Embed Power BI content with Service Principal

You can embed Power BI into any web-based solution you want. When you use an Azure AD app to connect, you will not need any Power BI Pro license to access it. You will also need a Power BI Premium capacity when it goes to production, depending on the queries made by the custom portal on which you plan to display the report.

Let’s see how to implement it. Create an App registration to start with

Home – Azure Active Directory – Enterprise Applications
App registrations – Microsoft Azure

New registration – Name – Accounts in this organizational directory only (most cases)

You will be using the tenant ID in later steps.

Copy the Client Secret you created – VJ9Gx75.-.I1RcJvb~~h4gqe_64Uk3fuDY

We are creating this security group to reduce the scope of access, instead of allowing the whole organization. We will allow only this Azure AD app to access Power BI.

Admin Portal – Groups – Active Groups – Add a Group – Security Group

https://admin.microsoft.com/#/groups

Enter a friendly name.

We need to get the object ID of the security group we created.

If you don’t have the Azure AD module installed:

Install-Module -Name AzureAD
Import-Module -Name AzureAD
Connect-AzureAD

Now copy the object ID of the group

Get-AzureADGroup | Where-Object{$_.displayname -like "OnlyMembersCanReadfromBI"}


Get Service Principal Object ID (Note: the Azure app object ID is different from the service principal object ID)

Get-AzureADServicePrincipal -SearchString "powerbi-read-via-azure-ad-app"

Now add the service principal to the Azure AD security group

Add-AzureADGroupMember -ObjectId 66a95eb3-c534-4fe9-b0d0-ee0b0414c07c -RefObjectId ff3895c2-23d0-43a5-a595-829a549bbbb9

Verify it got added

Get-AzureADGroupMember -ObjectId 66a95eb3-c534-4fe9-b0d0-ee0b0414c07c
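The group steps above as one re-runnable script, added here as an example and not part of the original article. It looks both objects up by display name instead of pasting GUIDs, adds the service principal only if it is missing, and lists any other member of the group, since every member gains Power BI API access once the tenant setting is scoped to this group. It assumes Connect-AzureAD has already been run and uses the group and app names from this article.

```powershell
# Names used in this article; change them to match your tenant.
$groupName = "OnlyMembersCanReadfromBI"
$appName   = "powerbi-read-via-azure-ad-app"

# Exact-match lookups. The service principal object ID is what the group
# membership needs, not the app registration's object ID.
$group = @(Get-AzureADGroup -Filter "DisplayName eq '$groupName'")
$sp    = @(Get-AzureADServicePrincipal -Filter "DisplayName eq '$appName'")
if ($group.Count -ne 1 -or $sp.Count -ne 1) {
    throw "Expected exactly one group and one service principal, found $($group.Count) and $($sp.Count)."
}
$groupId = $group[0].ObjectId
$spId    = $sp[0].ObjectId

# Add the service principal only when it is not already a member,
# so the script can be re-run without an error.
$members = @(Get-AzureADGroupMember -ObjectId $groupId -All $true)
if ($members.ObjectId -notcontains $spId) {
    Add-AzureADGroupMember -ObjectId $groupId -RefObjectId $spId
    $members = @(Get-AzureADGroupMember -ObjectId $groupId -All $true)
}

# Anything else in the group also gets Power BI API access through the
# tenant setting, so surface it for review.
$unexpected = @($members | Where-Object { $_.ObjectId -ne $spId })

[pscustomobject]@{
    GroupObjectId            = $groupId
    ServicePrincipalObjectId = $spId
    IsMember                 = ($members.ObjectId -contains $spId)
    UnexpectedMembers        = ($unexpected.DisplayName -join ", ")
}
```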

Let’s apply this group in the Power BI tenant settings, and create a Power BI workspace and a report if you don’t have one.

Get into the Power BI Admin Portal

Settings – Admin Portal

Allow service principals to use Power BI APIs
Enabled for a subset of the organization
Specific Security Groups – Enter the security group we created
Save

There is something in preview which will allow read-only access only. I tried enabling the preview setting. It doesn’t seem to work as I am writing this article. Allow service principals to use read-only Power BI admin APIs (Preview).

Now create a workspace if you don’t have one, and create a test report if you don’t have one.

Please note: this will not work on “My workspace”; you need to create a workspace. In my case, I created one called Azure365ProWorkSpace.

Created a test report

Run Login-PowerBI in PowerShell. If you don’t have the modules, install them.

Install-Module -Name MicrosoftPowerBIMgmt

Import-Module MicrosoftPowerBIMgmt

Login-PowerBI

Now Copy the Workspace ID

Get-PowerBIWorkspace | Where-Object {$_.Name -like "Azure365ProWorkSpace"}

Use the workspace ID and the Service Principal Object ID retrieved earlier.

Add-PowerBIWorkspaceUser -Id a8f44d06-6326-4c78-a140-c3beb13966a3 -AccessRight Member -PrincipalType App -Identifier ff3895c2-23d0-43a5-a595-829a549bbbb9

You can change the access right to Admin if you need it, but Member works seamlessly for custom portals. It depends on your requirement.

 

Now let’s see how to get an embed token and make sure the application works. Always remember that your Azure AD token is different from the embed token. I tried for several hours to get the embed token via Postman. I couldn’t achieve it. The only easy way to get the embed token is via PowerShell for now. Getting the embed token via Postman is quite complicated.

Now collect these values for the script

$url (you need to customize the url to generate token – check script/screenshot ) / $applicationId / $clientsecret


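# Application (client) ID of the app registration
$applicationId = "7ee3dd60-09f9-4c23-ac59-9d2fb02582fd"
# Sample client secret from the app registration above; in real use load it
# from a vault or environment variable instead of hard-coding it in the script.
$clientsecret = "VJ9Gx75.-.I1RcJvb~~h4gqe_64Uk3fuDY" | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $applicationId, $clientsecret
# Sign in to the Power BI service as the service principal (tenant ID from the app registration)
Connect-PowerBIServiceAccount -ServicePrincipal -Credential $credential -TenantId "2549c50e-e478-40d8-82cf-fa4efb5d1426"

# GenerateToken URL: groups/<workspace ID>/reports/<report ID>/GenerateToken
$url = "https://api.powerbi.com/v1.0/myorg/groups/a8f44d06-6326-4c78-a140-c3beb13966a3/reports/6640254f-145a-4577-9f45-a655476e465d/GenerateToken"
# Request a view-only embed token (valid JSON with double-quoted keys)
$body = '{ "accessLevel": "View" }'
$response = Invoke-PowerBIRestMethod -Url $url -Body $body -Method Post
$response
# The embed token is the "token" property of the JSON response
$json = $response | ConvertFrom-Json
$json.token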

Now use PowerShell ISE. It is much easier to run a selection.
Use Run Selection on the first part so that you can make sure you can connect to the Power BI service.

Once you see a successful login, you can run the next part of the script. As you know, you can always save it to a .ps1 file and run it as often as you want. Running it in parts is for better understanding.

When you copy the embed token from PowerShell, you need to make it a single line without spaces for it to work smoothly.
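The same exchange with plain REST calls, as an added example that is not part of the original article: it makes the two tokens explicit, first obtaining the Azure AD access token with the client credentials grant and then presenting it as a Bearer token to the Power BI API to read the embed URL and generate the embed token. The IDs are the sample values from this article; reading the secret from an environment variable named PBI_CLIENT_SECRET is an assumption of this example.

```powershell
# Sample IDs from this article; replace with your own.
$tenantId = "2549c50e-e478-40d8-82cf-fa4efb5d1426"
$clientId = "7ee3dd60-09f9-4c23-ac59-9d2fb02582fd"
$groupId  = "a8f44d06-6326-4c78-a140-c3beb13966a3"   # workspace ID
$reportId = "6640254f-145a-4577-9f45-a655476e465d"

# Assumed variable name: the client secret is read from the environment
# so it never has to be written into the script.
$secret = $env:PBI_CLIENT_SECRET
if (-not $secret) { throw "Set the PBI_CLIENT_SECRET environment variable first." }

# Step 1: Azure AD token via the OAuth 2.0 client credentials grant.
# A hashtable body on POST is sent as application/x-www-form-urlencoded.
$aad = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = "client_credentials"
        client_id     = $clientId
        client_secret = $secret
        scope         = "https://analysis.windows.net/powerbi/api/.default"
    }

# The Azure AD token authenticates the service principal to the Power BI REST API.
$headers = @{ Authorization = "Bearer $($aad.access_token)" }
$base    = "https://api.powerbi.com/v1.0/myorg/groups/$groupId/reports/$reportId"

# Step 2: the report metadata carries the embed URL.
$report = Invoke-RestMethod -Method Get -Uri $base -Headers $headers

# Step 3: exchange the Azure AD token for a view-only embed token.
$embed = Invoke-RestMethod -Method Post -Uri "$base/GenerateToken" `
    -Headers $headers -ContentType "application/json" `
    -Body (@{ accessLevel = "View" } | ConvertTo-Json)

# The embed token is short-lived; check Expiration before reusing it.
[pscustomobject]@{
    ReportId   = $report.id
    EmbedUrl   = $report.embedUrl
    EmbedToken = $embed.token
    Expiration = $embed.expiration
}
```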

Get the Embed URL

Collect the report ID from the same embed URL

Embed Token – Sample


Embed URL – Sample

https://app.powerbi.com/reportEmbed?reportId=f6bfd646-b718-44dc-a378-b73e6b528204&groupId=be8908da-da25-452e-b220-163f52476cdd&config=eyJjbHVzdGVyVXJsIjoiaHR0cHM6Ly9XQUJJLVVTLU5PUlRILUNFTlRSQUwtcmVkaXJlY3QuYW5hbHlzaXMud2luZG93cy5uZXQiLCJlbWJlZEZlYXR1cmVzIjp7Im1vZGVybkVtYmVkIjp0cnVlfX0%3d

Report ID – Sample

6640254f-145a-4577-9f45-a655476e465d

 


You can verify the same using Postman.
Get embed URL
Authorization: Bearer Embedtoken

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Office Server and Services MVP and publisher of Azure365pro.com. Specialized in Office365 / Microsoft Exchange / Virtualization, Sathesh is a messaging expert supporting, designing and deploying for many medium-size businesses to large enterprises when it comes to corporate messaging and virtualization infrastructure.
