Power BI code module

When the Power BI web app is configured for the app owns data scenario, this code module generates the embedded tokens used by the web app to authenticate with the Power BI Service when embedding reports.

To allow the code module to generate embedded tokens for the Power BI Service it must be configured to authenticate against Azure AD and the Power BI Service must be configured to allow service principals.

Register application in Azure AD

To be able to authenticate agains Azure AD the code module must be registered as an application in Azure AD. Details for for how to do this can be found here.

When the application is created in Azure AD it must be configured as follows:

  • API permissions pane: The application needs the Dataset.Read.All and Report.Read.All permissions for Power BI Service
  • Certificates & secrets pane: Create a new secret; give it a name and copy the value. Details for this can be found here

Once the application is registered and configured in Azure AD you need to copy the Application (client) ID and Directory (tenant) ID from the Overview pane as they are needed, along with the secret, to configure the code module.

Configure authentication in code module

At the top of the Power BI code module, the variables ClientId, ClientSecret and TenantId must be set. The ClientId must be set to the Application (client) ID, ClientSecret to the secret generated, and TenantId to the Directory (tenant) ID.

private static readonly string TenantId = "00000000-0000-0000-0000-000000000000"; private static readonly string ClientId = "00000000-0000-0000-0000-000000000000"; private static readonly string ClientSecret = "[insert client secret]";

Configure Power BI Service

To be able to grant the service principal for the application registered in Azure AD for the code module access to the Power BI Service it must be a member of an Azure AD security group. Either create a new group and add the service principal to it or add it to an existing one.

Then allow service principals to use Power BI APIs in the Power BI Admin portal and add the security group. Details in step 3 here.

The service principal must then be added as Admin to the workspace that contains the reports it should be able to generate embedded tokens for (See step 5 in the link above).