Power BI Embedded Dashboards Without Authentication UI

UPDATE: An updated sample is included in the Chapter 12 source code of my “Applied Power BI” book.

One of the biggest Power BI strengths is its open architecture. In addition to opening the visualization framework, Power BI introduced REST APIs that let developers embed dashboard tiles in custom web applications (embedded reports will probably follow soon). Microsoft provided a sample application (Integrate-a-tile-into-an-app) on GitHub to demonstrate how dashboard tile embedding works. This application navigates the user to an authentication UI where the user signs in to Power BI before the application can access the user content. However, there are plenty of embedded reporting scenarios where this isn’t desirable. For example, you might have a web application that already authenticates users with Forms Authentication and you don’t want to ask the user to log in to Power BI again. Instead, you might want to pass the identity of the authenticated user to Power BI. In the more advanced (but increasingly common) scenario, you would want Power BI to pass the user identity all the way to an on-premises Analysis Services model so that data security works.

The bad news is that currently Power BI doesn’t support custom security. Custom security is on the roadmap but currently you can’t pass application users to Power BI. This isn’t as bad as it sounds. For example, if you have a limited number of users or external customers, you can register them in Power BI so that you know their Power BI usernames and passwords. For example, if my company does business with Acme1 and Acme2, I could register acme1@prologika.com and acme2@prologika.com with Power BI. Then, once the acme1 user authenticates with my web application and requests a dashboard, I can authenticate the user with acme1@prologika.com to Power BI.

The good news is that Power BI supports OAuth2 for security. OAuth2 is a very flexible security mechanism and it supports different flows via the grant_type parameter. One of the flows that it supports is the grant_type=password flow that allows you to avoid the Power BI authentication UI step if you know the user credentials. This is conceptually similar to how Basic Authentication works. The OAuth2 grant_type=password scenario is also referred to as two-leg authentication (the three-leg authentication is when the Authentication UI is involved).

To demonstrate this, I’ve made changes to the Microsoft sample app and uploaded the modified sample (attached to this blog). Configure it in Visual Studio as follows:

  1. In the application settings, change the ClientSecret, ClientID, UserName, and Password to match your setup. You obtain ClientID and ClientSecret when you register the application with Azure AD. The username and password must match the credentials of a registered Power BI user.
  2. In the application Build tab, make sure that the NOLOGIN conditional symbol exists.
  3. Right-click on the project and then click Manage NuGet packages. Download and install all referenced packages as they are not packaged with the sample to reduce size.
  4. Run the application. The “Sign in to Power BI” button should be disabled. When you click Get Dashboards, the app should be able to retrieve the dashboards on behalf of the Power BI user. From this point on, the app works as per the original sample. Again, the big difference is that the Authentication UI is not shown because you don’t need to collect the user credentials.
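
The two-leg token request that the configured sample relies on, written out as an added example (not the code from the downloadable sample or from Microsoft's sample). It assumes the ClientID, ClientSecret, UserName and Password settings are exposed as appSettings keys, and it introduces a hypothetical TenantId setting so the tenant is not hardcoded in the token URL.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.Script.Serialization;

public static class PowerBiTwoLegAuth
{
    // Resource URI that identifies the Power BI API to Azure AD.
    private const string Resource = "https://analysis.windows.net/powerbi/api";
    private static readonly HttpClient Http = new HttpClient();

    public static async Task<string> GetAccessTokenAsync()
    {
        var cfg = ConfigurationManager.AppSettings;
        // Assumption: "TenantId" is a setting added for this example so the
        // tenant is read from configuration instead of the source code.
        string tenantId = cfg["TenantId"];
        if (string.IsNullOrWhiteSpace(tenantId))
            throw new ConfigurationErrorsException("TenantId is not configured.");
        string url = "https://login.microsoftonline.com/"
                     + Uri.EscapeDataString(tenantId) + "/oauth2/token";

        // FormUrlEncodedContent percent-encodes each value, so passwords and
        // secrets containing '&', '+' or '=' reach Azure AD intact.
        var form = new Dictionary<string, string>
        {
            { "grant_type", "password" },
            { "resource", Resource },
            { "client_id", cfg["ClientID"] },
            { "client_secret", cfg["ClientSecret"] },
            { "username", cfg["UserName"] },
            { "password", cfg["Password"] }
        };

        using (var body = new FormUrlEncodedContent(form))
        using (var resp = await Http.PostAsync(url, body).ConfigureAwait(false))
        {
            string json = await resp.Content.ReadAsStringAsync().ConfigureAwait(false);
            // On failure Azure AD answers with a JSON body carrying "error" and
            // "error_description"; surface it rather than a bare 400.
            if (!resp.IsSuccessStatusCode)
                throw new InvalidOperationException(
                    "Token request failed (" + (int)resp.StatusCode + "): " + json);
            var fields = new JavaScriptSerializer()
                .Deserialize<Dictionary<string, object>>(json);
            return (string)fields["access_token"];
        }
    }
}
```

The returned token is sent as an Authorization: Bearer header on the Power BI REST calls. Accounts that require multi-factor authentication cannot obtain a token through this grant.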

Special thanks to the Power BI Team and Rui Quintino from DevScope for sharing insights. For more information about how APIs for embedded dashboard tiles work, read the “Power BI API updates roundup” blog by Lukasz Pawlowski.

In summary, the sample demonstrates how you can use OAuth2 two-leg flow to avoid authenticating the user twice and redirecting to the Power BI authentication dialog. As a disclaimer, this is not a production-ready sample (there are hardcoded links, no error handling, no refresh token flow, etc.).

Download Files
  • Vinay Ra’avi Prasad

    hello, I downloaded and tried setting this up.

    I downloaded the extra packages and verified that NOLOGIN conditional symbol exists. I keyed in my credentials into the web.config file,

    The program starts but crashes on authentication. Has something changed?

    • Prologika

      Hi Vinay,

      I ran the sample again and it ran fine. Please triple-verify your configuration settings and follow the setup steps in the book.

    • Peer Grønnerup

      Hi Vinay,

      Hope you got this working. Otherwise please note that you need to also change the tenant ID in line 35 of default.aspx.cs. This is not mentioned in the specs. above.

      Syntax should be:
      System.Net.WebRequest request = System.Net.WebRequest.Create("https://login.microsoftonline.com/[HERE GOES YOUR TENANT ID]/oauth2/token") as System.Net.HttpWebRequest;

      Use this guide to find your Tenant ID: https://support.office.com/en-us/article/Find-your-Office-365-tenant-ID-6891b561-a52d-4ade-9f39-b492285e2c9b

      Regards
      Peer

      • Prologika

        Peer is correct. Inadvertently, I hardcoded the Prologika tenant id (e7b81d0a-a949-4103-83dc-feff6277c109) in the following URL inside the two-legged call.

        System.Net.WebRequest request = System.Net.WebRequest.Create("https://login.microsoftonline.com/e7b81d0a-a949-4103-83dc-feff6277c109/oauth2/token") as System.Net.HttpWebRequest;

  • Jun Allan Parreno

    Hi, I am able to do what is described in this article using the credentials of a generic power bi service account I created. My sample integrates with SharePoint. I would like to know how to pass SharePoint credentials for OAuth2 in Power BI?

    • Prologika

      Hi Jun, not sure what you mean by passing the SharePoint credentials. I have to admit that the Power BI-SharePoint integration story has left some ground for improvement and Microsoft is working on it. Meanwhile, I recommend the DevScope Power BI Tiles for SharePoint.

      • Jun Allan Parreno

        Thanks for getting back. What I mean by passing SharePoint credentials is that the Power BI REST API requires a username and password in order for a token to be created which allows me to retrieve reports/tiles from Power BI. I use a generic Power BI service account but I want to use one based on the SharePoint user. Is my description clear now?

        • Prologika

          As far as I know, unless SharePoint uses Forms Authentication, you won’t be able to get the user password in SharePoint. I can’t think of another way but to ask the user to re-authenticate against Power BI which is what Power BI Tiles for SharePoint do.

          • Jun Allan Parreno

            Thanks for the feedback

  • Brian Pietrzak

    Hi, I have tried running the sample application to access Power BI with the REST API. I have changed the tenant id, and registered the app with Power BI. I keep getting a Bad Request (400 Error) at line 43. I am not sure if this is an issue with the settings used to register the app with Power BI or something else.

    • Prologika

      You’re following the book steps and sample in the book?

      • Brian Pietrzak

        Unfortunately, I don’t have the book. I came across the site via Google search looking for someone who has successfully authenticated to the Power BI REST service without having the application redirect to a Microsoft login page before getting access to the Power BI resources. We have successfully used the sample app provided by Microsoft and even in our own custom application, but we would always run into a login page to provide Azure AD user credentials. The solution on this page seems to address my main goal. If there are additional steps to follow I would need to get the Applied Power BI book?

        • Prologika

          Yes, the sample uses the two-leg OAuth if you know the user name and password. You don’t need to buy the book if you don’t need the steps. You can download the source code from the book page http://prologika.com/applied-microsoft-power-bi/. Take a look at Chapter 11 and especially Chapter 12. Also, if your application is external customer facing then you should consider Power BI Embedded Azure Service which was released after the book was published.

          • Brian Pietrzak

            Interesting… When I tried to register the app using http://dev.powerbi.com/apps it didn’t seem to be getting into the AzureAD. I looked using the management portal and the application wasn’t listed. When I registered the app directly using the Azure Management Portal everything seemed to work fine. What is interesting is that when I used the http://dev.powerbi.com/apps site it was returning a clientID and clientSecretKey.

  • Brian Pietrzak

    Okay, thanks! If I did make the changes to the modified Microsoft sample application that are mentioned on this page to avoid the authentication page, I am assuming it should work. Not sure why I keep getting the 400 – Bad Request error.