Fabric Trial

To facilitate the Power Embedded installation process, we have created this tutorial to help our customers install Power Embedded.

Prerequisites for the installation

Since Power Embedded is a SaaS system, you will not need to hire or manage any servers, applications, or databases — you will simply use it as a service.

To set up Power Embedded at your company, the following prerequisites must be met before we schedule the installation:

• An Azure user account with permission to create Fabric or Embedded capacity.

• An Azure user account with permission to create groups and application registrations in Azure AD.

• An Azure user account with the "Fabric administrator" role to access the Power BI administration portal.

During the system installation meeting, held together with the client, it is required that a user with the permissions listed above be available, or that someone from the client's team, with those permissions, can share their screen and perform the actions as instructed.

How to create the Power Embedded application in Azure AD

To register the application that will be used by Power Embedded, you will need to access this link.

On the screen below, click the "New registration" button.

Now you should choose a name for the application you will create in your Azure AD. The name is up to you.

After that, click the "Register" button at the bottom of the page.

After creating this application, you will be directed to the overview screen of this user.

Copy the value of the "Application (client) ID" field and save it in a notepad. This key is what you will paste in the "Power BI Client ID" field in the Power Embedded organization configuration.

Now click on "Certificates & secrets" and then click the "New client secret" button.

On the new screen, type a description for this secret (according to your preference) and select the expiration period for this secret.

It is recommended to select 24 months, so you only need to worry about expiration after two years. After the defined period ends, the secret will expire and the system will stop working, requiring you to generate a new secret and update it in Power Embedded.

Now click the "Add" button at the bottom of the page

Copy the generated "Value" field by clicking the copy button next to this key.

Save and keep this key safe, as this will be the ONLY time you can see it. If you lose this key, it cannot be recovered: you will need to generate a new secret and update it in the system.

The copied value should be pasted in the "Power BI Client Access Key" field on the Power Embedded configuration screen

Synchronize users and groups from Azure AD (Entra ID)

To integrate Power Embedded with Azure AD (Entra ID) and import users and groups:

On the same application registration screen, click "API permissions" and then click "Add a Permission".

On the next screen, select the "Microsoft Graph" option.

Then select the "Application permissions" option.

On the next tab, search for "Directory" and select the first option "Directory.Read.All" and click "Add permissions".

To finish, simply grant administrator consent by clicking "Grant admin consent for".

Done! When you finish the next steps, you will be able to import users and groups from Azure AD (Entra ID) to Power Embedded.

Adding the Power Embedded user to a new AD group

To grant permissions in the Power BI Administration Portal for the Service Principal you just created, it must be part of an Azure AD (Entra ID) security group.

To do this, access this link and click the "New group" button.

Select the "Security" option in the "Group type" field and type a name of your choice for this group we are creating.

Click on the "Owners" link and add the people who will be responsible for Power Embedded.

Click on the "No members selected" link in the "Members" category.

On the screen that opened, type the name of the Service Principal you created to filter. Select the Service Principal from the list and click the "Select" button at the bottom of the page.

Now that you have selected the member to add to this new group, click the "Create" button at the bottom of the page.

How to grant the necessary permissions in the Power BI Administration Portal

Using a user with Power BI administrator permission, access this link.

Scroll down the page until you find the "Developer Settings" section (or search for "api" in the search bar on the right).

Check the "Service principals can use Fabric APIs" option.

For security reasons, check the "Specify security groups" option in the "Apply to:" section and select the security group we created at the beginning of this topic (in my case, "PowerEmbedded-Group").

Click the "Apply" button.

Scroll down a bit more on the page and repeat the same process for the item "Service principals can access read-only admin APIs" and "Enhance admin API responses with detailed metadata" in the "Admin API Settings" section.

Refresh the page and now the option "Enhance admin API responses with DAX expressions and mashup" will be available to be checked. Repeat the same process for this permission.

Still in the "Developer Settings" category, or by searching for "embed" in the search bar, check the "Embed content for customers" option and add the security group you created in the "Specific security groups" filter in the "Apply to" option.

If this setting is already enabled and allowed for the entire organization, which is the Power BI default, you can leave it as is, if the client agrees. Changing this may cause issues in other processes if something requires this permission.

Now search for the word "Export" in the search bar located in the upper right of the screen.

Find the "Export and sharing settings" section and check whether Power BI is allowing the following exports: - Export to Excel (Used by the "Export data" menu in visuals) - Export to .csv (Used by the "Export data" menu in visuals) - Export reports as PowerPoint presentations or PDF documents (Export button) - Export reports as image files (Export button)

\

And finally, in the "Integration settings" section, do the same process for the "Allow XMLA endpoints and Analyze in Excel with on-premises semantic models" setting, which is used to allow automatic listing of RLS roles.

If this setting is already enabled and allowed for the entire organization, which is the Power BI default, you can leave it as is, if the client agrees. Changing this may cause issues in other processes if they are using something that requires this permission

Done! Now the Portal has access to your Power BI environment.

First access to the Administrative Portal

Access the administrative area of the Portal by accessing this link, logged in with a user with "Azure Global Administrator" permission.

You will authenticate with your Microsoft account and as soon as you finish logging in, you will see a permission request screen in your Azure AD.

Check the "Consent on behalf of your organization" option and click the "Accept" button.

Forgot to check the "Consent on behalf of your organization" option or performed the installation with an account that was not an administrator?

After confirming the permissions, you will be redirected to the system and will need to create the new organization.

On this screen, you can configure the following settings:

• Name: This is the name of your company. The system will retrieve the name registered in the Azure Tenant, but you will be able to change it on this screen or later through the system settings page.

• Power BI Client ID: This is the ID of the Service Principal that will be created to integrate Power Embedded with your Azure Active Directory (we will explain more about this below).

• Power BI Client Access Key: This is the secret generated for the Service Principal (we will explain more about this below).

• Custom Domain: This is your company's domain (without www or https). This field will be used to create a custom access URL for accessing reports (e.g., reports.yourcompany.com.br).

With the Client ID and Secret Value that you obtained at the beginning of the installation and noted in a notepad, we will now use them on the Power Embedded organization configuration screen.

Click the "Create Organization" button and you will be able to start using the Portal.

How to integrate the Portal with the Power BI Workspace?

To import Power BI reports to Power Embedded, you will need to do three things in the workspace:

1. Enable the Fabric trial period (if you haven't already done so).

2. Change the Workspace capacity to Fabric capacity.

3. Add the Service Principal created (Power Embedded user) as administrator of the workspaces from which you want to import reports (can be more than one).

To enable the Fabric trial period, click on your photo in the Power BI menu.

Remember that only 6 people in the organization can have started the Fabric trial, and once a person has activated the trial, it is not possible to reallocate this capacity to another person.

To change the Workspace capacity to Premium (Fabric) capacity, access the workspace, click the 3 dots, and select "Workspace Settings".

On the screen that opened, click the "Premium" menu, then choose the "Embedded" license and in the "License mode" field, select the "Trial" resource.

Click the "Apply" button just below.

From this moment on, this workspace is now at the Premium capacity of Fabric. If you pause this resource, the Workspace will become inaccessible, even using a Pro account and accessing directly through the portal.

The last step now is to add the Service Principal user to the Workspace.

To add the Service Principal created as an administrator of a workspace, access the workspace, click the 3 dots, and select "Manage access".

Click the "+ Add people or groups" button.

Search for the name of the application created earlier (PowerEmbedded-App) and remember to change the access level to "Administrator". After that, click the "Add" button.

Done! Now Power Embedded has access to this workspace. Repeat this for all Workspaces from which you want to import reports.