Microsoft Power BI for WordPress

Use this guide, if you want to embed a Microsoft Power BI report, dashboard or tile in a WordPress page or post (also see the following video https://youtu.be/fDyB_Ue72j4). Also make sure to visit https://www.wpo365.com/power-bi-for-wordpress/ for details how you can unlock premium features such as support for the App owns data scenario, adding custom report filters, defining custom settings e.g. to hide a panel and support for row-level security (RLS).

Before you start

  • You must already have configured the single sign-on capability of the WordPress + Office 365 plugin.
  • Additionally, you must also already have configured the integration capability of the plugin.
  • You are a Global Administrator for your company’s Office 365 tenant / Azure AD directory (or have at least the ability to edit the Azure Active Directory App registration that was created previously when the single sign-on capability was configured).
  • You are an Administrator for your WordPress website.

Choosing a scenario

Embedding Power BI content into a WordPress page or post with the help of the WPO365 plugin (and extensions) can be done in one of two ways.

User owns data In this case the user has been given access to the Power BI workspace in question. Therefore the user must sign in with Microsoft (with the help of the WPO365 plugin) to your WordPress website. This is necessary so the plugin can obtain an access token for Microsoft Graph to access the Power BI REST APIs. This also implies that you must configure the appropriate delegated permissions (see API Permissions below).

Application owns data In this case the user has not been given access to the Power BI workspace in question. Instead the Service Principal (= App registration) that you created when you configured the single sign-on capability of the WPO365 | LOGIN plugin must be given administrative access to the Power BI workspace in question (see Prepare your Power BI environment below).

Considerations and Limitations

  • Ensure that you have selected the Beta version for the Microsoft Graph on the plugin's Integration page.
  • SAML 2.0 is not supported in combination with the User owns data scenario.
  • The Application owns data is not available for the basic version of the Power BI Embed app but instead requires the WPO365 | M365 APPS or the WPO365 | INTRANET bundle to be installed and activated. 
  • The Application owns data scenario does not require the user to have access to the Power BI workspace in question. However, due to a limitation of the WPO365 | LOGIN plugin must the user have logged into your website (but signing in with Microsoft is not a requirement). 
  • Please make sure that you have read the considerations and limitations section on the Microsoft website.
  • Disclaimer According to Microsoft - in case of the Application owns data scenario - a capacity is required when moving to production

App registration

  • In Azure Portal click the 'hamburger' (icon with three horizontal lines in the upper corner) to open the menu.
  • Navigate to Azure Active Directory > App registrations.
  • Select the App registration that you created when you configured the single sign-on capability of the plugin.

API Permissions

Please note If you intend to implement the Application owns data scenario there is not need to assign delegated permissions and you can skip this step.

  • Click API permissions from the 'App registration' menu on the left
  • Click + Add permission.
  • Select Power BI Service > Delegated permissions.
  • Scroll down to Dataset and check
    • Dataset.Read.All
  • Scroll down to Report and check
    • Reports.Read.All
  • Click  Add permissions.
  • Click Grant admin consent for … to grant consent for all users in your tenant to use this ‘App registration’.

Depending on your requirements you can of course add more permissions e.g. Workspace.Read.All, Dashboard.Read.All.

Integration

  • Navigate to WP Admin > WPO365 > Integration.
  • Click Delete tokens.
  • Click Save configuration.
  • Sign out of your WordPress website.
  • Sign in with Microsoft to your WordPress website.

Prepare your Power BI environment

Important 

  • The WPO365 plugin only supports the embedding of Power BI content using a Service principal. Authentication using a master account is not supported. This also means that content must reside in new workspaces (and that traditional workspaces are not supported).
  • You should not register a new App in Azure AD. Instead you can use the existing App registration (= Service Principal) that you registered initially when you configured the single sign-on feature and possible other integrations e.g. with SharePoint Online, Yammer etc.
  • You must, however, configure your Power BI environment to support Service principal authentication. Using this method that can be used to let an Azure AD application access Power BI service content and APIs. To do so, please carefully execute the following steps documented by Microsoft (see https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal):

When you see an error that states "... No authorization code and refresh token found when trying to get an access token for https://graph.microsoft.com/User.Read. The current user must sign out of the WordPress website and log back in again to retrieve a fresh authorization code that can be used in exchange for access tokens ..." Then please sign out of your WordPress website and immediately sign back in (with Microsoft) into your site. This will ensure that the plugin retrieved a fresh set of access tokens on your behalf.

Generate a Microsoft Power BI shortcode

The table below provides a simple overview of the available features per plugin edition.

Feature WPO365 | LOGIN WPO365 | M365 APPS
WPO365 | INTRANET
User owns data scenario (AAD token) Yes Yes
Application owns data scenario (Embed token) No Yes
Request permission for multiple items No Yes
Customize embed token request endpoint No Yes
Customize embed token request JSON body No Yes
Customize embed configuration JSON No Yes

To generate a shortcode to embed a Microsoft Power BI artifact into any WordPress page or post, perform the following steps. 

  • Navigate to WP Admin > WPO365 > ... > Power BI.
  • Select the Microsoft Power BI artifact to embed i.e. report, dashboard or tile.
  • Select the desired token type:
    • For the User owns data scenario select the AAD Token.
    • For the Application owns data scenario select the corresponding (type of) Embed Token (the shortcode generator will only enable those options that match with the Microsoft Power BI artifact that you want to embed e.g. Report in Workspace and Multiple Items when you want to embed a Report.
  • Enter the Workspace ID of the Microsoft Power BI Workspace where the artifact that you are embedding resides in.
  • Then
    • Enter the Report ID of the Microsoft Power BI report if you are embedding a report.
    • Enter the Dashboard ID of the Microsoft Power BI dashboard if you are embedding a dashboard.
    • Enter the Dashboard ID and the Tile ID of the Microsoft Power BI tile and its containing dashboard if you are embedding a tile.

Please note that you can find all these IDs when you navigate to https://app.powerbi.com/ and then load the workspace of your choice. In your workspace open the artifact that you want to embed. Once open, the web address should contain all necessary IDs. The following URL is an example for a report with ID 206e6e12-b5f6-4542-a22e-2c17de272a4f in a workspace with ID f6fddbde-2415-435a-9c51-e8d6a2b6274b e.g. https://app.powerbi.com/groups/f6fddbde-2415-435b-9c51-e8d6a2b6274b/reports/206f6e12-b5f6-4542-a22e-2c17de272a4f/ReportSectionb4bd8f0e6c0029bcea0b

  • Finally you can enter the height and width of the embedded artifact on your WordPress page.
  • Click Copy shortcode to clipboard.

Embed a Microsoft Power BI artifact in a WordPress page or post

  • From the WordPress Admin Bar, click + New to add a new WordPress page or post.
  • On the page or post, type shortcode in the block navigator and click the shortcode shortcut to add a new shortcode block to the page or post.
  • In the shortcode editor, click Ctrl+V (or right mouse click and click Paste) to paste the shortcode.
  • Publish the page and then click View post to check the result.

Advanced (premium-only) configuration options

If you'd like to take more control over how your Power BI report is embedded, you can click to manually edit the embed config (JSON) as shown below.

Adding custom Report Settings

Editing the configuration manually allows you to add settings e.g. to collapse the filters panel, as shown in the previous image and example below.

...
"settings": {
      "panes": {
          "filters": {
              "expanded": false,
              "visible": true
          }
     }
},
...

You can have a look at this article to learn more embedded Power BI report settings.

Adding Report Filters

Also visible in the previous image is a configuration that would add a filter to your report. Again, this can be achieved if you manually edit the configuration and add a filter configuration as shown below.

{
  "$schema": "http://powerbi.com/product/schema#basic",
  "target": {
    "table": "Sales",
    "column": "Country"
  },
  "operator": "In",
  "values": ["Canada"],
  "filterType": 1,
  "requireSingleSelection": true
}

When editing a filter configuration you must convert some enumerated values into number. In the example above you'll notice that filterType is set to 1. To look up those enumerated values you can use the Power BI models reference. Here you can search for the actual values for filterType only to find that 1 stands for Basic.

Please note that configuration properties must follow the JSON notation and all must be wrapped in double quotes e.g. "filterType".

Support for RLS

Row-level security (RLS) can be used to restrict user access to data within dashboards, tiles, reports, and datasets. Different users can work with those same artifacts all while seeing different data. Embedding supports RLS. Read more ...

If you're embedding to Power BI users (user owns data), within your organization, RLS works the same as it does within the Power BI service directly. There's nothing more you need to do in your application. For more information, see Row-Level security (RLS) with Power BI.

If you're embedding for non-Power BI users (app owns data), which is typically an ISV scenario, then you must configure the embed token to account for the user and role.

By default the Token request JSON (for non-Power BI / app owns data) is as follows.

{
  "accessLevel": "View"
}
To configure the embed token to account for the user and the role you must update the Token request JSON as shown below by adding an identities member that specifies the username, role(s) and dataset(s).
{
  "accessLevel": "View",
  "identities": [
        {
            "username": "ellen@wpo365.com",
            "roles": [ "Canada" ],
            "datasets": [ "795b2d57-22d6-4c08-9db3-b660fe9b3483" ]
        }
    ]
}
Please note Whether or not the username provided is being honored when you're embedding for non-Power BI users (app owns data) is depending on whether your DAX expression is expecting a username or not. If your DAX expression does not include a  username() or userprincipalname() expression then the value provided as Token request's  username will have no effect. In that case RLS will always return the data for the role, even if you assigned specific users to the role. When the  app owns data, the effective identity is your App registration's Service Principal ID that you have granted admin access to the workspace.
Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us