When the Power BI web app is configured for the app owns data scenario, this code module generates the embedded tokens used by the web app to authenticate with the Power BI Service when embedding reports.
To allow the code module to generate embedded tokens for the Power BI Service it must be configured to authenticate against Azure AD and the Power BI Service must be configured to allow service principals.
To be able to authenticate agains Azure AD the code module must be registered as an application in Azure AD. Details for for how to do this can be found here.
When the application is created in Azure AD it must be configured as follows:
Once the application is registered and configured in Azure AD you need to copy the Application (client) ID and Directory (tenant) ID from the Overview pane as they are needed, along with the secret, to configure the code module.
At the top of the Power BI code module, the variables
TenantId must be set.
ClientId must be set to the Application (client) ID,
ClientSecret to the secret generated, and
to the Directory (tenant) ID.
To be able to grant the service principal for the application registered in Azure AD for the code module access to the Power BI Service it must be a member of an Azure AD security group. Either create a new group and add the service principal to it or add it to an existing one.
Then allow service principals to use Power BI APIs in the Power BI Admin portal and add the security group. Details in step 3 here.
The service principal must then be added as Admin to the workspace that contains the reports it should be able to generate embedded tokens for (See step 5 in the link above).