Phoenix
Power BI Embed Demo
Explore enterprise-ready Power BI embedding patterns, marketing-ready assets, and a full walkthrough of the Phoenix Dataworks demo.

Power BI Embed Proof of Concept

Explore four key embedding scenarios with the Power BI JavaScript SDK

Create New Report

Create a new Power BI report from scratch using an existing dataset/data model.

Key Features:

Connect to existing datasets

Use report authoring tools

Add visualizations

Save to workspace

Edit Existing Report

Load and edit an existing Power BI report with full editing capabilities.

Key Features:

Load existing reports

Modify visualizations

Change data bindings

Save changes

Semantic Models

View and manage semantic models (datasets) in your workspace.

Key Features:

Browse semantic models

Refresh data

View model details

Open in Power BI

Paginated Reports

Create and edit paginated reports (RDL) with export capabilities.

Key Features:

View paginated reports

Set parameters

Export to PDF/Excel

Print-ready layouts

How the System Works

This demo uses a secure, enterprise-ready architecture for embedding Power BI reports. The system follows a three-step process: authentication, token generation, and embedding with API controls.

The application uses Azure AD service principal authentication for secure, server-side access to Power BI resources.

  • Azure AD App Registration

    Registered application in Azure AD with Power BI API permissions (Dataset.ReadWrite.All, Report.ReadWrite.All)

  • Service Principal Authentication

    Uses client credentials flow (client ID + secret) for server-side authentication without user interaction

  • MSAL Integration

    Microsoft Authentication Library (MSAL) handles token acquisition and caching automatically

  • Workspace Access

    Service principal must be added as member/admin to Power BI workspaces for resource access

Environment Variables Required:
- AZURE_CLIENT_ID
- AZURE_CLIENT_SECRET
- AZURE_TENANT_ID
- POWER_BI_SCOPE

The backend generates embed tokens with specific permissions and parameters based on the embedding scenario.

Token Generation Flow:
  • 1. Client Request

    Frontend requests embed config via API route (e.g., /api/reports/[id]/embed)

  • 2. Access Token

    Backend obtains Azure AD access token using service principal credentials

  • 3. Embed Token

    Backend calls Power BI REST API GenerateToken endpoint with report/dataset IDs and permissions

  • 4. Return Config

    Backend returns embed URL, token, and settings to frontend

Permission Levels:
View
Read-only access for viewing reports
Edit
Full editing capabilities (modify visuals, data bindings, save changes)
Create
Create new reports from scratch using existing datasets
Token Parameters:
{
  reports: [{ id: "report-id" }],
  datasets: [{ id: "dataset-id" }],
  preferredEmbedTokenVersion: "V2",
  accessLevel: "view" | "edit" | "create"
}

Once the embed token is received, the frontend uses the Power BI JavaScript SDK to embed the report and exposes UI controls for interacting with the embedded content.

Embedding Process:
  • Power BI SDK Initialization

    Initialize powerbi.embed() with embed URL, access token, and configuration settings

  • Report Rendering

    SDK creates iframe and loads Power BI report in specified container element

  • Event Listeners

    Subscribe to events: 'loaded', 'error', 'saved', 'dataSelected', 'pageChanged'

  • UI Controls

    Expose buttons and controls that call SDK methods (save, refresh, print, export)

Available API Controls:
Save Report
report.save() - Persist changes to Power BI workspace
Refresh Data
report.refresh() - Refresh dataset and reload visuals
Print Report
report.print() - Open browser print dialog
Export Report
report.export() - Export to PDF/Excel/Word formats
Set Parameters
report.setParameters() - Update paginated report parameters
Example Code:
const report = powerbi.embed(container, {
  type: 'report',
  id: reportId,
  embedUrl: embedUrl,
  accessToken: accessToken,
  permissions: Permissions.All,
  viewMode: ViewMode.Edit
});

// Expose UI controls
report.on('loaded', () => {
  // Enable save button
  saveButton.onclick = () => report.save();
});

Row-Level Security (RLS) enables data filtering at the dataset level based on user identity, ensuring users only see data they're authorized to access. This is critical for multi-tenant scenarios and data governance.

How RLS Works:
  • 1. Dataset RLS Configuration

    RLS rules are defined in Power BI dataset using DAX expressions (e.g., [Region] = USERNAME())

  • 2. Identity Resolution

    Frontend passes user identity (username/roles) via HTTP headers (x-pbi-username, x-pbi-roles)

  • 3. Token Generation

    Backend includes identities array in GenerateToken request to Power BI REST API

  • 4. Data Filtering

    Power BI applies RLS rules when rendering report, filtering data based on embedded identity

RLS Components:
Username-Based RLS
Filter data using USERNAME() DAX function. Example: [SalesRep] = USERNAME()
Role-Based RLS
Filter data using USERROLE() DAX function. Example: USERROLE() = "Manager"
Dynamic RLS
Combine username and roles for complex filtering scenarios
Identity Format:
{
  identities: [{
    username: "[email protected]",
    roles: ["Sales", "Manager"],
    datasets: ["dataset-id"]
  }]
}
Implementation Example:
// Frontend: Pass identity in request headers
const response = await fetch('/api/paginated-reports/[id]/embed', {
  headers: {
    'x-pbi-username': '[email protected]',
    'x-pbi-roles': 'Sales,Manager'
  }
});

// Backend: Resolve identities from headers
const identities = resolvePaginatedIdentities(request);
// Returns: [{ username: '[email protected]', roles: ['Sales', 'Manager'] }]

// Backend: Include in token generation
const embedToken = await authService.generatePaginatedReportEmbedToken(
  reportId,
  workspaceId,
  datasetId,
  { identities }
);

// Power BI: Applies RLS rules based on identity
// Dataset DAX: [Region] = USERNAME() OR USERROLE() = "Manager"
Important Notes:
  • RLS is dataset-level

    RLS rules must be configured in the Power BI dataset, not the report

  • Service Principal Context

    When using service principal, identities must be explicitly passed in embed token - Power BI cannot infer user context

  • Paginated Reports

    RLS is especially important for paginated reports which query datasets directly via XMLA

  • Testing RLS

    Use Power BI Desktop to test RLS rules with View As before deploying to service

Technical Implementation
Backend Technologies:
Next.js API Routes
Azure AD
Power BI REST API
MSAL
Frontend Technologies:
React
Power BI JavaScript SDK
Material-UI
Axios
Prerequisites:

• Azure AD application with Power BI permissions
• Power BI workspace with premium capacity or Pro license
• Sample datasets and reports in your workspace
• Environment variables configured in Vercel for API calls