Embedded analytics access tokens

APPLIES TO:  App owns data  User owns data

Consuming Power BI content (such as reports, dashboards and tiles) requires an access token. Depending on your solution, this token can be either an Microsoft Entra token, an embed token, or both.

In the embed for your customers solution, the application generates an embed token that grants your web users access to Power BI content.

Note

When you use the embed for your customers solution, you can use any authentication method to allow access to your web app.

In the embed for your organization solution, your web app users authenticate against Microsoft Entra ID by using their own credentials. Your customers have access to the Power BI content that they have permission to access on the Power BI service.

Microsoft Entra token

For both embed for your customers and embed for your organization solutions, you need an Microsoft Entra token. The Microsoft Entra token is required for all REST API operations, and it expires after an hour.

• In the embed for your customers solution, the Microsoft Entra token is used to generate the embed token.

• In the embed for your organization solution, the Microsoft Entra token is used to access Power BI.

You can acquire a Microsoft Entra token in one of the following ways:

• Use the external Postman tool to acquire a token. For more information, see this Power BI Community thread. The request URL for a service principal must be https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token, but for a master user, it can be either https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token or https://login.microsoftonline.com/common/oauth2/token.

• Follow the sample solutions at PowerBI-Developer-Samples. For example:

  • For Embed for your customers see this AadService.cs file. Find the authorityUrl and scopeBase at AppOwnsData/Web.config.

  • For Embed for your organization see this OwinOpenIdConnect.cs file. Find authorityUrl at UserOwnsData/Web.config.

  Note

  You can find the authorityUrl and scopeBase values for some sovereign clouds in Embed content in your app for government and national/regional clouds.

Embed token

When you use the embed for your customers solution, your web app needs to know which Power BI content a user can access. Use the embed token REST APIs to generate an embed token, which specifies the following information:

• The content your web app user can access

• The web app user's access level (view, create, or edit)

For more information, see Considerations when generating an embed token.

Authentication flows

This section describes the different authentication flows for the embed for your customers and embed for your organization solutions.

Embed for your customers

The embed for your customers solution uses a non-interactive authentication flow. In an embed for your customers solution, users don't sign in to Microsoft Entra ID to access Power BI. Instead, your web app uses a reserved Microsoft Entra identity to authenticate against Microsoft Entra ID and generate the embed token. The reserved identity can be either a service principal or a master user:

• Service principal Your web app uses the Microsoft Entra service principal object to authenticate against Microsoft Entra ID and get an app-only Microsoft Entra token. This app-only authentication method is recommended by Microsoft Entra ID.

  When using a service principal, you need to enable Power BI APIs access in the Power BI service admin settings. Enabling access allows your web app to access the Power BI REST APIs. To use API operations on a workspace, the service principal needs to be a member or an admin of the workspace.

• Master user Your web app uses a user account to authenticate against Microsoft Entra ID and get the Microsoft Entra token. The master user account needs to have a Power BI Pro or a Premium Per User (PPU) license.

  When you use a master user account, you need to define your app's delegated permissions (also known as scopes). The master user or tenant admin has to give consent to use these permissions when using the Power BI REST APIs.

After successful authentication against Microsoft Entra ID, your web app generates an embed token to allow its users to access specific Power BI content.

Note

• To embed by using the embed for your customers solution, you need a capacity with an A, EM, or P SKU.
• To move to production, you need a capacity.

The following diagram shows the authentication flow for the embed for your customers solution.

1. The web app user authenticates against your web app with your authentication method.

2. Your web app uses a service principal or a master user to authenticate against Microsoft Entra ID.

3. Your web app gets an Microsoft Entra token from Microsoft Entra ID and uses it to access Power BI REST APIs. The authentication method you choose gives access to the Power BI REST APIS, which depends on if the authentication method is either a service principal or a master user.

4. Your web app calls an Embed Token REST API operation and requests the embed token. The embed token specifies which Power BI content can be embedded.

5. The REST API returns the embed token to your web app.

6. The web app passes the embed token to the user's web browser.

7. The web app user uses the embed token to access Power BI.

Embed for your organization

The embed for your organization solution uses an interactive authentication flow. The web app users authenticate against Microsoft Entra ID by using their own Power BI credentials. They need to consent to the API permissions that were set when the app was registered with Microsoft Entra ID. A Microsoft Permissions requested dialog window asks users to grant these permissions. After consent is granted, the user can embed the Power BI content that the user has access to.

Note

• The embed for your organization solution doesn't support A SKUs.

• To move to production, you'll need one of the following configurations:

  • All users with Pro licenses.
  • All users with PPU licenses.
  • A capacity or Fabric F64 or greater capacity. This configuration allows all users to have free licenses.

This diagram shows an example of the authentication flow for the embed for your organization solution.

1. The web app user accesses the web app.

2. The web app redirects the web app user to Microsoft Entra ID.

3. The web app user authenticates against Microsoft Entra ID by using their Power BI credentials.

4. Microsoft Entra ID redirects the web app user back to the web app with the Microsoft Entra token. In an implicit grant scenario, the access token is returned to the user's browser.

5. The web app passes the Microsoft Entra token to the user's web browser.

6. Your Power BI web app uses the Microsoft Entra token to embed Power BI content, such as reports and dashboards, which the web app user has permission to access.

Related content

• Considerations when generating an embed token
• Capacity and SKUs in Power BI embedded analytics

More questions? Try asking the Power BI Community