This is the follow up to January’s Part 1: Integrating R with Web Applications. In that article I reviewed several open-source and commercial options for integrating R into web applications. In this post, I will 1) share how to register an application in Azure Active Directory for OAuth 2.0 web app authentication. Then in the next article in this series, I will 2) walk through the Power BI Developer REST API and 3) wrap up by showing you how I combined PowerBI.com and R together in PHP.
Authenticating with Power BI REST APIs
Power BI REST APIs in the Public Preview today require Azure Active Directory for authentication. Power BI REST API calls are made on behalf of an authenticated user by passing a token in the “Authorization” header that is acquired through Azure Active Directory.
OAuth 2.0 is a commonly used, open standard for authorization. It provides client applications secure delegated access to server resources on behalf of a resource owner without sharing credentials. If you have worked with Twitter, LinkedIN or other web app APIs, OAuth may already be familiar to you. If you’d like to know more about this type of authentication, please review the OAuth article on MSDN and Power BI Authentication docs.
How Authentication Works
Access to web APIs in Azure Active Directory is implemented by using the OAuth 2.0 Authorization Code Grant flow. In that flow, the user delegates access to a client application. The transaction is protected and mediated by a code grant, which is exchanged for an access token. The client application never sees the user’s credentials and the user agent never sees the access token.
- The client application starts the flow by redirecting the user agent to the Azure Active Directory authorization endpoint. The user authenticates and consents, if consent is required.
- The Azure Active Directory authorization endpoint redirects the user agent back to the client application with an authorization code. The user agent returns authorization code to the client application’s redirect URI.
- The client application requests an access token from the Azure Active Directory token issuance endpoint. It presents the authorization code to prove that the user has consented.
- The Azure Active Directory token issuance endpoint returns an access token and a refresh token. The refresh token can be used to request additional access tokens.
- The client application uses the access token to authenticate to the Web API.
- After authenticating the client application, the web API returns the requested data.
Setting up Azure Active Directory
Before I can pass R results from my PHP and OpenCPU R web application for use in PowerBI.com, I need to register my web app. You will need to do this step too. Registering allows your application access to the Power BI REST APIs. To register an app in Azure Active Directory, go to Azure and sign in with your account.
If your organization is already using Azure Active Directory, you will see it listed in the All Items list on the first screen after you log in. If you see a Directory in that list, go ahead skip the paragraphs on creating a new Azure Active Directory instance.
To create Active Directory on Azure, click the New button on the bottom of the page and select Directory. A screen will be displayed allowing you to provide details for the new Active Directory.
Enter in the desired directory name and domain name. Then choose your Region.
At this point, you can click on Active Directory name to see available settings for further configuration.
If you did create a new Azure Active Directory account, you will also need at least one Power BI user in your tenant to assign API permissions. To create a new Power BI organizational user, sign up at: Get started with Power BI.
Registering an Application in Azure
Now navigate to Azure Active Directory and click it, the splash page will be shown. Choose Applications on the top menu. On the bottom menu, click Add.
Enter in the name of your application and then choose web application and/or web API in the options and click the arrow button.
Now enter your Sign-In URL and an App ID URI. The Sign-In URL is the web page that you will use to log in to your application. An App ID URI is a logical identifier, it does not need to resolve to a web address. App ID URI is presented by your app when sending a single sign-on request to Azure Active Directory that in turn sends the sign-on response (a SAML token) to your web app via the Reply URL that was provided during app registration. For more information on these settings, check out the MSDN article on Application and Service Principal Objects. Lastly don’t forget to enter a redirect URI in the Application information page for your web app and click the complete icon. This is where Azure Active Directory will send the response to an OAuth 2.0 request.
Now navigate to your application page and choose Configure to get your client ID. Save the client ID value. You will need to copy that value to your web app code to communicate with your Power BI environment when using the Power BI REST API.
Then in the Configuration page, click Add Application to assign permissions.
In the Permissions to other applications page, choose Power BI Service and click the complete icon. In the permissions to other applications group, choose all Delegated Permissions and click Save. At this point you have completed the steps to register an Azure application.
To view or edit your application settings in the future, you can simply choose Active Directory application, choose Configure and select the settings you want to see or change.
Let the Integration Fun Begin
Now that you have an app registered with Azure Active Directory and a client ID, you can start playing with the Power BI REST API samples provided at https://github.com/powerbi or build your own web app like I did for this series. In the next post, I will 2) walk through the Power BI Developer REST API and 3) wrap up by showing you how I combined these two cool solutions together in PHP.
Working with Azure, OAuth and APIs may seem like a bit of a technical stretch for BI professionals. In the hybrid-data world that we live in today, cloud app and REST API integration are both fantastic skills to add to your repertoire. Hybrid BI is already mainstream today with apps like Google Analytics, Dynamics, Salesforce, Marketo and so on that are often combined with on-premises data sources in analytics applications. It is not a waste of your time to learn how to use these technologies.