This is a very useful discussion, especially regarding the apps that my company develops, which are typically Windows services running on some headless datacenter server that doesn't usually have user interaction or a gui.
Consider a simple example: you have a service running that collects performance monitor stats from one or more servers and you want to ship those off via direct push to Power BI. You might have a UI available when you installed the app, but it's not something that you'll be able to or want to return to in order to update a token.
Many of the approaches mentioned below are good, but are now outdated:
- AcquireTokenByRefreshToken() that
describes is no longer implemented in ADAL 3. - The user name/password AAD flow that
mentions is no longer supported in ADAL3 (UserCredential class doesn't contain passwords any longer), although you can still access it by using ADAL 2. However username/password can be problematic, because we've seen that AAD may require additional authenication steps (2FA, or smart cards in the case of Microsoft, etc.) which is I'm sure why MSFT dropped it from ADAL3.
I may be missing some alternative approaches, so if there's a better way to handle authentication, please let me know. I'm new to Power BI 
.
In the ideal case, a Power BI app would require user authentication/acceptance to the rights requested at install time. And from that point on, it would not require any additional user interaction via a GUI. Users could terminate access by removing the application from their accepted application list.
In the case of AAD applications, it functions pretty much like this. Our app requires admin-level approval to add them to the organizational application list, but from that point on we can access AAD without further prompting. If this was applied to Power BI, I'm sure there would be some additional work/thinking required because:
- Just because an app was added to an organization doesn't imply that that app should have access to all Power BI workspaces. Perhaps a workspace needs a token that can be supplied to external applications to use in an http request.
- Sometimes having to request an admin to add an application to an organization can be troublesome, especially if the application is really only for one user's workspace. Ideally a user could allow access for a single user's application without admin interaction.
So my ask in this message is to help me clear up my understanding on what is possible and the recommended approach for apps like mine today. Also, want to raise this issue again now that the technology has evolved to see what if anything is on the roadmap.