Can't use a SPN in a PowerBi dashboard to access SharePoint lists
Hoping you can help with an ongoing issue I have. I have a PowerBi dashboard I built using regular account to fetch some SharePoint lists and uploaded it to PowerBi for others to view Now in PowerBi portal I want to change the credential from my account to an SPN. I've read what feels like a thousand articles describing the process to create the SPN 99% all the same. Yet when I go into Powerbi portal, edit the semantic model for the dashboard, click edit credentials, select Service Principal put in the tenant ID the Service principal ID (yes using the app id, in fact I tried everything) the service principal key (the secret) and choose any privacy level it fails 100% of the time. Error is: Failed to update data source credentials: The credentials provided for the SharePoint source are invalid. Same error regardless of what privacy level I choose. I'm sure the secret is correct also. Just for fun I tried the Secret ID and the Object ID in place of the Application ID for the Service principal ID field. All failed same error. I'm sure the secret is correct also. The SPN has Graph sites.read.all, Graph user.read and SharePoint Sites.Read.All api permissions configured. All are consented. Everything seems right but gives me the error failed to retrieve oauth token 100% of the time. Am i missing something else? More API permissions maybe? Do i still need ot actually add the SPN to the Sharepoint site itself even though I has API permissions SharePoint Sites.Read.All? I've done days of research and all I find is lots of people with same or similar issue but not resolution. Is this a bug? Help me I'm desperate to get this fixed or I'm going to have to allow people to bypass MFA across my organization which I cant have.Automating Microsoft 365 with PowerShell Second Edition
The Office 365 for IT Pros team are thrilled to announce the availability of Automating Microsoft 365 with PowerShell (2nd edition). This completely revised 350-page book delivers the most comprehensive coverage of how to use Microsoft Graph APIs and the Microsoft Graph PowerShell SDK with Microsoft 365 workloads (Entra ID, Exchange Online, SharePoint Online, Teams, Planner, and more). Existing subscribers can download the second edition now free of charge. https://office365itpros.com/2025/06/30/automating-microsoft-365-with-powershell2/Effortless Time Tracking in Teams, Outlook and M365 Copilot
How do you stay in the flow of work when tasks move across Teams, Outlook and now M365 Copilot? Many of us already collaborate and manage our day in these Microsoft 365 tools, but logging time often feels like something separate that interrupts our focus. With https://www.klynke.com/ time tracking stays right where your work happens. It runs inside Teams, Outlook and M365 Copilot, creating one consistent and natural experience for logging hours without leaving your workflow. We shared more in our blog: https://www.klynke.com/post/log-time-in-teams-outlook-copilot, and were grateful that Microsoft featured our story in a Tech Community interview: Building Secure SaaS on Microsoft Cloud. A quick look under the hood Microsoft 365 SSO (Entra ID) – Employees sign in with their existing credentials Tenant-based storage and security – Data stays within your Microsoft 365 tenant, under IT control Native experience – Same workflow in Teams, Outlook and M365 Copilot Simple reporting – Export to Excel, Power BI or dashboards How do you currently manage time tracking in Microsoft 365? Would having it built directly into Teams, Outlook and M365 Copilot make a difference in your day? CTO at KlynkeCreating a Service Principal Analysis for a Microsoft 365 Tenant
Understanding the set of registered and enterprise apps active in a Microsoft 365 tenant is important. Attackers can sneak in and plant an app to exfiltrate or otherwise steal data. This article explains how to use PowerShell to create a service principal analysis report that highlights common problems and gives tenant administrators the data needed to manage apps. https://practical365.com/service-principal-analysis-report/Removing Inactive Entra ID User Accounts with PowerShell
The Entra ID Governance solution includes a workflow to detect and remove inactive user accounts. Sounds good, but the same can be done with PowerShell if you want to avoid the cost of Entra ID Governance licenses or want to create a bespoke workflow that’s better suited to the business needs of the organization. Azure Automation would be a good way to process this workflow. https://office365itpros.com/2025/11/17/remove-inactive-user-accounts/How to Check Unexpected Sign-Ins Against Utility Accounts
Utility accounts exist in every Microsoft 365 tenant. These accounts are not intended for normal user activity and include accounts used for Exchange room and shared mailboxes and the break-glass or emergency accounts intended to allow administrators to sign-in if their usual accounts are blocked. This article shows how to use PowerShell and the Microsoft Graph to check sign-in events to ensure that the accounts aren't being accessed. https://practical365.com/check-utility-accounts-break-glass-signins/A Brief History of Soft-Deleted Entra ID Groups
Entra ID has long supported soft-deleted Microsoft 365 Groups. Now support is available to list and restore soft-deleted security groups in both the Entra admin center and cmdlets from the Microsoft Graph PowerShell SDK, so the articles include a script to show how to list and recover deleted Microsoft 365 and security groups. The update is very welcome as it fixes a big recovery gap in the Entra ID story. Too many important security groups have been deleted in error, much to the chagrin of administrators. https://office365itpros.com/2025/11/11/soft-deleted-security-groups/Version 1.5 of the Microsoft 365 User Password and Authentication Report
The Microsoft 365 User Passwords and Authentication report now includes the last used date for authentication methods (when available). The new data is available through the Graph beta API for listing authentication methods and the equivalent Graph PowerShell SDK cmdlet. Another change that might break scripts is a new way to expose the created date for authentication methods. The changing sands of Graph programming… https://office365itpros.com/2025/11/06/authentication-methods-graph-2/Allowing Users to Add Enterprise Apps to Entra ID is a Bad Idea
Enterprise apps can come from a variety of sources. Most are Microsoft 1st party apps, and the rest are ISV apps. It’s easy to add an app without really intending to, which is a good reason to force users through the Entra ID app consent workflow when they want to add an app. Unhappily, I failed the test and added an app in a moment of weakness. Here’s what happened. https://office365itpros.com/2025/10/24/enterprise-apps-my-mistake/
Nested App Authentication (NAA) token to protect middle-tier server
I'm working on an outlook addin and want to use the NAA accesstoken to validate the user on an api running on a php webserver. The addin runs as a taskepane (created with yo office) with the app only manifest. I have setup NAA to do Microsoft graph calls on behalf of the user. I have used this guid to setup NAA (copy/past) https://learn.microsoft.com/en-us/office/dev/add-ins/develop/enable-nested-app-authentication-in-your-add-in I have setup a php server (not in Microsoft infrastruktur) for a simple API, that handlers MySQL calls and app only calls to Microsoft graph. The php api authenticate itself with a client secret from the Azure app registration. Both are working as expected. Can i use the accesstoken from the NAA, to authenticate the user on the php server? If it can be done how do I validate the token?
