I am working to create an embed token for an on prem ssas connection. With the ultimate goal of passing the security through so that I can use the role security in ssas in power bi.
however, my first step is generating the initial embed token. As I am new to embed this is turning into an ordeal.
I was able to successfully create an embed token using the below code for a regular Power BI dataset with RLS.
I have taken the below steps to setup my security:
Created an Application Registration in Azure AD with the below permissions
I then added power bi embed to the workspace as an admin as well as to the gateway:
I am using the below code to generate my embed token. I was able to get this to work with a regular dataset with RLS. However, i am getting a forbidden error when I try to generate it with my Power BI dataset that is directquery to ssas on prem.
private static bool useEmbedToken = true;
private static bool useRLS = true;
private static string authorityUrl = "https://login.microsoftonline.com/organizations/";
private static string resourceUrl = "https://analysis.windows.net/powerbi/api";
private static string apiUrl = "https://api.powerbi.com/";
private static string tenantId = "TENANT"; //Working
private static Guid groupId = Guid.Parse("GROUP");
private static Guid reportId = Guid.Parse("REPORT");//
private static Guid datasetId = Guid.Parse("DATASET"); //
// **** Update the Client ID and Secret within Secrets.cs ****
private static ClientCredential credential = null;
private static AuthenticationResult authenticationResult = null;
private static TokenCredentials tokenCredentials = null;
static void Main(string[] args)
{
try
{
// Create a user password cradentials.
credential = new ClientCredential(Secrets.ClientID, Secrets.ClientSecret);
// Authenticate using created credentials
Authorize().Wait();
using (var client = new PowerBIClient(new Uri(apiUrl), tokenCredentials))
{
#region Embed Token
EmbedToken embedToken = null;
if (useEmbedToken && !useRLS)
{
}
}
else if (useEmbedToken && useRLS)
{
// **** With RLS ****
var rls = new EffectiveIdentity(username: "USER@Company.com", new List<string> { datasetId.ToString() });
var rolesList = new List<string>();
rolesList.Add("Role");
rls.Roles = rolesList;
embedToken = client.Reports.GenerateTokenInGroup(groupId, reportId,
new GenerateTokenRequest(accessLevel: "View", datasetId: datasetId.ToString(), rls));
}
with the error received:
Microsoft.Rest.HttpOperationException
HResult=0x80131500
Message=Operation returned an invalid status code 'Forbidden'
Source=Microsoft.PowerBI.Api
StackTrace:
at Microsoft.PowerBI.Api.ReportsOperations.<GenerateTokenInGroupWithHttpMessagesAsync>d__34.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.PowerBI.Api.ReportsOperationsExtensions.<GenerateTokenInGroupAsync>d__95.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.PowerBI.Api.ReportsOperationsExtensions.GenerateTokenInGroup(IReportsOperations operations, Guid groupId, Guid reportId, GenerateTokenRequest requestParameters)
at EmbedAPISample.Program.Main(String[] args) in C:\Users\user\OneDrive\Documents\Projects\Power BI\Embed-API-Sample-master\Embed-API-Sample-master\EmbedAPISample\Program.cs:line 111
Helpful resources
Join our Fabric User Panel
Share feedback directly with Fabric product managers, participate in targeted research studies and influence the Fabric roadmap.
Power BI Monthly Update - February 2026
Check out the February 2026 Power BI update to learn about new features.
FabCon Atlanta 2026
Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.
