Question

How do I set up a Power BI Embedded solution with row-level security for external users?
I need to configure a Power BI Embedded solution that enforces row-level security (RLS) for external users accessing reports through an application. The setup should ensure that each user only sees data relevant to their assigned permissions. What is the best approach to implementing RLS in Power BI Embedded, and how can I manage authentication and user access efficiently?

Answer 1

To enable Power BI Embedded for external users with Row Level Security (RLS), RLS in Power BI must be configured, and reports must be embedded using the Power BI REST API and authentication management. This ensures that users see only the data that pertains to them in an accessed highly secure manner.

Define RLS in Power BI Desktop

- In Power BI Desktop, apply DAX filters using the Modeling tab to create roles that filter data per user. An example is [UserEmail] = USERPRINCIPALNAME().

- Publish it to Power BI Service and assign security settings for roles in the dataset.

Embed Reports with Secure Access

- Generate an effective_identity object for the user inside the API of Power BI and embed this to generate an embed token with RLS via the REST API of Power BI.

- App owns Data Authentication if Embedding for External Users(Your App Authenticates Users and Gets Embed Token).

- Service Principal Authentication with Power BI Embedded Capacity for Scalable, Secure Embedding.

Manage Authentication and Access

- Custom Authentication (JWT tokens), OAuth, or Azure AD B2B should be used to authenticate external users.

- Power BI Client SDK integrates Secure Embed Reports into your application.

- Performance optimization is achieved via data caching, reduced API calls, and preloaded filters tailored to a user.