Jazza

Reputation: 1082

Power BI Embed Token Generation - User Not Authorized

I am working with a customer who wants to embed a Power BI report in their externally-hosted e-commerce website. The idea is that the report will show the user how much they have spent to date, along with some other metrics. The report will filter the content of the report based on the identity of the user and the user should not be required to sign in to Power BI.

I have set up a Power BI Embedded capacity and have been following the steps outlined here: https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal and here: https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-sample-for-customers?tabs=net-core

So far, I have created the Service Principal and granted the following Power BI API permissions: [image]

In Power BI I have enabled the settings that will allow the Service Principal to call REST APIs and in addition have enabled the setting to allow access to Admin APIs: [image]

The Service Principal is in a security group which has Admin access to a workspace associated with the PBI Embedded capacity, and in the workspace we have published a dummy report that does not contain any row-level security requirements - the idea being that if we can successfully embed this report, we will then try it with a report containing RLS.

The dataset for the report is in a separate workspace which is not on the Power BI Embedded capacity. But I have granted the Service Principal Contributor access on that workspace too.

We can successfully obtain a Bearer token for the Service Principal and invoke some REST API calls to e.g. get a list of workspaces. But we are having problems generating the token we need to embed the report in the web app.

Initially, when we were calling the GenerateToken API we were getting an HTTP401 "PowerBINotAuthorizedException". However, after including the dataset ID in the request, I'm now getting an HTTP403 "User not authorized" error.

We are using the "Reports - GenerateTokenInGroup" API call as documented here: https://learn.microsoft.com/en-us/rest/api/power-bi/embed-token/reports-generate-token-in-group

The format of the request is as follows:

POST https://api.powerbi.com/v1.0/myorg/groups/{workspaceId}/reports/{reportId}/GenerateToken

My questions are:

  1. Does it matter that the report dataset is in a workspace that is not on the Power BI Embedded capacity? If so, should I publish the dataset to the Embedded capacity?
  2. Does the fact that the dataset does not currently contain any RLS roles mean that the identity part of the request is not needed? If so, how can I embed the report without specifying a user identity and not requiring the user to sign in?
  3. What step(s) are we missing to successfully embed the report?


Upvotes: 1

Views: 297

Answers (1)

Jazza

Reputation: 1082

OK, so I have found the answer to this and it was the fact that the request contained an identity which wasn't needed because the dataset and report do not have any row-level security in them. If I omit the identity element completely from the request, I get a valid token back.

Request body:

{ "accessLevel": "View", "allowSaveAs": "false" }

Response:

[image]

Additionally, I obtained the token with the dataset in its original workspace which is not on the Power BI Embedded capacity, although the Service Principal does need to be given permissions on the workspace containing the dataset (I gave Contributor access).

Finally, granting the Service Principal access to the read-only Admin APIs is NOT required.

Upvotes: 0
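
The rule the answer arrives at, as an added example that is not part of the original post or of Microsoft's sample: build the GenerateToken body with no identity for a dataset without RLS, and with exactly one server-chosen identity for a dataset with RLS. It assumes the `isEffectiveIdentityRequired` and `isEffectiveIdentityRolesRequired` fields of the dataset metadata returned by the Power BI Datasets REST API; the function name, dataset IDs, user and role values are hypothetical.

```python
# Constructed sample metadata, shaped like the dataset objects returned by the
# Power BI REST API ("Datasets - Get Dataset In Group"). IDs are placeholders.
DATASET_NO_RLS = {
    "id": "<dataset-id-no-rls>",
    "isEffectiveIdentityRequired": False,
    "isEffectiveIdentityRolesRequired": False,
}
DATASET_RLS = {
    "id": "<dataset-id-rls>",
    "isEffectiveIdentityRequired": True,
    "isEffectiveIdentityRolesRequired": True,
}


def build_generate_token_body(dataset, username=None, roles=None):
    """Return the JSON body (as a dict) for Reports - GenerateTokenInGroup.

    Hypothetical helper. `username` must come from the web app's own
    authenticated server-side session, never from a value the browser sends,
    because it decides which rows the RLS filter exposes.
    """
    # allowSaveAs is sent as a JSON boolean here (assumption of this example).
    body = {"accessLevel": "View", "allowSaveAs": False}

    if not dataset.get("isEffectiveIdentityRequired", False):
        # No RLS on the dataset: leave the identity out entirely. Per the
        # answer above, including one is what led to HTTP 403.
        return body

    # RLS dataset: refuse to build a request that cannot be scoped to a user.
    if not username:
        raise ValueError("dataset uses RLS: an effective username is required")
    if dataset.get("isEffectiveIdentityRolesRequired") and not roles:
        raise ValueError("dataset uses RLS roles: at least one role is required")

    identity = {"username": username, "datasets": [dataset["id"]]}
    if roles:
        identity["roles"] = list(roles)
    body["identities"] = [identity]
    return body
```
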
