Hi everyone,
I'm asking for some help to understand how to embed a Power BI report into a web application that the development team is building for the client.
I'm currently working on a Power BI report that will later be embedded into the client's web application (so it will be private, not public).
What do I need to do on the Power BI side to allow the report to be embedded?
Please note:
- The website is accessed through Single Sign-On (SSO).
- We have Premium capacity.
- Users will already be logged into the web application.
- They should be able to view the report as soon as they click on the "Dataplatform" section.
Thank you very much for your support!
To embed a Power BI report securely into a private web application—especially one that uses Single Sign-On (SSO) and where users should view the report seamlessly—you’ll want to use Power BI’s "user owns data" or "app owns data" embedding model, with the "app owns data" model being the right fit in most enterprise cases like yours. Since you mentioned that the client has Power BI Premium capacity, you're well-positioned to use the Power BI REST APIs and service principals for scalable, secure embedding without requiring individual user Power BI Pro licenses.
Here’s how it works in practice:
Set up Azure AD and Register an Application: First, register your web application in Azure Active Directory (Azure AD) to obtain a client ID, client secret, and define permissions (e.g., Report.Read.All, Dataset.Read.All). This app will authenticate via OAuth 2.0 to generate embed tokens.
Use a Service Principal for Backend Authentication: Since users are already authenticated in your web app via SSO, you can use their identity or roles to determine access logic, but the actual Power BI interaction is done via a service principal. This avoids requiring each user to have a Power BI account.
Configure Workspaces and Reports: Make sure the Power BI report is published into a workspace that is hosted on Premium capacity. Grant the Azure AD service principal access to that workspace with at least Viewer or Contributor permissions.
Generate Embed Tokens: In your backend, use the Power BI REST API to generate an embed token for the report. This token securely grants the front-end user access to the report based on the roles and dataset access you define. The token is passed to the frontend where Power BI JavaScript SDK loads the report.
Embed with JavaScript SDK: In the front-end of the web application, use the Power BI JavaScript SDK (powerbi-client) to render the report inside an iframe or component. The user will see the report as soon as they enter the "Dataplatform" section, using the embed token issued from the backend.
Row-Level Security (Optional): If users should see only a subset of data, implement Row-Level Security (RLS) in your dataset and pass the effective identity of the user when generating the embed token (e.g., their email or role from your SSO system).
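The token-issuing steps described in the answer above, as an added example that is not part of the original thread: a Node.js backend authenticates as the service principal, then requests a read-only embed token whose RLS identity comes from the server-side SSO session. The session shape, `ROLE_MAP` and the `cfg` field names are assumptions made for illustration.

```javascript
// Added example, not from the thread. Assumed/hypothetical: the session shape
// ({ email, groups }), ROLE_MAP, and the cfg field names. Needs Node 18+ (global fetch).
const PBI_SCOPE = 'https://analysis.windows.net/powerbi/api/.default';
// SSO group -> RLS role defined in the dataset (hypothetical names).
const ROLE_MAP = new Map([['sales-emea', 'EMEA'], ['sales-amer', 'AMER']]);

// Build the GenerateToken body from the server-side session only, never from
// identity or role values sent by the browser.
function buildEmbedRequest(session, datasetId) {
  if (!session || !session.email) throw new Error('unauthenticated');
  const roles = (session.groups || []).map((g) => ROLE_MAP.get(g)).filter(Boolean);
  if (roles.length === 0) throw new Error('no RLS role mapped'); // fail closed
  return {
    accessLevel: 'View', // read-only embed token
    identities: [{ username: session.email, roles, datasets: [datasetId] }],
  };
}

// OAuth 2.0 client-credentials grant for the service principal.
async function getServicePrincipalToken(cfg, fetchImpl = fetch) {
  const url = `https://login.microsoftonline.com/${cfg.tenantId}/oauth2/v2.0/token`;
  const res = await fetchImpl(url, {
    method: 'POST',
    body: new URLSearchParams({
      grant_type: 'client_credentials', scope: PBI_SCOPE,
      client_id: cfg.clientId, client_secret: cfg.clientSecret,
    }),
  });
  if (!res.ok) throw new Error(`AAD token request failed: ${res.status}`);
  return (await res.json()).access_token;
}

// Returns only the embed token and expiry; the AAD token and secret stay server-side.
async function issueEmbedToken(cfg, session, fetchImpl = fetch) {
  const body = buildEmbedRequest(session, cfg.datasetId); // reject before any API call
  const aadToken = await getServicePrincipalToken(cfg, fetchImpl);
  const url = `https://api.powerbi.com/v1.0/myorg/groups/${cfg.workspaceId}` +
    `/reports/${cfg.reportId}/GenerateToken`;
  const res = await fetchImpl(url, {
    method: 'POST',
    headers: { Authorization: `Bearer ${aadToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`GenerateToken failed: ${res.status}`);
  const { token, expiration } = await res.json();
  return { token, expiration };
}
```

The browser receives only `token` and `expiration` and hands them to powerbi-client; a user whose SSO groups map to no RLS role is rejected before any request leaves the backend.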
Thanks @Poojara_D12. You were very clear and precise. I wanted to ask you more about the RLS. Each user can only see certain information that interests them. I was thinking of setting the security directly in the SQL views (created specifically for reporting in Power BI). Can I use this solution instead of using RLS directly in Power BI?
Hi @Elisa_Costanza ,
Apart from following the documentation shared, which gives a detailed explanation, you can also follow these checks to embed the report:
1. Set Up Power BI Service and Workspace - Ensure that your Power BI report is published to a workspace that has the necessary permissions and premium capacity.
2. Configure Permissions - Assign the necessary permissions to the service principal or application that will be accessing the Power BI report.
3. Embed the Report - Use the Power BI Embedded API to embed the report into your web application. This involves generating an embed token that provides the necessary permissions for users to view the report. The embed token is generated using the Power BI REST API and should be securely passed to the client application.
4. Handle Authentication and SSO - Since your web application uses Single Sign-On (SSO), ensure that the authentication flow is correctly implemented.
5. Integrate with Web Application - Embed the Power BI report into your web application using the Power BI JavaScript SDK. This SDK allows you to integrate the report and handle interactions such as filtering, refreshing, and navigating within the report.
Also, please refer to the following for a step-by-step guide:
Embed a report in a secure portal or website
Hope this helps!
If the response has addressed your query, please accept it as a solution so that other members can easily find it.
Thank you.
The documentation is pretty exhaustive
Power BI embedded analytics overview - Power BI | Microsoft Learn
Thank you for the documentation. It seems that the solution for my task is "Embed for your organization". I would like to understand whether this option can actually be applied in my scenario. Is it compatible with a Premium workspace capacity? Because in the detail I read this:
and then, can I apply security at the database level, for example by setting roles directly in the view through SQL Server?
yes, this works on P and F SKUs