0

I already have found other similar issues on Stack Overflow, but still have issue to retrieving the embed token in Node.js, with the message:

2025-03-07T08:31:35.098660921Z Error: Failed to get embed token: 401 Unauthorized -
2025-03-07T08:31:35.098716024Z     at /app/src/services/PowerBIService.ts:135:13
2025-03-07T08:31:35.098722924Z     at Generator.next (<anonymous>)
2025-03-07T08:31:35.098728225Z     at fulfilled (/app/src/services/PowerBIService.ts:5:58)
2025-03-07T08:31:35.098733225Z     at processTicksAndRejections (node:internal/process/task_queues:95:5)

I already:

  • Created a Workspace in PowerBI
  • Assigned to the Workspace all the necessary API Authorizations
  • Created a new App in Azure
  • Given the PowerBI Authorization on the Azure App
  • Created a Security Group with the App (service principal)
  • Assigned as Admin role that Security Group to the PowerBI's Workspace
  • Enabled all the necessary stuffs on Admin Portal of PowerBI, Tenant Settings

The method I Created is this, I use ClientSecretCredentials with the Tenant ID, Client ID and Client Secret of the app:

async function getPowerBIEmbedResponse(
  reportId: string,
  datasetId: string,
  groupId: string
): Promise<any> {
  Logger.info("Inside getPowerBIEmbedResponse");

  try {
    const credential = new ClientSecretCredential(
      "bbbb", // Tenant ID
      "aaaa", // App Registration client ID
      "abcd" // Client secret
    );

    const tokenResponse = await credential.getToken(
      "https://analysis.windows.net/powerbi/api/.default"
    );

    // const tokenResponse = await credential.getToken(
    //   "https://graph.microsoft.com/.default"
    // );

    if (!tokenResponse || !tokenResponse.token) {
      throw new Error("Failed to retrieve Azure access token.");
    }

    Logger.info("Token obtained successfully");
    const accessToken = tokenResponse.token;

    const url = `https://api.powerbi.com/v1.0/myorg/groups/${groupId}/reports/${reportId}/GenerateToken`;
    // https://api.powerbi.com/v1.0/myorg/GenerateToken

    const response = await fetch(url, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${accessToken}`,
      },
      body: JSON.stringify({
        accessLevel: "View",
        datasetId: datasetId,
      }),
    });

    if (!response.ok) {
      const errorText = await response.text();
      Logger.error(`Error response body: ${errorText}`);
      throw new Error(
        `Failed to get embed token: ${response.status} ${response.statusText} - ${errorText}`
      );
    }

    const data = await response.json();
    return data;
  } catch (error) {
    Logger.error(`Exception in getPowerBIEmbedResponse: ${error.message}`);
    throw error;
  }

Of course I send the reportID, datasetID and groupID of the report I want to obtain the embedToken. Why I still have the issue? I tried to get the Bearer token with both the url you can see in the code (one is commented), but still. I suppose there is another way to obtain the Bearer token used to retrieve the Embed Token

Improve this question
11
  • Check this stackoverflow.com/questions/79394771/…
    – Rukmini
    Commented Mar 7 at 11:20
  • As I said, I already checked other Stack Overflow's responses and I already did all of those steps, including enable the stuffs in Admin Portal. I think the issue is how to I retrieve Bearer token
    – Giacomo Brunetta
    Commented Mar 7 at 11:23
  • Did you add the service principal under Power BI workspace as Admin or Contributor?
    – Rukmini
    Commented Mar 7 at 13:58
  • Yes I did! Actually I can't add the service principal itself, but I added it in a securty group and I added it as admin. I was trying also to get this call on postman to retrieve the bearer token: login.microsoftonline.com/[tenant id]/oauth2/token and this that use the bearer token to get the embed token: api.powerbi.com/v1.0/myorg/groups/[group id]/reports/[report id]/GenerateToken But still the same issue. Now I noticed that I miss "Tenant" api permission, so I added, but the issue still
    – Giacomo Brunetta
    Commented Mar 7 at 15:04
  • Are you okay to generate token with use interactive flow?
    – Rukmini
    Commented Mar 7 at 15:28

2 Answers 2

Reset to default
2

I tried to call GenerateToken API for the existing/old workspace and got the same error:

POST https://api.powerbi.com/v1.0/myorg/groups/GroupID/reports/ReportID/GenerateToken

{
  "accessLevel": "View",
  "allowSaveAs": "true"
}

enter image description here

To resolve the error, you need to create a new workspace, as some APIs for service principal authentication only work with new Power BI workspaces.

Create a Microsoft Entra ID application and grant application type Tenant.ReadWrite.All type API permission:

enter image description here

Make sure to add the Service Principal as Admin to the newly created workspace:

enter image description here

Also make sure to enable the option Service principals can use Fabric APIs to the entire organization or specific security groups based on your requirement:

enter image description here

For sample, I generate access token by using below parameters:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id: ClientID
client_secret: Secret
scope: https://analysis.windows.net/powerbi/api/.default
grant_type: client_credentials

enter image description here

I am able to call the API successfully for the new created workspace:

POST https://api.powerbi.com/v1.0/myorg/groups/GroupID/reports/ReportID/GenerateToken

{
  "accessLevel": "View",
  "allowSaveAs": "true"
}

enter image description here

Hence alternatively create new workspace and check.

Improve this answer
5
  • Hi. As I said, I already did those steps and actually the error was different. However I checked that the issue was because I was using another client id and secret, now the error is: { "error": { "code": "InvalidRequest", "message": "Creating embed token with effective identity requires dataset to be provided" } }
    – Giacomo Brunetta
    Commented Mar 10 at 9:20
  • Did you try the same in Postman?
    – Rukmini
    Commented Mar 10 at 9:21
  • yes, I already texted in the question that I did all of this..by the way, thank you, I've found the solution by myself and I will post it :) I appreciated your help
    – Giacomo Brunetta
    Commented Mar 10 at 9:23
  • 1
    Glad to know you resolved the issue, you can post the answer and accept it as it will help the commnuity:)
    – Rukmini
    Commented Mar 10 at 9:24
  • 1
    Done, I posted the answer to the issue :)
    – Giacomo Brunetta
    Commented Mar 10 at 9:32
0

Fixed and tested using Postman. Executing this POST API:

https://api.powerbi.com/v1.0/myorg/groups/[groupID]/reports/[reportID]/GenerateToken

with body:

{
  "accessLevel": "View",
  "identities": [
    {
      "username": "username",
      "roles": []
    }
  ],
  "datasets": [
    {
      "id": "[datasetID]"
    }
  ]
}

I had 2 issues:

  • The first issue was related to the client_id and secret I was using to create the Bearer token needed for it, I used the one of the wrong Service Principal

  • Then, I had this issue:

{
    "error": {
        "code": "InvalidRequest",
        "message": "Creating embed token with effective identity requires dataset to be provided"
    }
}

and this was related to the body I sent. Effective Identity was not supported for the dataset chosen, it is used only for Row Level Security (RLS), meaning that I had to remove it and keep this body:

{
  "accessLevel": "View",
  "datasets": [
    {
      "id": "[datasetID]"
    }
  ]
}
Improve this answer

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.