metricsign
Critical severity · authentication

Power BI Refresh Error: LoadReportFailed

What does this error mean?

LoadReportFailed with a 403 status code means the Power BI Embedded client could not initialize the report, typically because the access token is invalid or the embed token type does not match the embedding scenario. The detailed message 'Couldn't resolve cluster' indicates a token-level misconfiguration preventing routing to the correct Power BI backend.

Common causes

  • The access token passed to the embed configuration is malformed, expired, or generated for a different resource or audience than the one being embedded
  • A mismatch between the embed token type and the embedding scenario, for example using a user-delegated token for an 'embed for your customers' (app-owns-data) scenario that requires a service principal token
  • The Report ID in the embed configuration does not match the report that the token was generated for, causing authorization to fail at the cluster routing level
  • The embedded application is using a hardcoded or cached token that has expired (tokens are typically valid for 1 hour) without implementing a token refresh mechanism

How to fix it

  1. Decode the access token at jwt.ms or jwt.io and verify the 'aud' (audience), 'exp' (expiration), and embedded report/workspace identifiers match your current embed configuration exactly
  2. Confirm the token generation method matches your embedding scenario: use GenerateTokenInGroup for app-owns-data with service principal, and ensure the tokenType in the embed config is set to 'Embed', not 'Aad'
  3. Verify the reportId passed to the powerbi.embed() call exactly matches the report GUID used when calling the Power BI REST API GenerateToken endpoint
  4. Implement token expiry handling in your application: listen for the tokenExpired event from the Power BI JavaScript SDK and call setAccessToken() with a freshly generated token before the current one expires
  5. Check that the service principal or master user account generating the token has at least Viewer access to the workspace containing the report being embedded
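The 'aud' and 'exp' checks from step 1 can also be run locally, so a live token never has to be pasted into a website, and the same check tells the application when the refresh in step 4 is due. The following Node.js sketch is an added example, not code from the original page or from the Power BI SDK. It assumes the token is a JWT (as Azure AD access tokens are); the function names, the 300-second refresh margin and the expected audience passed in by the caller are assumptions.

```javascript
// Added example: local claim check for an Azure AD-style JWT access token.
// Diagnostic only. The signature is NOT verified, so never use this for authorization.

function decodeJwtClaims(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) {
    throw new Error("malformed token: expected 3 dot-separated segments");
  }
  // JWT segments are base64url; map to standard base64 before decoding.
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  let claims;
  try {
    claims = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch (e) {
    throw new Error("malformed token: payload is not base64url-encoded JSON");
  }
  if (claims === null || typeof claims !== "object") {
    throw new Error("malformed token: payload is not a JSON object");
  }
  return claims;
}

// expectedAud and refreshMarginSec are caller-supplied assumptions, not values from the page.
function checkToken(token, expectedAud, nowSec = Math.floor(Date.now() / 1000), refreshMarginSec = 300) {
  let claims;
  try {
    claims = decodeJwtClaims(token);
  } catch (e) {
    return { ok: false, problems: [e.message], secondsLeft: 0, refreshNow: true };
  }
  const problems = [];
  const auds = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!auds.includes(expectedAud)) problems.push(`aud mismatch: ${auds.join(",")}`);
  const hasExp = typeof claims.exp === "number";
  const secondsLeft = hasExp ? claims.exp - nowSec : 0;
  if (!hasExp) problems.push("exp claim missing");
  else if (secondsLeft <= 0) problems.push(`expired ${-secondsLeft}s ago`);
  // refreshNow tells the caller to fetch a new token before this one lapses.
  return { ok: problems.length === 0, problems, secondsLeft, refreshNow: secondsLeft <= refreshMarginSec };
}

// Builds a constructed, unsigned sample token for offline testing only.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}
```

Run checkToken() on the backend before handing a token to the embed configuration, and log the problems array rather than the token itself.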

Frequently asked questions

What is the difference between 'embed for your customers' and 'embed for your organization' and why does it affect which token I use?

In 'embed for your customers' (app-owns-data), your application authenticates using a service principal or master user and generates a Power BI embed token via the REST API — the end user never authenticates to Power BI directly. In 'embed for your organization' (user-owns-data), the end user's own Azure AD token is used. Mixing these models causes token type mismatches that produce LoadReportFailed errors.

How do I prevent LoadReportFailed caused by token expiry in a long-running session?

Implement the tokenExpired event listener in the Power BI JavaScript SDK. When the event fires, call your backend to generate a new embed token and pass it to the embedded report via report.setAccessToken(newToken). Power BI embed tokens expire after 1 hour by default, so long user sessions require this refresh mechanism.
