Tuesday, April 23, 2024

Embed Power BI content with Service Principal

You can embed Power BI into any web-based solution you want. When you use an Azure AD app to connect, you do not need a Power BI Pro license to access it. You will also need a Power BI Premium capacity when it goes to production, depending on the queries made from the custom portal where you plan to display the report.

Let’s see how to implement it. Create an app registration to start with.

Home – Azure Active Directory – Enterprise Applications
App registrations – Microsoft Azure

New registration – Name – Accounts in this organizational directory only (most cases)

You will be using the tenant ID in later steps.

Copy the Client Secret you created – VJ9Gx75.-.I1RcJvb~~h4gqe_64Uk3fuDY

We are creating this security group to narrow the scope of access instead of allowing the whole organization. We will allow only this Azure AD app to access Power BI.

Admin Portal – Groups – Active Groups – Add a Group – Security Group


Enter a friendly name.

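We need to get the object ID of the security group we created.

If you don’t have the AzureAD module installed, install and import it, then sign in:

Install-Module -Name AzureAD
Import-Module -Name AzureAD
# Sign in before running the Get-AzureAD* cmdlets below
Connect-AzureAD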

Now copy the object ID of the security group:

Get-AzureADGroup | Where-Object { $_.DisplayName -like "OnlyMembersCanReadfromBI" }

Get the service principal object ID (note: the Azure app object ID is different from the service principal object ID)

Get-AzureADServicePrincipal -SearchString "powerbi-read-via-azure-ad-app"

Now add the service principal to the Azure AD security group

Add-AzureADGroupMember -ObjectId 66a95eb3-c534-4fe9-b0d0-ee0b0414c07c -RefObjectId ff3895c2-23d0-43a5-a595-829a549bbbb9

Verify it got added

Get-AzureADGroupMember -ObjectId 66a95eb3-c534-4fe9-b0d0-ee0b0414c07c

Let’s apply this group in the Power BI tenant settings, and create a Power BI workspace and a report if you don’t have one.

Go to the Power BI Admin Portal – Power BI

Settings – Admin Portal

Allow service principals to use Power BI APIs
Enabled for a subset of the organization
Specific Security Groups – Enter the security group we created

There is something in preview which will allow read-only access only. I tried the preview setting; it doesn’t seem to work as I am writing this article. Allow service principals to use read-only Power BI admin APIs (Preview).

Now create a workspace if you don’t have one, and create a test report if you don’t have one.

Please note: this will not work on “My workspace”; you need to create a workspace. In my case, I created one called Azure365ProWorkSpace.

Created a test report

Log in to Power BI from PowerShell with Login-PowerBI. If you don’t have the modules, install them first.

Install-Module -Name MicrosoftPowerBIMgmt

Import-Module MicrosoftPowerBIMgmt


Now copy the workspace ID

Get-PowerBIWorkspace | Where-Object {$_.Name -like "Azure365ProWorkSpace"}

Use the workspace ID and the service principal object ID retrieved earlier.

Add-PowerBIWorkspaceUser -Id a8f44d06-6326-4c78-a140-c3beb13966a3 -AccessRight Member -PrincipalType App -Identifier ff3895c2-23d0-43a5-a595-829a549bbbb9

You can change the access right to Admin if you need it, but Member works seamlessly for custom portals. It depends on your requirement.


Now let’s see how to get an embed token and make sure the application works. Always know that your Azure AD token is different from the embed token. I tried for several hours to get the embed token via Postman. I couldn’t achieve it. The only easy way to get the embed token is via PowerShell for now. Getting the embed token via Postman is quite complicated.

Now collect these values for the script:

$url (you need to customize the url to generate token – check script/screenshot ) / $applicationId / $clientsecret

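# Values are the ones used in this walkthrough. Hard-coding the client secret is for demonstration only;
# in a saved script, read it from a secret store or prompt with Read-Host -AsSecureString.
$applicationId = "7ee3dd60-09f9-4c23-ac59-9d2fb02582fd"
$clientsecret = "VJ9Gx75.-.I1RcJvb~~h4gqe_64Uk3fuDY" | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $applicationId, $clientsecret
# Sign in to the Power BI service as the service principal
Connect-PowerBIServiceAccount -ServicePrincipal -Credential $credential -TenantId "2549c50e-e478-40d8-82cf-fa4efb5d1426"

# URL format: .../groups/<workspace ID>/reports/<report ID>/GenerateToken
$url = "https://api.powerbi.com/v1.0/myorg/groups/a8f44d06-6326-4c78-a140-c3beb13966a3/reports/6640254f-145a-4577-9f45-a655476e465d/GenerateToken"
# Request body as valid JSON (double-quoted keys and values)
$body = '{ "accessLevel": "View" }'
$response = Invoke-PowerBIRestMethod -Url $url -Body $body -Method Post
$json = $response | ConvertFrom-Json
# The embed token is in the "token" property of the response
$json.token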

Now use PowerShell ISE; it is much easier to run a selection.
Use Run Selection to make sure you can connect to the Power BI service.

Once you see a successful login you can run the next part of the script. As you know, you can always save it to a .ps1 file and run it as often as you want. Running it in parts is for better understanding.

When you copy the embed token from PowerShell, you need to make it a single line without spaces for it to work smoothly.

Get the Embed URL

Collect the report ID from the same embed URL

Embed Token – Sample


Embed URL – Sample


Report ID – Sample
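The three values collected above (embed token, embed URL and report ID) can also be gathered in one pass. The following is an added example, not part of the original article: Get-PbiEmbedInfo and the PBI_CLIENT_SECRET environment variable are hypothetical names, and the IDs are the ones used earlier on this page.

```powershell
# Added example, not the article's script. Assumes MicrosoftPowerBIMgmt is installed and
# the client secret is in the PBI_CLIENT_SECRET environment variable (hypothetical name).
function Get-PbiEmbedInfo {    # hypothetical helper name
    param(
        [Parameter(Mandatory)] [guid] $WorkspaceId,
        [Parameter(Mandatory)] [guid] $ReportId,
        [ValidateSet('View', 'Edit')] [string] $AccessLevel = 'View'
    )
    $ErrorActionPreference = 'Stop'   # fail fast instead of returning empty values
    $reportPath = "groups/$WorkspaceId/reports/$ReportId"

    # The report metadata carries the embed URL and the report ID.
    $report = Invoke-PowerBIRestMethod -Url $reportPath -Method Get | ConvertFrom-Json

    # Build the body with ConvertTo-Json so it is always valid JSON.
    $body  = @{ accessLevel = $AccessLevel } | ConvertTo-Json -Compress
    $token = Invoke-PowerBIRestMethod -Url "$reportPath/GenerateToken" -Method Post -Body $body |
        ConvertFrom-Json

    [pscustomobject]@{
        ReportId   = $report.id
        EmbedUrl   = $report.embedUrl
        # Strip whitespace and line wraps so the token is one continuous string.
        EmbedToken = $token.token -replace '\s', ''
        Expiration = $token.expiration
    }
}

# Read the secret from the environment instead of typing it into the script.
if (-not $env:PBI_CLIENT_SECRET) { throw 'Set PBI_CLIENT_SECRET before running.' }
$secret     = ConvertTo-SecureString $env:PBI_CLIENT_SECRET -AsPlainText -Force
$credential = [pscredential]::new('7ee3dd60-09f9-4c23-ac59-9d2fb02582fd', $secret)
Connect-PowerBIServiceAccount -ServicePrincipal -Credential $credential `
    -TenantId '2549c50e-e478-40d8-82cf-fa4efb5d1426' | Out-Null

$info = Get-PbiEmbedInfo -WorkspaceId 'a8f44d06-6326-4c78-a140-c3beb13966a3' `
                         -ReportId '6640254f-145a-4577-9f45-a655476e465d'
$info | Format-List ReportId, EmbedUrl, Expiration
$info.EmbedToken   # single line, ready to paste into the embedding page
```

The embed token is short-lived, so check Expiration and request a new token rather than storing one.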



You can verify the same using Postman.
Get embed URL
Authorization Bearer Embedtoken

Satheshwaran Manoharan
https://www.azure365pro.com
Award-winning Technology Leader with a wealth of experience running large teams and diversified industry exposure in cloud computing. From shipping lines to rolling stocks. In-depth expertise in driving cloud adoption strategies and modernizing systems to cloud native. Specialized in Microsoft Cloud, DevOps, and Microsoft 365 Stack and conducted numerous successful projects worldwide. Also acting as a Technical Advisor for various start-ups.
