APPLIES TO:
App owns data
User owns data
The token-based identity allows an ISV to use a Microsoft Entra access token to pass the identity of a customer to an Azure SQL database managed in the customer's tenant.
ISV customers that keep and manage their data in Azure SQL Database can keep their data secure in their tenant when integrating with Power BI Embedded in the ISV app.
When generating the embed token, specify the identity of the user in Azure SQL by passing that user's Microsoft Entra access token for the Azure SQL server. The access token is then used to pull only the relevant data for that user from Azure SQL, for that specific session.
Important
App-owns-data SSO limitations:
- In App-owns-data scenarios (service principal or master user authentication), SSO for DirectQuery datasources is only supported with Azure SQL Database.
- When generating an embed token with SSO, you must provide an IdentityBlob for every datasource that has SSO enabled. Omitting the IdentityBlob causes token generation or query execution to fail.
Set up token-based identity
The token-based identity only works for DirectQuery models on a capacity connected to an Azure SQL Database that's configured to allow Microsoft Entra authentication. The semantic model's data source must be configured to use end users' OAuth2 credentials, to use a token-based identity. Learn more about Microsoft Entra authentication for Azure SQL Database.
Before configuring token-based identity, verify:
- Your DirectQuery data source is Azure SQL Database (the only supported SSO datasource for App-owns-data scenarios).
- The Azure SQL Database is configured for Microsoft Entra authentication.
- You have the user's Microsoft Entra access token for the Azure SQL server to pass as the IdentityBlob.
From the Power BI portal, select Semantic model > More Options (three dots) > Settings > Data source credentials > Edit credentials.
Check the OAuth2 option box.
Generate an identity token
To create an access token for Azure SQL, the app must have Access Azure SQL DB and Data Warehouse delegated permission to Azure SQL Database API on the Microsoft Entra app registration configuration in the Azure portal.
Authenticate and acquire a token for the user from the Azure AD v2 endpoint for the following scope: https://database.windows.net/.default
See the following MSAL code samples for help:
- Code samples for Microsoft identity platform authentication and authorization - Microsoft Entra | Microsoft Learn
- Microsoft identity platform and OAuth 2.0 authorization code flow
Generate embed token
To embed a report with token-based identity, generate an embed token that contains the token-based identity of the desired ISV user. See the following examples for generating embed tokens for different scenarios.
Note
You must include a datasourceIdentities entry with a valid identityBlob for each Azure SQL datasource that has SSO enabled. If any SSO-enabled datasource is missing its identityBlob, the embed token generation call will fail or query execution will return an error.
- Power BI report with SSO
- Paginated report with SSO
- Power BI report with SSO and RLS on the semantic model
- Paginated report connected to Power BI semantic model with RLS, and SSO data source that is connected with DirectQuery to another Power BI dataset
{
    "datasets": [
        {
            "id": "66ba5010-xxxx-xxxx-xxxx-f2bf0125abeb"
        }
    ],
    "reports": [
        {
            "allowEdit": false,
            "id": "9e6da541-xxxx-xxxx-xxxx-7d9442827cce"
        }
    ],
    "datasourceIdentities": [
        {
            "identityBlob": "eyJ…",
            "datasources": [
                {
                    "datasourceType": "Sql",
                    "connectionDetails": {
                        "server": "YourServerName.database.windows.net",
                        "database": "YourDataBaseName"
                    }
                }
            ]
        }
    ]
}
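The following Python is an added example, not code from this page or from Microsoft: it builds the GenerateToken body in the shape shown above and, before doing so, pre-checks the identityBlob (a JWT for the Azure SQL audience that has not expired), so that a missing or stale blob is caught before the embed call fails. The accepted audience values and the constructed_blob helper (an unsigned test token) are assumptions for offline testing; the MSAL acquisition for the scope on this page is not shown.

```python
import base64
import json
import time

# The identityBlob is the user's Entra access token for Azure SQL, acquired via
# MSAL for this scope (from the page); the MSAL call itself is not shown.
AZURE_SQL_SCOPE = "https://database.windows.net/.default"
# Assumption: the token's aud is the Azure SQL resource, with or without a slash.
AZURE_SQL_AUDIENCES = {"https://database.windows.net", "https://database.windows.net/"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def constructed_blob(aud: str, exp: int) -> str:
    """Unsigned, constructed JWT for offline testing only (not a real token)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps({'aud': aud, 'exp': exp}).encode())}."

def check_identity_blob(blob: str, now=None):
    """Pre-flight check: the blob is a JWT for the Azure SQL audience that has not
    expired. Returns an error string or None. The signature is not verified here;
    Azure SQL verifies it when the query runs."""
    parts = blob.split(".")
    if len(parts) != 3:
        return "identityBlob is not a JWT"
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return "identityBlob payload is not base64url JSON"
    if claims.get("aud") not in AZURE_SQL_AUDIENCES:
        return f"identityBlob audience {claims.get('aud')!r} is not Azure SQL"
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        return "identityBlob has expired"
    return None

def build_embed_token_request(dataset_ids, report_ids, sql_datasources, blob, now=None):
    """GenerateToken body in the shape shown on this page. Every Azure SQL datasource
    is listed under the identityBlob, so no SSO-enabled datasource is left without one."""
    error = check_identity_blob(blob, now)
    if error:
        raise ValueError(error)
    return {
        "datasets": [{"id": d} for d in dataset_ids],
        "reports": [{"allowEdit": False, "id": r} for r in report_ids],
        "datasourceIdentities": [{"identityBlob": blob, "datasources": [
            {"datasourceType": "Sql", "connectionDetails": {"server": s, "database": d}}
            for s, d in sql_datasources]}],
    }
```

Pass the returned dictionary as the JSON body of the GenerateToken call; with a real token, omit the `now` argument so the expiry check uses the current time.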
The following example shows an embedded Power BI report with SSO and RLS applied to the dataset: