Embedded analytics application tokens

To consume Power BI content you need an access token. Depending on your solution, this token can be either an Azure AD token or an embed token.

If you're using the embed for your customers solution, your web app users will be granted access to Power BI content (such as reports, dashboards and tiles), according to the embed token that was generated by your application.

Note

When using the embed for your customers solution, you can use any authentication method to allow access to your web app.

If you're using the embed for your organization solution, your web app users will be authenticating against Azure AD using their own credentials. Your app users will have access to the Power BI content they can access on Power BI service.

Azure AD token

For both embed for your customers and embed for your organization solutions, you need an Azure AD token. This token is required for all REST API operations, and it expires after an hour.

  • In the embed for your customers, the Azure AD token is used to generate the embed token.

  • In the embed for your organization, the Azure AD token is used to access Power BI.

Embed token

When you're using the embed for your customers solution, your web app needs to know which Power BI content its user can access. Use the embed token REST APIs, to generate an embed token, which specifies the following:

  • Which content your web app user can access.

  • The web app user's access level (view, create, or edit).

For more information, see Considerations when generating an embed token.

Authentication flows

This section describes the authentication flows for the embed for your customers and embed for your organization embedding solutions.

Embed for your customers

The Embed for your customers solution uses a non-interactive authentication flow. Users do not need to sign in to Azure AD, to access Power BI. Instead, your web app uses a reserved Azure AD identity to authenticate against Azure AD, and generate the embed token. The reserved identity can be one of the following:

  • Service principal

    Your web app uses the Azure AD service principal object to authenticate against Azure AD and get an app-only Azure AD token. This is an app-only authentication method, which is recommended by Azure AD.

    When using a service principal, you need to enable Power BI APIs access in the Power BI service admin settings. This allows your web app to access the Power BI REST APIs. To use API operations on a workspace, the service principal needs to be a member or admin of the workspace.

  • Master user

    Your web app uses a user account to authenticate against Azure AD and get the Azure AD token. The master user needs to have a Power BI Pro or a Premium Per User (PPU) license.

    When using a master user you'll need to define your app's delegated permissions (also known as scopes). The master user or tenant admin is required to grant consent for using these permissions using the Power BI REST APIs.

After successful authentication against Azure AD, your web app will generate an embed token to allow its users to access specific Power BI content.

Note

  • To embed using the embed for your customers solution, you'll need a capacity with an A, EM, or P SKU.
  • To move to production you'll need a capacity.

The following diagram shows the authentication flow for the embed for your customers solution.

A diagram of the authentication flow in an embed for your customers Power B I embedded analytics solution.

  1. Web app user authenticates against your web app (with your authentication method).

  2. Your web app uses a service principal or a master user to authenticate against Azure AD.

  3. Your web app gets an Azure AD token from Azure AD, and uses it to access Power BI REST APIs. Access to the Power BI REST APIs is given according to your authentication method, which is either service principal or master user.

  4. Your web app calls an Embed Token REST API operation, requesting the embed token. The embed token specifies which Power BI content can be embedded.

  5. The REST API returns the embed token to your web app.

  6. The web app passes the embed token to the user's web browser.

  7. The web app user uses the embed token to access Power BI.

Embed for your organization

The Embed for your organization solution uses an interactive authentication flow. Your users authenticate against Azure AD using their Power BI credentials. Users need to grant consent to the API permissions that were set when registering the app with Azure AD. Consent is granted in the Microsoft Permissions requested dialog pop-up window. After consent is granted, Power BI content such as reports and dashboards that the web app user has access to, can be embedded.

Screenshot showing the Microsoft permissions requested pop-up window which asks customers to grant permissions for accessing Power B I.

Note

  • The embed for your organization solution doesn't support A SKUs.
  • To move to production you'll need one of the following configurations:
    • All users with Pro licenses.
    • All users with PPU licenses.
    • A capacity. This configuration allows all users to have free licenses.

This diagram shows an example of the authentication flow for the embed for your organization solution.

A diagram of the authentication flow in an embed for your organization Power B I embedded analytics solution.

  1. Web app user accesses the web app.

  2. The web app redirects the web app user to Azure AD.

  3. The web app user authenticates against Azure AD using his Power BI credentials.

  4. Azure AD redirects the web app user back to the web app with the Azure AD token (in an implicit grant scenario, the access token is returned to the user's browser).

  5. The web app passes the Azure AD token to the user's web browser.

  6. Your Power BI web app uses the Azure AD token to embed Power BI content such as reports and dashboards, which the web app user has rights to access.

Next steps