Power BI Embedded Analytics — Part 2: Power BI Embedded Overview

Note: This article dives into the details of Power BI Embedded. It is a continuation of the Power BI Embedded Analytics — Part 1 article, which discusses Power BI Authoring and an introduction to Power BI Embedded Analytics. So, it is recommended that you go through the discussion on that article.

You can also find Part 3, which presents a Power BI Embedded Demo application, here, based on the details presented in this article.

Power BI Embedded Overview

Two solutions are available:

• Embed for customers (app owns data): Customers here are users of our application, and they don't need to sign in using Power BI credentials or have any licenses to view the embedded content/analytics. It allows building an app that authenticates itself against Power BI using non-interactive authentication flow (i.e., without any prompts to the user, it does the authentication internally and presents the content to the end-user).
• Embed for organization (user owns data): This one is intended for internal users of our organization who might have Power BI licenses. It requires users to sign in to Power BI using their own credentials.

For our scenario, we would use the first solution, Embed for customers (app owns data).

To embed and use Power BI in our app in production, capacity needs to be purchased/licensed. In simpler terms, capacity is the compute resources (cloud virtual machines) required to process workloads, such as report rendering and data refresh. 

These licenses allow embedding content for external users, i.e., users need not have any Power BI license, and they can access the content through our app. Two types of capacity-based licenses are available:

Embedded

• This license allows embedding content for external users. Users who do not have a Power BI license can access the content through our app (even if they have their own credentials/licenses, the app's authentication/license works).
• This license mode is available with Power BI Embedded, which is an Azure resource and is available for purchase from the Azure portal.
• The node (compute resource) falls under an A SKU category. SKUs range from A1 to A8 (1 being the weakest, 8 being the most powerful). A4 to A8 are equivalent to P1 to P5 (see below) in terms of power.
• This capacity can be scaled up/down or paused/resumed.
• This is billed on an hourly basis.
• The license mode for the specific workspace should be set to Embedded to activate this license.
• The Azure subscription would be required (Azure's Pay-as-you-go subscription would work in our case. There’s no fee to maintain the Azure free account; we would only be paying for the Embedded license/capacity that is purchased through the Azure Portal).
• Capacity can be managed through the Azure Portal.
• Content creators still need a Power BI Pro license for report authoring. At least one Power BI Pro license is required for the organization to be able to author and publish content.

Premium Per Capacity

• These licenses allow embedding content for external users and internal users.
• This license mode is available with Power BI Premium, which is available for purchase from the Microsoft 365 admin centre.
• The node (compute resource) falls under the P SKU category. P SKUs range from P1 to P5 (1 being the weakest, 5 being the most powerful).
• This capacity can not be paused/resumed. It can be scaled manually or through the AutoScale feature.
• This is billed on a monthly basis.
• The license mode for the specific workspace should be set to Premium to activate this license.
• Capacity can be managed through the Power BI Admin Portal and renewed through the Microsoft 365 admin centre.
• A Microsoft 365 subscription is required for this to be managed through Microsoft 365.
• An Azure subscription would be required to manage the authentication flow required for using this in the embedded scenario.
• Content creators still need a Power BI Pro license for report authoring. At least one Power BI Pro license is required for the organization to author and publish content.
• * (not relevant for our case) This also includes a license for on-prem Power BI Report server.

For our scenario, we would be going with the first solution, i.e., Embedded License (Power BI Embedded), which should be cheaper and is recommended for our case.

For the authentication flow in embedding, an embedding identity is required. Along with the embedding identity, an Azure app needs to be registered and tied to the embedding identity. An embedding identity can be:

• Service principal: Your app can use a service principal to acquire an Azure AD token. The security principal defines the access policy and permissions for the user/application in the Azure AD tenant. This enables core features such as authentication of the user/application during sign-in and authorization during resource access. This method uses secrets or certificates for auth. When your app's embedding identity is a service principal, a Power BI tenant admin must first:
  • Enable the use of service principals through the Power BI admin portal.
  • Register a security group that contains them.
• Master user: Your app can use a master user account to acquire an AD token. A master user account is a regular Azure AD user. It must also have either a Power BI Pro or Power BI Premium Per User (PPU) license and hence can access Power BI Service, unlike the service principal. In Power BI, the account must belong to the workspace admin or member role to embed workspace content. Another consideration is that master user accounts can't require MFA.

Once the app user authenticates with the app, the app uses the embedding identity (service principal or master user) to acquire an Azure AD token by using a non-interactive authentication flow.

Once the app acquires an Azure AD token (using the Microsoft Authentication Library-MSAL), it caches and then uses it to generate an embed token (by using a Power BI REST API operation, which requires an Azure AD token). An embed token represents facts about Power BI content and how to access it, like:

• Claims to specific Power BI content.
• Access level, which you set to view, create, or edit.
• Token lifetime, which determines when the token expires. These tokens should be refreshed before they expire using the Power BI REST APIs.

For our scenario, we would be going with the first solution, i.e., Service Principal, since it is more secure and is the recommended method for production.

Power BI Embedded APIs provide programmatic access to Power BI capabilities, allowing developers to integrate Power BI content, such as reports and dashboards, into custom applications, websites, or portals. 

These APIs enable us to create, interact with, and manage Power BI content within our own applications. The following APIs are required to achieve a Power BI Embedded Analytics solution:

Power BI REST API

The Power BI REST APIs provide service endpoints for embedding, administration, governance, and user resources. With Power BI REST APIs, you can do the following:

• Manage Power BI content
• Perform admin operations
• Embed Power BI Content

REST Operation Groups

• Admin: Operations for working with administrative tasks
• Apps: Operations for working with Apps
• Available features: Operations that return available features
• Capacities: Operations for working with capacities
• Dashboards: Operations for working with dashboards
• Dataflow storage accounts: Operations for working with dataflow storage accounts
• Dataflows: Operations for working with dataflows
• Datasets: Operations for working with datasets
• Embed token: Operations for working with embed tokens
• Gateways: Operations for working with gateways
• Groups: Operations for working with groups
• Imports: Operations for working with imports
• Pipelines: Operations for working with deployment pipelines
• Push datasets: Operations for working with push datasets
• Reports: Operations for working with reports
• Template apps: Operations for working with Template Apps
• Users: Operations for working with users

For further details, refer to this website.

Power BI Client API

The Power BI Client API is a client-side library that allows you to programmatically control your embedded Power BI content using JavaScript or TypeScript. The client APIs communicate between Power BI items (such as reports and dashboards) and the application code, giving you the flexibility to build an end-user experience according to your design.

The Client APIs communicate with an embedded Power BI item, such as a report or dashboard. The iframe creates a separation between the hosting app and the Power BI item, making sure the data is secured.

Client APIs are further divided into these categories:

• powerbi-client: The main Power BI Client library, which includes all the Power BI Client APIs except for powerbi-report-authoring. This library defines the classes for the different Power BI items that can be embedded. The powerbi-client library allows you to control the content you're embedding.
• powerbi-models: Contains the object models for the Power BI Client APIs. For each model, there is a TypeScript interface, a JSON schema definition, and a validation function to ensure a given object is a valid model.
• powerbi-report-authoring: An extension of the client library. These APIs help with creating visuals and authoring the report after it's loaded. The powerbi-report-authoring library allows you to programmatically edit your embedded reports.

The next and last article covers PowerBI Embedded Demo application highlighting solutions, integration steps and key features.