Automation, Data Factory, Logic Apps, PowerBI

Managed Identity auth against PowerBi Rest API’s

Leave a comment

on https://learn.microsoft.com/en-us/rest/api/power-bi/ I couldn’t (easily) find if Managed Identities are supported when using the PowerBI rest API, especially the ‘asadmin’ parts.

The documentation also doesn’t really show (or I couldn’t find it), for what audience to request a token. Using a Logic App I eventually got it to work after a lot of trial and error 🙂

managed identity auth for powerbi rest api

For those googling this, I encountered a bunch of these first before finding the right audience of ‘https://api.fabric.microsoft.com/.default’

Http request failed as there is an error getting AD OAuth token: ‘AADSTS500011: The resource principal named https://api.fabrik.microsoft.com was not found in the tenant named XXXXX. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

Http request failed as there is an error getting AD OAuth token: ‘AADSTS500011: The resource principal named https://api.powerbi.com was not found in the tenant named XXX

Http request failed as there is an error getting AD OAuth token: ‘AADSTS500011: The resource principal named https://analysis.windows.net/powerbi/api/.default was not found in the tenant named XXX

Http request failed as there is an error getting AD OAuth token: ‘AADSTS500011: The resource principal named https://analysis.windows.net was not found in the tenant named XXX

Automation, EntraID, Logic Apps, Office 365, Sharepoint Online

Populating Sharepoint Choice Column with Entra Group Names

Leave a comment

If you want to allow users in Sharepoint to select e.g. security groups or teams from a dropdown in a List and don’t want to manually keep that list of choices up to date….this is for you!

I’ve used Power Automate Flow for this specific scenario, but Logic Apps will of course work just as well.

First, define some variables and retrieve all the groups you want to show up in the Choice column:

Then, create a string with all the group’s names using a simple loop:

Then use ‘Send an HTTP request to Sharepoint’ to retrieve current columns (fields) defined in the list if you don’t know the GUID yet. This step is optional and uses GET to the _api/web/Lists/GetById(”)/Fields method.

Finally, use another Send an HTTP request to Sharepoint to Patch the column definition of the Choice column with the new group names.

Note we’re using PATCH for the _api/Web/Lists(guid”)/Fields(guid”) method and that I’m removing the trailing comma (,) from the data we’re patching in.

Also note that if you’re not using multiple choice but single choice you’ll need to adjust the SP.FieldMultiChoice and 15 values.

Data Factory, EntraID, Identity, Sharepoint Online

Sharepoint Online and Azure Datafactory using Managed Identity

Leave a comment

Let’s face it, Microsoft’s documentation on using Sharepoint as a data source (or sink) in ADF is pretty bad. And it doesn’t even describe how to use the Managed Identity of ADF, who still wants to register separate app credentials? Noooooo you don’t.

So here’s an example how to use Managed Identity to read a json file from a given SpO site, using minimal permissions given to ADF.

  1. Enable MI in datafactory, I’m assuming you know how to do this.
  2. Give ADF Sites.Selected Graph permissions, e.g. like this:
Param(
    [Parameter(Mandatory=$true)][String]$displayName="{NAMEOFADFINSTANCE}",
    [Parameter(Mandatory=$true)][String]$role="Sites.Selected"
)
Connect-AzureAD 
$Msi = (Get-AzureADServicePrincipal -Filter "displayName eq '$displayName'")
Start-Sleep -Seconds 10
$baseSPN = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$AppRole = $baseSPN.AppRoles | Where-Object {$_.Value -eq $role -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $Msi.ObjectId -PrincipalId $Msi.ObjectId -ResourceId $baseSPN.ObjectId -Id $AppRole.Id
$Msi.AppId
  1. Go to https://yourtenant.sharepoint.com/sites/yoursite/_api/site/id and copy the Edm Guid:
get sharepoint site ID / guid
  1. Go to https://developer.microsoft.com/en-us/graph/graph-explorer. Log in at the top right using a user with sufficient permissions (Sites.FullControl.All), set the mode to POST, add the EDM guid in the URL and create the request body as follows (the id in the body can be found back in step 2, $Msi.AppId)
authorize managed identity on sharepoint site
  1. Create a REST linked service in ADF with Managed Identity auth:
create graph rest linked identity
  1. Create data source in ADF of type REST
  1. Replace the “uri” with the direct url of the file you want to read (or use an alternative method). Example uri:
    https://graph.microsoft.com/v1.0/sites/ee614b6d-de15-4101-1c12-14e4cd3186a9/drive/root:/General/Input_files/test.json:/content
Azure, Logic Apps, Sharepoint Online

Failed to retrieve dynamic inputs in a logic app

Leave a comment

For those unfortunate enough to also have an admin rename/move their Sharepoint site….you’ll be seeing errors in your logic app until you fix the URL. Sharing for those googling:

Failed to retrieve dynamic inputs. Error details: 'Resource provider 'Microsoft.Web' returned a redirect response with status code '308'. This response was blocked due to security concerns.'

Error executing the api <list url>. More diagnostic information: x-ms-client-request-id is xyz.

Unable to initialize operation

Unable to initialize operation details for swagger based operation - Get_item. Error details - Incomplete information for operation 'Get_item'

-2147024891, System.UnauthorizedAccessExceptionAccess is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Automation, Azure, Azure Virtual Desktop, Powershell

Multi threading in ADDRS

Leave a comment

I’ve added basic multi-threading to ADDRS: https://www.powershellgallery.com/packages/ADDRS/1.1.8

This solely ensures that the most compute intensive task (caching sizes/performance) is not repeated between jobs. You’ll still have to handle running multiple jobs using your own preferred method, e.g. foreach -parallel, runspaces or start-job. Example:


$scriptBlock = {
    Param(
        $vm,
        $measurePeriodHours,
        $workspace,
        $token
    )
    import-module ADDRS -force
    Login-AzAccount -AccessToken $token.Token -AccountId $token.UserId -Tenant $token.TenantId
    set-vmRightSize -doNotCheckForRecentResize -targetVMName $vm.Name -domain "lieben.nu" -measurePeriodHours $measurePeriodHours -workspaceId $workspace.CustomerId -Verbose -maintenanceWindowStartHour 22 -maintenanceWindowLengthInHours 3 -maintenanceWindowDay 6
}

Microsoft 365, Azure, Automation & Code