Power BI Embed Decision Helper: App-Owns-Data vs Org Embed & Licensing

This self-contained “Power BI Embed Decision Helper” guides you to the right embedding model—App-owns-data (for external users) or Org embed / user-owns-data (for internal users)—and recommends the matching licensing. Provide inputs such as audience type, Entra ID sign-in, portal location (e.g., 3rd-party like Clinked), backend token service availability, desired billing (hourly vs monthly), Fabric adoption, and scale (concurrency and renders/hour). The tool then produces a clear recommendation, a licensing matrix (A-SKU Azure Power BI Embedded, F-SKU Microsoft Fabric capacity, P-SKU Premium per capacity, Pro/PPU per-user), and a copy-ready summary plus JSON for downstream use. An implementation cheatsheet covers the service principal → REST API → embed token flow for App-owns-data, secure sign-in requirements for Org embed, and common gotchas (e.g., raw iframes in third-party portals). A Light/Dark theme toggle is included for comfortable use in any environment. Power BI Embed Decision Helper

Power BI Embed Decision Helper

A simple tool to help decide between App-owns-data and Org embed scenarios.

Light

Inputs

👥 Audience 🧩 Portal ⏸️ Capacity Control

Who are your viewers?

Rule of thumb: external → App‑owns‑data; internal → Org embed (user‑owns‑data).

Can viewers sign in with Entra ID (Microsoft 365)? Where are you embedding? Do you have a backend that can create embed tokens (service principal)?

App‑owns‑data requires your backend to issue short‑lived embed tokens via service principal or a master account (SP recommended).

Do you want hourly, pausable billing for capacity?

Are you adopting Microsoft Fabric beyond embedding?

Peak concurrent viewers

Est. report renders / hour (peak)

Need free viewers (no per‑user license)?

Recommendation

Fill the inputs and click Decide.

Suggested licensing

Option	When to choose	Notes

Implementation Cheatsheet

App‑owns‑data (Recommended for external customers)

Use a service principal with workspace access on capacity (A/F/P).
Your backend obtains an Azure AD token → calls Power BI REST API → issues a short‑lived embed token.
Serve a minimal embed page (your domain) that injects the embed token and reportId/groupId; 3rd‑party portal iframes your page.
Scale by capacity (A‑SKU hourly pause/resume; F/P monthly). Add cache for frequent renders.

Security & tenancy

Use Row‑Level Security (RLS) bound to effective identity in the embed token.
Keep tokens short‑lived; never expose service principal creds to the browser.

Org embed (user‑owns‑data)

Every viewer signs in to Power BI. They need Pro/PPU or the content must live on Premium/Fabric capacity.
Use secure embed or the JS SDK with user auth; best for internal portals.
For large audiences without per‑user licenses, place workspaces on Premium/Fabric capacity.

Common gotchas

3rd‑party portals that only accept a raw iframe URL cannot use App‑owns‑data unless they iframe your tokenized page.
PPU enables advanced features but still requires sign‑in; it does not replace capacity for external viewers.

Decision JSON

{}

Disclaimer: The Questions and Answers provided on https://gigxp.com are for general information purposes only. We make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose.