semantic-link-labs icon indicating copy to clipboard operation
semantic-link-labs copied to clipboard

Published 20 hours ago verified publisher icon microsoft

Issue running sempy_labs.run_model_bpa_bulk in a notebook with the run notebook on demand API using with Azure DevOps

Open kevchant opened this issue 9 months ago • 2 comments

When trying to run sempy_labs.run_model_bpa_bulk in a notebook with the run notebook on demand API using with Azure DevOpsI get interesting issues.

If I run the notebook in the context of the service principal the notebook fails and I get the below error in the notebook logs: FabricHTTPException: 401 Unauthorized for url: https://api.powerbi.com/powerbi/globalservice/v201606/clusterdetails

When I try and run it as a Microsoft Entra user with MFA disabled the notebook starts to run and it looks like it has suceeded at first. But then I go into the notebook history and view th stdout I see the below error: 🔴 Model BPA failed for the 'blah blah' semantic model within the 'Something' workspace. MWC token validation failed: Invalid Token type, expected ServiceToken but got AadBasedToken

I have tried various methods of authenticating to resolve this. So far, the only way I have managed to get it working so far in Azure DevOps is to create a new variable for the bearer token. Then go into Edge Developer mode and get the interactive bearer token and add that as the variable.

Obviously this is not ideal, is there an alternative solution to resolve this?

kevchant avatar Feb 13 '25 22:02 kevchant

How are you calling the run on demand notebook api? Please share your code.

m-kovalsky avatar Feb 14 '25 07:02 m-kovalsky

Sure, first I am connecting via Connect-AzAccount, for example the below for a service principal:

Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant $(tenantId)

Then I am getting a bearer token with Get-AzAccessToke:

$fabricToken = (Get-AzAccessToken -ResourceUrl $(resourceUrl)).Token

I then create relevant header and body information to pass through a paramter (yes I have tested without the body information in case wondering):

          $startnotebookUrl = "https://api.fabric.microsoft.com/v1/workspaces/$(BPAworkspaceId)/items/$(notebookId)/jobs/instances?jobType=RunNotebook"
          
          $headers = @{
          "Authorization" = "Bearer $fabricToken"
          "Content-Type"  = "application/json"
          }

          $body = @{
              executionData = @{
                parameters = @{
                  workspace_name = $branchName
                }
              }
          } | ConvertTo-Json

I then call Invoke-RestMethod:

Invoke-RestMethod -Uri $startnotebookUrl -Headers $headers -Method POST -Body $body -ResponseHeadersVariable headers

This all starts the notebook, regardless of service principal or a special Entra account with MFA disabled.

Service principal clearly works as passed through the ID and secret in postman. If I log in with the special Entra account I can run the whole notebook.

Will work as a regular Entra user is I pass in the interactive Bearer token as a variable instead as below:

$fabricToken = "$(bearerToken)"

kevchant avatar Feb 14 '25 11:02 kevchant