Access Tokens

In order to access any Power BI content from an external application (sometimes referred to as embedding), an access token must be requested from Azure. The details for requesting a token depend on the security configuration for the Azure tenant as well as the way in which users are to be accessing content in Power BI.

For details, visit the following link.

Application

In order to make calls to Power BI from outside Power BI, an application must be registered with Azure. Permissions and scopes can be defined for the external application as well as the API client id and client secrets needed to access Power BI.

For details, visit the following link.

Endpoint

To create an access token, a post request is sent to the following end point requesting access to a resource where tenantId is the id of the Azure tenant.

https://login.microsoftonline.com/{tenantId}/oauth2/token

One or more of the following data is posted in the request based on application requirements.

Resource

This value is always https://analysis.windows.net/powerbi/api

Grant type

When using Power BI in external applications, the user accessing content is either a customer or a member of your organization. To put this in other Power BI terms, either the app owns the data or the user owns the data.

For more on these two different options, visit the following link.

When Power BI is accessed by customers, a service principal is given access to content. That "user" is then authenticated and given an access token using the client_credentials grant type.

When using Power BI with internal employees, users can use their own credentials to request an access token. Here, the password grant type is used.

Sample

All the material discussed in this section has been implemented in the sample application that comes with the WireBootstrap for Power BI. This sample is a good example of how to generate tokens in order to use Power BI in external applications.

Request a Token

In the project, the TokensController class at \Controllers\TokensController.cs contains a method called GetAccessToken that can be called by clients to retrieve a token from Power BI.

The following in an excerpt from the call to this method from \index.js in the sample.

const accessToken = await fetch("/tokens/GetAccessToken");
const response = await accessToken.json();
const token = response.access_token;

Create a Token

On the server, GetAccessToken reads the values for the token request from appsettings.json, makes the call to Power BI, and returns the token to the client.

Below is an excerpt from appsettings.json with the variables needed for the call to generate a token. Replace the brackets [] with the actual values needed to connect to your Azure AD application.

{
  "AppTenantId": "[Your Azure Tenant ID]",
  "AuthTokenUrl": "https://login.microsoftonline.com/{AppTenantId}/oauth2/token",
  "Resource": "https://analysis.windows.net/powerbi/api",
  "ClientId": "[Client ID the Azure AD app]",
  "ClientSecret": "[Client Secret for the Azure AD app]",
  "User": "[Optional - User name if using 'password' grant type]",
  "Password": "[Optional - Password if using 'password' grant type]"
}

PreviousInstallation NextData Connector

Last updated 2 years ago