I have posted recently about issues with generating embed tokens for Power BI Embedded reports (see Power BI Embed Token Generation – User Not Authorized).
My customer has Power BI Embedded A1 capacity. We have set up Service Principal access as per the “App Owns Data” model, and the aim is to publish a report to an external e-commerce website that allows users to view a report without the need to sign in (as the user will already have been authenticated in the website).
The report is hosted in a workspace on the Embedded capacity and the Service Principal is in a group that has admin access to the workspace. We have also enabled the relevant API access settings in the Power BI tenant.
The underlying dataset for the report was hosted in a Power BI Pro workspace, and so we had to give the Service Principal Contributor access to that workspace too. This enabled us to successfully get an embed token via the GenerateToken endpoint:
POST https://api.powerbi.com/v1.0/myorg/groups/{workspaceId}/reports/{reportId}/GenerateToken
And passing in the body of the request:
Where username is a unique ID that identifies the client associated with the logged-in user – this ID is used in the row-level security DAX formula to filter the client table so that the user sees only their own company data.
So far so good. The only problem was that the rendered report had a grey banner on it, saying “this is a free trial version, to remove this label, a capacity must be purchased.”
The “Learn more” link takes you to this page: https://learn.microsoft.com/en-us/power-bi/developer/embedded/move-to-production
After reading that article, I realised that we needed to move the workspace containing the underlying dataset to the Embedded capacity. That has been done, and the report has been updated and republished.
However, now we cannot get an embed token. Our requests are failing with an HTTP 403 error:
Nothing has changed except the location of the dataset. I have followed the troubleshooting steps outlined here: https://learn.microsoft.com/en-gb/power-bi/developer/embedded/embedded-troubleshoot but without success.
What is missing here?
The Service Principal is NOT the capacity administrator (does it need to be?) and does not have a Power BI license assigned to it (should it have one?).
The Service Principal is currently in the Admin role on both workspaces.
If you want to embed with the “App Owns Data” scenario, you should generate the token with a different body.
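```javascript
// Requests an embed token for one report. All identifiers are supplied by the caller;
// authenticationToken is the bearer token used to call the Power BI REST API.
async function generateEmbedToken ({ authenticationToken, workspaceId, reportId, datasetId, email, rowLevelRole }) {
  const myHeaders = new Headers()
  myHeaders.append('Content-Type', 'application/json')
  myHeaders.append('Authorization', `Bearer ${authenticationToken}`)

  // Body used when no row-level security identity is passed
  let body = JSON.stringify({
    resource: 'https://analysis.windows.net/powerbi/api'
  })

  // With row-level security, add the identity the role filter is evaluated for
  if (rowLevelRole) {
    body = JSON.stringify({
      resource: 'https://analysis.windows.net/powerbi/api',
      identities: [
        {
          username: email,
          roles: [rowLevelRole],
          datasets: [datasetId]
        }
      ]
    })
  }

  const requestOptions = {
    method: 'POST',
    headers: myHeaders,
    body: body
  }

  const fetchResponse = await fetch(
    `https://api.powerbi.com/v1.0/myorg/groups/${workspaceId}/reports/${reportId}/GenerateToken`,
    requestOptions
  )
  return fetchResponse
}
```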
Notice that if you just need to generate the token, you only need
resource: 'https://analysis.windows.net/powerbi/api'
in the body.
The service principal can be a member in the workspace where you have the semantic model and reports. It doesn’t need to be admin.
The service principal doesn’t need any role in the capacity either, unless you want to programmatically manage the capacity too, i.e. stop or resume the capacity.
Hope this helps
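The question passes a username that identifies the logged-in user's client and drives the row-level security filter, so that value decides whose data the embed token exposes. As an added example (not code from either poster), this is one way to build the GenerateToken request on the server so the identity is taken only from the authenticated session and the IDs placed in the URL are checked first. The session shape, the cfg field names and the sample values are assumptions made for illustration; the body uses the accessLevel and identities fields of the GenerateToken request.

```javascript
// Added example: builds the GenerateToken request server-side.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i

// session: server-side session of the already authenticated website user
//          (hypothetical shape: { clientId: string }).
// cfg:     server configuration (hypothetical field names). Nothing is read
//          from query strings or request bodies sent by the browser.
function buildEmbedTokenRequest (session, cfg) {
  // The IDs are interpolated into the URL path, so accept GUIDs only.
  for (const key of ['workspaceId', 'reportId', 'datasetId']) {
    if (!GUID.test(cfg[key] || '')) throw new Error(`${key} is not a GUID`)
  }
  // Fail closed: no identity on the session means no token request at all.
  if (!session || typeof session.clientId !== 'string' || session.clientId.trim() === '') {
    throw new Error('no client ID on the authenticated session')
  }
  if (!cfg.rlsRole) throw new Error('row-level security role is not configured')

  return {
    url: `https://api.powerbi.com/v1.0/myorg/groups/${cfg.workspaceId}/reports/${cfg.reportId}/GenerateToken`,
    options: {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        Authorization: `Bearer ${cfg.accessToken}`
      },
      body: JSON.stringify({
        accessLevel: 'View', // read-only embed token
        identities: [{
          username: session.clientId, // value the RLS DAX filter compares against
          roles: [cfg.rlsRole],
          datasets: [cfg.datasetId]
        }]
      })
    }
  }
}

// Constructed sample values, not real identifiers or tokens.
const sampleCfg = {
  workspaceId: '11111111-1111-1111-1111-111111111111',
  reportId: '22222222-2222-2222-2222-222222222222',
  datasetId: '33333333-3333-3333-3333-333333333333',
  rlsRole: 'ClientFilter',
  accessToken: 'PLACEHOLDER_ACCESS_TOKEN'
}
const sampleRequest = buildEmbedTokenRequest({ clientId: 'CLIENT-0042' }, sampleCfg)
```

The returned url and options can be passed straight to fetch; the embed token in the response is then handed to the browser, while the access token stays on the server.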