ejk0226
New Member

Embed for your Organization (User Owns Data) - C#, Forbidden, Invalid Token

I’m getting a 403 Forbidden response. The response header X-PowerBI-Error-Info reports InvalidToken. I’ve tried various ASP.NET Core code samples.

The Entra app registration API permission has delegated authority configured for Power BI Service.


The web app C# configures services like so:

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
   .AddMicrosoftIdentityWebApp(configuration, "AzureAd")
   .EnableTokenAcquisitionToCallDownstreamApi(configuration.GetSection("PowerBi:RequiredScopes").Get<string[]>())
   .AddInMemoryTokenCaches();

 

The C# call:

var httpClientFactory = _httpClientFactory; // from Dependency Injection
var tokenAcquisition = _tokenAcquisition; // from Dependency Injection
string[] scopes = {
		"https://analysis.windows.net/powerbi/api/Workspace.Read.All",
		"https://analysis.windows.net/powerbi/api/Dashboard.Read.All",
		"https://analysis.windows.net/powerbi/api/Report.Read.All",
		"https://analysis.windows.net/powerbi/api/PaginatedReport.Read.All"
	};

var accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);

var client = httpClientFactory.CreateClient();
client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken);
var response = await client.GetAsync("https://api.powerbigov.us/v1.0/myorg/reports");

 

Is it the accessToken? What content within the token should I be looking at? The oid/name in the token is correct.

"aud": "https://analysis.windows.net/powerbi/api"

"scp": "Dashboard.Read.All PaginatedReport.Read.All Report.Read.All Workspace.Read.All"

 

The Power BI admin says these are the Developer settings. My understanding is these settings relate to Embed for your Customer.


I'm trying to use Embed for Org because all the users in my workspace will be internal and they already have Power BI Pro licenses. I don't need/want to pay extra for capacity to support Embed for your Customer. Are there more Tenant settings I need to look for?

 

Then I found some wording on https://learn.microsoft.com/en-us/rest/api/power-bi/#using-a-service-principal 


Does that mean either use Service Principal or Scopes but not both for the tenant?

 

How exactly do I embed Power BI reports in C# web app such that there is no need to pay for extra capacity related to Embed for your Customer?

 

4 REPLIES 4
v-echaithra
Community Support

Hi @ejk0226 ,

Thank you @DataNinja777  for your inputs.

I hope the information provided is helpful. I wanted to check whether you were able to resolve the issue with the provided solutions. Please let us know if you need any further assistance.

Thank you.

It was helpful as far as identifying a disconnect between gov and commercial. I replied to @DataNinja777 to see how to claim token from gov cloud.

DataNinja777
Super User

Hi @ejk0226 ,

 

The 403 Forbidden / InvalidToken error is occurring because you are calling the Power BI US Government (GCC) API endpoint at https://api.powerbigov.us, but your application is configured to get tokens for the standard commercial cloud. Your token's audience (aud) claim, https://analysis.windows.net/powerbi/api, is correct for the commercial service. Because the government and commercial clouds are completely separate environments, a token issued for one is invalid in the other, leading to the rejection. The fix is to change the API endpoint in your code to the commercial URL.

Your overall strategy of using the "Embed for your organization" (User owns data) model is correct for your goal of embedding content for internal, licensed users without incurring extra capacity costs. The Power BI admin settings and documentation you found regarding service principals are not relevant to your implementation. Those apply to the "Embed for your customer" (App owns data) model, which uses a different authentication flow. Your method, which uses GetAccessTokenForUserAsync, correctly relies on delegated user permissions (scopes), where the signed-in user's own license and permissions grant access to the content.

To resolve the error, you only need to modify the URL in your GetAsync call. The rest of your token acquisition logic and scope definition is correct for your scenario.

var accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);

var client = httpClientFactory.CreateClient();
client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken);

// Change the URL from "api.powerbigov.us" to "api.powerbi.com"
var response = await client.GetAsync("https://api.powerbi.com/v1.0/myorg/reports"); 

response.EnsureSuccessStatusCode();

 

Best regards,

This is helpful. However, can I go in the other direction by configuring my application to get tokens from the government cloud? How/where do I switch that? The reports I'm after are hosted on https://app.powerbigov.us/home. This is where I have a Pro license and report users also have Pro licenses.

 

I can navigate to commercial https://app.powerbi.com/home with my gov credentials. It shows I have a Free account type with no reports. When I do as you suggest and change my endpoint then yes I get a response. It's an empty list of reports because I have no reports hosted there but at least it's a 200 OK instead of error.

 

Reading into what you describe, it sounds like I need to get different tokens. The tokens defined (https://analysis.windows.net/powerbi/api/) came from me going into the Entra App registration (https://portal.azure.com/) and adding API permissions. I only see Power BI Service and no gov option. A quick Google search pointed me to a Gov Azure portal at https://portal.azure.us/ however that tells me my org/domain is not registered.
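
The audience check discussed in this thread, as an added example that is not code from any of the posters or from Microsoft: it decodes the token's `aud` claim and compares it with the audience expected by the API host being called, so a cloud mismatch is caught before the request returns 403 InvalidToken. The class and method names are hypothetical, the sample token is constructed, and the GCC audience value is an assumption that does not appear in the thread.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

public static class PowerBiTokenCheck // hypothetical helper, not part of any SDK
{
    // API host -> "aud" the token must carry. The commercial pair is from the thread;
    // the GCC audience is an assumption to confirm in Microsoft's US Government docs.
    static readonly Dictionary<string, string> ExpectedAudience = new(StringComparer.OrdinalIgnoreCase)
    {
        ["api.powerbi.com"] = "https://analysis.windows.net/powerbi/api",
        ["api.powerbigov.us"] = "https://analysis.usgovcloudapi.net/powerbi/api",
    };

    // Decodes the payload for diagnostics only; the signature is not validated here.
    public static JsonElement ReadPayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT.");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        return doc.RootElement.Clone();
    }

    // Returns null when the token's audience fits the endpoint, otherwise the reason.
    public static string? Mismatch(string jwt, Uri endpoint)
    {
        if (!ExpectedAudience.TryGetValue(endpoint.Host, out var expected))
            return $"No expected audience configured for {endpoint.Host}.";
        var aud = ReadPayload(jwt).TryGetProperty("aud", out var a)
                  && a.ValueKind == JsonValueKind.String ? a.GetString() : null;
        return string.Equals(aud?.TrimEnd('/'), expected, StringComparison.OrdinalIgnoreCase)
            ? null
            : $"aud '{aud}' does not fit {endpoint.Host}, which expects '{expected}'.";
    }

    public static void Main()
    {
        // Constructed, unsigned sample token carrying the aud/scp values quoted in the question.
        var claims = "{\"aud\":\"https://analysis.windows.net/powerbi/api\",\"scp\":\"Report.Read.All\"}";
        var body = Convert.ToBase64String(Encoding.UTF8.GetBytes(claims))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        var jwt = $"e30.{body}.sig";
        Console.WriteLine(Mismatch(jwt, new Uri("https://api.powerbigov.us/v1.0/myorg/reports")) ?? "OK");
        Console.WriteLine(Mismatch(jwt, new Uri("https://api.powerbi.com/v1.0/myorg/reports")) ?? "OK");
    }
}
```

Log only the mismatch message, never the bearer token itself.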
