Embed a report with token-based identity (SSO)
APPLIES TO: App owns data User owns data
Token-based identity allows an ISV to use a Microsoft Entra access token to pass the identity of a customer to an Azure SQL database managed in the customer's tenant.
ISV customers that keep and manage their data in Azure SQL Database can keep their data secure in their tenant when integrating with Power BI Embedded in the ISV app.
When generating the embed token, specify the identity of the user in Azure SQL by passing that user's Microsoft Entra access token for the Azure SQL server. The access token is then used to pull only the relevant data for that user from Azure SQL, for that specific session.
Set up token-based identity
Token-based identity works only for DirectQuery models on a capacity connected to an Azure SQL Database that's configured to allow Microsoft Entra authentication. To use a token-based identity, the semantic model's data source must be configured to use end users' OAuth2 credentials. Learn more about Microsoft Entra authentication for Azure SQL Database.
From the Power BI portal, select Semantic model > More Options (three dots) > Settings > Data source credentials > Edit credentials.
Check the OAuth2 option box.
Generate an identity token
To create an access token for Azure SQL, the app must have the Access Azure SQL DB and Data Warehouse delegated permission for the Azure SQL Database API in the Microsoft Entra app registration configuration in the Azure portal.
Authenticate and acquire a token for the user from the Azure AD v2 endpoint for the following scope: https://database.windows.net/.default
See the following MSAL code samples for help:
- Code samples for Microsoft identity platform authentication and authorization - Microsoft Entra | Microsoft Learn
- Microsoft identity platform and OAuth 2.0 authorization code flow
Generate embed token
To embed a report with token-based identity, generate an embed token that contains the token-based identity of the desired ISV user. See the following examples for generating embed tokens for different scenarios.
- Power BI report with SSO
- Paginated report with SSO
- Power BI report with SSO and RLS on the semantic model
- Paginated report connected to Power BI semantic model with RLS, and SSO data source that is connected with DirectQuery to another Power BI dataset
{
    "datasets": [
        {
            "id": "66ba5010-xxxx-xxxx-xxxx-f2bf0125abeb"
        }
    ],
    "reports": [
        {
            "allowEdit": false,
            "id": "9e6da541-xxxx-xxxx-xxxx-7d9442827cce"
        }
    ],
    "datasourceIdentities": [
        {
            "identityBlob": "eyJ…",
            "datasources": [
                {
                    "datasourceType": "Sql",
                    "connectionDetails": {
                        "server": "YourServerName.database.windows.net",
                        "database": "YourDataBaseName"
                    }
                }
            ]
        }
    ]
}
The following example shows an embedded Power BI report with SSO and RLS applied to the dataset: