PowerBI Widget - Configuration Guide
This guide covers two security approaches for deploying the PowerBI widget in enterprise environments.
The PowerBI Widget can be downloaded from here: http://install.gobright.cloud/temp/widget/Widget-PowerBI.gbexport
Overview
The PowerBI widget supports two authentication and authorization patterns:
- Option 1: Direct Service Principal – Simple setup, service principal directly assigned
- Option 2: Security Group – Enterprise-recommended, using Entra ID security groups
Prerequisites (Both Options)
Review the following steps, as they apply to both options.
1. Azure AD App Registration
1. Go to Azure Portal > Azure Active Directory > App registrations
2. Click New registration
3. Configure:
- Name: PowerBI-Widget-App (or your preferred name)
- Supported account types: Accounts in this organizational directory only
- Redirect URI: Leave empty
4. Click Register
2. Configure App Registration
After registration, note down:
- Application (client) ID
- Directory (tenant) ID
3. Create Client Secret
1. Go to Manage > Certificates & secrets
2. Click +New client secret
3. Configure:
- Description: PowerBI-Widget-Secret
- Expires: 24 months (recommended)
- Click Add
4. Copy the secret value immediately – you won’t see it again
4. API Permissions (Not Required)
Important: No additional API permissions are required in Azure AD for this widget.
The service principal gets access through:
1. Power BI Admin Settings (configured below)
2. Direct Workspace Permissions (configured below)
The default User.Read permission can remain, but additional PowerBI API permissions are unnecessary since access is granted at the Power BI service level, not through Azure AD API permissions.
Once you’ve completed the steps above, choose the option you want to proceed with and follow the corresponding instructions.
Option 1: Direct Service Principal (Simple Setup)
Power BI Admin Center Configuration
1. Go to Power BI Admin Portal > Tenant settings
2. Configure these settings:
Developer Settings
- ✅ Enabled: Service principals can call Fabric public APIs
- Apply to: The entire organization
Embed Content Settings
- ✅ Enabled: Embed content in apps
- Apply to: The entire organization
Workspace Access Configuration
1. Go to your PowerBI Workspace
2. Click Manage access
3. Click +Add people or groups
4. Search for your service principal:
- Format: [App Name] (AppId: [Application-client-ID])
5. Select permission level:
- Member (recommended) – Full access to workspace content
- Contributor – Can create/edit content
- Viewer – Read-only access (minimum required)
6. Click Add
Option 2: Security Group (Enterprise Recommended)
Step 1: Create Entra ID Security Group
1. Go to Azure Portal > Azure Active Directory > Groups
2. Click New group
3. Configure:
- Group type: Security
- Group name: PowerBI-Service-Principals
- Group description: Security group for PowerBI widget service principals
- Membership type: Assigned
4. Click Create
Step 2: Add Service Principal to Security Group
1. Open the created security group
2. Go to Manage > Members > Add members
3. Search for your service principal:
- Format: [App Name] (AppId: [Application-client-ID])
- Example: PowerBI-Widget-App (AppId: 12345678-1234-1234-1234-123456789abc)
4. Select and click Select
Step 3: Power BI Admin Center Configuration
1. Go to Power BI Admin Portal > Tenant settings
2. Configure these settings:
Developer Settings
- ✅ Enabled: Service principals can call Fabric public APIs
- Apply to: Specific security groups
- Security groups: Add your security group:
- PowerBI-Service-Principals
Embed Content Settings
- ✅ Enabled: Embed content in apps
- Apply to: Specific security groups
- Security groups: Same security group as above:
- PowerBI-Service-Principals
Step 4: Workspace Access Configuration
1. Go to your PowerBI Workspace
2. Click Manage access
3. Click +Add people or groups
4. Search for your security group:
- PowerBI-Service-Principals
5. Select permission level:
- Member (recommended) – Full access to workspace content
- Contributor – Can create/edit content
- Viewer – Read-only access (minimum required)
6. Click Add
Widget Configuration
Parameters Required
{
  "tenantID": "your-tenant-id",
  "clientID": "your-application-client-id",
  "clientSecret": "your-client-secret",
  "inputUrl": "https://app.powerbi.com/groups//reports/"
}
Supported URL Formats
- Reports: https://app.powerbi.com/groups//reports/
- Specific Pages: https://app.powerbi.com/groups//reports//ReportSection
- Dashboards: https://app.powerbi.com/groups//dashboards/
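The following is an added example, not code from the GoBright widget itself. It shows what a server-side consumer of the parameter block above has to do before it can embed anything: validate that tenantID and clientID are GUIDs, resolve the three supported inputUrl shapes into a workspace ID, an item ID and an optional report page, and build the client-credentials token request. The hostname check is a defensive measure so that only app.powerbi.com URLs are accepted. The token endpoint, the Power BI REST API scope and the api.powerbi.com paths are standard Entra ID / Power BI values and are assumed here, not documented by the widget; the GUIDs in SAMPLE_CONFIG are constructed.

```python
import re
from urllib.parse import urlparse

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Power BI REST API scope for the client-credentials grant (assumption: the
# widget uses this standard scope; the guide does not state it).
POWERBI_SCOPE = "https://analysis.windows.net/powerbi/api/.default"

# Constructed sample parameters; every GUID below is made up.
SAMPLE_CONFIG = {
    "tenantID": "11111111-2222-3333-4444-555555555555",
    "clientID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "clientSecret": "example-secret-value",
    "inputUrl": "https://app.powerbi.com/groups/66666666-7777-8888-9999-000000000000"
                "/reports/12345678-1234-1234-1234-123456789abc",
}


def parse_powerbi_url(url: str) -> dict:
    """Resolve the supported URL formats:
    groups/<workspace>/reports/<report>[/ReportSection...]
    groups/<workspace>/dashboards/<dashboard>
    Query strings (e.g. ?experience=power-bi) are ignored."""
    parsed = urlparse(url)
    # Only accept the Power BI portal host; a widget should never follow
    # arbitrary URLs supplied in its configuration.
    if parsed.scheme != "https" or parsed.netloc.lower() != "app.powerbi.com":
        raise ValueError(f"refusing non app.powerbi.com URL: {url}")
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 4 or parts[0] != "groups" or parts[2] not in ("reports", "dashboards"):
        raise ValueError(f"unsupported URL format: {url}")
    workspace_id, kind, item_id = parts[1], parts[2], parts[3]
    for guid in (workspace_id, item_id):
        if not GUID_RE.match(guid):
            raise ValueError(f"{guid!r} is not a GUID")
    target = {"workspaceId": workspace_id, "type": kind[:-1], "id": item_id, "page": None}
    if len(parts) == 5 and kind == "reports" and parts[4].startswith("ReportSection"):
        target["page"] = parts[4]          # specific page of a report
    elif len(parts) > 4:
        raise ValueError(f"unexpected trailing path in URL: {url}")
    return target


def validate_config(cfg: dict) -> dict:
    """Check the four required parameters and return the resolved embed target."""
    for key in ("tenantID", "clientID", "clientSecret", "inputUrl"):
        if not cfg.get(key):
            raise ValueError(f"missing parameter {key}")
    for key in ("tenantID", "clientID"):
        if not GUID_RE.match(cfg[key]):
            raise ValueError(f"{key} must be a GUID")
    return parse_powerbi_url(cfg["inputUrl"])


def token_request(cfg: dict) -> dict:
    """Client-credentials request: application-level access, no user involved.
    Endpoint and form fields follow the Entra ID v2.0 token endpoint."""
    return {
        "url": f"https://login.microsoftonline.com/{cfg['tenantID']}/oauth2/v2.0/token",
        "data": {
            "grant_type": "client_credentials",
            "client_id": cfg["clientID"],
            "client_secret": cfg["clientSecret"],
            "scope": POWERBI_SCOPE,
        },
    }


def api_url(target: dict) -> str:
    """Workspace-scoped REST API path for the resolved item (assumed layout)."""
    base = "https://api.powerbi.com/v1.0/myorg"
    return f"{base}/groups/{target['workspaceId']}/{target['type']}s/{target['id']}"


if __name__ == "__main__":
    resolved = validate_config(SAMPLE_CONFIG)
    print(resolved)
    print(api_url(resolved))
    print(token_request(SAMPLE_CONFIG)["url"])
```

The secret is never written to a log or URL; it only appears in the POST body of the token request, which is the one place the client-credentials grant needs it.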
Security Comparison
| Aspect | Direct Service Principal | Security Group |
|---|---|---|
| Setup Complexity | Simple | Moderate |
| Enterprise Scalability | Manual per app | Centralized management |
| Permission Management | Individual updates | Group-based updates |
| Audit Trail | App-specific | Group-based |
| Best For | Single app/POC | Enterprise deployment |
| Security | ✅ Secure | ✅ More secure |
| Maintenance | Higher effort | Lower effort |
Troubleshooting
Common Issues
Error: “Unauthorized” or “Token expired”
- Verify client secret hasn’t expired
- If you added any API permissions, check that admin consent was granted (none are required for this widget; see Prerequisites)
- Ensure service principal/security group has workspace access
Error: “Service principal not found”
- Wait 10-15 minutes after creating the app registration
- Verify the service principal is added to security group (Option 2)
- Check Power BI admin settings allow service principals
Error: “Access denied to workspace”
- Verify workspace permissions (minimum: Viewer)
- Check workspace visibility (must not be personal workspace)
- Ensure security group has proper workspace access (Option 2)
Error: “At least 1 dataset is required” (Dashboards)
- This is handled automatically by the widget
- Occurs with static dashboards (images, text only)
- Widget includes fallback handling
Best Practices
1. Use Security Groups for enterprise environments
2. Rotate client secrets regularly (every 12-24 months)
3. Grant minimum required permissions (Viewer level sufficient for embedding)
4. Monitor service principal usage through Azure AD audit logs
5. Document security group membership for compliance
6. Test with non-admin users to verify permissions are correct
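An added example (not the widget's or GoBright's own code) for the rotation and expiry points above: given the list of client secrets on an app registration, it reports which are expired, which fall inside a warning window, and whether the registration has no secret left that is still valid beyond that window. The record shape (keyId, displayName, endDateTime) is assumed to match the passwordCredentials that Microsoft Graph returns for an application; the 30-day warning window is an assumption, and the sample records are constructed.

```python
import re
from datetime import datetime, timezone

# Assumed warning window; the guide recommends rotating every 12-24 months,
# so alerting 30 days before expiry leaves time to issue a new secret.
ROTATION_WARNING_DAYS = 30

# Constructed sample, shaped like Graph passwordCredentials (keyIds made up).
SAMPLE_CREDENTIALS = [
    {"keyId": "00000000-0000-0000-0000-000000000001",
     "displayName": "PowerBI-Widget-Secret", "endDateTime": "2025-05-20T00:00:00Z"},
    {"keyId": "00000000-0000-0000-0000-000000000002",
     "displayName": "PowerBI-Widget-Secret-2025", "endDateTime": "2025-06-20T00:00:00.1234567Z"},
    {"keyId": "00000000-0000-0000-0000-000000000003",
     "displayName": "PowerBI-Widget-Secret-2027", "endDateTime": "2027-06-01T00:00:00Z"},
]


def parse_graph_time(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp as Graph emits it (optional fractional
    seconds of up to seven digits, trailing Z)."""
    value = re.sub(r"\.\d+", "", value).rstrip("Z")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def classify_secrets(credentials, now, warn_days=ROTATION_WARNING_DAYS):
    """Return one status record per secret: expired, expiring, or ok."""
    results = []
    for cred in credentials:
        days_left = (parse_graph_time(cred["endDateTime"]) - now).days
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        results.append({"keyId": cred["keyId"], "displayName": cred["displayName"],
                        "daysLeft": days_left, "status": status})
    return results


def needs_rotation(credentials, now, warn_days=ROTATION_WARNING_DAYS) -> bool:
    """True when no secret remains valid beyond the warning window, i.e. a new
    secret must be created and deployed to the widget before the last one expires."""
    return not any(r["status"] == "ok" for r in classify_secrets(credentials, now, warn_days))


if __name__ == "__main__":
    # Fixed 'now' so the sample output is reproducible.
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    for r in classify_secrets(SAMPLE_CREDENTIALS, now):
        print(f"{r['status']:9} {r['daysLeft']:5d}d  {r['displayName']} ({r['keyId']})")
    print("rotation needed:", needs_rotation(SAMPLE_CREDENTIALS, now))
```

Expired secrets should also be removed from the registration once the widget is confirmed to use the new one, so that the list reflects only credentials that can actually authenticate.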
Security Notes
- Client credentials flow provides application-level access (not user-specific)
- Workspace-scoped permissions limit access to assigned workspaces only
- No interactive authentication required – suitable for server-side widgets
- Security groups provide better governance and audit capabilities
- Regular secret rotation maintains security posture