mrhodes
Regular Visitor

Power BI Embedded and Azure Active Directory Authentication

Power BI Embedded and Azure Active Directory Authentication – There is limited documentation available at this time and we know the service is still in preview, but we read that Power BI Embedded supports token level authentication and Azure Active Directory Authentication. Code examples are provided for token level authentication, but we have not seen any for Azure Active Directory Authentication. Are there any examples available connecting to Power BI Embedded workspaces with Azure Active Directory Authentication?

13 REPLIES
Anmolgan
Post Prodigy

I am also trying to achieve the similar scenario!!

But I am not able to do so. How will I be able to achieve this? I am using the app owns data scenario, but nowhere is it written how and where I have to do this. Guidance is all we need.

Hi.

The feature of passing AAD token to SQL Azure is currently not supported in "App owns data" scenario.

We are currently looking into this ask.

Consider using "User owns data" for this flow for now.

Eli.

You are saying that I can't design an application that gives access to users by matching their credentials from a database and opening a particular report for them using AAD Authorization??

If not, then are there any ways so that I can achieve this scenario?

In "App owns data" scenario, there is no way to pass user AAD token through PowerBI to SQL Azure.

Eli.

So are there any other scenarios where this is possible?

In "User owns data", users' AAD will be passed to SQL Azure, if his datasource is configured to do that.

shanu_123
Frequent Visitor

I'm facing a similar problem. I have downloaded the sample Power BI Embedded App_own_data for the native app. It's working, but I want user authentication to the application from Azure AD. I have also implemented "rls", but I have to pass a static username in that. Can anybody please provide guidance....

jeffabailey
New Member

I'm also trying to achieve a similar scenario.

  1. Create a direct query report in the Power BI portal pointing to a sql azure database
  2. Set the datasource of the report's dataset to a read only replica in Azure via the portal API
  3. Allow an Azure AD authenticated user to access the dataset with the previously set datasource

I did not find a way to make use of the on behalf of token in the connection string since it's not possible to pass the token in the connection string currently.

https://github.com/Azure/azure-content-nlnl/blob/master/articles/sql-database/sql-database-aad-authe...

I would like to know if this is even possible and if not if there is any plan to allow for passing an authentication token in the actual connection string to sql server. I don't understand why this would never be possible given the fact that people already store sensitive credentials in the connection string the world over. Maybe this isn't the right forum for this question but a referral to the appropriate place to ask for this would also be useful.

Thanks

jocaplan-MSFT
Microsoft

Power BI Embedded leaves authentication and authorization up to the application that it is embedded into. You can have your users sign into your app any way you want to (including AAD) and then your app can delegate permissions to Power BI using app tokens.
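The delegation pattern described in the reply above, sketched as an added example that is not part of the original post or of any Power BI SDK: the application authenticates the user itself, then issues a short-lived token scoped to one report, taking the user identity from its own server-side session rather than from a static value. The token format here (an HS256 JWT signed with a workspace access key, with claims named `wid`, `rid`, `username` and `roles`) and the `session` dictionary are assumptions for illustration.

```python
import base64, hashlib, hmac, json, time

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _sign(key: bytes, signing_input: str) -> str:
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256)
    return _b64url(mac.digest())

def mint_app_token(access_key, session, workspace_id, report_id, now=None, ttl=300):
    """Issue a short-lived token for one report, for a user the app already signed in."""
    if not session.get("authenticated"):
        raise PermissionError("no authenticated session")
    if report_id not in session.get("allowed_reports", ()):
        raise PermissionError("report not permitted for this user")
    now = int(time.time()) if now is None else now
    claims = {
        "type": "embed", "wid": workspace_id, "rid": report_id,  # assumed claim names
        "username": session["upn"],  # from the server-side session, never from the request
        "roles": session["roles"],
        "nbf": now, "exp": now + ttl,
    }
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + _sign(access_key, signing_input)

def read_claims(access_key, token):
    """Verify the signature in constant time, then return the claims."""
    signing_input, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig, _sign(access_key, signing_input)):
        raise ValueError("signature mismatch")
    payload = signing_input.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

# Constructed sample data: a placeholder key and a hypothetical session record
# that the app would fill in after validating the user's sign-in (for example via AAD).
ACCESS_KEY = b"constructed-example-key"
SESSION = {"authenticated": True, "upn": "alice@contoso.example",
           "roles": ["SalesWest"], "allowed_reports": {"report-a"}}

if __name__ == "__main__":
    token = mint_app_token(ACCESS_KEY, SESSION, "ws-1", "report-a")
    print(read_claims(ACCESS_KEY, token))
```

The signing key stays on the server; the browser only ever receives the finished token, and the short expiry limits how long a leaked token is usable.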

We need the credential of the current authenticated user to be able to flow through so it can be passed to the credentials for the dataset level access, e.g. connection to the Azure SQL database. Ultimately the connection to the database needs to be under the context of the current logged in user. A fixed service account will not allow SQL to know what user is requesting the data so we can only send the data relevant to that user.

If you used the regular PBI and not the Embedded, then you could use the new Row Level Security feature, that is available in preview since a few weeks:

https://powerbi.microsoft.com/en-us/documentation/powerbi-admin-rls/

But I'm afraid you cannot use it with PBI Embedded.

Instead you could use predefined filters of your own for your embedded reports / tiles based on the user context. That's not super bullet-proof, but it does the job.

It sounds like a totally different scenario, and not really related to authentication. As far as I know user context is not available at all. Especially not in PBI Embedded, where the user is not impersonated, but a single application token is used. In the "conventional" version the logged in user can be used for row level security, when the datasource is an SSAS cube. But that's not applicable here.

Folks, correct me if I'm wrong. But I think you need a different approach here. Authentication tricks won't help you in this regard.

pritesho
Helper I

Try Option 7 on the sample to configure your AD account.
