Embedded analytics access tokens

✔️ App owns data ✔️ User owns data

Consuming Power BI content (such as reports, dashboards and tiles) requires an access token. Depending on your solution, this token can be either an Azure AD token, an embed token, or both.

In the embed for your customers solution, your web app users are granted access to Power BI content according to the embed token generated by your application.

Note

When using the embed for your customers solution, you can use any authentication method to allow access to your web app.

In the embed for your organization solution, your web app users authenticate against Azure AD using their own credentials. They then have access to the Power BI content they have permission to access in the Power BI service.

Azure AD token

For both embed for your customers and embed for your organization solutions, you need an Azure AD token. This token is required for all REST API operations, and it expires after an hour.

  • In the embed for your customers scenario, the Azure AD token is used to generate the embed token.

  • In the embed for your organization scenario, the Azure AD token is used to access Power BI.

Embed token

When you're using the embed for your customers solution, your web app needs to know which Power BI content its user can access. Use the embed token REST APIs to generate an embed token, which specifies the following information:

  • Which content your web app user can access.

  • The web app user's access level (view, create, or edit).

For more information, see Considerations when generating an embed token.

Authentication flows

This section describes the different authentication flows for the embed for your customers and embed for your organization embedding solutions.

The embed for your customers solution uses a non-interactive authentication flow. Users don't sign in to Azure AD to access Power BI. Instead, your web app uses a reserved Azure AD identity to authenticate against Azure AD, and generate the embed token. The reserved identity can be either a service principal or a master user:

  • Service principal

    Your web app uses the Azure AD service principal object to authenticate against Azure AD and get an app-only Azure AD token. This app-only authentication method is recommended by Azure AD.

    When using a service principal, you need to enable Power BI APIs access in the Power BI service admin settings. Enabling access allows your web app to access the Power BI REST APIs. To use API operations on a workspace, the service principal needs to be a member or admin of the workspace.

  • Master user

    Your web app uses a user account to authenticate against Azure AD and get the Azure AD token. The master user needs to have a Power BI Pro or a Premium Per User (PPU) license.

    When using a master user, you need to define your app's delegated permissions (also known as scopes). The master user or tenant admin has to give consent to use these permissions when using the Power BI REST APIs.

After successful authentication against Azure AD, your web app will generate an embed token to allow its users to access specific Power BI content.

Note

  • To embed using the embed for your customers solution, you need a capacity with an A, EM, or P SKU.
  • To move to production you need a capacity.

The following diagram shows the authentication flow for the embed for your customers solution.

A diagram of the authentication flow in an embed for your customers Power BI embedded analytics solution.

  1. Web app user authenticates against your web app (with your authentication method).

  2. Your web app uses a service principal or a master user to authenticate against Azure AD.

  3. Your web app gets an Azure AD token from Azure AD, and uses it to access Power BI REST APIs. Access to the Power BI REST APIs is given according to your authentication method, which is either service principal or master user.

  4. Your web app calls an Embed Token REST API operation, requesting the embed token. The embed token specifies which Power BI content can be embedded.

  5. The REST API returns the embed token to your web app.

  6. The web app passes the embed token to the user's web browser.

  7. The web app user uses the embed token to access Power BI.
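The steps above seen from the web app's side, as an added example that is not Microsoft's sample code: it builds the service principal token request and the report GenerateToken request, and checks the web app's own entitlement record before asking for an embed token. The `ENTITLEMENTS` table, the user names and IDs, and the `browser_payload` shape are assumptions made for illustration; `Create` access is left out.

```python
import json
import urllib.parse
import urllib.request

API = "https://api.powerbi.com/v1.0/myorg"
SCOPE = "https://analysis.windows.net/powerbi/api/.default"

# Constructed sample: the web app's own record of what each of its users may embed.
ENTITLEMENTS = {
    "alice": {("ws-1111", "rep-aaaa"): {"View", "Edit"}},
    "bob": {("ws-1111", "rep-aaaa"): {"View"}},
}

def aad_token_request(tenant_id, client_id, client_secret):
    """Steps 2-3: client-credentials grant for the service principal (app-only token)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=form, method="POST")

def embed_token_request(aad_token, user, workspace_id, report_id, access_level="View"):
    """Step 4: authorize the signed-in web app user, then request a token for one report."""
    allowed = ENTITLEMENTS.get(user, {}).get((workspace_id, report_id), set())
    if access_level not in allowed:
        raise PermissionError(f"{user} may not {access_level} report {report_id}")
    url = f"{API}/groups/{workspace_id}/reports/{report_id}/GenerateToken"
    body = json.dumps({"accessLevel": access_level}).encode()
    headers = {"Authorization": f"Bearer {aad_token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def send(req):
    """Send a prepared request and decode the JSON reply (needs network and real credentials)."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def browser_payload(embed_reply, report_id):
    """Step 6: only the embed token and its expiry go to the browser, never the Azure AD token."""
    return {"reportId": report_id, "embedToken": embed_reply["token"],
            "expiration": embed_reply["expiration"]}
```

With real credentials, the calls chain as `send(aad_token_request(...))["access_token"]`, then `send(embed_token_request(...))`, then `browser_payload(...)`.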
