Implementing Secure Multitenant Power BI Embedded Reports
February 9, 2024

This article describes how to develop a multitenancy application that embeds Power BI content while achieving the highest levels of scalability, performance, and security.

Multitenancy refers to the ability to serve multiple customers or tenants while isolating their data and customizations securely. This is crucial when you’re building an application that serves different clients, and you need to keep their data separate.
You can achieve Power BI embedding by using two different embedding scenarios: Embed for your organization and Embed for your customer.

 

Embed for Your Organization:

It is also know as User own data. This type of application is used when the company wants to embed visualisations for its internal users.

The end user who’s connected to the system will have access to the visualizations permitted for them. Data privacy will be maintained through the direct management of row-level security by Power BI. To access the embedded visualizations, the user is required to be authenticated through Azure Active Directory. If they’re not already logged in, they’ll be prompted with a Microsoft login form before gaining access to the visualizations.

Embed for your customer:

It is also known as the app’s data. It is used if the application we are developing needs to embed Power BI visualizations for external users.

The application will perform authentication without requiring interactive user input. Instead, it will use our company’s authentication method, employing a service principal or a master user for the authentication process.

Here are some key points related to multitenant Power BI Embedded reports:

  1. Tenant Isolation: In a multitenant environment, each customer or tenant’s data and customizations are kept separate. This ensures that Tenant A cannot access or view the data of Tenant B.
  2. Authentication and Authorization: Power BI Embedded provides authentication and authorization mechanisms to ensure that the right users can access their respective data. It often involves integrating Azure Active Directory for user management.
  3. Row-Level Security: Row-level security in Power BI allows you to restrict data access within a report based on a user’s role or profile. In a multitenant scenario, you can configure row-level security to filter data specific to each tenant.
  4. Custom Branding: You can customize the appearance of embedded reports to match the branding and user experience of your application. This ensures that the embedded reports seamlessly integrate with your product.
  5. Resource Management: Multitenant Power BI Embedded solutions require resource management to allocate and control the resources each tenant can use. Azure provides tools and APIs for this purpose.
  6. Scalability and Performance: As your application serves multiple tenants, scalability and performance are critical. You need to monitor and optimize the performance of your Power BI Embedded reports to provide a seamless experience to all tenants.
  7. Usage Metrics: It’s essential to monitor how each tenant is using your embedded reports. Usage metrics can help you understand the impact of your reports and make necessary improvements.
  8. Licensing and Billing: Consider how you’ll handle licensing and billing for each tenant using your application. Power BI offers various licensing options, and you need to align them with your pricing structure.

 

Prerequisites:

  • Power BI PRO account.
  • Azure Active Directory Tenant.
  • Azure Active Directory (AD) application.

To enable your Azure AD application to interact with necessary services, you must configure specific API permissions. In this case:

Microsoft Graph:

        Permission: Read (This allows the application to sign in and access basic user information).

Power BI Service:

  • Permission: Read.All (Enables the application to view all reports in the Power BI Service).
  • Optional: Dashboard.Read.All (If you want to embed dashboards, this permission is required).

You can simplify the application registration process by using a dedicated tool: [Power BI Embedded Setup Tool. This tool automates the creation of the application with the required options, streamlining the setup.

Additionally, it’s essential to configure a redirect URI in Azure AD. This URI serves as the destination where the user is redirected after successful authentication. This step ensures a secure and seamless flow after the user signs in.

Procedural Overview:

  1. Configure the necessary API permissions (Microsoft Graph and Power BI Service).
  2. Utilize automated application registration.
  3. Set up a redirect URI in Azure AD to manage the redirection of users after authentication.

 

Power BI Client Library:

Microsoft offers a JavaScript Client library called the Power BI-client library, designed for direct interaction with Power BI. To incorporate it into a JavaScript project, you can conveniently install it via NPM using the following command:

npm install –save powerbi-client

For .NET projects, the library is accessible through NuGet, and you can install it using the following command:

         Install-Package Microsoft.PowerBI.JavaScript

 

This library plays a crucial role in embedding and interacting with Power BI from within a JavaScript application. It’s instrumental in executing steps 3 and 4 outlined in the architecture overview section.

By leveraging this library, you can not only embed reports but also perform various actions such as applying filters and slicers, navigating through different report pages, presenting Q&A results, displaying specific visuals, and more. Its versatility makes it a comprehensive tool for seamlessly integrating Power BI features into your JavaScript applications.

Embedding Power BI Reports in Web Applications:

To seamlessly integrate a Power BI report into a web application, follow these steps using the Power BI Client library. First, create a designated container in your HTML page where the report will be embedded:

<div id=“reportContainer”></div>

Next, use the following JavaScript code to implement the embedding:
// Function to embed Power BI report
function embedPowerBIReport(msalAccessToken, reportId) {
const config = {
type: ‘report’,
permissions: pbi.models.Permissions.Read,
tokenType: pbi.models.TokenType.Aad,
accessToken: msalAccessToken,
embedUrl: ‘https://app.Power BI.com/reportEmbed’,
id: reportId,
};
const reportContainer = document.getElementById(‘reportContainer’);
this.report = this.pbiService.embed(reportContainer, config) as pbi.Report;
}

Key configuration parameters are essential to ensure proper visualization:

  • type: Specifies the type of visualization to embed (in this case, ‘report’).
  • permissions: Defines the user’s permissions for interacting with the report (Read-only in this example).
  • tokenType: Specifies the type of token providing access to embedded Power BI data (models.TokenType.Aad for organizational embedding).
  • accessToken: Requires the access token obtained from the Microsoft Authentication Library (MSAL).
  • embedUrl: Indicates the URL of the report to be embedded.
  • id: Specifies the ID of the report to be embedded.

With these configurations in place, the report will seamlessly appear on the screen when everything is set up correctly.

Here you can see some example of Power BI reports embedded into our Observation Deck application:

Conclusion:

Multi-tenant Power BI Embedded reports are a powerful way to offer data analytics to a diverse user base while ensuring data isolation, scalability, and customization. By understanding the key components and considerations, developers can create applications that provide valuable insights to multiple tenants, all within a secure and efficient framework.

By embracing multi-tenancy in Power BI Embedded, organizations can unlock new possibilities for data-driven decision-making and insights across various industries.

optisolnew1 / About Author
More posts by optisolnew1
Connect With Us!