Solved: Re: Implement Power BI Embedded with RLS

CoulterJames2 · ‎03-28-2024

I am working with a clientwho wants to share a Power BI report with users outside their organisation using Power BI Embedded. The customer is a supplier of materials to the healthcare industry and they want to show their customers a dashboard of their spend to date through their online e-commerce platform. The idea is that the report and data model would implement dynamic RLS so that each end user sees only their own spending data. In an ideal scenario, the external customer would not have to be set up in the client's Azure AD/Entra ID, and the end user would not have to sign in to Power BI in order to view the report. Is this a supported scenario? I've looked extensively into the various options for embedding Power BI and one solution seems to involve configuring roles in the Power BI service, then adding users to roles, but the users a) have to exist in Entra ID and b) will need to sign in before they can view the report. The other option seems to involve using a service principal to connect to Power BI, but it's not clear how the user credentials get passed to Power BI so that the data is filtered via RLS. Is this controlled through the embed tokens?

I've tried to set up a demo environment internally first and have got as far as the following steps:

Provisioned a Power BI Embedded capacity
Created a workspace and assigned it to the capacity
Created a simple report using dynamic row-level security to filter the content of the report based on the identity of the logged-in user. This works fine when tested in Power BI Desktop (using View As) and also in the Power BI service. The users I have tested it with exist in my Azure AD/Entra tenant. In the customer's scenario they would prefer not to have to invite external users to their Entra tenant.
Created an App Registration in Azure, added it to a security group, and granted access to the read-only API permissions for Power BI (I did this using the Power BI Embedded set up tool at: https://app.powerbi.com/embedsetup)
In Power BI tenant admin settings, enabled REST API endpoints for Service Principals and added the security group created in the previous step.
Gave the security group Admin access on the workspace.

I'm now at the point where I'm using one of the "AppOwnsData" sample projects to test the embedding, but what is not made clear is how the user credentials get passed through to Power BI in order for the content to be filtered to the user. Are there links to any resources that show me what the next steps are to get this working?

As a side note, when I run the sample solution it fails to retrieve the embed token with http error 500 "bad request" so seems like something is wrong in my setup.

Anonymous · ‎03-28-2024

Hi @CoulterJames2 ,

You can refer the following links to embed the report with RLS:

Using standard cloud based row-level security with embedded content in Power BI embedded analytics

Power BI Embedded: Convention-based dynamic Row-level Security

Enable Row Level Security (RLS) and Embed PowerBI Dashboard in an Application

Best Regards

View solution in original post

lherbert501 · ‎09-11-2024

Hi @CoulterJames2 ,

How did you get on with this? I'm looking at doing the same but it doesn't feel like there's loads out there on it at the moment.

Thanks

Liam

CoulterJames2 · ‎09-11-2024

Hi @lherbert501 I did get this working in the end, but as you have found, the official MS documentation can be a bit unclear at times. Firstly, your semantic models and reports have to be deployed to the Embedded capacity. Secondly, assuming your web app (in which the Power BI reports are going to be displayed) handles user login and authentication, you need a means of associating the logged in user with the data in your model that requires filtering. In our case, we wanted to show a customer spending report in which the content was filtered by customer ID. We had two options: we could either create a table in the data model that had a list of web app logins and the associated customer ID, then pass the user ID in the API request and use that to filter the report, or since the user and customer details already existed in the web app back end, we just passed the customer ID itself as the USERNAME() in the DAX expression to filter the customer table.

Also, you will first need get a access token using the Service Principal credentials, passing in the client ID and client secret which you get from Azure AD/Entra ID:

GET: https://login.microsoftonline.com/{tenant ID}/oauth2/v2.0/token

Once you get the token back, that needs to be included as the bearer token in subsequent API calls to the Power BI service.

To generate an embed token to display the report, you need to call GenerateToken endpoint with a JSON body looking something like this:

{

"accessLevel": "View",

"allowSaveAs": false,

"identities": [

{

"username": "{value passed in from web app that will be used to filter the table}",

"roles": ["{name of dynamic RLS role"],

"datasets": ["{semantic model ID"]

}

]

}

I hope that helps

lherbert501 · ‎09-11-2024

Hi @CoulterJames2 ,

Wow that's amazing, thanks so much for that.

Was there any steps or videos that you used that could help?

I'm looking at doing the same but with e.g an email log in that I create per customer which would be the log in which is passed through the url to filter the report.

I'm just a bit confused with the steps, so I have the report, with a test RLS set up, but what is the next step I guess straight after that.

Thanks for your reply