When embedding Power BI reports in an application for customers, authentication is a mandatory step. It is required because the application accesses Power BI content that lives in an Azure AD tenant, so Azure AD must verify the identity the application presents before issuing it a token. There are two main ways to authenticate the application: Master User and Service Principal.
Master User Authentication
The master account is the identity the application uses whenever it needs to authenticate against Azure resources. The application's back end stores this account's credentials and uses them to acquire an Azure AD access token. With that token it calls the Power BI REST API to generate an embed token, which is handed to the client-side embedding code (the embed token carries the information the client needs to load the chosen report). The credentials and the access token stay on the back end; only the embed token reaches the browser. Additionally, the master user account must hold a Power BI Pro license and must be an admin (owner) of the app workspace that will be used for embedding.
Service Principal Authentication
Unlike a master user, a service principal has no access to the Power BI REST API or to Power BI content by default. A security group is therefore created in Azure AD and the service principal is added to it. Next, a Power BI admin enables service principal access in the admin portal (tenant settings); this setting can be scoped to specific security groups or opened to the entire organization. Finally, so that the application can retrieve reports, datasets and dashboards for embedding, the service principal itself, or the security group that contains it, is added to the workspace as a member or admin.
The design of the embedding solution depends on the authentication type, so it is crucial to understand the limitations of each method before choosing one.
Considerations & Limitations of Master User
- A global administrator needs to register each master user in Azure AD.
- Master user authentication requires credentials (username and password), i.e. the resource owner password credentials flow, which isn't aligned with Azure AD best practices and cannot be combined with multi-factor authentication. Moreover, managing multiple master users and their passwords is challenging.
- This method requires a Power BI Pro license.
- For security purposes, the master user's password must be changed frequently, and every rotation must also be propagated to the credential stored by the application's back end.
Considerations & Limitations of Service Principal
- A service principal cannot sign in to the Power BI portal (Power BI service); it can only call the REST API.
- Supported only for new (app) workspaces; it cannot be used with My Workspace.
- Dataflow management is not supported.
- Access to the Power BI API is granted to the service principal by a Power BI admin through the developer settings in the admin portal.
- A dedicated capacity is required when moving to production.
Required parameters for each authentication method

| Service Principal | Master User |
|---|---|
| Azure AD application's client ID (application ID) | Azure AD application's client ID (application ID) |
| Workspace ID that contains the embedded report | Workspace ID that contains the embedded report |
| ID of the report to embed | ID of the report to embed |
| Azure AD client secret | Master user's username |
| Azure AD tenant ID | Master user's password |
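The following Python module is an added example, not code from the original post or from Microsoft's samples. It ties together the master user flow, the service principal flow and the parameter table: it validates a configuration against the parameters each method requires, builds the Azure AD token request (resource owner password credentials for a master user, client credentials for a service principal) and the Power BI REST calls that follow (generate an embed token for a report; add the service principal or its security group to a workspace), and masks the secret fields before a request body is logged. It sends nothing; every function returns the endpoint and body so the caller can post them with any HTTP client. The configuration values, GUIDs and secret strings are constructed for the example; the URLs, scope and field names are the standard Azure AD v2.0 and Power BI REST API ones.

```python
"""Request builders for the two Power BI embedding authentication methods.

Nothing here performs I/O: each function returns (URL, body) so the calling
back-end code can send it with its own HTTP client and keep secrets server-side.
"""
from urllib.parse import parse_qsl, urlencode

POWER_BI_SCOPE = "https://analysis.windows.net/powerbi/api/.default"
AAD_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
POWER_BI_API = "https://api.powerbi.com/v1.0/myorg"

# Parameters each method needs (mirrors the table above).
REQUIRED = {
    "master_user": {"client_id", "workspace_id", "report_id", "username", "password"},
    "service_principal": {"client_id", "workspace_id", "report_id", "client_secret", "tenant_id"},
}

# Constructed sample configurations (placeholder GUIDs and secrets, not real ones).
MASTER_USER_CFG = {
    "client_id": "11111111-1111-1111-1111-111111111111",
    "workspace_id": "22222222-2222-2222-2222-222222222222",
    "report_id": "33333333-3333-3333-3333-333333333333",
    "username": "pbi-master@contoso.example",
    "password": "S3cret-Pa55",
}
SERVICE_PRINCIPAL_CFG = {
    "client_id": "11111111-1111-1111-1111-111111111111",
    "workspace_id": "22222222-2222-2222-2222-222222222222",
    "report_id": "33333333-3333-3333-3333-333333333333",
    "client_secret": "Cl1ent-S3cret",
    "tenant_id": "44444444-4444-4444-4444-444444444444",
}


def validate_config(auth_type, cfg):
    """Return the set of required parameters that are missing or empty for auth_type."""
    if auth_type not in REQUIRED:
        raise ValueError("unknown auth type: %s" % auth_type)
    return {key for key in REQUIRED[auth_type] if not cfg.get(key)}


def token_request(auth_type, cfg):
    """Return (token endpoint, url-encoded form body) for the Azure AD v2.0 token request.

    master_user       -> grant_type=password (resource owner password credentials);
                         no tenant ID is needed, so the 'organizations' endpoint is used.
    service_principal -> grant_type=client_credentials against the tenant's endpoint.
    """
    missing = validate_config(auth_type, cfg)
    if missing:
        raise ValueError("missing parameters for %s: %s" % (auth_type, sorted(missing)))
    if auth_type == "master_user":
        url = AAD_TOKEN_URL.format(tenant="organizations")
        body = {"grant_type": "password", "client_id": cfg["client_id"],
                "scope": POWER_BI_SCOPE, "username": cfg["username"],
                "password": cfg["password"]}
    else:
        url = AAD_TOKEN_URL.format(tenant=cfg["tenant_id"])
        body = {"grant_type": "client_credentials", "client_id": cfg["client_id"],
                "client_secret": cfg["client_secret"], "scope": POWER_BI_SCOPE}
    return url, urlencode(body)


def embed_token_request(cfg, access_level="View"):
    """Return (URL, JSON body) for 'Reports - Generate Token In Group'.

    The caller sends it with 'Authorization: Bearer <access token>' from token_request;
    the resulting embed token is the only credential that goes to the browser.
    """
    url = "%s/groups/%s/reports/%s/GenerateToken" % (
        POWER_BI_API, cfg["workspace_id"], cfg["report_id"])
    return url, {"accessLevel": access_level}


def add_workspace_member_request(workspace_id, object_id, principal_type="App",
                                 access_right="Member"):
    """Return (URL, JSON body) for 'Groups - Add Group User'.

    principal_type 'App' adds the service principal itself, 'Group' adds the
    security group that contains it; access_right is the workspace role.
    """
    if principal_type not in {"App", "Group", "User"}:
        raise ValueError("unsupported principalType: %s" % principal_type)
    if access_right not in {"Admin", "Member", "Contributor", "Viewer"}:
        raise ValueError("unsupported groupUserAccessRight: %s" % access_right)
    url = "%s/groups/%s/users" % (POWER_BI_API, workspace_id)
    return url, {"identifier": object_id, "groupUserAccessRight": access_right,
                 "principalType": principal_type}


def redact_form(body, secret_fields=("password", "client_secret")):
    """Mask secret fields in a url-encoded body so it can be logged safely."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, "REDACTED" if k in secret_fields else v) for k, v in pairs])


if __name__ == "__main__":
    for auth_type, cfg in (("master_user", MASTER_USER_CFG),
                           ("service_principal", SERVICE_PRINCIPAL_CFG)):
        url, body = token_request(auth_type, cfg)
        print(auth_type, "->", url)
        print("  form:", redact_form(body))
        print("  embed:", embed_token_request(cfg))
    print(add_workspace_member_request(SERVICE_PRINCIPAL_CFG["workspace_id"],
                                       "55555555-5555-5555-5555-555555555555"))
```

Note that `validate_config` rejects a configuration that mixes the two parameter sets (a client secret supplied for a master user, or a tenant ID missing for a service principal), which is the most common misconfiguration when switching between the methods, and that `redact_form` is applied to the body before it is logged, never to the body that is actually sent.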