Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

Reply
Erkko
Regular Visitor

Power BI Embedded for customers security question

Hi! 

 

We are currently working a project where we embed Power BI in our app for customers. We have all the data in one table and my concern is that is it possible to provide the customer ID from our app with embed token and apply automatically some kind of locked filter to show only data mapped to that provided customer ID? 

 

Example of the case: 

Customer A signs in our app and navigates to page where Power BI embedded is. Power BI embedded automatically filters the data belonging to Customer A and hides everything else. 

Customer B signs in the same time and sees only data belonging to Customer B.

I'm new at this so any kind of help is more than welcome. Thanks!

1 ACCEPTED SOLUTION
v-pgoloju
Community Support
Community Support

Hi @Erkko,

 

Thank you for reaching out to the Microsoft Fabric Forum Community.

 

In Power BI Embedded you can enforce multi‑tenant isolation by combining a single Dynamic Row‑Level Security (RLS) role in the dataset with an embed token that carries the viewer’s Customer ID. You create one RLS role in Power BI Desktop—e.g. CustomerRole whose filter is [CustomerID] = CUSTOMDATA(). When each user signs in to your SaaS app, your back‑end calls GenerateToken and, in the effectiveIdentity, supplies that role plus a customData value equal to the user’s Customer ID (or a comma‑separated list of IDs for resellers). Because CUSTOMDATA() is populated from the signed token, Power BI automatically filters the dataset so the report renders only the rows whose CustomerID matches the value in the token—no extra code or

slicers required, and users cannot tamper with the filter. This lets a single published report securely serve every customer while minimizing maintenance and license overhead.

 

Thank you & best regards,
Prasanna Kumar

View solution in original post

2 REPLIES 2
Erkko
Regular Visitor

Thank you for the answer! We will test this one 🙂

v-pgoloju
Community Support
Community Support

Hi @Erkko,

 

Thank you for reaching out to the Microsoft Fabric Forum Community.

 

In Power BI Embedded you can enforce multi‑tenant isolation by combining a single Dynamic Row‑Level Security (RLS) role in the dataset with an embed token that carries the viewer’s Customer ID. You create one RLS role in Power BI Desktop—e.g. CustomerRole whose filter is [CustomerID] = CUSTOMDATA(). When each user signs in to your SaaS app, your back‑end calls GenerateToken and, in the effectiveIdentity, supplies that role plus a customData value equal to the user’s Customer ID (or a comma‑separated list of IDs for resellers). Because CUSTOMDATA() is populated from the signed token, Power BI automatically filters the dataset so the report renders only the rows whose CustomerID matches the value in the token—no extra code or

slicers required, and users cannot tamper with the filter. This lets a single published report securely serve every customer while minimizing maintenance and license overhead.

 

Thank you & best regards,
Prasanna Kumar

Helpful resources

Announcements
July PBI25 Carousel

Power BI Monthly Update - July 2025

Check out the July 2025 Power BI update to learn about new features.

Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.