Embed Power BI Visuals in Power App Portals for External Customers

Exposing a report or a dashboard tile from Power BI on a page in your Power App Portal is a supported feature. Not only, you will get the read-only visuals on your page, but you will also get a good amount of power like Natural Language Q/A, exporting data, drilling , filtering, slicing etc.

PowerApp Portal now has a liquid tag called powerbi, with this simple tag we can embed reports and dashboards in a single line of liquid any where on the portal. To get the powerbi liquid tag working, you need to enable Power BI Visualization from the portal admin center (you need to be a global admin).

The powerbi tag accepts the authentication_type, a path parameters for a report or a dashboard, a roles parameter for Row level security roles and a tileid for a specific dashboard tile if needed. Previously, the authentication type allowed only AAD (Azure Active Directory) and Anonymous values. In the AAD case, only users in the company AAD who have the reports shared with them, will have access to view the report (A sign in may be required to load the report), this is a good case for the Employee portal but hardly a good case for any other portal type or if your customers are not in your AAD. With the Anonymous case, you need to make your report fully public in Power BI service which means no authentication what so ever which can be a no-no for some organizations. In the October 2019 release, a new authentication type called powerbiembedded became available and with this authentication type, we can easily support viewing a report from Power BI on the portal by letting the Power App portal itself authenticate with the Power BI Service on the user’s behalf.

{% powerbi authentication_type:”” path:”” roles:”” tileid”” %}

The very first step to enable this mode of authentication is by going to the portal admin center and enable Power BI Embedded Service.

You will be asked to select the work space(s) that includes the reports you wish to expose. Move the workspace to the Selected work spaces and click Enable. This may trigger a portal restart that may take few minutes.

Up until now, the Power BI service and the Power App Portal don’t trust each other. To enable the Portal to authenticate with the Power BI Service, we need to make AAD aware of that. We need to create a security group in AAD and add the portal application to it as a member. This will allow us to tell Power BI Service that anyone in this group is allowed to see what’s inside workspace. To do this, login into https://portal.azure.com and open AAD.

Select Groups

Select New Group

Fill in the group details and click Create

Open the recently created group and click on Members, Add Members.

Search for the portal application and add it as a member. To save time, you can paste the Application ID found under the Portal Admin center in the new member search box and it should filter that portal application only.

Now, we need to tell Power BI that this security group is trusted. To do this, sign in into https://powerbi.microsoft.com and from the gear icon, select Admin Portal.

Under Tenant settings->Developer Settings, add the group you created in the previous step. Any member in this group will have access to Power BI APIs. Click Apply when done.

Our work is done here, what we need now is to expose a visual on the portal. Create a web page with a custom page template. Let the page template point to a custom web template. To show a working example, I created a sample web template called PowerBI and it has the powerbi liquid tag.

Notice that the authentication_type is now powerbiembeded and the path points to a report in my Power BI Service. Note that roles parameter here, I assigned it to some dummy role I created in my report (see https://docs.microsoft.com/en-us/power-bi/service-admin-rls) as It seems like at least one role has to be passed in the liquid tag for the visualization to work. A really good use case of the roles parameter is to have the roles in your Power BI report match the name of your web roles on the Power Portal, then you can control who can see what data based on your web role.

The final result? a report on the Power Portal with the portal taking care of authentication with Power BI Service.

17 thoughts on “Embed Power BI Visuals in Power App Portals for External Customers

  1. Hello Omar, thanks for sharing this very helpful post. I was setting up an embedded Power BI report inside Powerapps Portal using the liquid tag like you did in this post. I am using the powerbiembedded authentication type.I have a generic role setup on the report and I passed that into the liquid roles attribute to get past to row level security error, but the report itself does not load.

    Any ideas as to why the report is not loading?

    Like

    1. Hi Luke, thank you for following up! I can’t tell from your description, have you set the proper security group in Azure and added the portal application to it ? If you already did that, have you given the PowerBI service access to that group via the Power BI admin center?

      Like

      1. Yes, the security group has been created with the portal application assigned to it and the PowerBI service does have access to the group.

        The liquid tag that I am using looks something like this:

        {% powerbi authentication_type:”powerbiembedded” path:”https://app.powerbi.com/groups/00000000-0000-0000-0000-000000000000/reports/00000000-0000-0000-0000-000000000001/ReportSection01″
        roles:”Generic” %}

        Liked by 1 person

  2. this seems OK to me and you seem like you followed all the steps (including giving the portal access to that workspace). One note is that workspace that has the report in it shouldn’t be “My workspace” and needs to be a new workspace. If that is also your case, do you see an error in the browser dev tools while the report is rendering?

    Like

    1. I did check to confirm and it is the new workspace type. I checked the console and it does seem to get stuck loading all of the powerbi source files. The error in the console says:

      Uncaught TypeError: e.html is not a function

      I have successfully loaded a report using AAD authentication and when I compared what was loaded it looks like the error is preventing all of the powerbi320 (PowerBIIframe.aspx) files from loading.

      Like

      1. No I used a trial as well. U don’t have more than one portal, right? Just in case you gave access to a different application Id? I’m guessing now and I’m pretty sure u got the setup right. I used Chrome and I doubt it makes any difference. I will look into it more and see.

        Like

  3. Hello Omar. Thank you for the write up. I followed the instructions and am getting the following error when the portal loads ” powerbi: power bi feature is disabled in portal admin center”. I have clicked on enable powerbi embedded and added a workspace. Any ideas why this error might exist?

    Like

    1. Thank you David. So I just want to make sure that you enabled Power bi and also enabled the embed of power bi in the Admin center? When you did those steps, did you see a message asking for your permission to give power bi access to the portal? Also, restart the portal if you did everything right because I noticed that this feature and enabling sharepoint require a restart. I’m always happy to help over a quick Teams meeting.

      Like

  4. I did everything as you described.
    If I use the role in the link, I have an empty report [a white square in the place where the report should be]. If I don’t specify a role, the following message appears:
    “Liquid syntax error: Row-level security (RLS) is enabled in Power BI report. You must specify the ‘role’ parameter and its value in your Liquid code.”

    Like

  5. Hi Omar, Thanks for sharing the useful information. We’re planning to use this feature and embed power bi dashboards on portals, so I’m trying to learn more how the billing works for Power BI embed service. Also, do we need to have power BI pro license as well with Power BI embed license?
    our portal users are contacts records in Dynamcis 365, so if I enable this feature will they need to have any sign in?

    Like

  6. Hey Omar, did you ever find a solution for this error “Liquid syntax error: Row-level security (RLS) is enabled in Power BI report. You must specify the ‘role’ parameter and its value in your Liquid code.”?

    I’m running into this issue after following the steps. I’m currently using a live connection to AAS and verified there is no RLS applied, but am still running into this error message.

    Like

  7. Hey Omar

    You mentioned you set up a dummy role in order to display the report. What settings did you apply to that role? Did you apply DAX for any specific tables?

    Also do you add the service principle to that role?

    Thanks!

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s