Embedding PowerBi Report On Java Web Application

Nosyke22 · ‎04-15-2025

I am trying to Embed a report on powerbi on my web application using Java. So anytime i request an access token from azure and send to powerbi it tells me 401 unauthorized. I decoded the token and in the roles i saw only the Tenant.Read.All permission which was an application permission that was available for me to chose was showing and the other permissions which were delegated did not show. I am trying to use my service principal to authenticate but application permissions showing for me dont have the other permissions such as Report.Read.All, Dataset.Read.All e.t.c that i require. Is that an issue from my azure or is that how it is if its how the permissions are how can i now use my service principal to authenticate. I also created a security group and added my app registration to the security group to some particular permissions required on the powerbi admin portal i dont know if that is the right step. The pictures i will attach are pictures of the things i have done and error i am recieving.

I will need someones help please ,

Nosike Franklim

v-bmanikante · ‎04-15-2025

Hi @Nosyke22 ,

Thank you for reaching out to Microsoft Fabric Community Forum.

@lbendlin Thank you for your quick response.

>>>>Embedding Power BI Report Using AAD Token – Step-by-Step Guide
This guide helps you embed a Power BI report using an AAD token (Azure Active Directory) in a web application using jquery.js and powerbi.js. It assumes that:

You already have a Native Azure AD application registered

Necessary Power BI API permissions have been granted

-->Step 1: Create and Configure Azure AD App
A. Register a Native App
Register a Native App in Azure AD as explained here:
>> Register an app with Azure --https://learn.microsoft.com/en-us/power-bi/developer/embedded/register-app

B. Get clientId
Go to Azure Active Directory → App registrations → Your App, and copy the Application (client) ID.
This is the clientId used for AAD token generation.

C. Set Required Permissions
Under API Permissions:

Ensure that Power BI Service is added

Enable these permissions:

View All Reports

View All Dashboards (Preview)

View Users Groups

Make sure the user generating the AAD token is a member of the Power BI workspace containing the report.

-->Step 2: AAD Token Generation (Server-Side)
Use a backend service (Java, Node.js, etc.) to generate the AAD token.
Sample (Java-based) logic:

AuthenticationResult authResult = authenticationContext.acquireToken(
resourceId, // e.g., "https://analysis.windows.net/powerbi/api"
clientId,
username,
password,
null
).get();
Return the following two values from your REST endpoint:

accessToken

expiresAtStr (used to check if token needs to be refreshed)

-->Step 3: HTML Setup (JSP)
Embed this in your JSP page:

<div id="reportContainer" class="reportContainer"></div>
-->Step 4: Fetch and Manage AAD Token (Client-Side)
Use AngularJS or jQuery to call the backend and manage the token lifecycle:

var aadToken = { accessToken: '', expiresAtStr: '' };

-->Step 5: Configure Power BI Embed and Load Report
Once the token is fetched, use it to embed the report:

var config = {
type: 'report',
tokenType: powerbi.models.TokenType.Aad, // 0 for AAD
accessToken: aadToken.accessToken,
embedUrl: txtEmbedUrl, // e.g., "https://app.powerbi.com/reportEmbed?reportId=..."
permissions: powerbi.models.Permissions.All, // or 7
viewMode: powerbi.models.ViewMode.View,
settings: {
filterPaneEnabled: false,
navContentPaneEnabled: false,
useCustomSaveAsDialog: false
}
};

var $reportContainer = $('#reportContainer');
var report = powerbi.embed($reportContainer.get(0), config);

If this post helps, then please consider Accepting as solution to help the other members find it more quickly, don't forget to give a "Kudos" – I’d truly appreciate it!

Regards,
B Manikanteswara Reddy

Nosyke22 · ‎04-16-2025

This is for embedding for customers where my entra application does the authentication what i am trying to know is if i use delegated permissions rather than application permissions is it correct cause my jwt token is only returning the application permission i gave the entra app rather than the delegated ones

v-bmanikante · ‎04-17-2025

Hello @Nosyke22 ,

You can try the following,

If you are trying to embed reports for internal users, you need to:

Use delegated permissions, Authenticate using a user context (i.e., Authorization Code Flow or ROPC — username/password)

If you are embedding for external users (customers) via Service Principal, then:

You need to request application permissions like Report.Read.All, Dataset.Read.All, etc.

These permissions must be granted by a Power BI Admin in the Power BI Admin portal.

Go to Admin Portal > Tenant Settings > Developer settings

Enable "Allow service principals to use Power BI APIs"

Add your SPN or security group under "Apply to specific security groups"

Then assign the service principal Viewer / Member role in the target workspace.

If our response addressed, please mark it as Accept as solution and click Yes if you found it helpful.

Regards,
B Manikanteswara Reddy

Nosyke22

So this is where the problem is for me on my azure only delegated permissions show

Report.Read.All, Dataset.Read.All, etc.

The only application permission showing under powerbi service is tenant.read.all and tenant.read.write.all

Why is that so?

v-bmanikante

Hi @Nosyke22 ,

The issue you're facing , where only Tenant.Read.All shows up under application permissions for Power BI, is actually a known limitation in some tenants.

Here’s what’s happening and how to resolve it:

The full set of application permissions (like Report.Read.All, Dataset.Read.All, etc.) sometimes don’t show up by default in Azure when adding the Power BI API. This depends on how Microsoft has enabled Power BI API access for your tenant.

To resolve this:

Make sure the Power BI Service Admin goes to the Power BI Admin Portal

Under Tenant Settings → Developer Settings, enable:

“Allow service principals to use Power BI APIs”

Add your app or security group under “Apply to specific security groups”

--> If you’ve already done that and the permissions still don’t show, you’ll likely need to open a support ticket with Microsoft. They can help enable the full permission set for your tenant.

Below is the link to create Microsoft support ticket:
https://learn.microsoft.com/en-us/power-bi/support/create-support-ticket

If this post helps, then please consider Accepting as solution to help the other members find it more quickly, don't forget to give a "Kudos" – I’d truly appreciate it!

Regards,
B Manikanteswara Reddy

lbendlin · ‎04-15-2025

Embed for internal users or Embed for customers? The documentation is pretty complete, Power BI embedded analytics overview - Power BI | Microsoft Learn

Nosyke22 · ‎04-16-2025

This is for embedding for customers where my entra application does the authentication what i am trying to know is if i use delegated permissions rather than application permissions is it correct cause my jwt token is only returning the application permission i gave the entra app rather than the delegated ones

Embedding PowerBi Report On Java Web Application

Helpful resources

Power BI Monthly Update - April 2025

NEW! Community Notebooks Gallery

Fabric Community Update - April 2025

How to Get Your Question Answered Quickly