Authentication Methods Used In Power BI Embedding

Embedding Power BI reports in an application for customers requires authentication: the application needs resources from the Azure AD tenant, so Azure AD must first verify the application. There are two main ways to authorize the application: Master User and Service Principal.

Master User Authentication

Our application uses the master account whenever it needs to authenticate to access Azure resources. The application’s back-end stores this account’s credentials and uses them to acquire an Azure AD authentication token through the Power BI API calls. Using that authentication token, the master user then generates the embed token, which is passed to the application to embed the desired report (the embed token contains all the information about the report). Additionally, the master user account should have a Power BI Pro license and should be an owner of the app workspace that is going to be used for embedding.

Service Principal Authentication

A service principal does not have access to any of the Power BI APIs and content that the master user has. Hence, a security group is created in Azure AD and the service principal is added to that group. For Azure AD to access Power BI content, a Power BI admin then enables service principal access in the admin portal. The Power BI admin can grant these permissions to specific security groups or to the entire organization. Finally, for Azure AD to retrieve reports, datasets and dashboards for embedding, the service principal, or the security group that contains it, is added as a member or admin of the workspace.


The embedding solution depends on the authentication type, so it is crucial to understand the limitations of each method before choosing one.

Considerations & Limitations of Master User
  1. A global administrator always needs to register each master user in Azure AD.
  2. Master user authentication requires credentials (username and password), an authentication method that isn’t aligned with Azure AD best practices. Moreover, managing multiple master users and their associated passwords is challenging.
  3. This method requires a Power BI Pro license.
  4. For security purposes, it is necessary to change the Power BI account password frequently.

Considerations & Limitations of Service Principal
  1. You cannot access the Power BI service or sign in to the Power BI portal with a service principal.
  2. This method is supported only by New Workspace and does not work with My Workspace.
  3. Dataflow management is not supported.
  4. Power BI admin permissions are delegated to the service principal via the Power BI admin developer settings.
  5. A capacity is required when moving to production.

Required parameters as per the chosen Authentication Method

| Service Principal | Master User |
| --- | --- |
| Azure AD application’s client ID/Application ID | Azure AD application’s client ID/Application ID |
| Workspace ID that contains the embedded report | Workspace ID that contains the embedded report |
| ID of the required embedding report | ID of the required embedding report |
| Azure AD client secret | Master User’s username |
| Azure AD tenant ID | Master User’s password |
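
The token requests behind the two methods, built from the parameters listed above, as an added example that is not part of the original article; it only constructs the requests and sends nothing. The Azure AD v2.0 token endpoint, the Power BI scope, the `organizations` tenant default for the master user, and all function names are assumptions not stated on the page.

```python
import json
from urllib.parse import urlencode

# Public Azure AD v2.0 token endpoint and Power BI REST API scope (assumptions).
AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://analysis.windows.net/powerbi/api/.default"
API = "https://api.powerbi.com/v1.0/myorg"

# Parameters each method needs, as listed in the table above.
COMMON = ("client_id", "workspace_id", "report_id")
REQUIRED = {
    "service_principal": COMMON + ("client_secret", "tenant_id"),
    "master_user": COMMON + ("username", "password"),
}


def build_token_request(method, cfg):
    """Return (url, form_body) for the Azure AD token call; nothing is sent."""
    if method not in REQUIRED:
        raise ValueError(f"unknown authentication method: {method}")
    missing = [k for k in REQUIRED[method] if not cfg.get(k)]
    if missing:
        raise ValueError(f"{method} is missing: {', '.join(missing)}")
    form = {"client_id": cfg["client_id"], "scope": SCOPE}
    if method == "service_principal":
        # OAuth 2.0 client credentials grant: the app authenticates as itself.
        form.update(grant_type="client_credentials",
                    client_secret=cfg["client_secret"])
        tenant = cfg["tenant_id"]
    else:
        # Resource owner password credentials grant: the back-end replays the
        # master user's password, so it has to be stored and rotated there.
        form.update(grant_type="password", username=cfg["username"],
                    password=cfg["password"])
        tenant = cfg.get("tenant_id", "organizations")  # assumed default
    return AUTHORITY.format(tenant=tenant), urlencode(form)


def build_embed_token_request(cfg, access_token):
    """Return (url, headers, json_body) for the report's GenerateToken call."""
    url = (f"{API}/groups/{cfg['workspace_id']}"
           f"/reports/{cfg['report_id']}/GenerateToken")
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    return url, headers, json.dumps({"accessLevel": "View"})
```

In a real back-end the secret or password would come from a secret store or environment variable rather than source code, and the resulting form body should never be written to logs.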

Pragya Verma
Addend Analytics
