stanley88
Frequent Visitor

Power BI Embedded vs Publish to Web

I am aware of the data security regarding the "Publish to Web" option. As I came across multiple blogs and Microsoft official documentation, Publish to Web seems to be a bad option as opposed to Power BI Embedded, which offers embedding within a web application in a more secure way (by using an access token or embed token). I realized that both options will generate a link:

Publish to Web: A link that enables sharing with anyone on the internet (Ex: https://app.powerbi.com/view?r=xxxxxxxxxxxxxxx)

Power BI Embedded: An embed URL (Ex: https://app.powerbi.com/reportEmbed?reportId=abc&groupId=def&config=ghijklmn)

where I noticed both URLs start with "https://app.powerbi.com/xxxxx". I know that anyone who got the link from the "Publish to Web" option is able to view the report freely. Now my question is: if anyone outside of my organization managed to get the embed URL, is there any way that he/she could possibly view my report (by parsing the embed URL in the browser, finding a way to embed it in their website using the embed URL, etc.)?

Also, I would appreciate it if anyone could explain further how secure Power BI Embedded is compared to Publish to Web.

Any help would be greatly appreciated. Thanks in advance.

Accepted Solution

TedPattison
Responsive Resident

Re: Power BI Embedded vs Publish to Web

Just knowing the EmbedUrl is not enough to load a Power BI report using the Power BI embedding model. It also requires an Azure AD token or an embed token. Any attacker with an EmbedUrl would then have to go through the authentication process with Azure AD to acquire either an Azure AD token or an embed token.

The URL used for Publish to Web has an embed code (not an embed token) at the end which provides anonymous access. That means that Publish to Web works without requiring any form of user authentication. If you have the URL with the embed code at the end, you are able to view the report. That's why we say that Publish to Web is inherently insecure.

Power BI embedding, on the other hand, will always require authentication with Azure AD. Today, Power BI embedding requires a specific user with enough permissions to authenticate in order to acquire an access token. The access token is passed back to the browser for embedding when using first-party embedding and the user-owns-data model. With third-party embedding, the access token is used to call the Power BI Service API to retrieve an embed token, and it is the embed token, not the access token, which is then passed to the browser.

The bottom line is that Power BI embedding is secure while Publish to Web is not.
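
The two URL shapes contrasted in this answer, as an added example that is not part of the original post: a Python sketch for auditing your own pages for anonymous Publish to Web links versus token-gated embed URLs. The host and path patterns are taken from the example URLs in the question; the function names, labels and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumption: commercial-cloud host only, as in the URLs quoted in the question.
POWERBI_HOST = "app.powerbi.com"


def classify_powerbi_url(url):
    """Classify a URL by the two shapes quoted in the question."""
    parts = urlparse(url)
    if parts.scheme != "https" or (parts.hostname or "").lower() != POWERBI_HOST:
        return "not-powerbi"
    query = parse_qs(parts.query)
    path = parts.path.rstrip("/").lower()
    if path == "/view" and "r" in query:
        # Embed code travels in the URL: no sign-in, anyone with the link can view.
        return "publish-to-web"
    if path == "/reportembed" and "reportId" in query:
        # Only locates the report; loading it still needs an Azure AD or embed token.
        return "token-required-embed"
    return "powerbi-other"


class _LinkCollector(HTMLParser):
    """Collects src/href values from iframe and anchor tags."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "a"):
            self.urls += [v for k, v in attrs if k in ("src", "href") and v]


def audit_html(html):
    """Return (url, classification) for every Power BI link or iframe in a page."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = [(u, classify_powerbi_url(u)) for u in collector.urls]
    return [f for f in findings if f[1] != "not-powerbi"]


# Constructed sample page; the IDs and embed code are placeholders, not real values.
SAMPLE_HTML = """
<iframe src="https://app.powerbi.com/view?r=PLACEHOLDER_EMBED_CODE"></iframe>
<iframe src="https://app.powerbi.com/reportEmbed?reportId=abc&amp;groupId=def"></iframe>
<a href="https://example.com/view?r=unrelated">other site</a>
"""

if __name__ == "__main__":
    for url, kind in audit_html(SAMPLE_HTML):
        print(f"{kind:22} {url}")
```

Any `publish-to-web` finding is a report that is readable without authentication and is worth reviewing against what the report contains.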

stanley88
Frequent Visitor

Re: Power BI Embedded vs Publish to Web

Thanks for the clear explanation.

ShivendooKumar
Helper V

Re: Power BI Embedded vs Publish to Web

Publish to web from Power BI Limitations

https://docs.microsoft.com/en-us/power-bi/service-publish-to-web#custom-visuals

 

Custom visuals

Custom visuals are supported in Publish to web. When you use Publish to web, users with whom you share your published visual do not need to enable custom visuals to view the report.

Limitations

Publish to web is supported for the vast majority of data sources and reports in the Power BI service, however, the following are not currently supported or available with Publish to web:

  • Reports using row level security.
  • Reports using any Live Connection data source, including Analysis Services Tabular hosted on-premises, Analysis Services Multidimensional, and Azure Analysis Services.
  • Reports shared to you directly or through an organizational content pack.
  • Reports in a group in which you are not an edit member.
  • "R" Visuals are not currently supported in Publish to web reports.
  • Exporting Data from visuals in a report, which has been published to the web
  • ArcGIS Maps for Power BI visuals
  • Reports containing report-level DAX measures
  • Single sign-on data query models
  • Secure confidential or proprietary information
  • The automatic authentication capability provided with the Embed option doesn't work with the Power BI JavaScript API. For the Power BI JavaScript API, use the user owns data approach to embedding. Learn more about user owns data.

Tenant setting

Power BI administrators can enable or disable the publish to web feature. They may also restrict access to specific groups.
