Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Score big with last-minute savings on the final tickets to FabCon Vienna. Secure your discount

Reply
powerapps_tec
Advocate I
Advocate I

API to switch tenants in an "embed for org" application

‎04-30-2025 07:41 AM

I have an application based on the "Embed for your organization" model. For authentication, on the server-side, it uses Owin and the Microsoft.Identity.Client package. On the client-side, it uses the PowerBI REST API to perform automated dataset refreshes based on parameters supplied.

I need to extend this to work with guest users from other tenants so they can perform these automated refreshes on datasets (in a workspace) within the tenant where they have been created as guests. The manual version of this complete flow works fine. By switching the tenant in Power BI Service, the guest has access to their workspace, and they can change dataset parameters and do manual refreshes.

My question is this: is there a REST API that I can use to switch the tenant from the source to the one where the user is a guest using the tenantId? And would the access token from the source be enough to make this switch? And are there any other constraints and considerations?

I have researched this problem high and low and unfortunately, am unable to find a clean solution without dismantling the current architecture completely. Any help or guidance would be much appreciated!

Many thanks.

Labels:
Message 1 of 13
1,427 Views
0
1 ACCEPTED SOLUTION
powerapps_tec
Advocate I
Advocate I
In response to v-saisrao-msft

‎05-22-2025 01:16 PM

Here is a final update. I was able to upgrade the app to .NET 6.0 and also update all packages to stable versions.
To summarize:
Start with sample app at: Embed Power BI report in a Power BI embedded analytics application for your organization - Power BI and use the tutorial. Use the code provided at Github.
1) If necessary, downgrade node.js/npm to V16.20.2/V8.19.4
2) Target framework .NET 6.0 to remove dependence on out of support .NET 5.0
3) Update Microsoft.AspNetCore.Authentication.JwtBearer: 6.0.12
4) Update Microsoft.AspNetCore.Authentication.OpenIdConnect: 6.0.12
5) Update Microsoft.PowerBI.Api: 4.22.0
6) Update Microsoft.Identity.Web: 3.9.1

I will mark this response as a solution for anyone who is interested. And if anyone needs more info on how to use the REST API in conjunction with the sample, I can provide further details.

Many thanks and best wishes.

View solution in original post

Message 13 of 13
614 Views
12 REPLIES 12
v-saisrao-msft
Community Support
Community Support

‎05-02-2025 12:38 AM

Hi @powerapps_tec,

Thank you for reaching out to the Microsoft Fabric Forum Community.

thank you @lbendlin, for your insights.

To enable guest users to perform automated dataset refreshes in your Power BI solution, you’ll need to acquire an access token for the host tenant (where the datasets and workspaces reside) rather than using a token from the guest’s home tenant. 

Currently, there isn’t a REST API available to switch tenants programmatically in the same way a user can manually switch in Power BI Service. Instead, the solution is to authenticate against the host tenant directly when acquiring access tokens, ensuring that the token is valid for accessing Power BI resources in that tenant. 

This approach should work without dismantling your architecture. If tenant-switching APIs become available, if you get enough votes, they may consider in future. Raise your idea here: 

Fabric Ideas - Microsoft Fabric Community  

For further understanding, please refer to the following Links: 

Embed Power BI content in an embedded analytics application with service principal and an applicatio... 

Public and confidential client apps (MSAL) - Microsoft identity platform | Microsoft Learn

 

If this post helps, then please give us ‘Kudos’ and consider Accept it as a solution to help the other members find it more quickly.

 

Thank you. 

Message 4 of 13
1,306 Views
0
powerapps_tec
Advocate I
Advocate I
In response to v-saisrao-msft

‎05-02-2025 04:26 AM

Hello v-saisrao-msft,
Thank you for your response. Yes, I have tried to access tokens for the host tenant by explicitly setting the tenantId in the the authorityURI. This does not work with ClientApplicationBase.GetAccountAsync, which I need to return the user and then acquire a token for that user. Using service principal rather than a specific user is not an option.

The documentation mentions that ITokenAcquisition.GetAccessTokenForUserAsync can be used to get tokens for guest users. 
https://learn.microsoft.com/en-us/dotnet/api/microsoft.identity.web.itokenacquisition.getaccesstoken... 
For this, I would have to switch from using Microsoft.Identity.Client to Microsoft.Identity.Web, which in turn means rewriting most of the app.

Tenant switching would be the ideal solution, so I will definitely submit the idea as you suggest.

Many thanks.

Message 5 of 13
1,290 Views
0
v-saisrao-msft
Community Support
Community Support
In response to powerapps_tec

‎05-02-2025 04:57 AM

Hi, @powerapps_tec,

Thank you for the confirmation.

 

If this post helps, then please give us ‘Kudos’ and consider Accept it as a solution to help the other members find it more quickly.

 

Thank you

Message 6 of 13
1,281 Views
0
powerapps_tec
Advocate I
Advocate I
In response to v-saisrao-msft

‎05-02-2025 08:09 AM

I'm still interested to know if anyone has used ITokenAcquisition.GetAccessTokenForUserAsync successfully as a means to allow guest users to perform operations on their host workspace objects through the REST API. I am only inferring this possibility from the documentation and have no concrete examples or evidence. I think it is in the interest of the community to keep this discussion open.

Message 7 of 13
1,260 Views
0
v-saisrao-msft
Community Support
Community Support
In response to powerapps_tec

‎05-07-2025 09:57 PM

Hi @powerapps_tec,

Thanks for providing more context on your scenario! I completely understand the challenge you're facing with enabling guest users to perform operations on Power BI resources across different tenants.

I haven't personally used ITokenAcquisition.GetAccessTokenForUserAsync in this specific scenario, but I think it could be worth exploring. It seems like the ideal way to acquire tokens on behalf of a guest user, especially in a multi-tenant setup.

 

Thank you.

Message 8 of 13
1,045 Views
0
powerapps_tec
Advocate I
Advocate I
In response to v-saisrao-msft

‎05-12-2025 01:34 PM

Hello,
This tutorial uses the Micrsoft.Identity.Web with a .NET 5.0 app and works with a guest user. 
https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-organization-app

  1. No tenant switching is required to access workspaces in a host tenant.
  2. I have yet to try the REST API to perform more complex operations.
  3. I had to downgrade versions of node.js/npm to V16.20.2/V8.19.4.
  4. Finally, .NET 5.0 is out of support, so I'm not quite sure if this provides a stable foundation. 

Nevertheless, this is a promising alternative if anyone else is interested!
Many thanks and regards.

Message 9 of 13
976 Views
v-saisrao-msft
Community Support
Community Support
In response to powerapps_tec

‎05-13-2025 02:17 AM

Hi @powerapps_tec,

Thank you for the update.

Message 10 of 13
940 Views
0
powerapps_tec
Advocate I
Advocate I
In response to v-saisrao-msft

‎05-16-2025 12:00 PM

You're welcome! I have also verified that the REST API with Javascript works perfectly for a guest user. That is, the token can be used for dataset refreshes, updating parameters and ofc all read operations. I will try and upgrade the app to a supported version of .NET, but this may take time because there are a number of dependencies. If and when I do, I will definitely post an update here.  

Message 11 of 13
797 Views
0
v-saisrao-msft
Community Support
Community Support
In response to powerapps_tec

‎05-19-2025 01:57 AM

Hi @powerapps_tec,

Thank you for the updates.

Message 12 of 13
677 Views
0
powerapps_tec
Advocate I
Advocate I
In response to v-saisrao-msft

‎05-22-2025 01:16 PM

Here is a final update. I was able to upgrade the app to .NET 6.0 and also update all packages to stable versions.
To summarize:
Start with sample app at: Embed Power BI report in a Power BI embedded analytics application for your organization - Power BI and use the tutorial. Use the code provided at Github.
1) If necessary, downgrade node.js/npm to V16.20.2/V8.19.4
2) Target framework .NET 6.0 to remove dependence on out of support .NET 5.0
3) Update Microsoft.AspNetCore.Authentication.JwtBearer: 6.0.12
4) Update Microsoft.AspNetCore.Authentication.OpenIdConnect: 6.0.12
5) Update Microsoft.PowerBI.Api: 4.22.0
6) Update Microsoft.Identity.Web: 3.9.1

I will mark this response as a solution for anyone who is interested. And if anyone needs more info on how to use the REST API in conjunction with the sample, I can provide further details.

Many thanks and best wishes.

Message 13 of 13
615 Views
lbendlin
Super User
Super User

‎04-30-2025 02:06 PM

i think this is (far) outside the design envelope.  

 

If this is important to you please consider voting for an existing idea or raising a new one at https://ideas.fabric.microsoft.com

Message 2 of 13
1,399 Views
powerapps_tec
Advocate I
Advocate I
In response to lbendlin

‎05-05-2025 04:56 AM

I have submitted this as part of an idea suggestion:
https://community.fabric.microsoft.com/t5/Fabric-Ideas/Cmdlet-and-REST-API-support-for-tenant-switch... 

Message 3 of 13
1,150 Views
0

Helpful resources

Announcements
August Power BI Update Carousel

Power BI Monthly Update - August 2025

Check out the August 2025 Power BI update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All