Anonymous
Not applicable

Power BI Embedded vs Publish to Web

I am aware of the data security concerns regarding the "Publish to Web" option. From the multiple blogs and official Microsoft documentation I came across, Publish to Web seems to be a bad option as opposed to Power BI Embedded, which offers embedding within a web application in a more secure way (by using an access token or embed token). I realized that both options will generate a link:

 

Publish to Web: A link that enables sharing with anyone on the internet (Ex: https://app.powerbi.com/view?r=xxxxxxxxxxxxxxx)

Power BI Embedded: An embed URL (Ex: https://app.powerbi.com/reportEmbed?reportId=abc&groupId=def&config=ghijklmn)

 

I noticed that both URLs start with "https://app.powerbi.com/xxxxx". I know that anyone who gets the link from the "Publish to Web" option is able to view the report freely. Now my question is: if anyone outside of my organization manages to get the embed URL, is there any way that he/she can possibly view my report (by parsing the embed URL in the browser, finding a way to embed it in their website using the embed URL, etc.)?

 

Also, I would appreciate it if anyone could explain further how secure Power BI Embedded is compared to Publish to Web.

 

Any help would be greatly appreciated. Thanks in advance.

1 ACCEPTED SOLUTION
TedPattison
Employee

Just knowing the EmbedUrl is not enough to load a Power BI report using the Power BI embedding model. It also requires an Azure AD token or an embed token. Any attacker with an EmbedUrl would then have to go through the authentication process with Azure AD to acquire either an Azure AD token or an embed token. 

 

The URL used for Publish to Web has an embed code (not an embed token) at the end which provides anonymous access. That means that Publish to Web works without requiring any form of user authentication. If you have the URL with the embed code at the end, you are able to view the report. That's why we say that Publish to Web is inherently insecure.

 

Power BI embedding, on the other hand, will always require authentication with Azure AD. Today, Power BI embedding requires a specific user with enough permissions to authenticate in order to acquire an access token. The access token is passed back to the browser for embedding when using first-party embedding and the user-owns-data model. With third-party embedding, the access token is used to call the Power BI Service API to retrieve an embed token, and it is the embed token, not the access token, which is then passed to the browser.

 

The bottom line is that Power BI embedding is secure while Publish to Web is not.
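
As an added example (not part of the original thread and not Microsoft's code): a small Node.js audit helper that separates the two URL shapes quoted in the question and flags only Publish to Web links, since those are the ones that open without any token. The function names and the sample markup are constructed for illustration.

```javascript
// Added example: classify Power BI links by whether the URL alone grants access.
// The two URL shapes are the ones quoted in the question above.
const PBI_HOST = "app.powerbi.com";

function classifyPowerBiUrl(raw) {
  let u;
  try {
    // Links copied out of HTML attributes often carry &amp; instead of &.
    u = new URL(raw.replace(/&amp;/g, "&"));
  } catch {
    return { kind: "not-a-url", anonymous: false };
  }
  // Exact host match: app.powerbi.com.example.net must not count as Power BI.
  if (u.hostname !== PBI_HOST) {
    return { kind: "not-powerbi", anonymous: false };
  }
  const path = u.pathname.replace(/\/+$/, "").toLowerCase();
  if (path === "/view" && u.searchParams.get("r")) {
    // Publish to Web: the embed code in `r` is the only thing needed to view.
    return { kind: "publish-to-web", anonymous: true };
  }
  if (path === "/reportembed" && u.searchParams.get("reportId")) {
    // Power BI embedding: still needs an Azure AD token or an embed token.
    return { kind: "report-embed", anonymous: false };
  }
  return { kind: "powerbi-other", anonymous: false };
}

// Scan page source and return every distinct link that works without authentication.
function findAnonymousReports(html) {
  const urls = html.match(/https?:\/\/[^\s"'<>]+/gi) || [];
  return [...new Set(urls)].filter((u) => classifyPowerBiUrl(u).anonymous);
}

// Constructed sample markup, reusing the placeholder URLs from the question.
const SAMPLE_HTML = `
<iframe src="https://app.powerbi.com/view?r=xxxxxxxxxxxxxxx"></iframe>
<iframe src="https://app.powerbi.com/reportEmbed?reportId=abc&amp;groupId=def&amp;config=ghijklmn"></iframe>
<a href="https://app.powerbi.com.example.net/view?r=xxxxxxxxxxxxxxx">lookalike host</a>
`;

console.log(findAnonymousReports(SAMPLE_HTML));
```

Run against the source of an intranet or public site, this lists the reports that should be reviewed against the tenant's Publish to Web setting.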


3 REPLIES 3
Anonymous
Not applicable

Publish to web from Power BI Limitations

https://docs.microsoft.com/en-us/power-bi/service-publish-to-web#custom-visuals

 

Custom visuals

Custom visuals are supported in Publish to web. When you use Publish to web, users with whom you share your published visual do not need to enable custom visuals to view the report.

Limitations

Publish to web is supported for the vast majority of data sources and reports in the Power BI service, however, the following are not currently supported or available with Publish to web:

  • Reports using row level security.
  • Reports using any Live Connection data source, including Analysis Services Tabular hosted on-premises, Analysis Services Multidimensional, and Azure Analysis Services.
  • Reports shared to you directly or through an organizational content pack.
  • Reports in a group in which you are not an edit member.
  • "R" Visuals are not currently supported in Publish to web reports.
  • Exporting Data from visuals in a report, which has been published to the web
  • ArcGIS Maps for Power BI visuals
  • Reports containing report-level DAX measures
  • Single sign-on data query models
  • Secure confidential or proprietary information
  • The automatic authentication capability provided with the Embed option doesn't work with the Power BI JavaScript API. For the Power BI JavaScript API, use the user owns data approach to embedding. Learn more about user owns data.

Tenant setting

Power BI administrators can enable or disable the publish to web feature. They may also restrict access to specific groups.

Anonymous
Not applicable

Thanks for the clear explanation.
