How to Get Embed Token for Power BI Report
Sharing your Power BI reports securely can feel like a complex puzzle, but it all comes down to one key piece: the embed token. This article guides you through exactly how to generate a Power BI embed token, step-by-step, taking the mystery out of the process for good.
What is a Power BI Embed Token?
Think of a Power BI embed token as a temporary, single-use key that unlocks a specific report for a specific user. It's a short-lived authorization code that tells Power BI: "Hey, this user has permission to view this report for the next hour."
This is crucial for securely embedding reports into your own websites, customer portals, or applications. Instead of sharing your Power BI credentials or using the insecure "Publish to web" option, the embed token gives you precise control over who sees your data and for how long.
The primary use case for embed tokens is a scenario Microsoft calls "App owns data" (or "embedding for your customers"). This is perfect for SaaS companies, portals, and businesses who want to provide analytics to external users who don't have Power BI licenses. Your application authenticates against Power BI using a master identity (called a service principal), and then generates unique tokens for each end-user session.
Prerequisites: What You’ll Need First
Before you can start generating tokens, you need a few things in place. Make sure you have the following ready to go:
- A Power BI Pro or Premium Per User (PPU) license: You need this to publish content and set up workspaces.
- A Power BI tenant with content: You’ll need a report published to a Power BI workspace that you want to embed. Importantly, this cannot be your personal "My Workspace."
- An Azure account with permissions: You must have privileges within Microsoft Azure to register an application. If you aren't an admin, you may need to ask your IT team for help with this step.
- A dedicated Power BI Workspace: It's best practice to create a separate workspace for your embedded content to keep things organized and secure.
Free PDF · the crash course
AI Agents for Marketing Crash Course
Learn how to deploy AI marketing agents across your go-to-market — the best tools, prompts, and workflows to turn your data into autonomous execution without writing code.
Step-by-Step: How to Generate an Embed Token
Generating an embed token is a multi-step process that involves setting up identities in both Azure and Power BI. Follow these steps carefully, and you'll have a repeatable process for embedding your reports.
Step 1: Register an Application in Microsoft Azure
First, you need to create an identity for your application in Azure Active Directory (Azure AD). This app registration will act as the "master user" that authenticates with Power BI to generate tokens on behalf of your users.
- Navigate to the Azure portal and sign in.
- In the search bar, type "App registrations" and select it from the services list.
- Click on "+ New registration."
- Give your application a clear name, like "Sales Dashboard Embed App."
- For "Supported account types," choose "Accounts in this organizational directory only." This is the most common and secure option for internal or customer-facing applications.
- Leave the "Redirect URI" section blank for now. Click "Register."
Once created, you will be taken to your app's main page. Find the Application (client) ID and Directory (tenant) ID. Copy them both down and save them in a secure place - you'll need them later.
Step 2: Create a Client Secret
The client secret is essentially the password for your new Azure application. Your application will use its Client ID and this Secret to prove its identity.
- From your app registration's page in Azure, click on "Certificates & secrets" in the left-hand menu.
- Click "+ New client secret."
- Give it a short description (e.g., "PowerBIEmbedSecret") and choose an expiration period.
- Click "Add."
This is the most important part of this step: Immediately after you click add, the secret value will be displayed. Copy this value and store it securely with your Client ID and Tenant ID. Once you navigate away from this page, you will never be able to see it again. If you lose it, you’ll have to create a new one.
Step 3: Enable Power BI Service Access
To use this new "app" identity (called a Service Principal), you first have to tell your Power BI tenant to trust it. You'll do this in the Power BI Admin portal by creating a security group and adding your new app to it.
Create a Security Group in Azure AD
- In the Azure portal, search for and navigate to "Azure Active Directory."
- Select "Groups" from the left menu, then click "+ New group."
- Set the "Group type" to "Security."
- Give the group a name, like "Power BI Embedded App Principals."
- Click "Create."
- Once created, find your new group, open it, and click on "Members," then "+ Add members."
- Search for the name of the Azure app you created in Step 1 and add it to the group.
Enable Service Principal Access in Power BI
- Log into your Power BI home at app.powerbi.com.
- Click the settings gear icon (⚙️) in the top-right corner and go to "Admin portal."
- Select "Tenant settings" and scroll down to the "Developer settings" section.
- Find the setting "Allow service principals to use Power BI APIs" and enable it.
- Choose "Specific security groups" and search for the security group you just created.
- Click "Apply." It may take up to 15 minutes for this change to take effect.
Step 4: Grant Your App Access to a Power BI Workspace
Now, you need to give your new app permission to see the content inside the Power BI workspace you want to embed reports from.
- Go to the workspace containing the report you want to embed.
- Click the "Access" button at the top right of the workspace view.
- In the side panel, type in the name of your Azure app from Step 1.
- Assign it a role of at least Member so it can view content. You can grant Contributor or Admin roles if the app also needs to publish or manage content.
- Click "Add."
Step 5: Putting It All Together for the Token
You've now done all the setup. The final step is to use the credentials you gathered to make an API request that generates the token. This is typically done programmatically in your application's backend code, but let's break down the logic of how it works.
The process is a two-step "dance":
- Authenticate with Azure AD: Your app sends its Client ID, Tenant ID, and Client Secret to Microsoft's authentication endpoint. In return, it gets back a temporary Azure AD access token. This proves to Microsoft "this is a legitimate app."
- Request a Power BI Embed Token: Your app then makes a call to the Power BI REST API. It includes the Azure AD access token in the header as authorization, and in the request body, it specifies which report it wants access to. Power BI verifies the Azure token and that the app has access to the requested report, then returns a new, short-lived Power BI embed token.
Finally, your backend passes this Power BI embed token to the frontend of your application. The front-end client (using the Power BI JavaScript SDK) uses this token to render the report securely for that user session.
To call the Power BI API, you'll need two more pieces of information: the Workspace ID (also called Group ID) and the Report ID. You can get these directly from the URL when you have a report open in the Power BI service:
https://app.powerbi.com/groups/WORKSPACE_ID_HERE/reports/REPORT_ID_HERE/
With those IDs, the API call to generate the token looks something like this:
POST https://api.powerbi.com/v1.0/myorg/groups/{workspaceId}/reports/{reportId}/GenerateToken
Authorization: Bearer [Your_Azure_AD_Access_Token]
{ "accessLevel": "View" }
While this requires code to implement, following the foundational setup steps above is the hardest part. You've essentially created the 'keys' and configured the 'locks', now any developer can use those keys to get the embed tokens they need.
Free PDF · the crash course
AI Agents for Marketing Crash Course
Learn how to deploy AI marketing agents across your go-to-market — the best tools, prompts, and workflows to turn your data into autonomous execution without writing code.
Final Thoughts
While there are several administrative hoops to jump through, setting up an Azure application and corresponding permissions is the standard, secure way to embed Power BI reports within your own applications. This process ensures your master credentials are never exposed and gives you granular control over data access, providing a professional and safe analytics experience for your users.
Handling API authentication and secure token management for various platforms can get complicated, fast. We believe getting insights from your data shouldn't involve fighting with API docs or complex admin settings. At Graphed, we automate all of that complex connectivity in the background. You just connect your data sources - like Google Analytics, Salesforce, or Shopify - and our AI data analyst handles the secure authentication and live data streaming, so you can just ask questions in plain English to build and share dashboards in seconds, not hours.
Related Articles
Facebook Ads for Clinics: The Complete 2026 Strategy Guide
Learn how to use Facebook Ads for Clinics to grow your patient base in 2026. Complete guide covers targeting, campaign types, and compliance requirements.
Facebook Ads for Salons: The Complete 2026 Strategy Guide
Learn how to run profitable Facebook ads for hair salons and beauty spas in 2026. This comprehensive guide covers targeting, ad creation, budgeting, and proven strategies to attract more clients.
Facebook Ads For Beauty Salons: The Complete 2026 Strategy Guide
Learn the proven Facebook ad strategies that successful beauty salons are using to attract new clients, increase repeat bookings, and grow their revenue in 2026.