Embed Token - Reports GenerateTokenInGroup

Generates an embed token to view or edit the specified report from the specified workspace.
This API is relevant only to 'App owns data' embed scenario.

Required scope: (all of the below)

  • Report.ReadWrite.All or Report.Read.All
  • Dataset.ReadWrite.All or Dataset.Read.All
  • Content.Create - required only if allowSaveAs specified in GenerateTokenRequest

To set the permissions scope, see Register an app.

Restrictions

Generating Embed Token with RLS may not work for AS Azure or AS OnPrem live connection reports for several minutes after a Rebind.

POST https://api.powerbi.com/v1.0/myorg/groups/{groupId}/reports/{reportId}/GenerateToken

URI Parameters

Name In Required Type Description
groupId
path True
  • string
uuid

The workspace id

reportId
path True
  • string
uuid

The report id

Request Body

Name Type Description
accessLevel

Required access level for EmbedToken generation

allowSaveAs
  • boolean

Indicates an embedded report can be saved as a new report. Default value is 'false'. Only applies when generating EmbedToken for report embedding.

datasetId
  • string

Dataset id for report creation. Only applies when generating EmbedToken for report creation.

identities

List of identities to use for RLS rules. Specifying identities is not supported when generating EmbedToken for dataset embedding.

Responses

Name Type Description
200 OK

OK

Examples

Generate report EmbedToken for editing, using EffectiveIdentity
Generate report EmbedToken for view and allow saving as new report
Generate report EmbedToken using EffectiveIdentity with IdentityBlob
Generate report EmbedToken using EffectiveIdentity with multiple roles
Generate report EmbedToken with EffectiveIdentity
Generate report EmbedToken with EffectiveIdentity (Using CustomData for Azure AS)

Generate report EmbedToken for editing, using EffectiveIdentity

Sample Request

POST https://api.powerbi.com/v1.0/myorg/groups/f089354e-8366-4e18-aea3-4cb4a3a50b48/reports/5b218778-e7a5-4d73-8187-f10824047715/GenerateToken
{
  "accessLevel": "Edit",
  "identities": [
    {
      "username": "john@contoso.com",
      "roles": [
        "sales"
      ],
      "datasets": [
        "cfafbeb1-8037-4d0c-896e-a46fb27ff229"
      ]
    }
  ]
}

Sample Response

{
  "token": "H4sI....AAA=",
  "tokenId": "49ae3742-54c0-4c29-af52-619ff93b5c80",
  "expiration": "2018-07-29T17:58:19Z"
}

Generate report EmbedToken for view and allow saving as new report

Sample Request

POST https://api.powerbi.com/v1.0/myorg/groups/f089354e-8366-4e18-aea3-4cb4a3a50b48/reports/5b218778-e7a5-4d73-8187-f10824047715/GenerateToken
{
  "accessLevel": "View",
  "allowSaveAs": "true"
}

Sample Response

{
  "token": "H4sI....AAA=",
  "tokenId": "49ae3742-54c0-4c29-af52-619ff93b5c80",
  "expiration": "2018-07-29T17:58:19Z"
}

Generate report EmbedToken using EffectiveIdentity with IdentityBlob

Sample Request

POST https://api.powerbi.com/v1.0/myorg/groups/f089354e-8366-4e18-aea3-4cb4a3a50b48/reports/5b218778-e7a5-4d73-8187-f10824047715/GenerateToken
{
  "accessLevel": "View",
  "identities": [
    {
      "datasets": [
        "cfafbeb1-8037-4d0c-896e-a46fb27ff229"
      ],
      "identityBlob": {
        "value": "eyJ0eX....AAA="
      }
    }
  ]
}

Sample Response

{
  "token": "H4sI....AAA=",
  "tokenId": "49ae3742-54c0-4c29-af52-619ff93b5c80",
  "expiration": "2018-07-29T17:58:19Z"
}

Generate report EmbedToken using EffectiveIdentity with multiple roles

Sample Request

POST https://api.powerbi.com/v1.0/myorg/groups/f089354e-8366-4e18-aea3-4cb4a3a50b48/reports/5b218778-e7a5-4d73-8187-f10824047715/GenerateToken
{
  "accessLevel": "View",
  "identities": [
    {
      "username": "john@contoso.com",
      "roles": [
        "sales",
        "marketing"
      ],
      "datasets": [
        "cfafbeb1-8037-4d0c-896e-a46fb27ff229"
      ]
    }
  ]
}

Sample Response

{
  "token": "H4sI....AAA=",
  "tokenId": "49ae3742-54c0-4c29-af52-619ff93b5c80",
  "expiration": "2018-07-29T17:58:19Z"
}

Generate report EmbedToken with EffectiveIdentity

Sample Request

POST https://api.powerbi.com/v1.0/myorg/groups/f089354e-8366-4e18-aea3-4cb4a3a50b48/reports/5b218778-e7a5-4d73-8187-f10824047715/GenerateToken
{
  "accessLevel": "View",
  "identities": [
    {
      "username": "john@contoso.com",
      "roles": [
        "sales"
      ],
      "datasets": [
        "cfafbeb1-8037-4d0c-896e-a46fb27ff229"
      ]
    }
  ]
}

Sample Response

{
  "token": "H4sI....AAA=",
  "tokenId": "49ae3742-54c0-4c29-af52-619ff93b5c80",
  "expiration": "2018-07-29T17:58:19Z"
}

Generate report EmbedToken with EffectiveIdentity (Using CustomData for Azure AS)

Sample Request

POST https://api.powerbi.com/v1.0/myorg/groups/f089354e-8366-4e18-aea3-4cb4a3a50b48/reports/5b218778-e7a5-4d73-8187-f10824047715/GenerateToken
{
  "accessLevel": "View",
  "identities": [
    {
      "username": "john@contoso.com",
      "customData": "john_contoso.com",
      "roles": [
        "sales"
      ],
      "datasets": [
        "cfafbeb1-8037-4d0c-896e-a46fb27ff229"
      ]
    }
  ]
}

Sample Response

{
  "token": "H4sI....AAA=",
  "tokenId": "49ae3742-54c0-4c29-af52-619ff93b5c80",
  "expiration": "2018-07-29T17:58:19Z"
}

Definitions

EffectiveIdentity

The identity the generated token should reflect, for more details see this article

EmbedToken

Power BI embed token

GenerateTokenRequest

Power BI Generate Token Request

IdentityBlob

Preview feature: A blob to specify identity for EmbedToken generation. Only supported for datasets with Direct Query connection to SQL Azure

TokenAccessLevel

Required access level for EmbedToken generation

EffectiveIdentity

The identity the generated token should reflect, for more details see this article

Name Type Description
customData
  • string

The value of customdata to be used for applying RLS rules. Only supported for live connections to Azure Analysis Services.

datasets
  • string[]

An array of datasets for which this identity applies

identityBlob

Preview feature: The identity blob representing the identity that the generated token should reflect

roles
  • string[]

An array of roles reflected by a token when applying RLS rules (identity can contain up to 50 roles, role can be composed of any character besides ',' and must be up to 50 characters)

username
  • string

The effective username reflected by a token for applying RLS rules (For OnPrem model, username can be composed of alpha-numerical characters or any of the following characters '.', '-', '_', '!', '#', '^', '~', '\', '@', also username cannot contain spaces. For Cloud model, username can be composed of all ASCII characters. username must be up to 256 characters)

EmbedToken

Power BI embed token

Name Type Description
expiration
  • string

Expiration time of token. In UTC.

token
  • string

Embed token

tokenId
  • string

Unique token Id. Can be used to correlate operations that use this token with the generate operation through audit logs.

GenerateTokenRequest

Power BI Generate Token Request

Name Type Description
accessLevel

Required access level for EmbedToken generation

allowSaveAs
  • boolean

Indicates an embedded report can be saved as a new report. Default value is 'false'. Only applies when generating EmbedToken for report embedding.

datasetId
  • string

Dataset id for report creation. Only applies when generating EmbedToken for report creation.

identities

List of identities to use for RLS rules. Specifying identities is not supported when generating EmbedToken for dataset embedding.

IdentityBlob

Preview feature: A blob to specify identity for EmbedToken generation. Only supported for datasets with Direct Query connection to SQL Azure

Name Type Description
value
  • string

OAuth2 access token for SQL Azure

TokenAccessLevel

Required access level for EmbedToken generation

Name Type Description
Create
  • string

Indicates that the generated EmbedToken should grant Creation permissions, only applies when generating EmbedToken for report creation

Edit
  • string

Indicates that the generated EmbedToken should grant Viewing and Editing permissions, only applies when generating EmbedToken for report embedding

View
  • string

Indicates that the generated EmbedToken should grant only Viewing permissions