I want to demonstrate to a client how you can embed a report in a custom web application using Power BI Embedded with row-level security (RLS). The client wants to share a report with users outside their organisation, and the report content must be filtered to the user viewing the report. Ideally they do not want the user to have to sign in to Power BI. Is such a scenario supported?
What I have done so far is:
- Provisioned a Power BI Embedded capacity
- Created a workspace and assigned it to the capacity
- Created a simple report using dynamic row-level security to filter the content of the report based on the identity of the logged-in user. This works fine when tested in Power BI Desktop (using View As) and also in the Power BI service. The users I have tested it with exist in my Azure AD/Entra tenant. In the customer's scenario they would prefer not to have to invite external users to their Entra tenant.
- Created an App Registration in Azure, added it to a security group, and granted access to the read-only API permissions for Power BI (I did this using the Power BI Embedded set up tool at: https://app.powerbi.com/embedsetup)
- In Power BI tenant admin settings, enabled REST API endpoints for Service Principals and added the security group created in the previous step.
- Gave the security group Admin access on the workspace.
I'm now at the point where I'm using one of the "AppOwnsData" sample solutions to test the embedding, but what is not made clear is how the user credentials get passed through to Power BI in order for the content to be filtered to the user. Presumably, I have to implement some kind of authentication to get the correct embed token back before the report is rendered?
I can get embedding to work easily where you invite the external user into AAD/Entra, add them into the necessary RLS roles, and the user is asked to sign in before the report is rendered, but the client is clear that they'd prefer an option whereby the user is presented with the filtered content the moment they select a report to view.
What remaining steps are necessary to achieve the client's goal?
Refer to this documentation: Embed a report with RLS. We need to define the roles and users in the effective identity request body while generating the embed token in order to embed a report with RLS.
This is only applicable to the app-owns-data scenario.
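
Added example, not part of the original answer or of Microsoft's AppOwnsData sample: a sketch of how the web application's back end could build the GenerateToken request with an effective identity, resolving the RLS username and roles from its own authenticated session instead of from anything the browser sends. The `APP_USERS` store, the session ids, the `CustomerUser` role name and the helper names are assumptions made for illustration.

```python
import json
import urllib.request

GENERATE_TOKEN_URL = "https://api.powerbi.com/v1.0/myorg/GenerateToken"

# Constructed sample: the web app's own user store, mapping its logged-in users
# to the RLS username and role(s) defined in the report's dataset.
APP_USERS = {
    "session-abc": {"rls_username": "alice@customer-a.example", "roles": ["CustomerUser"]},
    "session-def": {"rls_username": "bob@customer-b.example", "roles": ["CustomerUser"]},
}


def effective_identity_for(session_id, dataset_id):
    """Resolve the RLS identity server-side from the app's authenticated session.

    The username and roles are never read from query strings or request bodies
    sent by the browser, otherwise a user could request another user's rows.
    """
    user = APP_USERS.get(session_id)
    if user is None:
        raise PermissionError("no authenticated application session")
    return {"username": user["rls_username"], "roles": list(user["roles"]),
            "datasets": [dataset_id]}


def build_generate_token_body(session_id, report_id, dataset_id):
    """Request body for GenerateToken carrying the effective identity."""
    return {
        "datasets": [{"id": dataset_id}],
        "reports": [{"id": report_id}],
        "identities": [effective_identity_for(session_id, dataset_id)],
    }


def request_embed_token(sp_access_token, body):
    """POST the body using the service principal's Azure AD access token."""
    req = urllib.request.Request(
        GENERATE_TOKEN_URL,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {sp_access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["token"]
```

The returned embed token is what the page hands to the Power BI JavaScript client; the external user never signs in to Power BI and does not need to exist in the Entra tenant.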