Description
We should embed Power BI reports securely in our Django/React site, so that only logged-in users can see them and the report's underlying URL cannot be shared publicly.
The recommended and most secure approach for this is using Power BI Embedded with the "App Owns Data" scenario, where the Django backend is responsible for all the security and token generation.
How to Securely Embed the Report
The key to preventing unauthorized sharing is to use a secure, short-lived Embed Token generated by our Django backend, rather than directly embedding the report's static URL.
- Backend: Django (Security and Token Generation)
Our Django backend will serve as the gatekeeper and the middleman between our React frontend and the Power BI service.
Authentication Check: Implement a Django view that first verifies the user's logged-in status (using Django's authentication system). If the user is not logged in, the request is denied.
Generate Embed Token: If the user is authenticated, the Django view makes a server-to-server call to the Power BI REST API to generate a short-lived, report-specific Embed Token.
This API call uses a Service Principal (an application identity in Azure AD) or a Master User account to authenticate with Power BI.
The token is generated with a limited expiry time (e.g., 60 minutes) and is tied to a specific report and workspace.
Respond with Parameters: The Django view returns the following data to the React frontend:
- The Embed URL for the report.
- The Report ID.
- The generated, secure Embed Token.
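The three backend steps above, as an added example written for this issue (it is not code from this project or from Microsoft's SDK): a framework-neutral Python module that checks the caller is authenticated, obtains a service-principal token from Entra ID with the client-credentials grant, reads the report's embed URL, mints a View-only embed token with a 60-minute lifetime, and returns only the embed URL, report ID and embed token. The helper names, the injected `http_json` transport, `fake_powerbi_transport`, and every ID and token value in `SAMPLE_ENV` and the stub are constructed for the example; the endpoints and request fields are the public Power BI REST API and Entra ID ones. In Django the view body would be `embed_view(request.user.is_authenticated, os.environ)` with the default transport.

```python
"""Server-side "App Owns Data" embed flow (added example, not project code).

Constructed for illustration: helper names, the injected transport,
fake_powerbi_transport and the sample IDs/tokens below. Endpoints and body
fields are the public Power BI REST API / Entra ID ones.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional

POWERBI_SCOPE = "https://analysis.windows.net/powerbi/api/.default"
POWERBI_API = "https://api.powerbi.com/v1.0/myorg"
EMBED_TOKEN_LIFETIME_MINUTES = 60  # short-lived: limits the value of a leaked token

# Transport signature: (method, url, headers, body bytes or None) -> parsed JSON.
HttpJson = Callable[[str, str, dict, Optional[bytes]], dict]


def urllib_http_json(method, url, headers, body):
    """Default transport using only the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode())


def acquire_aad_token(tenant_id, client_id, client_secret, http_json=urllib_http_json):
    """OAuth2 client-credentials grant for the service principal.
    This token carries Power BI API rights and must never reach the browser."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": POWERBI_SCOPE,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return http_json("POST", url, headers, form)["access_token"]


def build_embed_config(aad_token, workspace_id, report_id,
                       http_json=urllib_http_json,
                       lifetime_minutes=EMBED_TOKEN_LIFETIME_MINUTES):
    """Look up the report's embed URL and mint a View-only embed token for it."""
    auth = {"Authorization": f"Bearer {aad_token}", "Content-Type": "application/json"}
    report_url = f"{POWERBI_API}/groups/{workspace_id}/reports/{report_id}"
    report = http_json("GET", report_url, auth, None)
    token_body = json.dumps({"accessLevel": "View",
                             "lifetimeInMinutes": lifetime_minutes}).encode()
    token = http_json("POST", f"{report_url}/GenerateToken", auth, token_body)
    # Only these fields go to the client; the AAD token stays server-side.
    return {
        "embedUrl": report["embedUrl"],
        "reportId": report["id"],
        "accessToken": token["token"],
        "expiration": token["expiration"],  # lets the frontend refresh in time
    }


def embed_view(user_is_authenticated, env, http_json=urllib_http_json):
    """Framework-neutral equivalent of the Django view: returns (status, payload)."""
    if not user_is_authenticated:
        return 401, {"detail": "Authentication required"}
    aad = acquire_aad_token(env["POWERBI_TENANT_ID"], env["POWERBI_CLIENT_ID"],
                            env["POWERBI_CLIENT_SECRET"], http_json)
    cfg = build_embed_config(aad, env["POWERBI_WORKSPACE_ID"],
                             env["POWERBI_REPORT_ID"], http_json)
    return 200, cfg


# Constructed sample settings (placeholders, not real tenant values).
SAMPLE_ENV = {
    "POWERBI_TENANT_ID": "tenant-0001",
    "POWERBI_CLIENT_ID": "client-0001",
    "POWERBI_CLIENT_SECRET": "secret-placeholder",
    "POWERBI_WORKSPACE_ID": "ws-0001",
    "POWERBI_REPORT_ID": "rep-0001",
}


def fake_powerbi_transport(method, url, headers, body):
    """Constructed stand-in for Entra ID and Power BI so the flow runs offline.
    It enforces what the real services would: a bearer token on API calls."""
    if url.endswith("/oauth2/v2.0/token"):
        assert b"grant_type=client_credentials" in body
        return {"access_token": "AAD-TOKEN-SAMPLE", "expires_in": 3599}
    if headers.get("Authorization") != "Bearer AAD-TOKEN-SAMPLE":
        raise PermissionError("missing service-principal token")
    if method == "GET" and url.endswith("/reports/rep-0001"):
        return {"id": "rep-0001",
                "embedUrl": "https://app.powerbi.com/reportEmbed?reportId=rep-0001"}
    if method == "POST" and url.endswith("/reports/rep-0001/GenerateToken"):
        assert json.loads(body)["accessLevel"] == "View"
        return {"token": "EMBED-TOKEN-SAMPLE", "tokenId": "tid-0001",
                "expiration": "2030-01-01T01:00:00Z"}
    raise ValueError(f"unexpected call {method} {url}")


if __name__ == "__main__":
    print(embed_view(False, SAMPLE_ENV, fake_powerbi_transport))
    print(embed_view(True, SAMPLE_ENV, fake_powerbi_transport))
```

The payload deliberately contains no workspace ID, client secret or AAD access token, so the only credential the browser ever holds is the View-only embed token with the configured lifetime; the `expiration` field is included so the React side can request a fresh token before the current one lapses instead of caching it.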
- Frontend: React (Rendering the Report)
The React frontend handles the actual display but never has the permanent, shareable Power BI URL.
Fetch Embed Data: When the page loads, the React component makes an authenticated AJAX request to our secure Django endpoint to get the embed parameters (URL, ID, Token).
Conditional Rendering: The component should only proceed with embedding if the data, including the valid token, is received.
Embed Report: Use the powerbi-client-react library to render the report using the received embedUrl, id and, crucially, the accessToken (the Embed Token).
Why this prevents sharing the URL
The security lies in the Embed Token:
Short-Lived: If a logged-in user copies the final URL they see in their browser's developer tools, the associated Embed Token will expire quickly (e.g., within an hour).
Report-Specific: The token only works for that specific report.
No Direct Power BI Access: The embed URL itself is useless without the accompanying, server-generated Embed Token. The original, permanent Power BI Service URL is never exposed to the client.
If a logged-in user shares the page's URL, an unauthenticated user who clicks it will be stopped by the Django view's authentication check and will not be able to get a new Embed Token. If they share the temporary, embed-specific URL from their session, the token will quickly expire, rendering the link useless.
Power BI Licensing Requirement
For the "App Owns Data" scenario (where our app authenticates users who do not need their own Power BI licenses), you typically require a Power BI Premium capacity (SKUs A, EM, P, or the Fabric F SKUs). This is necessary to use a Service Principal for secure embedding.
For more details, you'll need to research the specific implementation steps for Power BI Embedded using the REST API in a Python/Django environment.
For the Power BI integration we'll need the following environment variables:
- POWERBI_TENANT_ID
- POWERBI_CLIENT_ID
- POWERBI_CLIENT_SECRET
- POWERBI_WORKSPACE_ID
- POWERBI_REPORT_ID (optional; if omitted, the first report in the workspace is used)

OR

- AZURE_CLIENT_ID
- POWERBI_WORKSPACE_ID
- POWERBI_REPORT_ID (optional)