How to Get Access Token for Power BI Report

Cody Schneider · 9 min read

Getting a Power BI report to show up inside your own application can feel like a puzzle, and a common piece people get stuck on is the "access token." This special key is what proves to Power BI that your app has permission to display its data. In this guide, we'll explain exactly what an access token is, cover the main ways to get one, and provide step-by-step instructions so you can get your reports embedded successfully.

So, What is a Power BI Access Token, Anyway?

Think of a Power BI access token as a secure, temporary key. It’s a long string of text that your application presents to Power BI's servers to prove it's been authenticated and is authorized to access specific resources, like reports, dashboards, or datasets.

It’s not a permanent password. Instead, it’s a credential issued by Azure Active Directory (Azure AD) that's only valid for a short period (typically one hour). This short lifespan is a security feature, preventing a compromised token from being used forever.

You need an access token for a few key reasons:

  • Embedding Analytics: When you embed a Power BI report in your app, the token is your ticket to load and display it securely.
  • Programmatic Access: If you're using Power BI REST APIs to automate tasks like refreshing a dataset or managing workspaces, the token authenticates every API call.
  • Security and Control: Tokens are tied to specific permissions (called "scopes"). This means a token might allow an app to read a report but not write new data, giving you granular control over what your application can do.

Choosing Your Path: User vs. Application Authentication

Before you get a token, you need to decide which authentication method to use. This choice determines who is authenticating with Power BI - a specific user or your application itself. There are two main patterns:

1. For Users: The "Master User" Method (Delegated Permissions)

This approach involves using a single Power BI Pro or Premium Per User (PPU) license account, often called a "master user," to authenticate on behalf of your application. When your app needs to display a report, it uses the credentials of this master user account to get an access token and interact with Power BI.

  • Best for: Internal applications, development environments, and scenarios where you want all application users to see the same data through one Power BI user's permissions.
  • Pros: Simpler to conceptualize and set up initially.
  • Cons: Relies on a single user's credentials (what if they leave the company?), requires a paid license for that account, and can pose a security risk if the credentials are not managed carefully.

2. For Applications: The "Service Principal" Method (Application Permissions)

This is the modern, recommended approach for production applications, especially for SaaS products where you’re embedding reports for your own customers. Instead of a user account, you register your application in Azure AD, creating an identity for the app itself, known as a service principal. This service principal is then granted its own permissions within Power BI.

  • Best for: Production applications, multi-tenant solutions, and automating backend processes.
  • Pros: More secure as it doesn’t rely on a user's password. It's an independent identity, making management much cleaner. It doesn’t consume a Power BI license.
  • Cons: It involves a few more setup steps, including configuring permissions in both Azure AD and the Power BI admin portal.

Step-by-Step: Getting a Token with a Master User

If you're just starting or building an internal tool, the master user method can be a quick way to get going. This method relies on an interactive login, so it's perfect for testing or manually running scripts.

The easiest path here involves using a PowerShell module that handles the complex flows behind the scenes.

Step 1: Install the Power BI Module

First, open PowerShell on your machine and run the following command to install the module that provides the cmdlets used in the next steps:

    Install-Module -Name MicrosoftPowerBIMgmt

Step 2: Log In to Power BI

Next, run this command. It will open a browser window and prompt you to log in with your master user account credentials.

    Login-PowerBI

This interactive login is what generates the token securely without you needing to handle passwords in your script.

Step 3: Retrieve Your Access Token

Once you are successfully logged in, getting the access token is as simple as running one more command:

    Get-PowerBIAccessToken

PowerShell will print out the full access token. You can copy this token and use it to make API calls or for embedding tests right away. Keep in mind, this token will expire in about an hour.

Step-by-Step: Getting a Token with a Service Principal

This is the professional-grade method for building robust applications. We will register an application in Azure AD and use its credentials to request a token non-interactively.

Prerequisite: Enable Service Principal Access in Power BI

Before you start, a Power BI admin needs to enable this feature. This is a critical step that’s easy to miss.

  1. Navigate to the Power BI Admin Portal (look for the gear icon, then "Admin portal").
  2. Go to Tenant settings and scroll down to Developer settings.
  3. Find the setting titled "Allow service principals to use Power BI APIs" and enable it. You can enable it for your entire organization or specific security groups.

Step 1: Register an Application in Azure

Your application needs an identity to authenticate with. This is done with an "app registration" in Azure AD.

  1. Log in to the Azure Portal (portal.azure.com).
  2. Search for and select Azure Active Directory.
  3. In the left menu, select App registrations, then click + New registration.
  4. Give your app a meaningful name (e.g., "My Reporting App"). For this method, you can leave the other settings as their default values. Click Register. Once created, you'll be on the app's overview page. Take note of the Application (client) ID and Directory (tenant) ID. You will need these soon.

Step 2: Create a Client Secret

A client secret is essentially the application’s password.

  1. In your new app registration, go to Certificates & secrets in the left menu.
  2. Click on the Client secrets tab and then + New client secret.
  3. Add a description (e.g., "App reporting token") and choose an expiration period.
  4. After clicking Add, a new secret will be created. The Value is the secret itself. Copy this value immediately and store it somewhere safe, like a password manager. It will be hidden forever after you navigate away from this page.

Step 3: Grant Workspace Access

Your service principal identity now exists, but it has no permission within Power BI yet. You must grant it access to the specific workspace containing the report you want to embed.

  1. Go to the Power BI workspace you need.
  2. Click on Access.
  3. Search for the name of your app registration (e.g., "My Reporting App").
  4. Grant it at least Viewer access (or Member/Admin if needed). Click Add.

Step 4: Request the Access Token via API

Now you have everything you need to request the token. Common tools for this are Postman, cURL, or any code that can make HTTP requests. You’ll be making a POST request to the following endpoint:

    https://login.microsoftonline.com/{your_tenant_id}/oauth2/v2.0/token

Make sure to replace {your_tenant_id} with the Directory (tenant) ID you copied earlier.

You need to send the following information in the request body, typically as x-www-form-urlencoded data:

  • grant_type: client_credentials (This tells Azure AD you're using application credentials, not a user's password).
  • client_id: Your Application (client) ID.
  • client_secret: The secret value you copied.
  • scope: https://analysis.windows.net/powerbi/api/.default (This specifically asks for permissions to the Power BI API).

If all details are correct, Azure AD will respond with a JSON object containing your access_token.

How to Use Your Hard-Earned Token

Once you have the token string, you’ll typically use it in one of two ways:

  1. In API Calls: When you make requests to the Power BI REST API, you’ll include it in the request header like this: Authorization: Bearer <your_very_long_access_token>
  2. In Power BI Embedding: When using the Power BI client-side SDKs (like powerbi-client for JavaScript), you pass the token in the configuration object. It will look something like this:

    let embedConfig = {
        type: 'report',
        id: reportId,
        embedUrl: embedUrl,
        accessToken: your_access_token_from_api,
        tokenType: models.TokenType.Aad,
        // ... other settings
    };

Common Pitfalls and Troubleshooting

  • Authorization Failed: This is a classic. Double-check that your service principal has been given access to the Power BI workspace. Also, ensure the admin has enabled service principal access in tenant settings.
  • Invalid Credentials: You’re likely using the wrong client ID, tenant ID, or client secret. Perform the "double-check dance" with the values from your Azure AD app registration. Remember to use the client secret's value, not its ID.
  • Token Expired: Access tokens typically last for one hour. Production applications shouldn't stop working after an hour. Your backend code needs to be smart enough to request a new token automatically before the current one expires or when it gets an "expired" error.
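
The token request from Step 4 combined with the renew-before-expiry behavior described under "Token Expired", as an added Python example that is not code from the original article. The names TokenCache, http_post_form and skew, and the placeholder tenant, client and secret values, are assumptions of this example; demo() uses a constructed fake endpoint and clock so it runs offline.

```python
import json
import time
import urllib.parse
import urllib.request

SCOPE = "https://analysis.windows.net/powerbi/api/.default"  # scope named in the article


def http_post_form(url, fields):
    """POST x-www-form-urlencoded fields; urlopen raises HTTPError on a 4xx/5xx reply."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode())
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Service-principal token cache that renews `skew` seconds before expiry."""

    def __init__(self, tenant_id, client_id, client_secret,
                 post=http_post_form, clock=time.monotonic, skew=300):
        self._url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
        self._fields = {"grant_type": "client_credentials", "client_id": client_id,
                        "client_secret": client_secret, "scope": SCOPE}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            reply = self._post(self._url, self._fields)
            if "access_token" not in reply:
                # Report the error code only; the request body holds the secret.
                raise RuntimeError(f"token request failed: {reply.get('error')}")
            self._token = reply["access_token"]
            self._expires_at = self._clock() + int(reply.get("expires_in", 3600))
        return self._token


def demo():
    """Offline run against a constructed (fake) token endpoint and clock."""
    now, calls = [0.0], []
    def fake_post(url, fields):
        calls.append((url, dict(fields)))
        return {"expires_in": 3600, "access_token": f"constructed-token-{len(calls)}"}

    cache = TokenCache("TENANT_ID", "CLIENT_ID", "SECRET", fake_post, lambda: now[0])
    tokens = []
    for t in (0.0, 3000.0, 3400.0):  # fresh / still valid / inside the 300 s window
        now[0] = t
        tokens.append(cache.get())
    return tokens, calls
```

In a real backend, construct TokenCache with the default transport and load the client secret from an environment variable or secret store rather than source code, and keep the class server-side so the secret never reaches the browser.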

Final Thoughts

Securing access to Power BI reports is a necessary step, and getting comfortable with Azure AD app registrations and an access token flow is essential for anyone developing applications with embedded analytics. By choosing between the master user and service principal methods, you can tailor your authentication process to fit the scale and security needs of your project.

While the Power BI embedding process is powerful, setting up all the authentication can feel overly complex when all you want is to securely share real-time reports from sources like Shopify, Google Analytics, or your CRM. We built Graphed because we wanted to create dashboards without the boilerplate of managing OAuth flows and Azure credentials. We connect directly to your marketing and sales platforms, handle all the data syncing and security, and let you create beautiful, shareable dashboards just by asking questions in plain English - no API token management required.
