ejk0226
Regular Visitor

Embed for your Organization (User Owns Data) - C#, Forbidden, Invalid Token

I’m getting a 403 Forbidden response. The response header X-PowerBI-Error-Info reports InvalidToken. I’ve tried various asp.net core code samples.

 

The Entra app registration's API permissions have delegated authority configured for Power BI Service.

[screenshot: ejk0226_0-1758734979193.png, API permissions of the app registration]

 

The web app C# configures services like so:

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
   .AddMicrosoftIdentityWebApp(configuration, "AzureAd")
   .EnableTokenAcquisitionToCallDownstreamApi(configuration.GetSection("PowerBi:RequiredScopes").Get<string[]>())
   .AddInMemoryTokenCaches();

 

The C# call:

var httpClientFactory = _httpClientFactory; // from dependency injection
var tokenAcquisition = _tokenAcquisition;   // from dependency injection (ITokenAcquisition)

// Delegated scopes on the Power BI resource; the signed-in user's permissions apply.
string[] scopes = {
    "https://analysis.windows.net/powerbi/api/Workspace.Read.All",
    "https://analysis.windows.net/powerbi/api/Dashboard.Read.All",
    "https://analysis.windows.net/powerbi/api/Report.Read.All",
    "https://analysis.windows.net/powerbi/api/PaginatedReport.Read.All"
};

var accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);

var client = httpClientFactory.CreateClient();
client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken);
var response = await client.GetAsync("https://api.powerbigov.us/v1.0/myorg/reports");

 

Is it the accessToken? What content within the token should I be looking at? The oid/name in the token is correct.

"aud": "https://analysis.windows.net/powerbi/api"

"scp": "Dashboard.Read.All PaginatedReport.Read.All Report.Read.All Workspace.Read.All"

 

The Power BI admin says these are the Developer settings. My understanding is these settings relate to Embed for your Customer.

[screenshot: ejk0226_1-1758735482291.png, Power BI tenant Developer settings]

 

I'm trying to use Embed for Org because all the users in my workspace will be internal and they already have Power BI Pro licenses. I don't need/want to pay extra for capacity to support Embed for your Customer. Are there more Tenant settings I need to look for?

 

Then I found some wording on https://learn.microsoft.com/en-us/rest/api/power-bi/#using-a-service-principal 

[screenshot: ejk0226_2-1758735648368.png, excerpt of the "Using a service principal" section of the REST API docs]

 

Does that mean either use Service Principal or Scopes but not both for the tenant?

 

How exactly do I embed Power BI reports in C# web app such that there is no need to pay for extra capacity related to Embed for your Customer?

 

6 REPLIES
ejk0226
Regular Visitor

@DataNinja777 Thank you for the additional suggestion; however, there is a new error. I changed the AzureAd Instance to .us instead of .com. After starting the app and logging in I get the error "MsalUiRequiredException: AADSTS90051: Invalid Delegation Token. Invalid national Cloud ID (0) is specified.". Searching didn't find much. This site https://learn.microsoft.com/en-us/entra/identity-platform/authentication-national-cloud seems to link the use of https://login.microsoftonline.us/ with app registration from portal.azure.us. But as previously stated my org doesn't use portal.azure.us. The article also states how to look up the app endpoint (#application-endpoints), and that reports using https://login.microsoftonline.com.

v-echaithra
Community Support

Hi @ejk0226 ,

Thank you @DataNinja777 for your inputs.

I hope the information provided is helpful. I wanted to check whether you were able to resolve the issue with the provided solutions. Please let us know if you need any further assistance.

Thank you.

It was helpful as far as identifying a disconnect between gov and commercial. I replied to @DataNinja777 to see how to claim a token from the gov cloud.

DataNinja777
Super User

Hi @ejk0226 ,

 

The 403 Forbidden / InvalidToken error is occurring because you are calling the Power BI US Government (GCC) API endpoint at https://api.powerbigov.us, but your application is configured to get tokens for the standard commercial cloud. Your token's audience (aud) claim, https://analysis.windows.net/powerbi/api, is correct for the commercial service. Because the government and commercial clouds are completely separate environments, a token issued for one is invalid in the other, leading to the rejection. The fix is to change the API endpoint in your code to the commercial URL.

Your overall strategy of using the "Embed for your organization" (User owns data) model is correct for your goal of embedding content for internal, licensed users without incurring extra capacity costs. The Power BI admin settings and documentation you found regarding service principals are not relevant to your implementation. Those apply to the "Embed for your customer" (App owns data) model, which uses a different authentication flow. Your method, which uses GetAccessTokenForUserAsync, correctly relies on delegated user permissions (scopes), where the signed-in user's own license and permissions grant access to the content.

To resolve the error, you only need to modify the URL in your GetAsync call. The rest of your token acquisition logic and scope definition is correct for your scenario.

var accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);

var client = httpClientFactory.CreateClient();
client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken);

// Change the URL from "api.powerbigov.us" to "api.powerbi.com"
var response = await client.GetAsync("https://api.powerbi.com/v1.0/myorg/reports"); 

response.EnsureSuccessStatusCode();

 

Best regards,

This is helpful. However, can I go in the other direction by configuring my application to get tokens from the government cloud? How/where do I switch that? The reports I'm after are hosted on https://app.powerbigov.us/home. This is where I have a Pro license and report users also have Pro licenses.

 

I can navigate to commercial https://app.powerbi.com/home with my gov credentials. It shows I have a Free account type with no reports. When I do as you suggest and change my endpoint then yes, I get a response. It's an empty list of reports because I have no reports hosted there, but at least it's a 200 OK instead of an error.

 

Reading into what you describe, it sounds like I need to get different tokens. The tokens defined (https://analysis.windows.net/powerbi/api/) came from me going into the Entra App registration (https://portal.azure.com/) and adding API permissions. I only see Power BI Service and no gov option. A quick Google search pointed me to a Gov Azure portal at https://portal.azure.us/; however, that tells me my org/domain is not registered.

Hi @ejk0226 ,

 

Thank you for the clarification. You're absolutely right to go in the other direction since your reports and licenses are in the government cloud. Your diagnosis is spot on: you need to get a token issued from the government cloud's identity provider. The reason your current code gets a commercial token is because the Microsoft Identity library defaults to the commercial Azure endpoints. You can fix this by explicitly telling your application to authenticate against the US Government endpoint instead.

You can accomplish this with a small change in your appsettings.json file. You do not need a separate app registration in the Azure Government portal (portal.azure.us); your existing registration is fine. You simply need to change the "Instance" for your Azure AD configuration from the commercial endpoint to the government endpoint. You should change the configuration from this:

"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "TenantId": "[your-tenant-id]",
  "ClientId": "[your-client-id]",
  //... other settings
}

...to this, noting the change in the URL:

"AzureAd": {
  "Instance": "https://login.microsoftonline.us/",
  "TenantId": "[your-tenant-id]",
  "ClientId": "[your-client-id]",
  //... other settings
}

By changing the instance to https://login.microsoftonline.us/, you are telling the AddMicrosoftIdentityWebApp service to use the US Government authority for all token requests. This will produce a token that is valid for government cloud resources. With this configuration change in place, your C# code for calling the API should remain exactly as it was in your original post, as the powerbigov.us endpoint is now the correct one to use with your new government-issued token.

// This URL is now correct because you'll have a gov-issued token
var response = await client.GetAsync("https://api.powerbigov.us/v1.0/myorg/reports");

The scopes you defined are also correct and do not need to be changed. The resource URL, https://analysis.windows.net/powerbi/api, is the same for both commercial and government clouds. The key difference, which your configuration change will fix, is the issuer of the token. 

 

Best regards,
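Both the opening question (which claims in the token to look at: aud and scp) and the reply above (the issuer is what the Instance change alters) come down to reading the claims off the token you were actually issued before sending it. The script below is an added example, not code from this thread or from Microsoft: a stand-alone Python inspector that decodes a JWT payload offline, without verifying the signature (it is for looking at your own token, not for trusting one), and reports whether aud, scp, iss and exp fit the API host you are about to call. The commercial host-to-audience pair is the one the thread confirms; the api.powerbigov.us entry is not from the thread but the GCC audience listed in Microsoft's US Government embedding documentation, and should be confirmed for your cloud since GCC High and DoD use other hosts. The tenant id and token claims are constructed placeholders.

```python
import base64
import json
import time
from urllib.parse import urlparse

# Audience each Power BI REST host expects. The commercial entry is what the
# thread shows (aud https://analysis.windows.net/powerbi/api <-> api.powerbi.com).
# The GCC entry is an assumption taken from Microsoft's US Government embedding
# docs, not from the thread; GCC High / DoD use different hosts, so verify it.
EXPECTED_AUD = {
    "api.powerbi.com": "https://analysis.windows.net/powerbi/api",
    "api.powerbigov.us": "https://analysis.usgovcloudapi.net/powerbi/api",
}


def b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the payload claims of a compact JWT. No signature verification:
    use this to inspect what you were issued, never to authorize a caller."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_token(token, api_url, required_scopes, now=None):
    """Compare the token's claims with the API host you are about to call.
    Returns a list of findings; an empty list means nothing obviously wrong."""
    claims = decode_claims(token)
    host = urlparse(api_url).hostname or ""
    now = time.time() if now is None else now
    findings = []

    # aud must be the resource the target cloud's API accepts.
    expected_aud = EXPECTED_AUD.get(host)
    if expected_aud is None:
        findings.append(f"unknown API host {host}: add it to EXPECTED_AUD")
    elif claims.get("aud") != expected_aud:
        findings.append(f"aud {claims.get('aud')!r} is not the audience "
                        f"{host} expects ({expected_aud})")

    # A delegated token lists its granted scopes space-separated in scp.
    granted = set(claims.get("scp", "").split())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        findings.append(f"scp is missing {missing}")

    # iss names the authority that minted the token: its host should match the
    # "Instance" in appsettings.json and it should name the tenant in tid.
    iss, tid = claims.get("iss", ""), claims.get("tid", "")
    if not tid or tid not in iss:
        findings.append(f"iss {iss!r} does not name tenant {tid!r}")

    if claims.get("exp", 0) <= now:
        findings.append("token is expired (exp in the past)")
    return findings


def make_unsigned_token(claims):
    """CONSTRUCTED sample only: builds an alg=none JWT so the checker can run
    offline. Real Entra tokens are RS256-signed; never accept alg=none anywhere."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


# Constructed claims mirroring the thread: a commercial-cloud (v1 issuer) token
# carrying the four delegated scopes, later checked against the gov host.
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
REQUIRED = ["Workspace.Read.All", "Report.Read.All"]
COMMERCIAL_CLAIMS = {
    "aud": "https://analysis.windows.net/powerbi/api",
    "iss": f"https://sts.windows.net/{TENANT}/",
    "tid": TENANT,
    "scp": "Dashboard.Read.All PaginatedReport.Read.All Report.Read.All Workspace.Read.All",
    "exp": 4102444800,  # 2100-01-01, so the sample does not expire on the reader
}

if __name__ == "__main__":
    tok = make_unsigned_token(COMMERCIAL_CLAIMS)
    for url in ("https://api.powerbigov.us/v1.0/myorg/reports",
                "https://api.powerbi.com/v1.0/myorg/reports"):
        print(url, "->", check_token(tok, url, REQUIRED) or ["ok"])
```

To use it on a real token, pass the string returned by GetAccessTokenForUserAsync and the exact URL you call to check_token; the script makes no network requests, and a clean result only means the claims are consistent with the host, since the API still validates the signature, issuer and audience itself.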
