We want to include reports for customers in our website. These are generic reports, and should only show the data for these customers. Currently, SQL Server Reporting Services is being used, where we can provide the parameters in a server-side ASP.Net control. The end user can never influence or manipulate these parameters.
As we are moving to Azure, and from SSRS to PowerBI, we would like to use the flow "Embed a powerbi report in an application for your customer", where we don't have to register or administer our customer's users in PowerBI (we have about 1 800 users).
The embedding of the report and using the service principal to authenticate works fine, passing the parameters is also possible, but only using the client-side JavaScript. The parameters on the report are hidden, so the user cannot manipulate them. But in the JavaScript, it is not that difficult to intercept the script (developer tools), and change the values of the parameter.
There is the Embed URL which has been generated on the server side, and contains the token. In a similar way, the parameters could be defined on the server side, and sent over encrypted and signed, as part of the embed URL, so they cannot be manipulated in the JavaScript.
Without a safe way to pass these parameters, the "embed a powerbi report in an application for your customer" does not have a lot of useful scenarios in my opinion. The alternative is to use customer-specific reports, with their filters, but that is even more complex and overhead than registering the users.
I hope you can see the benefits of this idea. If there are any other alternatives, please let me know.
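The following is an added example, not part of the original post and not a Power BI API: it sketches the scheme the post proposes, where the server signs the report parameters and a client-side edit is rejected. The function names, the token layout and the demo key are assumptions made for illustration, and the scheme only helps if the verification runs on the side that applies the filter, never in the browser.

```javascript
// Added illustration of server-signed report parameters (hypothetical scheme).
const crypto = require('node:crypto');

// Constructed demo key; in a real deployment the key never leaves the server.
const SERVER_KEY = Buffer.from('constructed-demo-key-not-for-production');

// Server side: bind the parameters to one report and an expiry, then sign.
function signParams(reportId, params, ttlSeconds, now = Date.now()) {
  const claims = { reportId, params, exp: Math.floor(now / 1000) + ttlSeconds };
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
  const mac = crypto.createHmac('sha256', SERVER_KEY).update(payload).digest('base64url');
  return `${payload}.${mac}`;
}

// Verifying side: recompute the MAC, compare in constant time, and only
// then parse the payload and check the report binding and the expiry.
function verifyParams(token, expectedReportId, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const [payload, mac] = parts;
  const expected = crypto.createHmac('sha256', SERVER_KEY).update(payload).digest();
  const given = Buffer.from(mac, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (claims.reportId !== expectedReportId) return { ok: false, reason: 'wrong-report' };
  if (claims.exp < Math.floor(now / 1000)) return { ok: false, reason: 'expired' };
  return { ok: true, params: claims.params };
}

// Simulates the edit the post worries about: the parameter values are
// changed in the browser while the original signature is kept.
function tamper(token, newParams) {
  const [payload, mac] = token.split('.');
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  claims.params = newParams;
  return `${Buffer.from(JSON.stringify(claims)).toString('base64url')}.${mac}`;
}

// Constructed sample values: one report id and one customer id.
const demo = signParams('report-A', { customerId: 'C-1001' }, 300);
console.log(verifyParams(demo, 'report-A'));
console.log(verifyParams(tamper(demo, { customerId: 'C-2002' }), 'report-A'));
```

Binding the report id and an expiry into the signed payload keeps a valid token from being replayed against another report or reused after the session ends.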