Can someone share datasets in PowerBI across different service principle profiles?

Question

We would like to expose some datasets that are common for all customers and could be imported into their powerbi reports across different workspaces.

We have a design where we use one service principle profile per customer. This in provides securoty around isolating the data of each customer. Is there any way (using service principle profiles) to be able to support the sharing of some common data across workspaces?

Answer 1

Is there any way (using service principal profiles) to be able to support the sharing of some common data across workspaces?

Yes, you can create a security group in Azure AD and add all the service principals that are modelled to your customers in that group and then provide that security group access to your workspace by adding the group as with required permissions on the workspace where the shared dataset exists. If you want to give access to individual service principals, you can do that too.
Your customers can then use the SP’s client ID, Tenant ID and Secret to access the dataset via their app in the browser or even by calling the data via PowerShell. You can directly share your dataset with the security group containing your Service principals.

1. Created a security group in Azure AD and added my service principal to the group: -

2. Power BI settings:-

Go to app.powerbi.com Log in to your Power BI workspace > click on Settings > Admin Portal > Tenant Settings > Developer Settings > Allow service principals to use Power BI API’s Enable > and then provide access to your security group

3. There are 2 ways you can share your data with the Service principal

1. Sharing directly

By directly sharing the workspace dataset with the Security group where the service principals exist.

2. Access permissions on workspace
Provide Access to the workspace so the sp’s can access data set directly via their app or call the workspace via Power shell.

Go to your workspace > Select your data and click on … dots > Manage permissions > Grant people access > Select your Power BI Embed group

You can change the read write permissions later >

Calling Dataset via Application -
Now, We can call this Dataset from our application by adding the Authentication to Service principal and adding the SP’s Client ID, Tenant ID, Client Secret etc. You can refer this document :-
https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-organization-app

Authentication Code :

This method gets called by the runtime. Use this method to add services to the container.

public void ConfigureServices (IServiceCollection services) {

  services
    .AddMicrosoftIdentityWebAppAuthentication(Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi(PowerBiServiceApi.RequiredScopes)
    .AddInMemoryTokenCaches();

  services.AddScoped (typeof (PowerBiServiceApi));

  var mvcBuilder = services.AddControllersWithViews (options => {
    var policy = new AuthorizationPolicyBuilder()
      .RequireAuthenticatedUser()
      .Build();
    options.Filters.Add (new AuthorizeFilter (policy));
  });

  mvcBuilder.AddMicrosoftIdentityUI();

  services.AddRazorPages();

}

app.settings:

{
"AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "xxxx.onmicrosoft.com",
    "TenantId": "xxxxxxxxxxxxx",
    "ClientId": "xxxxxxxxxxxxx",
    "ClientSecret": "xxxxxxxx",
    "CallbackPath": "/signin-oidc",
    "SignedOutCallbackPath": "/signout-callback-oidc"
},
"PowerBi": {
    "ServiceRootUrl": "https://api.powerbi.com"
},
"Logging": {
    "LogLevel": {
        "Default": "Information",
        "Microsoft": "Warning",
        "Microsoft.Hosting.Lifetime": "Information"
    }
},
"AllowedHosts": "*"
}

Controller.cs

    private PowerBiServiceApi powerBiServiceApi;

    public HomeController (PowerBiServiceApi powerBiServiceApi) {
        this.powerBiServiceApi = powerBiServiceApi;
    }

    [AllowAnonymous]
    public IActionResult Index() {
        return View();
    }

    public async Task<IActionResult> Embed() {
        Guid workspaceId = new Guid("11111111-1111-1111-1111-111111111111");
        Guid reportId = new Guid("22222222-2222-2222-2222-222222222222");
        var viewModel = await powerBiServiceApi.GetReport(workspaceId, reportId);
        return View(viewModel);
    }

    [AllowAnonymous]
    [ResponseCache (Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
    public IActionResult Error() {
        return View (new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
    }
}

Embed your powerbi data set with JS

$(function(){
// 1 - Get DOM object for div that is report container
let reportContainer = document.getElementById("embed-container");

// 2 - Get report embedding data from view model
let reportId = window.viewModel.reportId;
let embedUrl = window.viewModel.embedUrl;
let token = window.viewModel.token

// 3 - Embed report using the Power BI JavaScript API.
let models = window['powerbi-client'].models;
let config = {
    type: 'report',
    id: reportId,
    embedUrl: embedUrl,
    accessToken: token,
    permissions: models.Permissions.All,
    tokenType: models.TokenType.Aad,
    viewMode: models.ViewMode.View,
    settings: {
        panes: {
            filters: { expanded: false, visible: true },
            pageNavigation: { visible: false }
        }
    }
};

// Embed the report and display it within the div container.
let report = powerbi.embed(reportContainer, config);

Add such codes depending on the framework of your customer’s App and run the app to access the Power BI data.

Accessing PowerBI workspace with Powershell -
Refer the document here :- https://learn.microsoft.com/en-us/powershell/module/microsoftpowerbimgmt.profile/connect-powerbiserviceaccount?view=powerbi-ps

Powershell commands :-
Install PowerBI Powershell module -

Install-Module -Name MicrosoftPowerBIMgmt

Connect to PowerBI SP -

Connect-PowerBIServiceAccount -ServicePrincipal -Credential (Get-Credential) -Tenant 83331f4e-7f45-4ce4-99ed-af9038592395

In the User name enter the App Id of the SP and in Password add the secret that was created for the SP during app registration.

connected to PowerBI successfully :-

Get the workspace -

   Get-PowerBIWorkspace

Reference :-

• https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal

• https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-organization-app