What causes PowerBINotAuthorizedException?

Incorrect or mismatched workspace (group) ID passed in the embed configuration. The Azure AD app or service principal lacks access to the target Power BI workspace. Embed token was generated for a different workspace than the one being accessed. The workspace has been deleted or the user has been removed from it since the token was issued

How do I fix PowerBINotAuthorizedException?

Step 1: Verify the workspace (group) ID in your embed configuration matches the actual workspace ID shown in the Power BI Service URL or Admin portal.. Step 2: Confirm the service principal or user account used to generate the embed token is a member of the target workspace with at least Viewer permissions.. Step 3: Regenerate the embed token, ensuring the token scope explicitly includes the correct workspace ID and report ID.. Step 4: If using app-owns-data embedding, verify the Azure AD app has the 'Read All Reports' and 'Read All Datasets' API permissions and that admin consent has been granted.. Step 5: Test access by calling the Power BI REST API GET /groups/{groupId}/reports directly with the same credentials to isolate whether the issue is the token or the configuration.

High severityauthentication

Power BI Refresh Error:
PowerBINotAuthorizedException

What does this error mean?

The embedding request was rejected with a 401 Unauthorized error, typically because the workspace group ID is wrong or the token does not grant access to the specified group. The report cannot be loaded until authorization is resolved.

Common causes

1Incorrect or mismatched workspace (group) ID passed in the embed configuration
2The Azure AD app or service principal lacks access to the target Power BI workspace
3Embed token was generated for a different workspace than the one being accessed
4The workspace has been deleted or the user has been removed from it since the token was issued

How to fix it

1Step 1: Verify the workspace (group) ID in your embed configuration matches the actual workspace ID shown in the Power BI Service URL or Admin portal.
2Step 2: Confirm the service principal or user account used to generate the embed token is a member of the target workspace with at least Viewer permissions.
3Step 3: Regenerate the embed token, ensuring the token scope explicitly includes the correct workspace ID and report ID.
4Step 4: If using app-owns-data embedding, verify the Azure AD app has the 'Read All Reports' and 'Read All Datasets' API permissions and that admin consent has been granted.
5Step 5: Test access by calling the Power BI REST API GET /groups/{groupId}/reports directly with the same credentials to isolate whether the issue is the token or the configuration.

Frequently asked questions

Can an expired token also cause PowerBINotAuthorizedException?

No — expired tokens raise a separate TokenExpired error (HTTP 403). PowerBINotAuthorizedException specifically signals that the token is structurally valid but the identity it represents is not authorized for the requested workspace or group.

Does this error affect all users or only specific ones?

It typically affects all users of the embedded application because the group ID and token generation logic are centralized in the app's back end. If a single user's per-user token is scoped incorrectly, only that user is affected.