stanley88
Frequent Visitor

Power BI Embedded vs Publish to Web

I am aware of the data security regarding the "Publish to Web" option. As I came across multiple blogs and Microsoft official documentation, Publish to Web seems to be a bad option as opposed to Power BI Embedded which offers embedding within a web application in a more secure way (by using access token or embed token). I realized that both options will generate a link:

 

Publish to Web: A link that enables sharing with anyone on the internet (Ex: https://app.powerbi.com/view?r=xxxxxxxxxxxxxxx)

Power BI Embedded: An embed URL (Ex: https://app.powerbi.com/reportEmbed?reportId=abc&groupId=def&config=ghijklmn)

 

where I noticed both URLs start with "https://app.powerbi.com/xxxxx". I know that anyone who got the link from the "Publish to Web" option is able to view the report freely. Now my question is: if anyone outside of my organization managed to get the embed URL, is there any way that he/she can possibly view my report (by parsing the embed URL in the browser, finding a way to embed it in their website using the embed URL, etc.)?

 

Also, I would appreciate it if anyone could explain further how secure Power BI Embedded is compared to Publish to Web.

 

Any help would be greatly appreciated. Thanks in advance.

1 ACCEPTED SOLUTION
TedPattison
Microsoft

Just knowing the EmbedUrl is not enough to load a Power BI report using the Power BI embedding model. It also requires an Azure AD token or an embed token. Any attacker with an EmbedUrl would then have to go through the authentication process with Azure AD to acquire either an Azure AD token or an embed token. 

 

The URL used for Publish to Web has an embed code (not an embed token) at the end which provides anonymous access. That means that Publish to Web works without requiring any form of user authentication. If you have the URL with the embed code at the end, you are able to view the report. That's why we say that Publish to Web is inherently insecure.

 

Power BI embedding, on the other hand, will always require authentication with Azure AD. Today, Power BI embedding requires that a specific user with enough permissions authenticate to acquire an access token. The access token is passed back to the browser for embedding when using first-party embedding and the user-owns-data model. With third-party embedding, the access token is used to call the Power BI Service API to retrieve an embed token, and it is the embed token, not the access token, which is then passed to the browser.

 

The bottom line is that Power BI embedding is secure while Publish to Web is not.

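The distinction drawn in the accepted answer can be turned into an audit check over your own web content. The following is an added example, not code from the thread or from Microsoft: it scans text for app.powerbi.com links and flags the Publish to Web form (`/view?r=...`), which works without authentication, separately from embed URLs (`/reportEmbed?reportId=...`), which still need a token. The sample HTML and function names are constructed for illustration.

```python
import html
import re
from urllib.parse import urlparse, parse_qs

# Finds app.powerbi.com links in free text (HTML, markdown, config files).
# The "/" right after ".com" keeps lookalike hosts out of the match.
_URL_RE = re.compile(r"https://app\.powerbi\.com/[^\s\"'<>)]+", re.IGNORECASE)

def classify_powerbi_url(url):
    """Return 'publish_to_web', 'embed_url' or 'other' for a URL."""
    parts = urlparse(url)
    if parts.scheme != "https" or (parts.hostname or "").lower() != "app.powerbi.com":
        return "other"
    query = parse_qs(parts.query)
    path = parts.path.rstrip("/").lower()
    if path == "/view" and query.get("r"):
        return "publish_to_web"      # embed code in the URL: anonymous access
    if path == "/reportembed" and query.get("reportId"):
        return "embed_url"           # useless without an Azure AD or embed token
    return "other"

def audit_text(text):
    """Return (line_number, kind, url) for every Power BI link in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in _URL_RE.finditer(line):
            # HTML attributes encode "&" as "&amp;"; drop trailing punctuation.
            url = html.unescape(match.group(0)).rstrip(".,;")
            findings.append((lineno, classify_powerbi_url(url), url))
    return findings

def anonymous_links(text):
    """Only the links that expose a report to anyone holding the URL."""
    return [(n, u) for n, kind, u in audit_text(text) if kind == "publish_to_web"]

# Constructed sample page; the embed code and IDs are placeholders.
SAMPLE = """<iframe src="https://app.powerbi.com/view?r=CONSTRUCTED_EMBED_CODE"></iframe>
<p>Dashboard: https://app.powerbi.com/reportEmbed?reportId=abc&amp;groupId=def</p>
<a href="https://app.powerbi.com/groups/me/list">workspace</a>
<a href="https://app.powerbi.com.example.net/view?r=x">lookalike host</a>"""

if __name__ == "__main__":
    for lineno, url in anonymous_links(SAMPLE):
        print(f"line {lineno}: anonymous Publish to Web link: {url}")
```

Links reported by `anonymous_links` are the ones to review with the Power BI administrator, since the embed code alone grants access.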

3 REPLIES
ShivendooKumar
Post Patron

Publish to web from Power BI Limitations

https://docs.microsoft.com/en-us/power-bi/service-publish-to-web#custom-visuals

 

Custom visuals

Custom visuals are supported in Publish to web. When you use Publish to web, users with whom you share your published visual do not need to enable custom visuals to view the report.

Limitations

Publish to web is supported for the vast majority of data sources and reports in the Power BI service, however, the following are not currently supported or available with Publish to web:

  • Reports using row level security.
  • Reports using any Live Connection data source, including Analysis Services Tabular hosted on-premises, Analysis Services Multidimensional, and Azure Analysis Services.
  • Reports shared to you directly or through an organizational content pack.
  • Reports in a group in which you are not an edit member.
  • "R" Visuals are not currently supported in Publish to web reports.
  • Exporting Data from visuals in a report, which has been published to the web
  • ArcGIS Maps for Power BI visuals
  • Reports containing report-level DAX measures
  • Single sign-on data query models
  • Secure confidential or proprietary information
  • The automatic authentication capability provided with the Embed option doesn't work with the Power BI JavaScript API. For the Power BI JavaScript API, use the user owns data approach to embedding. Learn more about user owns data.

Tenant setting

Power BI administrators can enable or disable the publish to web feature. They may also restrict access to specific groups.


Thanks for the clear explanation.
