Why this is needed
To embed Power BI reports and dashboards you need to register an application in Azure Active Directory. This lets Embedportal authenticate with Power BI on your behalf using a service principal, so reports embed securely while your data stays in your Power BI workspace.
works with — Power BI Service (Azure AD integrated).
Prerequisites
- An active Power BI Service tenant with the reports you want to embed.
- Azure AD admin access (to create an App Registration and grant admin consent).
- Power BI admin access (to change tenant settings).
- Workspace admin access for the workspace containing the reports.
- An Embedportal workspace (Professional or Enterprise plan).
- About 30 minutes end-to-end.
Register a New Application
- Open Azure AD App Registrations.
- Click New registration. Name the app
atSpark Power BI Integration— this is the name Embedportal expects. - Supported account types: Accounts in this organizational directory only (single tenant).
- Click Register. Leave the redirect URI blank — service-principal embedding doesn’t need one.
Copy Application Identifiers
From the app’s Overview page in Azure AD, copy two values:
| In Azure AD | In Embedportal | Example |
|---|---|---|
| Application (client) ID | Client ID field | a1b2c3d4-1234-... |
| Directory (tenant) ID | Tenant ID field | 72f988bf-86f1-... |
Both are GUIDs. They’re safe to copy at any time.
Create a Client Secret
- In the Azure AD App, go to Certificates & secrets → Client secrets.
- Click New client secret. Description:
atSpark Integration. Expiry: 24 months (recommended — longer is lazier, shorter is fiddlier). - Azure shows two columns: Secret ID and Value. Copy the Value — that’s what goes into Embedportal’s Client Secret field.
important — the Value is only shown once. Save it immediately.
Configure API Permissions
Embedportal needs read access to reports, dashboards, and datasets in your Power BI tenant.
- In the Azure AD app, open API permissions → Add a permission → Power BI Service. Select Delegated permissions.
- Select three scopes:
Report.Read.AllDashboard.Read.AllDataset.Read.All
- Click Add permissions.
- Click Grant admin consent for [Your Organization] → Yes. This has to be done by an Azure AD admin.
Enable Service Principal in Power BI Admin Portal
Power BI rejects service-principal requests by default. A Power BI admin has to explicitly turn it on for your tenant and allowlist your app.
- Go to the Power BI Admin Portal → Tenant settings.
- Under Developer settings, enable:
- Allow service principals to use Power BI APIs — add your app by Application ID.
- Allow service principals to use read-only admin APIs — nice to have.
- Click Apply.
you must be a Power BI Admin to access Tenant settings.
Add Service Principal to Workspace
Finally, grant the service principal access to the workspace that holds the reports you want to embed.
- In Power BI, open the workspace containing the reports.
- Click Access → Add people. Search for your app name
atSpark Power BI Integration. - Grant Viewer (enough for embedding) or Member (only if Embedportal should create or modify content on your behalf).
Fields you’ll fill in Embedportal
The Power BI connection form collects three values:
| Field | Source | Required |
|---|---|---|
| Client ID | Azure AD App → Overview → Application (client) ID | Yes |
| Tenant ID | Azure AD App → Overview → Directory (tenant) ID | Yes |
| Client Secret | Azure AD App → Certificates & secrets → Value column | Yes |
Click Save & Test Connection. Embedportal will call the Power BI REST API, fetch your workspace list, and show a green confirmation. You’re connected.
Row-level security
Define RLS roles in your Power BI dataset (Power BI Desktop or the service), then turn on RLS for the dashboard in Embedportal. Embedportal forwards the viewer’s tenant, region, role or custom attributes as Effective Identities on the embed token, and Power BI applies the matching role at query time.
For the full setup across vendors, see: Row-level security for embedded dashboards.
Security best practices
- Rotate the client secret every 24 months at minimum.
- Grant the service principal Viewer on the workspace, not Member, unless you need write access.
- Do not grant the app broader Microsoft Graph permissions — only Power BI Service scopes.
- Monitor service-principal usage in Azure AD audit logs and Power BI activity logs.
- If the Client Secret leaks, delete it in Azure AD and create a new one; Embedportal can be updated in under a minute.
Troubleshooting
- 401 unauthorized — Client Secret doesn’t match. Check you copied the Value, not the Secret ID.
- 403 forbidden — service principals aren’t enabled in Power BI Tenant settings, or your app isn’t on the allowlist.
- Workspace list is empty — the service principal hasn’t been added to any workspace. Add it as Viewer.
- Report loads blank — the dataset is using a personal connection; change it to a gateway or import to make it accessible via the service principal.
- “This report is embedded but you don’t have access” — the service principal needs workspace access, but for datasets it may also need Build permissions explicitly.
- Admin consent fails — you need to be an Azure AD Global Admin or Privileged Role Admin to grant tenant-wide consent.
13. FAQ
Do I need a Power BI Premium capacity to embed?
Technically no — service-principal embedding works with a Power BI Pro licence on the owning user. For production embedded workloads with multiple tenants or heavy concurrent use, Microsoft recommends a Power BI Premium Per User licence or a Premium capacity to avoid rate limits.
Why do I need a service principal instead of a personal account?
A service principal is an Azure AD identity tied to an app, not a human. It doesn't break when employees leave, doesn't require MFA, and gives Embedportal an auditable, scoped identity for every embed call. Power BI explicitly supports service principals for embedded scenarios.
Where do I find the Tenant ID and Client ID?
Both appear on the Overview tab of your Azure AD App Registration: Application (client) ID is the Client ID and Directory (tenant) ID is the Tenant ID. Paste each into the matching Embedportal field.
What permissions does the service principal need?
The minimum delegated permissions are Report.Read.All, Dashboard.Read.All and Dataset.Read.All, all under Power BI Service. Grant admin consent for the full tenant after adding them.
Can I use row-level security with Power BI embeds?
Yes. Define RLS roles in your Power BI dataset, then enable RLS on the dashboard in Embedportal. Embedportal passes the viewer's attributes as Effective Identities on the embed token, and Power BI applies the matching role at query time.
How often should I rotate the client secret?
Rotate every 24 months at a minimum, and immediately if the secret is exposed. Azure AD lets you add a new secret before deleting the old one so there's no downtime during rotation.
Ready to embed?
Start on Professional with a 14-day free trial — no credit card, unlimited dashboards and users.