very particular response header is expected (see https://learn.microsoft.com/en-us/power-bi/connect-data/desktop-troubleshoot-odata#credential-type-not-supported)?

If so, would you be so kind to support this particular scenario as well?


Forum|alt.badge.img+4

Hello Arie,

It is similar in a way, but I don’t think it will be quite as simple to solve. We will have to look into this. I will respond to this topic when I know more. 


Mark Jongeling
Administrator
Forum|alt.badge.img+23
NewUnder review

Arie V
Community Manager
Forum|alt.badge.img+12
  • Community Manager
  • 975 replies
  • October 25, 2022

@Vincent Doppenberg Alright, we'll await further information. A solution might work for more Power Query-related products by the way: https://learn.microsoft.com/en-us/power-query/connectors/odatafeed

 


Forum|alt.badge.img

Hello Andre,

 

We currently do not support the “organizational account” login method, we will look into supporting this in a future release.

We do support Basic authentication, see tab 'Basis' in the Dutch version of PowerBI. Enter the credentials into the “user name” and “password” field and you can access the data from Indicium.

 

 

Also, as commented by Arie V, we will support the OData feed from next release using the OData service document endpoint, you will find more information about this in the release notes of the next release


AndreKemmeren
Captain
Forum|alt.badge.img+3
  • Author
  • Captain
  • 36 replies
  • November 23, 2022

This is very unfortunate as we are exclusively using the OpenID authentication. 

 

Effectively this means we cannot use PowerBI with personal accounts (unless we give users a second account, something we want to avoid at all cost). That means doubling the maintenance on data permissions etc.

Please consider putting this on backlog as this would make the OpenID authentication fully featured.


Mark Jongeling
Administrator
Forum|alt.badge.img+23
Under reviewOpen

Arie V
Community Manager
Forum|alt.badge.img+12
  • Community Manager
  • 975 replies
  • November 23, 2022

@Sjoerd Tiemens I have the same issue/request as @AndreKemmeren and a solution would mean we should be able to use Organizational accounts. Not sure what difference you see there, but will await the Release Notes for next Indicium version.


Forum|alt.badge.img+3

Hi Andre and Arie,

I wanted to provide some background on why Organizational accounts need some more work to support. Here is why:

Adding support for Power BI (or Excel) required adding support for an OData Service document, which we are finishing now. This was a necessary step to enable integration.

Using the Organizational account is a bit more difficult, it has not much to do with our OpenID implementation.

When using the browser to login with, for instance Microsoft as the OpenID provider it uses the Authorization Code Flow. You sign into Microsoft and get redirected back to Indicium. Indicium receives a code and uses that code to do an extra call to Microsoft to get the user identity (and an access token to call an endpoint to optionally receive more user info). After this process we can check if the user is in IAM and we will return a cookie, so the user is logged in.

When using Power BI with Organizational account, this works a bit different. Power BI sends a request which we can distinguish with a specific header. We must return a special www-authenticate header to make Power BI show a login dialog. After the login, it does not go back to Indicium but instead calls Indicium with an access token created by Microsoft.

So, this is very different from using the JWT tokens created by Indicium, they contain different information, are signed with a key from Microsoft and map differently to an IAM login. That is why it is more difficult to integrate.

We are still interested in adding support, it needs more work and Authentication/Authorization is something we need to give more thought.

I hope this gives some insights why it has not been added this time.


Reply


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings