Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Calling all Data Engineers! Fabric Data Engineer (Exam DP-700) live sessions are back! Starting October 16th. Sign up.

Reply
Erkko
Frequent Visitor

Power BI Embedded for customers security question

‎04-24-2025 12:58 AM

Hi! 

 

We are currently working a project where we embed Power BI in our app for customers. We have all the data in one table and my concern is that is it possible to provide the customer ID from our app with embed token and apply automatically some kind of locked filter to show only data mapped to that provided customer ID? 

 

Example of the case: 

Customer A signs in our app and navigates to page where Power BI embedded is. Power BI embedded automatically filters the data belonging to Customer A and hides everything else. 

Customer B signs in the same time and sees only data belonging to Customer B.

I'm new at this so any kind of help is more than welcome. Thanks!

Message 1 of 5
882 Views
0
1 ACCEPTED SOLUTION
v-pgoloju
Community Support
Community Support

‎04-24-2025 03:08 AM

Hi @Erkko,

 

Thank you for reaching out to the Microsoft Fabric Forum Community.

 

In Power BI Embedded you can enforce multi‑tenant isolation by combining a single Dynamic Row‑Level Security (RLS) role in the dataset with an embed token that carries the viewer’s Customer ID. You create one RLS role in Power BI Desktop—e.g. CustomerRole whose filter is [CustomerID] = CUSTOMDATA(). When each user signs in to your SaaS app, your back‑end calls GenerateToken and, in the effectiveIdentity, supplies that role plus a customData value equal to the user’s Customer ID (or a comma‑separated list of IDs for resellers). Because CUSTOMDATA() is populated from the signed token, Power BI automatically filters the dataset so the report renders only the rows whose CustomerID matches the value in the token—no extra code or

slicers required, and users cannot tamper with the filter. This lets a single published report securely serve every customer while minimizing maintenance and license overhead.

 

Thank you & best regards,
Prasanna Kumar

View solution in original post

Message 2 of 5
854 Views
4 REPLIES 4
FabricISV
Regular Visitor

‎07-24-2025 02:59 PM

does this work for MS fabric Direct Query or Direct Lake ? 

Message 5 of 5
563 Views
0
Erkko
Frequent Visitor

‎04-24-2025 04:17 AM

Thank you for the answer! We will test this one 🙂

Message 4 of 5
845 Views
0
v-pgoloju
Community Support
Community Support

‎04-24-2025 03:08 AM

Hi @Erkko,

 

Thank you for reaching out to the Microsoft Fabric Forum Community.

 

In Power BI Embedded you can enforce multi‑tenant isolation by combining a single Dynamic Row‑Level Security (RLS) role in the dataset with an embed token that carries the viewer’s Customer ID. You create one RLS role in Power BI Desktop—e.g. CustomerRole whose filter is [CustomerID] = CUSTOMDATA(). When each user signs in to your SaaS app, your back‑end calls GenerateToken and, in the effectiveIdentity, supplies that role plus a customData value equal to the user’s Customer ID (or a comma‑separated list of IDs for resellers). Because CUSTOMDATA() is populated from the signed token, Power BI automatically filters the dataset so the report renders only the rows whose CustomerID matches the value in the token—no extra code or

slicers required, and users cannot tamper with the filter. This lets a single published report securely serve every customer while minimizing maintenance and license overhead.

 

Thank you & best regards,
Prasanna Kumar

Message 2 of 5
855 Views
Erkko
Frequent Visitor
In response to v-pgoloju

‎08-14-2025 06:38 AM

Hi! We got everything working with the normal PBI reports. However we need support to embed also paginated reports in app. We have looked Use row-level security when embedding paginated reports - Power BI | Microsoft Learn this document when applying the settings. We pass "identities": [ username: ] the CUSTOMDATA() value so that the paginated report would work but instead the customdata() value, the report displays some Power BI session GUID for some reason. Do you have any ideas how to get the paginated report embedding with RLS work properly? 

 

Thank you very much in advance!

Message 3 of 5
400 Views
0

Helpful resources

Announcements
FabCon Global Hackathon Carousel

FabCon Global Hackathon

Join the Fabric FabCon Global Hackathon—running virtually through Nov 3. Open to all skill levels. $10,000 in prizes!

October Power BI Update Carousel

Power BI Monthly Update - October 2025

Check out the October 2025 Power BI update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All