Embedded analytics access tokens

APPLIES TO:  App owns data  User owns data

Consuming Power BI content (such as reports, dashboards and tiles) requires an access token. Depending on your solution, this token can be either an Microsoft Entra token, an embed token, or both.

In the embed for your customers solution, the application generates an embed token that grants your web users access to Power BI content.

Note

When you use the embed for your customers solution, you can use any authentication method to allow access to your web app.

In the embed for your organization solution, your web app users authenticate against Microsoft Entra ID by using their own credentials. Your customers have access to the Power BI content that they have permission to access on the Power BI service.

Microsoft Entra token

For both embed for your customers and embed for your organization solutions, you need an Microsoft Entra token. The Microsoft Entra token is required for all REST API operations, and it expires after an hour.

  • In the embed for your customers solution, the Microsoft Entra token is used to generate the embed token.

  • In the embed for your organization solution, the Microsoft Entra token is used to access Power BI.

You can acquire a Microsoft Entra token in one of the following ways:

Embed token

When you use the embed for your customers solution, your web app needs to know which Power BI content a user can access. Use the embed token REST APIs to generate an embed token, which specifies the following information:

  • The content your web app user can access

  • The web app user's access level (view, create, or edit)

For more information, see Considerations when generating an embed token.

Authentication flows

This section describes the different authentication flows for the embed for your customers and embed for your organization solutions.

The embed for your customers solution uses a non-interactive authentication flow. In an embed for your customers solution, users don't sign in to Microsoft Entra ID to access Power BI. Instead, your web app uses a reserved Microsoft Entra identity to authenticate against Microsoft Entra ID and generate the embed token. The reserved identity can be either a service principal or a master user:

  • Service principal Your web app uses the Microsoft Entra service principal object to authenticate against Microsoft Entra ID and get an app-only Microsoft Entra token. This app-only authentication method is recommended by Microsoft Entra ID.

    When using a service principal, you need to enable Power BI APIs access in the Power BI service admin settings. Enabling access allows your web app to access the Power BI REST APIs. To use API operations on a workspace, the service principal needs to be a member or an admin of the workspace.

  • Master user Your web app uses a user account to authenticate against Microsoft Entra ID and get the Microsoft Entra token. The master user account needs to have a Power BI Pro or a Premium Per User (PPU) license.

    When you use a master user account, you need to define your app's delegated permissions (also known as scopes). The master user or tenant admin has to give consent to use these permissions when using the Power BI REST APIs.

After successful authentication against Microsoft Entra ID, your web app generates an embed token to allow its users to access specific Power BI content.

Note

  • To embed by using the embed for your customers solution, you need a capacity with an A, EM, or P SKU.
  • To move to production, you need a capacity.

The following diagram shows the authentication flow for the embed for your customers solution.

Diagram of the authentication flow in an embed for your customers Power BI embedded analytics solution.

  1. The web app user authenticates against your web app with your authentication method.

  2. Your web app uses a service principal or a master user to authenticate against Microsoft Entra ID.

  3. Your web app gets an Microsoft Entra token from Microsoft Entra ID and uses it to access Power BI REST APIs. The authentication method you choose gives access to the Power BI REST APIS, which depends on if the authentication method is either a service principal or a master user.

  4. Your web app calls an Embed Token REST API operation and requests the embed token. The embed token specifies which Power BI content can be embedded.

  5. The REST API returns the embed token to your web app.

  6. The web app passes the embed token to the user's web browser.

  7. The web app user uses the embed token to access Power BI.

More questions? Try asking the Power BI Community