How to Get Bearer Token for Power BI REST API

Cody Schneider · 9 min read

To use the Power BI REST API for tasks like embedding reports or managing your workspace, you first need to prove you have permission. This is done with a special kind of key called an Azure Active Directory (Azure AD) bearer token. This article provides a clear, step-by-step guide on how to get this token for two common scenarios: embedding dashboards for your external users and for users within your own company.

What is a Bearer Token and Why Do You Need One?

Think of a bearer token as a secure, temporary key. When you send a request to the Power BI API, you include this token in the "Authorization" header. The API inspects the token to verify your identity and check if you have the necessary permissions to perform the requested action, such as viewing a report or listing datasets.

This token-based system follows OAuth 2.0, a standard authorization framework. It ensures that only authorized users and applications can access your data. Microsoft uses its identity platform, Microsoft Entra ID (formerly Azure Active Directory), to manage this entire process.

There are two primary models for interacting with the Power BI API, and how you get a token differs significantly between them:

  • App Owns Data (Embed for Your Customers): This is for when you're showing Power BI content to external users who don’t have Power BI accounts. Your application signs in to Power BI using its own identity (a "service principal"), retrieves the report, and displays it inside your web app or portal. The end-user never needs to know Power BI is involved.
  • User Owns Data (Embed for Your Organization): This is for internal use when your employees, who all have Power BI Pro licenses, access reports through an internal application like SharePoint or Microsoft Teams. The application gets a token on behalf of the signed-in user, and the data they see is based on their own Power BI permissions.

We'll cover both, starting with the more involved but powerful "App Owns Data" method.

Before You Begin: Prerequisites

To follow along with these steps, make sure you have the following ready. Getting these sorted out first will save you a lot of time later.

  • A Power BI Pro or Premium Per User (PPU) license. The account you use for setup needs admin permissions.
  • A Microsoft Azure subscription. Don't worry, you can start with a free subscription. This is where you will register your application.
  • A Power BI tenant with capacity. For embedding reports for customers, you need dedicated capacity, which is available through a Power BI Premium (P SKU), Fabric (F SKU), or a Power BI Embedded (A SKU) license. You can create an 'A' SKU in Azure for testing.
  • Administrator Rights. You'll need either Global Admin rights in your Azure AD tenant or at least Power BI Service Administrator rights to configure some of the necessary settings.
  • An API Testing Tool: We'll use Postman in our examples, but you can also use PowerShell, cURL, or write code in your favorite language.

Method 1: Get a Token for App Owns Data

This method doesn't use a regular user login. Instead, it uses a non-interactive sign-in for your application, known as a service principal. Follow these steps carefully to set it up correctly.

Step 1: Register an Application in Microsoft Entra ID (Azure AD)

First, you need to register a new application in your Azure tenant. This creates an identity for your app so it can interact with the Power BI service.

  1. Sign in to the Azure Portal.
  2. Search for and select Microsoft Entra ID.
  3. Under the "Manage" section in the left pane, click on App registrations, then click + New registration.
  4. Give your application a clear name, like Power BI Reporting App.
  5. For "Supported account types," select Accounts in this organizational directory only. This is the most secure option for this scenario.
  6. You can leave the "Redirect URI" section blank for now.
  7. Click Register.

Once created, you'll be taken to your application's overview page. Take a moment to copy two important values you will need later. Treat these like passwords:

  • Application (client) ID
  • Directory (tenant) ID

Step 2: Create a Client Secret

A client secret is a password that your application uses to prove its identity when requesting a token.

  1. In your new app registration's menu, click on Certificates & secrets.
  2. Click the + New client secret button.
  3. Give it a short description (e.g., WebAppSecret) and choose an expiration period.
  4. Click Add.

Extremely Important: Immediately copy the new secret's "Value." This is the only time it will ever be displayed in full. Store it somewhere safe with your Client ID and Tenant ID.

Step 3: Create a Security Group for API Access

The best practice is to grant API permissions to a group rather than directly to the service principal. This makes management easier in the long run.

  1. Go back to your Microsoft Entra ID home page in the Azure Portal.
  2. Under "Manage," click Groups, then + New group.
  3. Set the "Group type" to Security.
  4. Give the group a clear name, such as Power BI API Access Group.
  5. Click Create.
  6. Once created, open the group and add the application you registered in Step 1 as a member. Search for the app by its name, select it, and click Add.

This adds your app's identity (the service principal) to the security group.

Step 4: Enable Service Principal Access in the Power BI Admin Portal

Now, you need to tell Power BI to allow service principals from the specific security group you just created to use the API.

  1. Log into your Power BI service (app.powerbi.com) with an admin account.
  2. Go to Settings > Admin portal.
  3. In the "Tenant settings" tab, scroll down to the "Developer settings" section.
  4. Find the setting titled "Allow service principals to use Power BI APIs."
  5. Enable it and select the option for Specific security groups.
  6. Search for and add the security group you created in Step 3 (Power BI API Access Group).
  7. Click Apply. It may take up to 15 minutes for this setting to take effect.

Step 5: Grant Your App Access to a Power BI Workspace

Your app now has general permission to contact the Power BI API, but it doesn't have access to any content yet. You must grant it explicit access to each workspace it needs to pull reports from.

  1. In the Power BI service, navigate to the workspace containing the reports you want to embed.
  2. Click the three dots (...) next to the workspace name and select Workspace access.
  3. In the side panel, search for the name of the application you registered in Azure (e.g., Power BI Reporting App).
  4. Assign it at least a Member role. Assigning the Admin role gives it more comprehensive permissions within that workspace.

With that, the setup is complete! Let's get the token.

Step 6: Request the Token with Postman

Now you can finally use your app's credentials to request an access token.

  1. Open Postman and create a new request.
  2. Set the method to POST.
  3. Set the Request URL to:
  4. Go to the Body tab and select x-www-form-urlencoded. Add the following key-value pairs:
  5. Click Send.

If everything was successful, you will receive a JSON response containing your bearer token in the access_token field. This token is what you'll use to make authenticated calls to the Power BI REST API.
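
The same client-credentials request outside Postman, as an added example that is not code from the original article. The v2.0 token endpoint, the Power BI `.default` scope and the `PBI_*` environment variable names are assumptions, because the page's own URL and key-value pairs are not shown; the sample responses are constructed.

```python
import json
import os
import urllib.parse
import urllib.request

# Assumptions (not from the original page): the v2.0 token endpoint and the
# Power BI resource scope used with the client-credentials grant.
AUTHORITY = "https://login.microsoftonline.com"
POWER_BI_SCOPE = "https://analysis.windows.net/powerbi/api/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_bytes) for the client-credentials token request."""
    url = f"{AUTHORITY}/{urllib.parse.quote(tenant_id, safe='')}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": POWER_BI_SCOPE,
    }).encode("ascii")
    return url, form


def parse_token_response(body):
    """Extract (access_token, expires_in), failing loudly on an error reply."""
    data = json.loads(body)
    if "access_token" not in data:
        raise RuntimeError(f"{data.get('error')}: {data.get('error_description')}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token_type")
    return data["access_token"], int(data.get("expires_in", 0))


def request_token():
    """Live call; credentials come from the environment, never from source."""
    url, form = build_token_request(
        os.environ["PBI_TENANT_ID"],      # hypothetical variable names
        os.environ["PBI_CLIENT_ID"],
        os.environ["PBI_CLIENT_SECRET"],
    )
    req = urllib.request.Request(url, data=form, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read())


# Constructed sample bodies, shaped like a success and an error reply.
SAMPLE_OK = '{"token_type": "Bearer", "expires_in": 3599, "access_token": "eyJ.sample.token"}'
SAMPLE_ERR = '{"error": "invalid_client", "error_description": "constructed example"}'
```

Reading the secret from the environment keeps it out of source control and out of saved Postman collections.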

Method 2: Get a Token for User Owns Data

For internal applications where users sign in with their own Power BI accounts, the process is different. The application helps the user get a token, but the token represents the logged-in user, not the application itself.

The Quick Way via Browser (For Testing Only)

If you just need a temporary token for quick API testing in Postman, you can grab one directly from your browser session. Warning: Don't use this method in a production application. The token is short-lived and tied to your personal session.

  1. Open Google Chrome and sign in to app.powerbi.com.
  2. Open the Developer Tools (press F12).
  3. Go to the Network tab.
  4. In the filter box, type /reports to filter the network traffic.
  5. Click on any Power BI report to open it.
  6. In the DevTools network log, click on one of the new requests that appears.
  7. In the panel that opens, look at the Headers tab. Scroll down to "Request Headers" and find the Authorization header.
  8. It will look like Authorization: Bearer eyJ0eX.... Your token is the long string of text that comes after "Bearer". Copy the entire token (without the word "Bearer").

You can now paste this token directly into the Authorization header of your Postman requests to test API endpoints under your user account.

The Programmatic Way via MSAL

For a real internal application, you should use the Microsoft Authentication Library (MSAL) for your chosen programming language (e.g., MSAL.js for JavaScript or MSAL.NET for C#).

The "user-owns-data" flow is delegated, meaning your app acts on behalf of the user. Here’s the general concept:

  1. Your application initiates an interactive login flow.
  2. The MSAL library redirects the user to the standard Microsoft sign-in page.
  3. The user logs in with their credentials and provides consent for your application to access the Power BI service on their behalf (the first time they use it).
  4. After a successful login, the user is redirected back to your application with an authorization code.
  5. MSAL uses this code to silently acquire an access token in the background. It also handles refreshing the token when it expires.

Using MSAL abstracts away all the complexity of redirects, token management, and secure storage, making it the correct way to handle authentication for this scenario.

Using Your Bearer Token in an API Call

Once you have your token (from either method), using it is easy. All you need to do is add it to the HTTP headers of your API request.

Let's retrieve a list of dashboards from a workspace using Postman:

  1. Create a new request in Postman.
  2. Set the method to GET.
  3. Set the URL to:
  4. Go to the Headers tab and add a new header:
  5. Click Send.

You should see a successful 200 OK response with a list of all dashboards in that workspace that your identity (your user or your service principal) has access to.
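
Before a token goes into a header, it is worth checking whose it is and whether it is still valid. This added example (not from the original article) decodes the token's claims without verifying the signature, tells a user token from a service principal token, and refuses to build the Authorization header for an expired or wrong-audience token. The audience value is an assumption and the sample tokens are constructed.

```python
import base64
import json
import time

# Assumed audience for Power BI access tokens (not stated on the original page).
POWER_BI_AUDIENCE = "https://analysis.windows.net/powerbi/api"


def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def describe_token(token, now=None):
    """Summarise who the token represents and whether it is usable."""
    c = decode_claims(token)
    now = time.time() if now is None else now
    return {
        "audience_ok": c.get("aud") == POWER_BI_AUDIENCE,
        "expired": c.get("exp", 0) <= now,
        # Delegated (user) tokens carry scopes in "scp"; app-only tokens do not.
        "kind": "user" if "scp" in c else "app",
        "scopes": c.get("scp", "").split(),
    }


def auth_headers(token, now=None):
    """Build the Authorization header, refusing unusable tokens."""
    info = describe_token(token, now)
    if not info["audience_ok"] or info["expired"]:
        raise ValueError("token is expired or not issued for Power BI")
    return {"Authorization": f"Bearer {token}"}


def make_sample(claims):
    """Build an unsigned, constructed JWT for the demo (dummy signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed tokens: a live user token and an expired app token.
SAMPLE_USER = make_sample({"aud": POWER_BI_AUDIENCE, "exp": 2000000000,
                           "scp": "Dashboard.Read.All Report.Read.All"})
SAMPLE_APP = make_sample({"aud": POWER_BI_AUDIENCE, "exp": 1000, "appid": "constructed"})
```

Decoding this way is for inspection only; the API itself validates the signature, so a client never needs to trust these claims.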

Final Thoughts

Learning how to get a bearer token is the first and most critical step to unlocking the full power of the Power BI REST API. While the initial setup for an app-owns-data scenario involves several steps across Azure and the Power BI admin portal, it provides a secure and scalable foundation for embedding analytics in any application.

While mastering API automation gives you fine-tuned control over your reporting, there are times you just need to connect all your data and see what's happening without the manual effort. We designed Graphed for exactly this purpose. Our platform connects directly to your marketing and sales sources - like Google Analytics, Shopify, and Salesforce - and lets you use plain English to generate live dashboards. Instead of managing bearer tokens and API limits, you can get instant visibility into your performance and focus on insights, not setup.
