You can embed Power BI into any web-based solution you want. When you use an Azure AD app to connect, you will not need any Power BI Pro license to access it. You will also need a Power BI Premium capacity when it goes to production, depending on the queries made on the custom portal where you plan to display the report.
Let’s see how to implement it. Create an app registration to start with.
Home – Azure Active Directory – Enterprise Applications
App registrations – Microsoft Azure
New registration – Name – Accounts in this organizational directory only (most cases)
You will be using the tenant ID in later steps.
Copy the Client Secret you created – VJ9Gx75.-.I1RcJvb~~h4gqe_64Uk3fuDY
We create this security group to narrow the scope of access: instead of allowing the whole organization, we will allow only this Azure AD app to access Power BI.
Admin Portal – Groups – Active Groups – Add a Group – Security Group
https://admin.microsoft.com/#/groups
Enter a friendly name.
We need to get the object ID of the security group we created.
If you don’t have the AzureAD module installed, install and import it first:
Install-Module -Name AzureAD
Import-Module -Name AzureAD
Connect-AzureAD
Now copy the object ID of the group:
Get-AzureADGroup | Where-Object{$_.displayname -like "OnlyMembersCanReadfromBI"}
Get the service principal object ID (note: the Azure app object ID is different from the service principal object ID):
Get-AzureADServicePrincipal -SearchString "powerbi-read-via-azure-ad-app"
Now add the service principal to the Azure AD security group:
Add-AzureADGroupMember -ObjectId 66a95eb3-c534-4fe9-b0d0-ee0b0414c07c -RefObjectId ff3895c2-23d0-43a5-a595-829a549bbbb9
Verify it got added:
Get-AzureADGroupMember -ObjectId 66a95eb3-c534-4fe9-b0d0-ee0b0414c07c
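The same group steps as one repeatable script, added here as an example (it is not the author's code). It resolves both object IDs by the display names used on this page instead of pasting GUIDs, stops if a name is ambiguous, and lists any other members of the group, since everything in this group gains access to the Power BI APIs once the tenant setting is applied. It assumes both display names are unique in the tenant.

```powershell
# Added example: display names are the ones used on this page; adjust for your tenant.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$groupName = 'OnlyMembersCanReadfromBI'
$appName   = 'powerbi-read-via-azure-ad-app'

# Resolve exactly one group and one service principal by exact display name.
$group = @(Get-AzureADGroup -SearchString $groupName |
    Where-Object { $_.DisplayName -eq $groupName })
$sp = @(Get-AzureADServicePrincipal -SearchString $appName |
    Where-Object { $_.DisplayName -eq $appName })

if ($group.Count -ne 1) { throw "Expected 1 group named '$groupName', found $($group.Count)" }
if ($sp.Count -ne 1)    { throw "Expected 1 service principal named '$appName', found $($sp.Count)" }

# The tenant setting takes security groups, so check the flag before relying on it.
if (-not $group[0].SecurityEnabled) { throw "'$groupName' is not a security-enabled group" }

# The member must be the service principal object, not the app registration object.
$groupId = $group[0].ObjectId
$spId    = $sp[0].ObjectId

# Add the service principal only if it is not already a member (safe to re-run).
$members = @(Get-AzureADGroupMember -ObjectId $groupId -All $true)
if ($members.ObjectId -notcontains $spId) {
    Add-AzureADGroupMember -ObjectId $groupId -RefObjectId $spId
    $members = @(Get-AzureADGroupMember -ObjectId $groupId -All $true)
}

if ($members.ObjectId -notcontains $spId) {
    throw "Service principal $spId is still not a member of group $groupId"
}

# Anything else in the group also falls under the Power BI tenant setting.
$unexpected = @($members | Where-Object { $_.ObjectId -ne $spId })
if ($unexpected.Count -gt 0) {
    Write-Warning "Group has $($unexpected.Count) member(s) besides the service principal:"
    $unexpected | Select-Object ObjectId, ObjectType, DisplayName | Format-Table
}

"Group ID: $groupId"
"Service principal ID: $spId"
```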
Let’s apply this group in the Power BI tenant settings, and create a Power BI workspace and a report if you don’t have one.
Go to the Power BI Admin Portal:
Settings – Admin Portal
Allow service principals to use Power BI APIs
Enabled for a subset of the organization
Specific Security Groups – Enter the security group we created
Save
There is also a setting in preview that allows read-only access only: Allow service principals to use read-only Power BI admin APIs (Preview). I tried enabling the preview setting. It doesn’t seem to work at the time I am writing this article.
Now create a workspace if you don’t have one, create a test report if you don’t have one.
Please note: this will not work on “My workspace”; you need to create a workspace. In my case, I created one called Azure365ProWorkSpace.
Created a test report
Log in to Power BI from PowerShell with Login-PowerBI. If you don’t have the modules, install them.
Install-Module -Name MicrosoftPowerBIMgmt
Import-Module MicrosoftPowerBIMgmt
Login-PowerBI
Now copy the workspace ID:
Get-PowerBIWorkspace | Where-Object {$_.Name -like "Azure365ProWorkSpace"}
Add the service principal to the workspace, using the workspace ID and the service principal object ID retrieved earlier:
Add-PowerBIWorkspaceUser -Id a8f44d06-6326-4c78-a140-c3beb13966a3 -AccessRight Member -PrincipalType App -Identifier ff3895c2-23d0-43a5-a595-829a549bbbb9
You can change the access right to Admin if you need it, but it works seamlessly as a Member for custom portals. It depends on your requirement.
Now let’s see how to get an embed token and make sure the application works. Always keep in mind that your Azure AD token is different from the embed token. I tried for several hours to get the embed token via Postman. I couldn’t achieve it. The only easy way to get the embed token is via PowerShell for now. Getting the embed token via Postman is quite complicated.
Now collect these values for the script:
$url (you need to customize the URL with your workspace ID and report ID to generate the token – check script/screenshot) / $applicationId / $clientsecret
$applicationId = "7ee3dd60-09f9-4c23-ac59-9d2fb02582fd"
$clientsecret = "VJ9Gx75.-.I1RcJvb~~h4gqe_64Uk3fuDY" | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $applicationId, $clientsecret
Connect-PowerBIServiceAccount -ServicePrincipal -Credential $credential -TenantId "2549c50e-e478-40d8-82cf-fa4efb5d1426"   # part 1: sign in as the service principal
$url = "https://api.powerbi.com/v1.0/myorg/groups/a8f44d06-6326-4c78-a140-c3beb13966a3/reports/6640254f-145a-4577-9f45-a655476e465d/GenerateToken"   # groups/<workspace ID>/reports/<report ID>
$body = '{ "accessLevel": "View" }'   # valid JSON needs double-quoted keys and values
$response = Invoke-PowerBIRestMethod -Url $url -Body $body -Method Post   # part 2: request the embed token
$response
$json = $response | ConvertFrom-Json
$json.token
Now use PowerShell ISE. It makes it much easier to run a selection.
Use Run Selection on the first part so that you can make sure you can connect to the Power BI service.
Once you see a successful login, you can run the next part of the script. As you know, you can always save it as a .ps1 file and run it as often as you want. Running it in parts is for better understanding.
When you copy the embed token from PowerShell, you need to put it on a single line without spaces for it to work smoothly.
Get the Embed URL
Collect the report ID from the same embed URL
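A variant of the token script above, added here as an example (it is not the author's code). It keeps the client secret out of the script file, reads the embed URL from the report metadata instead of copying it by hand, and returns the token as one whitespace-free string together with its expiry. The `PBI_CLIENT_SECRET` environment variable and the `Get-PbiEmbedConfig` function name are assumptions. The IDs in the call are the ones used on this page.

```powershell
# Added example. Assumed names (not from the page): PBI_CLIENT_SECRET, Get-PbiEmbedConfig.
Import-Module MicrosoftPowerBIMgmt

function Get-PbiEmbedConfig {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ApplicationId,
        [Parameter(Mandatory)] [string] $WorkspaceId,
        [Parameter(Mandatory)] [string] $ReportId
    )
    # The secret comes from the environment, so the .ps1 file can be shared or committed.
    if (-not $env:PBI_CLIENT_SECRET) { throw 'PBI_CLIENT_SECRET is not set' }
    $secret = ConvertTo-SecureString $env:PBI_CLIENT_SECRET -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential ($ApplicationId, $secret)

    Connect-PowerBIServiceAccount -ServicePrincipal -Credential $cred -TenantId $TenantId | Out-Null
    try {
        $base = "https://api.powerbi.com/v1.0/myorg/groups/$WorkspaceId/reports/$ReportId"

        # The report metadata carries the embed URL for this report.
        $report = Invoke-PowerBIRestMethod -Url $base -Method Get | ConvertFrom-Json

        # Request a view-only embed token; ConvertTo-Json produces valid JSON.
        $body  = @{ accessLevel = 'View' } | ConvertTo-Json
        $token = Invoke-PowerBIRestMethod -Url "$base/GenerateToken" -Method Post -Body $body |
            ConvertFrom-Json

        [pscustomobject]@{
            ReportId   = $report.id
            EmbedUrl   = $report.embedUrl
            EmbedToken = ($token.token -replace '\s', '')  # single line, no spaces
            Expiration = $token.expiration                 # request a new token after this
        }
    }
    finally {
        # Do not leave the service principal session open in the console.
        Disconnect-PowerBIServiceAccount
    }
}

$cfg = Get-PbiEmbedConfig -TenantId '2549c50e-e478-40d8-82cf-fa4efb5d1426' `
    -ApplicationId '7ee3dd60-09f9-4c23-ac59-9d2fb02582fd' `
    -WorkspaceId 'a8f44d06-6326-4c78-a140-c3beb13966a3' `
    -ReportId '6640254f-145a-4577-9f45-a655476e465d'
$cfg | Select-Object ReportId, EmbedUrl, Expiration | Format-List
$cfg.EmbedToken | Set-Clipboard   # avoids console line wrapping when copying the token
```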
Embed Token – Sample
H4sIAAAAAAAEAC3Sx66DVgBF0X95UyIBpkfKgGI6pl7a7FJNxzQDUf49T1Hme3C0dP7-ceDVT7D4-fPHGI_WX9PH2ojPzsLisYnwMBkaucKCg53DNbhQ0miHMnlCWTkas-6MPQpQVTghvQZ2HY2MrTs8Z4ekLlr5Jz2KCi360mUsyy5Fh4A5L0hvtxEc_mNrVXRaJvRxb5OkbAvkh34ugerWELreIyW8uqGsOEV17Nao3FEfep5HbqDSJk2-5OQxofVJItMu-F4HZjEDZ9mK4iMujrrnGz7BjZQizHttxo6NCAVk0e5W2S6wp0u3zeDT8Sh4RMhAsfkaQDLlIBnL-Yk5CD9eiAbniHBjdS7FrVJ3uzWMgBm_LyehH18NujTdt_qyEdLYLiPfjp-tyYl6VwFG6022DV5BPQ3FVxQRL21pwyWOM_J5sg3XWTqZcuXzNLDejiTGYTYnkcMCjV6zDPQwfhwFxs_Ft2tLE5H0YxtF378MUZK-lwr4cA_xNO37LqzmgO60YnBkqe95LnmiinOFtRUArbVQFjczlDGtYWjdNchZ8HF35r33227O6tGm9OxelS1yxmruNKWmLBdhTfjG6Q7A0CyNidTCvAPtwrJLvzeIepUQWbGk3NEzvIvbslV7bJGtk06GkNAAJLUBRGC-Ei_ArCdJhOL1DPmthNa0BjQOQsk6PdzskHEp8zb-HZQmouLAhwSCy-Tzet577QBbBFzpqD-uN2B3D2ftLaWICFr_EehASERWpbu_fv74EZdr3iajvH6vy7dytB2CxOuxwXf2c5wsF09usgE6qX9ChtsXD2dDvy74LTq8dl7oozSNVF2V8jwn7Q3jmnjh4DWd8yPwmIbzzi1xaMhw9-bgJMM6obCG9xp5JuAkyOBMqNWYJAcmABRejMfRbOMqqYvDJf3zIeVnmJe97xjZt-9yeDl9Z-lLjBq1lLbhwLpU8Xma9dZKH5-2u5Vi0veLrlCH4VDMQ4d9ycJca1rZjbMjunkYt23cpoK_cEgHtSn7rHMwTyX7LV6gYrHBKHphvhQ0Ih3RXDeMYL6fhsAEXcpy5jiq0AzLNGoZLZW0ucJBe1NWOcDpUfTU8Kp23s826-l4Baif4Eu3vmrWf_3HfM3vctHCX-WOPVWoFqX_XFRqIRXSfQz_V35Tj3Dbl_I3KyXxDBzexfPEfTUwrd_PMhO04PDyMtwpkxAzBZh0_VXuKBa5rZ6rjUQJ0SSXr_HYVDCDoIgvbBr5MyoLDbjOToqvYzEQfbZ8vVCluqeuwUzUPFOVW54kSrmcprMDv9aKd7s4jG5GVJp6G6SEBehxbEwd62aRfq4K-00RgkoAMdsL_cRV-Dj1GhkWdbpFvKXvNwUbQa_54JhsqKfHQvcnOFpRuwj7CBCrUlIhcIDxzdDmWun70xXZCWtE94Iz2W2bBzkTToNQs4MQ-1yKekT6mbiEv2fj7W1V1TfEJNvDYcvzx9yhMCATTO0z-iT7ykeIP3zbcp8PbAeS5BTk6vU1arq_zP_8C1v0jcWuBQAA.eyJjbHVzdGVyVXJsIjoiaHR0cHM6Ly9XQUJJLUlORElBLUNFTlRSQUwtQS1QUklNQVJZLXJlZGlyZWN0LmFuYWx5c2lzLndpbmRvd3MubmV0IiwiZW1iZWRGZWF0dXJlcyI6eyJtb2Rlcm5FbWJlZCI6ZmFsc2V9fQ==
Embed URL – Sample
https://app.powerbi.com/reportEmbed?reportId=f6bfd646-b718-44dc-a378-b73e6b528204&groupId=be8908da-da25-452e-b220-163f52476cdd&config=eyJjbHVzdGVyVXJsIjoiaHR0cHM6Ly9XQUJJLVVTLU5PUlRILUNFTlRSQUwtcmVkaXJlY3QuYW5hbHlzaXMud2luZG93cy5uZXQiLCJlbWJlZEZlYXR1cmVzIjp7Im1vZGVybkVtYmVkIjp0cnVlfX0%3d
Report ID – Sample
6640254f-145a-4577-9f45-a655476e465d
You can verify the same using Postman.
Get embed URL
Authorization Bearer Embedtoken