I am aware of the data security regarding the "Publish to Web" option. As I came across multiple blogs and Microsoft official documentation, Publish to Web seems to be a bad option as opposed to Power BI Embedded which offers embedding within a web application in a more secure way (by using access token or embed token). I realized that both options will generate a link:
Publish to Web: A link that enables sharing with anyone on the internet (Ex: https://app.powerbi.com/view?r=xxxxxxxxxxxxxxx)
Power BI Embedded: An embed URL (Ex: https://app.powerbi.com/reportEmbed?reportId=abc&groupId=def&config=ghijklmn)
where I noticed both URLs start with "https://app.powerbi.com/xxxxx". I know that anyone who gets the link from the "Publish to Web" option is able to view the report freely. Now my question is: if anyone outside of my organization manages to get the embed URL, is there any way that he/she can possibly view my report (by parsing the embed URL in the browser, finding a way to embed it in their website using the embed URL, etc.)?
Also, I would appreciate it if anyone could explain further how secure Power BI Embedded is compared to Publish to Web.
Any help would be greatly appreciated. Thanks in advance.
Just knowing the EmbedUrl is not enough to load a Power BI report using the Power BI embedding model. It also requires an Azure AD token or an embed token. Any attacker with an EmbedUrl would then have to go through the authentication process with Azure AD to acquire either an Azure AD token or an embed token.
The URL used for Publish to Web has an embed code (not an embed token) at the end which provides anonymous access. That means that Publish to Web works without requiring any form of user authentication. If you have the URL with the embed code at the end, you are able to view the report. That's why we say that Publish to Web is inherently insecure.
Power BI embedding, on the other hand, will always require authentication with Azure AD. Today, Power BI embedding requires that a specific user with enough permissions authenticate to acquire an access token. The access token is passed back to the browser for embedding when using first-party embedding and the user-owns-data model. With third-party embedding, the access token is used to call the Power BI Service API to retrieve an embed token, and it is the embed token, not the access token, which is then passed to the browser.
The bottom line is that Power BI embedding is secure while Publish to Web is not.
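As an added illustration of the third-party (app-owns-data) flow the answer above describes, and not code from the thread or from Microsoft: the server acquires an Azure AD access token with client credentials, exchanges it for a view-only embed token through the Power BI REST API GenerateToken endpoint, and hands the browser only the embed URL plus embed token. The tenant, client and report identifiers are placeholders, and `fetchImpl` is injected so the flow can be exercised offline against a stub.

```javascript
// Added example (not from the original thread). Server-side half of Power BI
// third-party embedding: the Azure AD token never leaves this code path;
// only the embed token and embed URL are returned for the browser.
const POWERBI_SCOPE = "https://analysis.windows.net/powerbi/api/.default";

// Step 1: client-credentials request to Azure AD for a Power BI access token.
// tenantId / clientId / clientSecret are placeholders supplied by the caller.
async function getAadAccessToken({ tenantId, clientId, clientSecret }, fetchImpl) {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope: POWERBI_SCOPE,
  });
  const res = await fetchImpl(
    `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
    { method: "POST", body }
  );
  if (!res.ok) throw new Error(`Azure AD token request failed: ${res.status}`);
  return (await res.json()).access_token;
}

// Step 2: exchange the access token for a view-only embed token for one report.
async function getEmbedToken(aadToken, groupId, reportId, fetchImpl) {
  const url = `https://api.powerbi.com/v1.0/myorg/groups/${groupId}/reports/${reportId}/GenerateToken`;
  const res = await fetchImpl(url, {
    method: "POST",
    headers: { Authorization: `Bearer ${aadToken}`, "Content-Type": "application/json" },
    body: JSON.stringify({ accessLevel: "View" }),
  });
  if (!res.ok) throw new Error(`GenerateToken failed: ${res.status}`);
  return res.json(); // { token, tokenId, expiration }
}

// Step 3: the object the web app sends to the browser. embedUrl is the value the
// Power BI Get Report API returns for the report; the Azure AD token is not included.
async function buildEmbedConfig(creds, groupId, reportId, embedUrl, fetchImpl = fetch) {
  const aadToken = await getAadAccessToken(creds, fetchImpl);
  const embed = await getEmbedToken(aadToken, groupId, reportId, fetchImpl);
  return {
    type: "report",
    id: reportId,
    embedUrl,
    tokenType: "Embed", // powerbi-client: models.TokenType.Embed, not Aad
    accessToken: embed.token,
    expiration: embed.expiration,
  };
}
```

Because the embed token is scoped to one report with `accessLevel: "View"` and expires, a leaked embed URL alone still loads nothing, which is the distinction the answer draws against the Publish to Web embed code.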
https://docs.microsoft.com/en-us/power-bi/service-publish-to-web#custom-visuals
Custom visuals are supported in Publish to web. When you use Publish to web, users with whom you share your published visual do not need to enable custom visuals to view the report.
Publish to web is supported for the vast majority of data sources and reports in the Power BI service, however, the following are not currently supported or available with Publish to web:
Power BI administrators can enable or disable the publish to web feature. They may also restrict access to specific groups.
Thanks for the clear explanation.