Power BI embedding with RLS in Power Pages


Power BI integration into Power Pages enables powerful data visualizations directly within your websites, allowing both internal and external users to interact with reports and dashboards securely. When you need to display personalized views of data for different users, Row-Level Security (RLS) becomes essential. It filters data dynamically based on the viewer’s identity, showing only the data they’re authorized to access.

This guide provides a detailed, step-by-step explanation of embedding Power BI with RLS in Power Pages.


Overview of Power BI Embedding in Power Pages

Power BI embedding allows you to embed interactive Power BI reports into your Power Pages site using an <iframe> or the Power BI JavaScript API. Combined with Azure Active Directory (AAD) authentication and Row-Level Security, you can serve personalized visual content securely.


What is Row-Level Security (RLS)?

RLS restricts access to data at the row level for each user. This means each user only sees the subset of data they’re allowed to view, based on filters you define in Power BI.

You can implement RLS in two main ways:

  1. Static RLS – Predefined filters for roles (e.g., Role A sees Region A).
  2. Dynamic RLS – Filters are defined based on the logged-in user’s identity (user-based filtering).

Dynamic RLS is more suitable for Power Pages where each portal user can have a unique view.


Prerequisites

Before you begin:

  • Power BI Pro or Premium per user (PPU) license.
  • Power BI report published to Power BI service workspace.
  • Azure Active Directory (AAD) for authentication.
  • Power Pages site configured.
  • Access to Dataverse to associate user data with identity.

Step-by-Step Implementation

Step 1: Create the Report with RLS in Power BI Desktop

  1. Create a data model in Power BI Desktop.
  2. Add a table with user email addresses (or usernames) linked to their data.
  3. Go to Modeling > Manage Roles.
  4. Click Create and define a new role:
    [UserEmail] = USERNAME()
    Or use:
    [UserEmail] = USERPRINCIPALNAME()
    Choose based on your AAD identity mapping.
  5. Save and publish the report to the Power BI Service workspace.

Step 2: Configure Row-Level Security in Power BI Service

  1. Go to app.powerbi.com and navigate to your workspace.
  2. Click Datasets > Security.
  3. Add users or security groups to the defined roles.
  4. Test the RLS by selecting View As Role.

Step 3: Configure Azure AD Authentication for Power Pages

To pass user identity from Power Pages to Power BI, you need to ensure that:

  • Users log in using Azure AD B2C or AAD.
  • The Power Pages site captures their AAD identity.

Steps:

  1. In Power Pages Admin Center, set up Azure AD B2C as an identity provider.
  2. Map AAD attributes (such as email, upn) to Dataverse Contact fields.
  3. Ensure your Dataverse Contact records are linked with user identities (store AAD UPN/email).

Step 4: Enable Power BI Embedded for Your Tenant

  1. Go to Power BI Admin Portal (admin rights required).
  2. Enable Embed content in apps and Use Power BI API.

Step 5: Generate Embed Token with RLS

You can use Power BI REST APIs to generate an embed token that includes RLS.

Using a service principal (Azure App Registration):

  1. Register an Azure AD application in Azure Portal.
  2. Assign API permissions for Power BI (Report.Read.All, Dataset.Read.All).
  3. Add this app as a workspace member with contributor rights.
  4. Use a custom backend (e.g., Azure Function or Power Automate Custom Connector) to call the Power BI Embed Token API.

Sample Request (RLS included):

    {
      "accessLevel": "View",
      "identities": [
        {
          "username": "user@example.com",
          "roles": ["ViewerRole"],
          "datasets": ["dataset_id"]
        }
      ]
    }

The embed token will enforce the correct RLS filters.
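
The username and roles in this request decide which rows the viewer sees, so the backend should derive them from the authenticated session and never from values the browser sends. The following Node.js code is an added example, not code from the original page: the session object shape, the role map, the 10-minute lifetime and the function names are assumptions.

```javascript
// Added example, not from the original page. Assumptions: the session object
// shape, ROLES_BY_CONTACT_TYPE and both function names are hypothetical.
const ROLES_BY_CONTACT_TYPE = new Map([['customer', ['ViewerRole']]]); // server-side allowlist

// Build the GenerateToken body from the authenticated session only.
function buildTokenRequest(session, datasetId) {
  if (!session || session.authenticated !== true) throw new Error('unauthenticated');
  const upn = String(session.upn || '').trim().toLowerCase();
  // Accept exactly one address-like identifier; reject lists and whitespace.
  if (!/^[^\s@,;]+@[^\s@,;]+\.[^\s@,;]+$/.test(upn)) throw new Error('invalid identity');
  const roles = ROLES_BY_CONTACT_TYPE.get(session.contactType);
  if (!roles) throw new Error('no RLS role mapped'); // fail closed: no role, no token
  return {
    accessLevel: 'View',
    lifetimeInMinutes: 10, // assumed value; this field can only shorten the lifetime
    identities: [{ username: upn, roles: [...roles], datasets: [datasetId] }],
  };
}

// Call the Power BI REST API using the service principal's AAD access token.
async function requestEmbedToken({ groupId, reportId, aadToken, body, fetchImpl = fetch }) {
  const url = 'https://api.powerbi.com/v1.0/myorg/groups/' + encodeURIComponent(groupId) +
    '/reports/' + encodeURIComponent(reportId) + '/GenerateToken';
  const res = await fetchImpl(url, {
    method: 'POST',
    headers: { Authorization: `Bearer ${aadToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`GenerateToken failed: ${res.status}`);
  const { token, expiration } = await res.json();
  return { token, expiration }; // hand the browser only what it needs
}
```

The AAD token for the service principal stays on the server; only the embed token and its expiration are returned to the page.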


Step 6: Embed Power BI Report into Power Pages

Use JavaScript to embed the Power BI report dynamically.

  1. Add a Web Page or Web Template in Power Pages.
  2. Paste the following JavaScript into the HTML content:
    <div id="reportContainer" style="height:600px;"></div>

    <script src="https://cdn.jsdelivr.net/npm/powerbi-client@2.21.0/dist/powerbi.min.js"></script>
    <script>
      const embedConfig = {
        type: 'report',
        id: '<REPORT_ID>',
        embedUrl: '<EMBED_URL>',
        accessToken: '<EMBED_TOKEN>',
        tokenType: window['powerbi-client'].models.TokenType.Embed,
        settings: {
          filterPaneEnabled: false,
          navContentPaneEnabled: false
        }
      };

      const reportContainer = document.getElementById('reportContainer');
      powerbi.embed(reportContainer, embedConfig);
    </script>

Replace:

  • <REPORT_ID> with your Power BI report ID
  • <EMBED_URL> with the report embed URL
  • <EMBED_TOKEN> with the token generated from the previous step

Note: Never expose sensitive code (like token generation) in the Power Pages front end. Use a backend service to fetch tokens securely.
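
One way the page script can obtain the token from a backend at load time and refresh it before it expires, as an added example that is not part of the original page. The `/api/embed-token` endpoint, its response shape (`reportId`, `embedUrl`, `token`, `expiration`) and the function names are assumptions.

```javascript
// Added example, not from the original page. '/api/embed-token' is a
// hypothetical backend endpoint returning { reportId, embedUrl, token, expiration }
// for the signed-in portal user.

// Milliseconds to wait before refreshing, leaving a margin before expiry.
function msUntilRefresh(expirationIso, nowMs, marginMs = 2 * 60 * 1000) {
  const expMs = Date.parse(expirationIso);
  if (Number.isNaN(expMs)) throw new Error('bad expiration');
  return Math.max(0, expMs - nowMs - marginMs);
}

// The browser sends only its session cookie; it never names the user itself.
async function fetchEmbedInfo(fetchImpl = fetch, endpoint = '/api/embed-token') {
  const res = await fetchImpl(endpoint, { credentials: 'same-origin', cache: 'no-store' });
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  return res.json();
}

// Same settings as the static config above, filled from the backend response.
function toEmbedConfig(info, models) {
  return {
    type: 'report', id: info.reportId, embedUrl: info.embedUrl,
    accessToken: info.token, tokenType: models.TokenType.Embed,
    settings: { filterPaneEnabled: false, navContentPaneEnabled: false },
  };
}

// Browser wiring: pbi is the global `powerbi`, models is
// window['powerbi-client'].models, container is the #reportContainer element.
async function embedWithRefresh(container, pbi, models, fetchImpl = fetch) {
  const info = await fetchEmbedInfo(fetchImpl);
  const report = pbi.embed(container, toEmbedConfig(info, models));
  const schedule = (expiration) => setTimeout(async () => {
    const next = await fetchEmbedInfo(fetchImpl);
    await report.setAccessToken(next.token); // swap token without reloading the report
    schedule(next.expiration);
  }, msUntilRefresh(expiration, Date.now()));
  schedule(info.expiration);
  return report;
}
```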


Step 7: Automate Embed Token Generation (Optional)

You can:

  • Use Power Automate Flow to call an Azure Function and return the token.
  • Store the token temporarily in Dataverse and retrieve it via Liquid or JavaScript.

Security Considerations

  • Always generate embed tokens server-side.
  • Do not hardcode tokens in the front-end.
  • Ensure all external users are authenticated and mapped to Dataverse contacts.
  • Use HTTPS and keep embed token lifetimes short.

Troubleshooting

Issue | Solution
Users see blank report | Confirm RLS filters match their identity.
Token expired | Ensure token is valid and generated on each load.
AAD login fails | Verify correct Azure AD B2C setup.
Embed fails in portal | Check if iframe is blocked by tenant settings.

Summary

Embedding Power BI with RLS in Power Pages combines the powerful visual capabilities of Power BI with secure, user-personalized access in a public or partner-facing portal. By enforcing row-level filtering through RLS and using secure embed tokens, you ensure data visibility remains tailored to each individual user.

This approach is ideal for scenarios such as:

  • Customer dashboards
  • Partner performance metrics
  • Vendor-specific reporting
