



I've registered a native app (for Power BI push operation) and added the necessary API permissions.
Global admin granted the consent. But the access token method fails.


Equivalent PS script used to get the access token:

$authUrl = "https://login.windows.net/common/oauth2/token"
$body = @{
    "resource"   = "https://analysis.windows.net/powerbi/api";
    "client_id"  = "myclientid";
    "grant_type" = "password";
    "username"   = "myuser";
    "password"   = "mypass";
    "scope"      = "openid"
}
$authResponse = Invoke-RestMethod -Uri $authUrl -Method POST -Body $body

$authResponse.access_token




Invoke-RestMethod : {"error":"invalid_grant","error_description":"AADSTS50126: Invalid username or password.

The master account used is synchronised to Azure AD from a Windows Active Directory server.

(The whole approach works fine in a different tenant where the master account is created on Azure AD itself.)


Blocked around this issue for a while. Any quick help is appreciated. Thanks in advance.



It sounds like you are in a situation where you have a hybrid setup with Azure AD and on-prem AD. And this is the scenario that doesn't work properly.


The scenario that does work is when your account is created on the cloud.


This is because the ROPC (password) flow doesn't work in certain situations.

From the article: https://joonasw.net/view/ropc-grant-flow-in-azure-ad


In the sample app a custom login page is made that calls Azure AD's token endpoint with the user's credentials as well as the app's credentials. The sample app is on GitHub: https://github.com/juunas11/7-deadly-sins-in-azure-ad-app-development/tree/master/RopcLogin. The approach there does work for regular cloud-only users (local and guest).

However, it does not work for:

  • Users with multi-factor authentication
  • Users who have not consented to the required scopes
  • Users whose password has expired
  • Users synchronised from on-premises AD
  • Personal Microsoft or Google accounts
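An added example, not code from the question or the answer above: the same ROPC request against the v1 token endpoint, wrapped so that a failed call returns the full JSON error body (the `error` and `error_description` fields, whose description starts with the AADSTS code) instead of the truncated exception text shown in the question. The function name, parameter names, and the placeholder client id and tenant in the usage comment are assumptions for illustration only.

```powershell
# Added example (not from the question or answer): ROPC token request with the
# Azure AD error body surfaced in full. Placeholder names/values are assumptions.
function Get-PowerBIRopcToken {
    param(
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [pscredential] $Credential,
        # The question uses "common"; a tenant id or verified domain can be passed instead.
        [string] $Tenant = 'common'
    )

    $authUrl = "https://login.windows.net/$Tenant/oauth2/token"
    $body = @{
        resource   = 'https://analysis.windows.net/powerbi/api'
        client_id  = $ClientId
        grant_type = 'password'
        username   = $Credential.UserName
        # ROPC sends the cleartext password in the request body. This is why the
        # flow is discouraged and why it cannot satisfy MFA or federated sign-in.
        password   = $Credential.GetNetworkCredential().Password
        scope      = 'openid'
    }

    try {
        $resp = Invoke-RestMethod -Uri $authUrl -Method Post -Body $body `
                    -ContentType 'application/x-www-form-urlencoded'
        return [pscustomobject]@{
            Success     = $true
            AccessToken = $resp.access_token
            ExpiresOn   = $resp.expires_on
            Error       = $null
        }
    }
    catch {
        # Invoke-RestMethod throws on HTTP 400. The JSON error body is usually in
        # ErrorDetails.Message; fall back to reading the response stream otherwise.
        $detail = $_.ErrorDetails.Message
        if (-not $detail -and $_.Exception.Response) {
            try {
                $stream = $_.Exception.Response.GetResponseStream()
                $reader = New-Object System.IO.StreamReader($stream)
                $detail = $reader.ReadToEnd()
                $reader.Dispose()
            } catch { }
        }

        $err = $null
        if ($detail) { try { $err = $detail | ConvertFrom-Json } catch { } }

        $message = if ($err -and $err.error_description) {
            # e.g. "invalid_grant: AADSTS50126: Invalid username or password. ..."
            "$($err.error): $($err.error_description)"
        } elseif ($detail) {
            $detail
        } else {
            $_.Exception.Message
        }

        return [pscustomobject]@{
            Success     = $false
            AccessToken = $null
            ExpiresOn   = $null
            Error       = $message
        }
    }
}

# Usage (placeholder values; prompts for the account password rather than
# hard-coding it in the script):
# $cred = Get-Credential
# $r = Get-PowerBIRopcToken -ClientId 'myclientid' -Credential $cred -Tenant 'common'
# if ($r.Success) { $r.AccessToken } else { Write-Warning $r.Error }
```

The returned `Error` string carries the complete `error_description`, so the AADSTS code and the rest of the message are available for diagnosis when the account falls into one of the unsupported categories listed above.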