1. Why this is needed
To embed Power BI reports and dashboards you need to register an application in Azure Active Directory. This lets Embedportal authenticate with Power BI on your behalf using a service principal, so reports embed securely while your data stays in your Power BI workspace.
Works with: Power BI Service (Azure AD integrated).
2. Prerequisites
- An active Power BI Service tenant with the reports you want to embed.
- Azure AD admin access (to create an App Registration and grant admin consent).
- Power BI admin access (to change tenant settings).
- Workspace admin access for the workspace containing the reports.
- An Embedportal workspace (Professional or Enterprise plan).
- About 30 minutes end-to-end.
3. Register a New Application
- 01. Open Azure AD App Registrations
  Sign in to the Azure portal App Registrations blade.
- 02. Click New registration
  Name the app "atSpark Power BI Integration". This is the name Embedportal expects — matching it keeps Tableau’s admin views tidy.
- 03. Supported account types
  Select Accounts in this organizational directory only (single tenant). You’re the only org that will use this app.
- 04. Click Register
  Leave the redirect URI blank — Power BI service-principal embedding doesn’t need one.
4. Copy Application Identifiers
From the app’s Overview page in Azure AD, copy two values:
- Application (client) ID: a1b2c3d4-1234-...
- Directory (tenant) ID: 72f988bf-86f1-...
Both are GUIDs. They’re safe to copy at any time.
5. Create a Client Secret
- 01. Open Certificates & secrets
  In the Azure AD App, go to Certificates & secrets → Client secrets.
- 02. New client secret
  Description: atSpark Integration. Expiry: 24 months (recommended — longer is lazier, shorter is fiddlier).
- 03. Copy the Value (not the Secret ID)
  Azure shows two columns: Secret ID and Value. Copy the Value — that’s what goes into Embedportal’s Client Secret field.
Important: the Value is only shown once. Save it immediately.
6. Configure API Permissions
Embedportal needs read access to reports, dashboards, and datasets in your Power BI tenant.
- 01. Add permissions
  In the Azure AD app, open API permissions → Add a permission → Power BI Service. Select Delegated permissions.
- 02. Select three scopes
  Report.Read.All, Dashboard.Read.All, Dataset.Read.All
  Click Add permissions.
- 03. Grant admin consent
  Click Grant admin consent for [Your Organization] → Yes. This has to be done by an Azure AD admin.
7. Enable Service Principal in Power BI Admin Portal
Power BI rejects service-principal requests by default. A Power BI admin has to explicitly turn it on for your tenant and allowlist your app.
- 01. Open Tenant Settings
  Go to the Power BI Admin Portal → Tenant settings.
- 02. Enable two settings
  Under Developer settings:
  - Allow service principals to use Power BI APIs — add your app by Application ID.
  - Allow service principals to use read-only admin APIs — nice to have.
  Click Apply.
Note: you must be a Power BI Admin to access Tenant settings.
8. Add Service Principal to Workspace
Finally, grant the service principal access to the workspace that holds the reports you want to embed.
- 01. Open the workspace
  In Power BI, open the workspace containing the reports.
- 02. Access → Add people
  Search for your app name, "atSpark Power BI Integration".
- 03. Grant Viewer or Member
  Viewer is enough for embedding. Member is only needed if Embedportal should create or modify content on your behalf.
9. Fields you’ll fill in Embedportal
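The Power BI connection form collects three values:
- Client ID: the Application (client) ID from the app’s Overview page.
- Tenant ID: the Directory (tenant) ID from the app’s Overview page.
- Client Secret: the secret Value copied in section 5 (not the Secret ID).
Click Save & Test Connection. Embedportal will call the Power BI REST API, fetch your workspace list, and show a green confirmation. You’re connected.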
10. Row-level security
Define RLS roles in your Power BI dataset (Power BI Desktop or the service), then turn on RLS for the dashboard in Embedportal. Embedportal forwards the viewer’s tenant, region, role or custom attributes as Effective Identities on the embed token, and Power BI applies the matching role at query time.
For the full setup across vendors, see: Row-level security for embedded dashboards.
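The effective-identity step described above, as an added example (not Embedportal's code): it builds the request body for the Power BI `GenerateToken` REST call from a server-side session record and fails closed when the viewer has no permitted RLS role. The role names, the session shape and the function name are assumptions made for illustration.

```python
# Assumption: RLS role names defined in the dataset (hypothetical).
ALLOWED_ROLES = {"TenantViewer", "RegionManager"}
# The FAQ on this page says Embedportal typically issues 30-minute tokens.
TOKEN_LIFETIME_MINUTES = 30


def build_embed_token_request(session, report_id, dataset_id, anonymous=False):
    """Return the JSON body for POST https://api.powerbi.com/v1.0/myorg/GenerateToken.

    `session` is the server-side record of the authenticated viewer
    (hypothetical shape: {"user": str, "roles": [str], "tenant": str}).
    Nothing is taken from browser-supplied parameters.
    """
    body = {
        "reports": [{"id": report_id}],
        "datasets": [{"id": dataset_id}],
        "lifetimeInMinutes": TOKEN_LIFETIME_MINUTES,
    }
    if anonymous:
        # Anonymous mode: no effective identity, every viewer sees the same data.
        return body

    # Keep only roles that exist in the dataset; drop anything else silently.
    roles = [r for r in session.get("roles", []) if r in ALLOWED_ROLES]
    if not session.get("user") or not roles:
        # Fail closed: never fall back to a token without an identity.
        raise PermissionError("viewer has no identity or no permitted RLS role")

    identity = {
        "username": session["user"],
        "roles": roles,
        "datasets": [dataset_id],
    }
    if session.get("tenant"):
        # Optional attribute forwarded as customData for use in role filters.
        identity["customData"] = session["tenant"]
    body["identities"] = [identity]
    return body
```

The caller sends this body with the service principal's access token; the report and dataset IDs come from the workspace, not from the viewer.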
11. Security best practices
- Rotate the client secret every 24 months at minimum.
- Grant the service principal Viewer on the workspace, not Member, unless you need write access.
- Do not grant the app broader Microsoft Graph permissions — only Power BI Service scopes.
- Monitor service-principal usage in Azure AD audit logs and Power BI activity logs.
- If the Client Secret leaks, delete it in Azure AD and create a new one; Embedportal can be updated in under a minute.
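A check for the secret-rotation and permission-scope items above, as an added example (not Embedportal's or Microsoft's code): it audits an app registration exported with `az ad app show --id <app-id>`, flagging secrets that are expired, close to expiry, or issued for longer than 24 months, and any API permission requested on a resource other than Power BI Service. The sample JSON, its scope IDs and the 30-day warning window are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

POWER_BI_SERVICE = "00000009-0000-0000-c000-000000000000"  # Power BI Service resource app ID
MAX_LIFETIME = timedelta(days=731)  # 24 months, allowing for one leap day
WARN_BEFORE = timedelta(days=30)    # assumption: how early to warn before expiry

# Constructed sample shaped like the application object `az ad app show` returns.
SAMPLE_APP = json.loads("""
{
  "passwordCredentials": [
    {"displayName": "atSpark Integration",
     "startDateTime": "2024-03-01T00:00:00Z", "endDateTime": "2026-03-01T00:00:00Z"},
    {"displayName": "old-test-secret",
     "startDateTime": "2022-01-01T00:00:00Z", "endDateTime": "2027-01-01T00:00:00Z"}
  ],
  "requiredResourceAccess": [
    {"resourceAppId": "00000009-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "constructed-scope-id-1", "type": "Scope"}]},
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "constructed-scope-id-2", "type": "Scope"}]}
  ]
}
""")

def _ts(value):
    # Timestamps end in "Z"; normalise so fromisoformat accepts them everywhere.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_app(app, now):
    """Return a list of findings for one app registration."""
    findings = []
    for cred in app.get("passwordCredentials", []):
        name = cred.get("displayName") or "(unnamed)"
        start, end = _ts(cred["startDateTime"]), _ts(cred["endDateTime"])
        if end <= now:
            findings.append(f"secret '{name}': expired, delete it")
        elif end - now <= WARN_BEFORE:
            findings.append(f"secret '{name}': expires within 30 days, rotate")
        if end - start > MAX_LIFETIME:
            findings.append(f"secret '{name}': lifetime exceeds 24 months")
    for res in app.get("requiredResourceAccess", []):
        rid = res["resourceAppId"]
        if rid != POWER_BI_SERVICE:
            findings.append(f"permission requested on non-Power BI resource {rid}")
    return findings
```

Run it on a schedule with `audit_app(app, datetime.now(timezone.utc))` and alert on any non-empty result.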
12. Troubleshooting
- 401 unauthorized — Client Secret doesn’t match. Check you copied the Value, not the Secret ID.
- 403 forbidden — service principals aren’t enabled in Power BI Tenant settings, or your app isn’t on the allowlist.
- Workspace list is empty — the service principal hasn’t been added to any workspace. Add it as Viewer.
- Report loads blank — the dataset is using a personal connection; change it to a gateway or import to make it accessible via the service principal.
- “This report is embedded but you don’t have access” — the service principal needs workspace access, but for datasets it may also need Build permissions explicitly.
- Admin consent fails — you need to be an Azure AD Global Admin or Privileged Role Admin to grant tenant-wide consent.
13. FAQ
Do I need Power BI Premium to embed?
For prototyping, a Power BI Pro licence on the owning user is enough. For production multi-tenant embeds with meaningful traffic, Microsoft recommends Premium Per User or a Premium capacity to avoid rate limits.
Why a service principal instead of a personal Power BI login?
Service principals are app identities — not tied to humans. They survive employee turnover, don’t require MFA, don’t break when someone changes roles, and are the Microsoft-recommended path for embedded scenarios.
What if my Azure AD admin won’t grant admin consent?
Admin consent is required for the delegated Power BI permissions at tenant level. If that’s a blocker, the alternative is per-user consent — but it doesn’t scale to production and isn’t recommended.
Can I embed Power BI reports without users logging in?
Yes — register the dashboard in Embedportal with Anonymous mode. Embedportal still signs the Power BI embed token but with no RLS claims, so every viewer sees the same data.
Where do the Client ID and Tenant ID come from?
Both are on the Overview tab of your Azure AD App Registration. Application (client) ID → Client ID field. Directory (tenant) ID → Tenant ID field.
How long is a Power BI embed token valid for?
Power BI embed tokens can live up to 60 minutes. Embedportal typically issues 30-minute tokens and refreshes before expiry.