6

In Power BI we get this error when trying to make a web connection:

"We couldn't authenticate with the credentials provided. Please try again"

The Azure Function app is registered in our AAD. The function is a C# HTTP trigger with this code:

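    using System.Linq;
    using System.Net;
    using System.Net.Http;
    using System.Security.Claims;
    using System.Threading.Tasks;

    public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, TraceWriter log)
    {
        // Claims identity of the authenticated caller
        ClaimsIdentity userClaimsId = ClaimsPrincipal.Current.Identity as ClaimsIdentity;
        // UPN claims, looked up by the standard claim type URI
        var claims = userClaimsId.FindAll(ClaimTypes.Upn);
        // Group membership claims (type "groups")
        var groups = userClaimsId.Claims.Where(x => x.Type.Equals("groups")).ToList();
        // Despite the name, this holds every claim on the identity
        var upns = userClaimsId.Claims.ToList();
        // Despite the name, this holds claims whose type is the short name "upn"
        var roles = userClaimsId.Claims.Where(x => x.Type.Equals("upn")).ToList();
        // Only the group claims are returned to the caller
        return req.CreateResponse(HttpStatusCode.OK, groups);
    }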

We are attempting to connect from Power BI Desktop via the Get Data > Web option using an organizational account in our same AAD. When we call the function from a browser, it prompts for login and seems to return data.


Hell.Bent
  • Can you turn this into a question and make it more specific about where the failure is coming from? 1. Is that error coming from PowerBI or from your Azure Function? 2. I'm assuming your Azure Function is an HTTP trigger? Can you invoke it explicitly (outside of PowerBI) via Fiddler/Postman? 3. How exactly are you invoking Functions? A webhook? An M connector? – Mike S Jan 26 '18 at 01:37
  • Question details added. C# trigger. Tested and works from browser and Postman. – Hell.Bent Jan 26 '18 at 11:56
  • When you say it works from browser and Postman - are the browser and Postman requesting the data using the Organizational account credentials? – Taterhead Jan 26 '18 at 13:23
  • Yes. When called the first time, it prompts for authentication and then returns data. – Hell.Bent Jan 27 '18 at 14:05

1 Answer

7

The token that Power BI Desktop obtains from AAD when you sign in with an organizational account is for the https://yourfunction.azurewebsites.net audience. But when you configure AAD authentication for your Azure Function App, by default the audience configured is https://yourfunction.azurewebsites.net/.auth/login/aad/callback. That's why you receive an access denied.

So you can go to the AAD authentication settings of your Azure Function App, click AAD > Advanced, and enter the new allowed token audience there (see below, marked in red). Make sure to click OK, and to save the changes.

enter image description here

andresm53
  • By chance, have you ever connected to an AAD-secured Azure Function like this from Power Apps? – Hell.Bent Feb 04 '18 at 12:39
  • I'm glad it worked. In regards to Power Apps, I never did it, but I would start here https://docs.microsoft.com/en-us/azure/azure-functions/functions-powerapps-scenario or here docs.microsoft.com/en-us/connectors/custom-connectors – andresm53 Feb 05 '18 at 14:19
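
The audience mismatch described in the answer can be checked offline by decoding the `aud` claim of the token a client presents and comparing it with the allowed audiences configured on the Function App. This is an added example, not code from the question or the answer. It assumes audiences are compared as exact strings, uses the answer's placeholder host, and builds an unsigned sample token; all function names are hypothetical.

```python
import base64
import json

FUNCTION_URL = "https://yourfunction.azurewebsites.net"  # placeholder host from the answer


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Diagnostic use only: never make an authorization decision from this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def token_audiences(token: str) -> list:
    """'aud' may be a single string or an array of strings (RFC 7519, 4.1.3)."""
    aud = jwt_claims(token).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def audience_accepted(token: str, allowed: list) -> bool:
    """Assumption: audiences are compared as exact strings, so a trailing
    slash or an extra path segment counts as a different audience."""
    return any(aud in allowed for aud in token_audiences(token))


def make_sample_token(aud) -> str:
    """Build a constructed, unsigned token for the demo (not a real AAD token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"aud": aud}), "sig"])


if __name__ == "__main__":
    token = make_sample_token(FUNCTION_URL)  # audience Power BI Desktop requests, per the answer
    default_allowed = [FUNCTION_URL + "/.auth/login/aad/callback"]
    fixed_allowed = default_allowed + [FUNCTION_URL]
    print("token aud:", token_audiences(token))
    print("default config accepts:", audience_accepted(token, default_allowed))
    print("after adding audience:", audience_accepted(token, fixed_allowed))
```

To inspect a real token, pass the bearer value captured with Fiddler or Postman to `token_audiences`, and treat the token as a credential while handling it.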