Introduction
As data becomes increasingly central to decision-making, embedding analytics directly within business applications like Microsoft Dynamics 365 (D365) is becoming a must-have for organizations. Embedded reports not only improve user experience but also ensure that stakeholders have access to timely, actionable insights without switching platforms.
A key part of embedding reports in D365—especially in multi-user environments—is maintaining data security. This is where Row-Level Security (RLS) comes in. RLS ensures that users see only the data they are authorized to access. Combined with Power BI embedding, this approach enables powerful, secure, and interactive reporting experiences inside Dynamics 365.
This article provides a comprehensive deep dive into how to embed reports in Dynamics 365 with RLS enabled, covering concepts, setup, benefits, limitations, and best practices.
Understanding the Basics
What is Embedding?
Embedding refers to the integration of Power BI reports and dashboards into third-party applications. In this case, it means integrating Power BI reports into Dynamics 365 model-driven apps, such as Sales or Customer Service.
Embedding allows users to:
- View real-time data reports directly within the app.
- Avoid switching between multiple tools.
- Benefit from seamless UX and contextual analytics.
What is Row-Level Security (RLS)?
RLS in Power BI is a method to restrict data access for given users based on filters. These filters are defined within roles in Power BI Desktop and applied to the dataset. When a user accesses a report, the filters ensure they only see the data they’re permitted to view.
This is especially critical in Dynamics 365 environments, where different users (e.g., sales reps, managers, regional leads) should only access data relevant to their roles or regions.
Embedding Options in Dynamics 365
There are three main approaches to embedding Power BI reports into Dynamics 365:
1. Embed as a Power BI Dashboard Tile
- Quick method using out-of-the-box Power BI tiles.
- Limited interactivity.
- Requires publishing dashboards in Power BI and pinning them.
2. Embed with Power BI Service
- Use iFrames and embedUrl to display a Power BI report in a form or dashboard.
- More customizable, especially with JavaScript.
- Works well with RLS when integrated correctly.
3. Embed Using Power BI JavaScript API
- Best for custom portal scenarios or web resources.
- Allows granular control over interactivity and layout.
- Supports RLS via embedded tokens (App Owns Data scenario).
This article focuses primarily on the Power BI Service embedding and how RLS works with it.
Implementing RLS for Embedded Reports in D365
Step 1: Prepare the Power BI Report
- Build your Power BI Report
  - Connect to your data source (e.g., Dataverse, SQL Server).
  - Design your visuals.
- Define Roles in Power BI Desktop
  - Go to Modeling > Manage Roles.
  - Create roles and apply DAX filters. Example:
    [UserEmail] = USERPRINCIPALNAME()
  - This ensures each user only sees rows where their email matches the data.
- Test the Roles
  - Use View as Role in Power BI Desktop to validate your logic.
- Publish to Power BI Service
  - Upload your report to a workspace (preferably in a Power BI Premium workspace for better performance and access control).
Step 2: Enable RLS in the Power BI Service
- Go to the Dataset in the Power BI Service
  - Open the workspace where your dataset is published.
- Assign Security Roles
  - Click Datasets > Security.
  - Assign Azure AD users or security groups to each role.
Note: If you’re using the “App Owns Data” model (embedding for external users), RLS must be implemented using embedded tokens and passed at runtime.
Step 3: Embed the Report in Dynamics 365
There are several ways to embed Power BI into D365 forms or dashboards. Here’s a standard method using iFrames:
Option A: Embed as a Web Resource on a Form
- Get the Embed URL
  - In Power BI, go to the report > File > Embed report > Website or portal.
  - Copy the iframe URL.
- Create a Web Resource in D365
  - Go to Power Apps > Solutions > Your App.
  - Add a new Web Resource (type: HTML or Script).
  - Paste the iFrame code.
- Insert the Web Resource into a Form
  - Open the desired form in the form editor.
  - Add a new Web Resource component using the one you created.
- Pass Context (Optional)
  - Use JavaScript to dynamically pass parameters like UserID or Region to filter visuals (if needed).
Option B: Use Power BI Dashboard Integration
- Enable Power BI Integration
  - In Dynamics 365, go to Settings > Administration > System Settings > Reporting tab.
  - Set Enable Power BI Visuals to “Yes”.
- Add Power BI Dashboard to D365
  - Go to Personal Dashboards.
  - Create a new Power BI dashboard.
  - Select your workspace and report.
This method allows direct integration with the Power BI service without requiring custom development.
RLS and Authentication Models
User Owns Data vs. App Owns Data
- User Owns Data:
  - Users are authenticated via their own Power BI credentials.
  - RLS roles apply automatically based on their identity.
  - Ideal for internal Dynamics 365 users.
- App Owns Data:
  - The application (e.g., D365 portal or custom app) authenticates on behalf of the user.
  - RLS is enforced via token-based filters (passing user context).
  - Suitable for embedding reports in external-facing portals.
In most Dynamics 365 scenarios, User Owns Data is the appropriate model, especially when embedding into model-driven apps for internal users.
Best Practices
1. Use Azure AD Security Groups
Assign users to roles using Azure AD groups instead of individual accounts for easier management and scalability.
2. Minimize Data Exposure
Design your RLS filters to limit the scope of accessible data as much as possible. Use measures like ISINSCOPE() to prevent aggregate leaks.
3. Use Separate Datasets and Reports
Maintain a separate dataset layer with RLS and connect it to multiple reports to ensure reusability.
4. Monitor Usage and Access
Use the Power BI Audit Logs and Activity Log to track who’s accessing which reports and ensure RLS is functioning as intended.
5. Test RLS Thoroughly
Always test RLS from the perspective of various roles before pushing to production. Even a small logic error can expose sensitive data.
Common Challenges
1. Not Using USERPRINCIPALNAME()
For RLS to dynamically filter data based on the signed-in user, you must use USERPRINCIPALNAME() in your DAX filters.
2. Misconfigured Roles
If roles aren’t properly assigned in the Power BI Service, RLS won’t be enforced—even if the report is configured correctly.
3. Unsupported Data Sources
Some connectors or composite models might not fully support RLS. Always check compatibility if you’re mixing sources.
4. External Users
When embedding for external users (like customers via D365 Portals), you’ll need to move to the App Owns Data model with token-based RLS.
Advanced Scenario: RLS in Power BI Embedded for Portals
For organizations using Power Pages (formerly Power Apps Portals) to share Power BI reports externally, implementing RLS becomes more complex:
- Use Azure AD B2C or a custom identity provider.
- Generate Power BI Embed Tokens with effective identity information.
- Pass user attributes like UserEmail or Region at runtime into the RLS role.
This approach provides granular security and ensures compliance when exposing data externally.
Benefits of Embedding with RLS
- ✅ Personalized Insights: Users see only their data.
- ✅ Security Compliance: Enforces data governance rules.
- ✅ Improved UX: One-stop access to reports within D365.
- ✅ Performance: Smaller, filtered datasets load faster.
- ✅ Scalability: Supports thousands of users securely.