diff --git a/doc/powerBI.md b/doc/powerBI.md index ba6c0aab9..6f525582e 100644 --- a/doc/powerBI.md +++ b/doc/powerBI.md 
@@ -628,14 +628,15 @@ instance. Open the "_Configuration_" blade (_Azure Portal_ > _Static Web Apps_ > _[name of your webapp]_ > _Configuration_), and add the environment variables below: -| Parameter name | Value description | -| ------------------------ | -------------------------------------------------------------------------- | -| `POWER_BI_SCOPE` | "https://analysis.windows.net/powerbi/api/.default" | -| `POWER_BI_CLIENT_ID` | client id of the webapp app registration (visible in the _Overview_ blade) | -| `POWER_BI_WORKSPACE_ID` | id of the Power BI workspace containing your reports | -| `POWER_BI_AUTHORITY_URI` | "https://login.microsoftonline.com/common/v2.0" | -| `POWER_BI_CLIENT_SECRET` | a client secret generated in your app registration for PowerBI | -| `POWER_BI_TENANT_ID` | tenant id of your app registration (visible in the _Overview_ blade) | +| Parameter name | Value description | +| ------------------------ | ------------------------------------------------------------------------------------- | +| `POWER_BI_SCOPE` | "https://analysis.windows.net/powerbi/api/.default" | +| `POWER_BI_CLIENT_ID` | client id of the webapp app registration (visible in the _Overview_ blade) | +| `POWER_BI_WORKSPACE_ID` | id of the Power BI workspace containing your reports | +| `POWER_BI_AUTHORITY_URI` | "https://login.microsoftonline.com/common/v2.0" | +| `POWER_BI_CLIENT_SECRET` | a client secret generated in your app registration for PowerBI | +| `POWER_BI_TENANT_ID` | tenant id of your app registration (visible in the _Overview_ blade) | +| `CSM_API_TOKEN_AUDIENCE` | (optional) if defined, queries whose token don't match this audience will be rejected | The value for `POWER_BI_WORKSPACE_ID` can be found in the PowerBI service URL: when your report is opened, the workspace id is visible after `/groups/` in the URL (e.g. "https://app.powerbi.com/groups/YOUR_WORKSPACE_ID/"). 
@@ -643,6 +644,9 @@ id is visible after `/groups/` in the URL (e.g. "https://app.powerbi.com/groups/ For `POWER_BI_CLIENT_SECRET`, you can create a new client secret from _Azure Portal_ > _App Registrations_ > _[name of your webapp app registration]_ > _Certificates & secrets_. +`CSM_API_TOKEN_AUDIENCE` is optional but strongly recommended. It increases security by checking the audience field in +the user access token. The expected value is the **application id** of the Cosmo Tech API enterprise application. + #### Azure Function configuration for local run If you want to run the Azure Function locally to visualize the embedded dashboards from a local webapp, you first need @@ -660,7 +664,8 @@ JSON file. Create a _**local.settings.json**_ file in the **api** folder with th "POWER_BI_WORKSPACE_ID": "INSERT POWER BI WORKSPACE ID HERE", "POWER_BI_AUTHORITY_URI": "https://login.microsoftonline.com/common/v2.0", "POWER_BI_CLIENT_SECRET": "INSERT CLIENT SECRET HERE", - "POWER_BI_TENANT_ID": "INSERT TENANT ID HERE" + "POWER_BI_TENANT_ID": "INSERT TENANT ID HERE", + "CSM_API_TOKEN_AUDIENCE": "INSERT EXPECTED TOKEN AUDIENCE HERE" } } ```
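Review bot: In the first hunk (`@@ -628,14 +628,15 @@`), the new `CSM_API_TOKEN_AUDIENCE` row describes the effect of the setting but not the value to enter, unlike every other row in the table. Put the expected value in the row itself (the application id of the Cosmo Tech API enterprise application, as the paragraph added further down says) and fix the grammar: "queries whose token doesn't match this audience will be rejected". The row should also say what happens when the variable is left undefined, since "if defined" implies that the audience is not checked at all in that case. The other six rows are changed only to widen the column, which hides the single functional addition in the diff; consider shortening the new description so the existing rows stay untouched.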
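Review bot: In the second hunk (`@@ -643,6 +644,9 @@`), the added paragraph calls the setting "optional but strongly recommended" without stating the consequence of omitting it. Say explicitly that when `CSM_API_TOKEN_AUDIENCE` is not set the audience field of the user access token is not checked, so that a reader understands what they give up by skipping it. The paragraph also does not say where the application id of the Cosmo Tech API enterprise application can be found, whereas the entries for `POWER_BI_CLIENT_ID`, `POWER_BI_TENANT_ID` and `POWER_BI_CLIENT_SECRET` each point to a portal location; add the equivalent pointer here.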
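Review bot: In the third hunk (`@@ -660,7 +664,8 @@`), the `local.settings.json` template now always defines `CSM_API_TOKEN_AUDIENCE`, with the placeholder "INSERT EXPECTED TOKEN AUDIENCE HERE". Because the table states that the check applies whenever the variable is defined, a developer who copies the template and leaves the placeholder in place would see every query rejected for an audience mismatch. Add a sentence next to the template telling readers to either replace the placeholder or remove the key, and word the placeholder consistently with the prose above (for example "INSERT COSMO TECH API APPLICATION ID HERE") so it is clear which identifier is expected.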