azure - 尝试获取 Power BI 事件事件(审核日志)时出现 401 错误

Question

我正在尝试使用服务主体获取 Power BI 审核日志。

我遵循在https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal#add-a-service-principal-or-security-group-by-using-powershell中创建Azure主体嵌入Power BI内容的每一步。

1.创建应用

2.创建 secret

将应用添加到组中

授予应用所有权限

租户.Read.All、租户.ReadWrite.All;Report.ReadWrite.All、Report.Read.All、Dataset.Read.All;Auditlog.Read.All;工作区.Read.All;工作区.ReadWrite.All;和许多其他许可。

在 Power BI 管理门户中启用“允许服务主体使用 Power BI API”和“启用应用中的内容”。

我可以获得访问 token 并运行一些 API 调用，例如:

“https://api.powerbi.com/v1.0/myorg/groups”和 “https://api.powerbi.com/v1.0/myorg/groups/{groupId}/reports”

但是当尝试获取事件事件时

"https://api.powerbi.com/v1.0/myorg/admin/activityevents?startDateTime='2023-02-13T07:55:00.000Z'&endDateTime='2023-02-13T08:55:00.000Z'&$filter=Activity" and 
"https://api.powerbi.com/v1.0/myorg/admin/activityevents?startDateTime='" + activityDate + "T00:00:00'&endDateTime='" + activityDate + "T23:59:59'"

• 收到 401 错误。

或者发布此请求“https://api.powerbi.com/v1.0/myorg/datasets/{datasetId}/refreshes”得到 403 错误。 我的Python脚本如下:

TENANT_ID = '1eb27ef3-976f-4600-a791-*******'
CLIENT_ID = 'd5376b05-a655-463b-ae9f-*******'
CLIENT_SECRET = '**************************'
SCOPE_BASE = ['https://analysis.windows.net/powerbi/api/.default']
AUTHORITY_URL = 'https://login.microsoftonline.com/organizations'
try:
    authority = AUTHORITY_URL.replace('organizations', TENANT_ID)
    clientapp = msal.ConfidentialClientApplication(CLIENT_ID, client_credential=CLIENT_SECRET, authority=authority)
    response = clientapp.acquire_token_for_client(scopes=SCOPE_BASE)
    try:
        access_token = response['access_token']
        activityDate = date.today() - timedelta(days=1)
        activityDate = activityDate.strftime("%Y-%m-%d")

        url = "https://api.powerbi.com/v1.0/myorg/admin/activityevents?startDateTime='" + activityDate + "T00:00:00'&endDateTime='" + activityDate + "T23:59:59'"
        header = {'Content-Type':'application/json', 'Authorization':f'Bearer {access_token}'}
        api_call = requests.get(url=url, headers=header)
        print(api_call)
        print(api_call.json())

    except KeyError:
        raise Exception(response['error_description'])

except Exception as ex:
    raise Exception('Error retrieving Access token\n' + str(ex))

Answer 1

如果你看documentation ，它指出:

When running under service prinicipal authentication, an app must not have any admin-consent required premissions for Power BI set on it in the Azure portal.

以及所需的范围:

Must not be present when authentication via a service principal is used.

因此，删除同意并删除应用程序中的所有权限，它应该可以工作。