Securely sharing Power BI reports with external users: difficult process

Question

We have some Power BI reports that we would like to share outside the organisation, but with named users only. We are fortunate to have Premium Capacity, so we can use the Secure Embed functionality to authenticate those users’ own email addresses with our organisation as guests (sharing publicly via Publish to Web is not an option for this content). Specifically, we’re following the planned invite instructions.

This process works for some external users, but we have two problems:

1. Users who use domains that Microsoft considers personal, e.g. Gmail.com, Outlook.com, are forced to register with an organisational account. The quick start example doesn’t mention this. Some are unwilling to do so, as they legitimately wish to continue using their preferred provider to access content from our organisation. In addition, this request makes an already suspicious-looking process look even more like phishing. We provide instructions before sending the invitations, but are finding that some users still baulk at jumping through all the hoops.
2. Some organisations have blocked this kind of sharing altogether, making it difficult to securely share any content at all through the Power BI Service. Users receive the following error when they accept the invitation: “Your network administrator has blocked access. External access is blocked by policy. Contact your IT department for access.”

So even after committing to Premium Capacity, we’re running into these kinds of hurdles to sharing outside of the organisation. Has anyone else managed to find an effective way to easily and securely share their PBI content externally? For instance, is there any way to pre-approve users so that an invite to view a report ‘just works’? The planned invite process requires going through the whole consent experience, with the issues noted above. Are there configuration options in Azure or Power BI that we should be considering?

With thanks, Drew

Answer 1

This quick start guide explains how to invite an external user to your organization Azure Active Directory (AAD). It has nothing to do with Power BI, that's why it doesn't mention anything about it. However if you look at the section Supported email addresses in Power BI's documentation, you will see that it requires business or school e-mail address.

Sharing reports is Pro feature, i.e. both the author and the consumer must have Power BI Pro licenses. What Power BI Premium (P SKUs) gives you, is the option to share a report, when the consumer has Power BI Free license, but he still must have a license (although it is free). This means that the consumer still need to sign up for Power BI, i.e. he needs a business or school e-mail address.

To be able to avoid the hassle, you should use a different way to share the reports. The best way is to build a web application, where you can authenticate your users the way you want and let them use their gmail, outlook, whatever e-mail address. Then your app will decide which reports should be available for the currently logged user and embed them in the application. In other words, all authentication and authorization processes are left up to you. However this method require programming skills. To find out how this can be done, start from here:

Tutorial: Embed a Power BI report in an application for your customers

Basically, you will use a single user account or service principal to authenticate your app against Power BI and this will eliminate the need for your end users to have Power BI licenses at all.