How to Generate an Embed Token in Power BI
Embedding your Power BI reports and dashboards into other applications is a powerful way to share insights, but doing it securely requires something called an embed token. This token acts as a temporary, specific key that tells Power BI who is trying to access the content and what they're allowed to see. This guide will walk you through exactly how to generate these tokens for different scenarios, from quick development tests to full-scale production applications.
What is a Power BI Embed Token and Why Do You Need One?
Think of an embed token as a secure, short-term pass to view a specific Power BI report or dashboard. Instead of giving an application your master username and password, you generate a unique token that grants temporary, limited access. This is fundamental for security and control.
An embed token defines three key things:
- Which content the user can access (e.g., this specific report and its underlying dataset).
- What permissions the user has (e.g., view-only or can they edit the report).
- How long the access is valid for (tokens have a built-in expiration).
This process is central to the two main ways of embedding Power BI content:
- Embed for your organization (User-owns-data): This is for internal applications. Employees log in with their own Power BI credentials. The embed token is generated based on their permissions.
- Embed for your customers (App-owns-data): This is for external-facing applications, like a SaaS platform showing analytics to customers who do not have Power BI accounts. The application authenticates to Power BI using its own identity (a Service Principal), not the end-user's.
In both cases, a token is the key that unlocks the door. For this guide, we'll focus heavily on the "Embed for your customers" model, as it's the more common and robust scenario for production apps.
Prerequisites: Getting Your Ducks in a Row
Before you can generate a token, you need a few things set up in the Power BI and Azure ecosystems. This might seem like a lot, but you only have to do it once.
- A Power BI Pro license: Your development account needs at least a Pro license to publish and manage content.
- Power BI Premium or Embedded Capacity: For the "embed for customers" model, the workspace containing your content needs to be on a Premium (P-SKU) or Embedded (A-SKU) capacity. This is required for embedding content for non-Power BI users.
- An Azure AD (Entra ID) Tenant: If you use Office 365 or Azure, you already have one.
- Content in a Workspace: You need a published Power BI report or dashboard ready to be embedded.
- A registered Application in Azure AD: This will serve as the identity of your application.
Method 1: Generating a Token for Quick Testing
Sometimes you just need to get a token quickly to test an embed setting or see how the rendering will look, especially when developing for internal use ("embed for your organization"). The easiest way to do this is with the Power BI REST API's interactive "Try It" tool.
Warning: This method uses your own user credentials to generate the token and is not suitable for production.
Step-by-Step Guide Using Power BI REST API Docs:
- Find Your IDs: You'll need the Workspace ID (also known as Group ID), Report ID, and Dataset ID of the content you want to embed. You can find these IDs directly in the URL when you have a report open in Power BI Service.
The URL will look something like this:
app.powerbi.com/groups/<strong>[WorkspaceID]</strong>/reports/<strong>[ReportID]</strong>/... - Go to the API Documentation: Navigate to the Microsoft Power BI REST API reference for generating an embed token.
- Sign In and Try It: Click the green "Try it" button. You will be prompted to sign in with your Power BI Pro account.
- Configure the Request Body: You'll see a JSON request body. To generate a basic view-only token for a report, it should look like this. A POST request needs to be made on
https://api.powerbi.com/v1.0/myorg/generateToken:
{
"datasets": [
{
"id": "YOUR_DATASET_ID_HERE"
}
],
"reports": [
{
"id": "YOUR_REPORT_ID_HERE"
}
]
}Replace the placeholder IDs with the actual IDs you found in step 1. Also, you need to specify your Workspace ID where it asks for the groupId.
- Run the Request: Click the "Run" button at the bottom. If successful, you'll get a response code of 200, and the response body will contain your embed token.
The JSON response will include the token, the tokenId, and an expiration timestamp. This token value is what you would pass into your client-side code to embed the report.
Method 2: Generating a Token for Production ("Embed for your customers")
In a real-world application, your app's backend server will be responsible for generating tokens. The recommended and most secure way to do this is with a Service Principal — a non-human identity for your application.
Step 1: Set Up Your Service Principal in Azure AD
First, your application needs an identity it can use to authenticate with Microsoft's APIs.
- Go to the Azure Portal and find "Azure Active Directory" (now Microsoft Entra ID).
- Navigate to "App registrations" and click "New registration".
- Give your application a name (e.g., "My SaaS Analytics App") and click Register. Leave other options as defaults.
- After creation, on the app's overview page, copy the Application (client) ID and the Directory (tenant) ID. You'll need these later.
- Go to the "Certificates & secrets" tab. Click "New client secret", give it a description, select an expiration, and click Add.
- Immediately copy the value of the client secret and store it securely (e.g., in Azure Key Vault). It will disappear once you navigate away.
Step 2: Grant Power BI Permissions
- Turn on API access in Power BI:
- Grant Workspace Access:
Step 3: Write Code to Generate the Token
With setup complete, you can write server-side code to authenticate and request an embed token. Here's an example in Python:
import requests
import json
import msal
# Your Service Principal info
TENANT_ID = 'YOUR_TENANT_ID'
CLIENT_ID = 'YOUR_CLIENT_ID'
CLIENT_SECRET = 'YOUR_CLIENT_SECRET'
# Your Power BI content info
WORKSPACE_ID = 'YOUR_WORKSPACE_ID'
REPORT_ID = 'YOUR_REPORT_ID'
DATASET_ID = 'YOUR_DATASET_ID' # Often the same as the Report ID
# 1. Authenticate against Azure AD to get an AAD Token
authority = f'https://login.microsoftonline.com/{TENANT_ID}'
scope = ['https://analysis.windows.net/powerbi/api/.default']
app = msal.ConfidentialClientApplication(CLIENT_ID, authority=authority, client_credential=CLIENT_SECRET)
result = app.acquire_token_for_client(scopes=scope)
if 'access_token' not in result:
print("Failed to get AAD token")
print(result.get('error_description'))
exit()
aad_token = result['access_token']
print("Successfully acquired AAD Token")
# 2. Call the Power BI API to get an Embed Token
embed_token_url = 'https://api.powerbi.com/v1.0/myorg/GenerateToken'
headers = {
'Content-Type': 'application/json',
'Authorization': f'Bearer {aad_token}'
}
body = {
"datasets": [{"id": DATASET_ID}],
"reports": [{"id": REPORT_ID, "allowEdit": False}]
# Add "targetWorkspaces": [{"id": WORKSPACE_ID}] if needed
}
response = requests.post(embed_token_url, headers=headers, data=json.dumps(body))
if response.status_code == 200:
embed_info = response.json()
print("Successfully generated Embed Token:")
print(embed_info['token'])
else:
print(f"Error generating embed token: {response.text}")This script authenticates with Azure AD, then calls the Power BI API to generate an embed token suitable for embedding in your application.
Taking it Further with Row-Level Security (RLS)
One of the most powerful features enabled by token generation is Row-Level Security (RLS). This allows you to use the same report for all your customers but dynamically filter data so they only see what belongs to them.
To implement RLS, you add an identities block to your token request. This tells Power BI which RLS rule to apply for this user.
Your request body would then look like this:
{
"datasets": [{"id": "YOUR_DATASET_ID_HERE"}],
"reports": [{"id": "YOUR_REPORT_ID_HERE"}],
"identities": [
{
"username": "customer_123",
"roles": ["Customer"],
"datasets": ["YOUR_DATASET_ID_HERE"]
}
]
}In this example, your Power BI DAX model would have a role named "Customer" with a rule filtering data based on the username, ensuring 'customer_123' only sees their own data.
Final Thoughts
Generating a Power BI embed token is a multi-step process, but it's central to bringing your data analytics into custom applications securely and effectively. By choosing the right method—a quick API call for testing or a robust Service Principal flow for production—you can control exactly how users interact with your valuable data insights while maintaining strict security standards.
Setting up reporting logic in tools like Power BI can be incredibly powerful but often requires a steep learning curve and significant technical setup. At Graphed, we simplify this process by connecting directly to your data sources like Google Analytics, Shopify, and Salesforce. Instead of writing code to generate tokens and manage capacities, you can ask questions in plain English to build real-time, shareable dashboards in seconds. This allows everyone on your team, regardless of technical skill, to get the answers they need without the reporting bottlenecks.
Related Articles
What SEO Tools Work with Google Analytics?
Discover which SEO tools integrate seamlessly with Google Analytics to provide a comprehensive view of your site's performance. Optimize your SEO strategy now!
Looker Studio vs Metabase: Which BI Tool Actually Fits Your Team?
Looker Studio and Metabase both help you turn raw data into dashboards, but they take completely different approaches. This guide breaks down where each tool fits, what they are good at, and which one matches your actual workflow.
How to Create a Photo Album in Meta Business Suite
How to create a photo album in Meta Business Suite — step-by-step guide to organizing Facebook and Instagram photos into albums for your business page.