I am in the process of building a multi-tenant application that requires visualizations. I am exploring PowerBI embedded for this purpose. I cannot use Power BI's row level security as data from each tenant cannot be in proximity to another tenant's data.
Each client will have different data sources but will need access to the same PowerBI report template. The only difference between clients and their reports will be the data sources their report points to.
Here's how I am approaching this problem:
Create a dedicated PowerBI Pro user.
With that user, register a PowerBI Native App at dev.powerbi.com/apps
Create a PowerBI Workspace
In that Workspace, create a PowerBI Report to use as a template for all my customers.
In my web application
For each new client
Create a Workspace
Create PowerBI Datasets for the client
Clone the Report template into the client Workspace and associate it with the Datasets created above.
As new data comes in, update the PowerBI Datasets
Use the GenerateToken method to create a token for their specific report. Embed this token and their report in the client's page.
Use the Client ID created above and my dedicated PowerBI user's credentials to get Access Token.
With this access token, use the PowerBI REST API to do the following:
When the client requests the report...
My concerns with this approach are the following:
The report doesn't have user level authentication with my application. Someone could just extract the embedded report URL/token and pass it along.
I am duplicating the Report. If I need to make a change to the report format, I need to propagate that change to all the cloned Reports.
I am polluting my Azure AD tenant with groups from the Workspaces (one Workspace per client). I'm not even sure I need the Workspaces.
I need to track metadata for all my PowerBI Datasets and Reports. If I don't, I will not know which PowerBI Datasets are compatible with which PowerBI reports.
How does this approach sound? Are there more sensible alternatives for my desired result?