Power BI Embedded Analytics: The Enterprise Guide to Pricing, Architecture, and Multi-Tenant Implementation
Embedding Power BI into your applications transforms static data into interactive analytics experiences for customers, partners, and employees — without requiring them to have Power BI licenses. This guide covers the complete Power BI Embedded landscape: pricing models and capacity planning, App Owns Data vs. User Owns Data architectures, multi-tenant SaaS patterns, Microsoft Fabric integration, security implementation, and performance optimization. Based on 200+ embedded analytics projects delivered by EPC Group.
Power BI Embedded Analytics Guide 2026
Last updated: 2026 · Read time: 10 min
Power BI Embedded lets applications embed interactive reports and dashboards without requiring users to have Power BI licenses. This guide covers App Owns Data vs. User Owns Data, Fabric F-SKU pricing, multi-tenant SaaS architecture, capacity planning, and security layers. Based on EPC Group's 200+ Embedded Analytics projects.
Key facts
- EPC Group: 200+ Power BI Embedded projects delivered across SaaS, customer portals, and enterprise applications.
- Two embed models: App Owns Data (SaaS products, external users) and User Owns Data (internal org apps).
- Fabric F-SKU is the recommended capacity for new Embedded deployments — replaces the deprecated A-SKU.
- Embed tokens expire after 1 hour by default — configure server-side token refresh for long user sessions.
- Row-Level Security (RLS) enforces tenant data isolation at the data engine level — required for multi-tenant SaaS.
App Owns Data vs. User Owns Data
Choose the embed model before any development begins. The two models have different security architectures, licensing requirements, and use cases.
App Owns Data (recommended for SaaS and customer portals)
The application authenticates with a service principal. End users do not need Power BI licenses. This is the model for SaaS products, customer-facing portals, and commercial software embedding analytics.
- Authentication: service principal or master user account authenticates to Power BI.
- Licensing: capacity-based (Fabric F-SKU or legacy A-SKU). No per-user Power BI license required for viewers.
- Security: RLS enforced via the embed token. The token carries the user's identity context to the data engine.
- Use for: SaaS products, ISV applications, customer-facing analytics, public websites.
User Owns Data (for internal enterprise apps)
Each user authenticates with their own Azure AD account. Users must have Power BI Pro or PPU licenses. This model is for internal enterprise applications where all users are in the same Azure AD tenant.
- Authentication: each user authenticates individually with Azure AD OAuth.
- Licensing: Power BI Pro ($14/user/month) or PPU ($20/user/month) per viewer.
- Security: report permissions follow the user's Power BI workspace access. No embed token required.
- Use for: internal enterprise apps, SharePoint embedding, Teams tab embedding, internal portals.
Security layers for Embedded Analytics
Embedded reports require security configured at multiple layers. Missing any layer creates data leakage risk in multi-tenant environments.
- Row-Level Security (RLS) — filters data based on the embedding user's identity or tenant context. Enforced at the data engine level, not the application layer.
- Object-Level Security (OLS) — hides entire tables or columns from specific roles. Independent of RLS.
- Embed token expiration — tokens expire after 1 hour by default. Implement server-side token refresh to maintain user sessions without re-authentication.
- JavaScript SDK permissions — disable export, disable print, restrict filter changes, hide specific visuals. Configured in the Power BI JavaScript SDK on the client side.
Capacity planning for Embedded deployments
Size capacity based on four factors. Undersize capacity and you get throttling and slow report loads. Oversize capacity and you overspend by 2–3x.
- Concurrent users — how many people view reports simultaneously at peak load.
- Dataset size and complexity — large datasets with complex DAX require more memory per query.
- Render frequency — how often reports refresh or load (auto-refresh vs. user-triggered).
- Peak usage patterns — business-hours-only vs. 24/7 vs. month-end reporting spikes.
Fabric F-SKU vs. A-SKU for Embedded
Microsoft deprecated the A-SKU (Azure Embedded capacity). Use Fabric F-SKUs for all new Embedded deployments.
- Fabric advantages over A-SKU: unified billing with other Fabric workloads, Direct Lake mode support, OneLake integration, and Copilot integration for natural language queries.
- Fabric F2 ($263/month) — small workloads, up to 4 GB memory, roughly 30 reports with light concurrent use.
- Fabric F4 ($526/month) — mid-market Embedded deployment, 50–100 concurrent users with standard report complexity.
- Fabric F64 ($5,257/month) — enterprise Embedded with high concurrency, Copilot, and HIPAA Trusted Workspace support.
Multi-tenant SaaS architecture
Most enterprise SaaS platforms use a hybrid approach for Embedded tenancy. There is no single right answer — choose based on compliance and customization requirements.
- Shared workspace with RLS — all tenants share one Power BI workspace. RLS enforces tenant isolation. Efficient, low management overhead. Best for standard reports.
- Isolated workspace per tenant — each tenant has its own workspace. Higher management overhead but cleaner audit trails. Required for HIPAA and SOC 2 tenants with strict data isolation requirements.
- Hybrid — standard tenants use shared workspace + RLS. Premium tenants get isolated workspaces. Most scalable architecture for SaaS platforms with mixed compliance requirements.
Frequently asked questions
Does Power BI Embedded require Power BI licenses for end users?
In the App Owns Data model, no. End users do not need Power BI licenses. The capacity (Fabric F-SKU or A-SKU) covers all viewer access. Report authors still need Power BI Pro to publish reports to the capacity workspace.
What is an embed token and how long does it last?
An embed token is a JWT generated server-side that grants access to a specific report, dataset, or dashboard. It expires after 1 hour by default. Configure server-side token refresh so user sessions persist without requiring re-authentication every hour.
How do I enforce tenant isolation in a multi-tenant SaaS app?
Use Row-Level Security with the embedding user's tenant ID as the filter context. The embed token carries the tenant identity to the RLS DAX rule. For strict isolation requirements, use separate workspaces per tenant with dedicated datasets.
What capacity do I need for 500 concurrent users?
Start with Fabric F16 ($1,313/month) for 500 concurrent users with standard report complexity. Upgrade to F32 or F64 if reports use complex DAX, large datasets, or real-time streaming. EPC Group provides capacity sizing analysis as part of Embedded deployment engagements.
Schedule an Embedded Analytics assessment
EPC Group has delivered 200+ Power BI Embedded projects for SaaS companies, customer portals, and enterprise applications. Talk to an architect about embed model selection, capacity sizing, and multi-tenant security design. Call (888) 381-9725 or request a 30-minute discovery call.
Frequently Asked Questions
What is Power BI Embedded?
Power BI Embedded is Microsoft's platform for integrating interactive Power BI reports, dashboards, and visualizations directly into custom applications, portals, and websites. Instead of users navigating to the Power BI service (app.powerbi.com), embedded analytics renders Power BI content within your application's UI using the Power BI JavaScript SDK. The end user interacts with fully interactive reports (filters, slicers, drill-down, export) without needing a Power BI license. Power BI Embedded uses Azure capacity (A-series SKUs) or Microsoft Fabric capacity (F-series SKUs) billed to the application owner, not to individual users.
How much does Power BI Embedded cost?
Power BI Embedded pricing depends on the capacity SKU. Azure Embedded capacities start at A1 ($1/hour, ~$735/month) with 3 GB RAM and 1 v-core. The most common enterprise SKUs are A4 ($8/hour, ~$5,880/month, 25 GB RAM) and A5 ($16/hour, ~$11,760/month, 50 GB RAM). Microsoft Fabric capacities start at F2 ($0.36/hour, ~$263/month) and scale to F2048. Fabric F64 ($6,059/month) is the most popular enterprise SKU as it includes Power BI Premium features. Actual cost depends on usage patterns — capacities can be paused during off-hours to reduce costs by 40-60%. There are no per-user fees for embedded content consumers.
What is the difference between "App Owns Data" and "User Owns Data"?
"App Owns Data" (also called "embed for your customers") uses a service principal or master account to authenticate with Power BI. End users do not need Power BI licenses or Azure AD accounts — the application handles all authentication. This is the model for SaaS products, customer-facing portals, and public websites. "User Owns Data" (also called "embed for your organization") requires each user to authenticate with their own Azure AD account and Power BI Pro/PPU license. This model is for internal enterprise portals where users already have Microsoft 365 licenses. Choose App Owns Data for external/customer-facing scenarios and User Owns Data for internal employee scenarios.
How do I choose the right Power BI Embedded capacity size?
Capacity sizing depends on four factors: concurrent users (how many people view reports simultaneously), dataset size and complexity (large datasets with complex DAX require more memory), render frequency (how often reports refresh or load), and peak usage patterns. Start with the Power BI Embedded capacity planning tool and monitor actual usage during pilot. Rule of thumb: A1 supports 5-10 concurrent viewers, A2 supports 10-25, A4 supports 25-100, and A5 supports 100-500. For Fabric: F2 supports 5-15, F8 supports 15-50, F32 supports 50-200, F64 supports 200-1,000. Always load-test before production launch and configure autoscaling for variable demand.
Can Power BI Embedded handle multi-tenant SaaS applications?
Yes. Multi-tenant embedding is one of the most common Power BI Embedded patterns. There are two approaches: single workspace with row-level security (RLS) where one dataset serves all tenants and RLS filters data by tenant ID, and workspace-per-tenant where each tenant gets an isolated workspace with their own dataset. Single workspace with RLS is simpler and more cost-effective for tenants with similar data structures. Workspace-per-tenant provides stronger data isolation (required for some compliance scenarios) and allows per-tenant customization. EPC Group recommends RLS-based multi-tenancy for up to 50 tenants and workspace-per-tenant for larger or compliance-heavy deployments.
Does Power BI Embedded work with Microsoft Fabric?
Yes. Microsoft Fabric capacities (F-series SKUs) can host Power BI Embedded workloads. Fabric F64 and above include all Power BI Premium features (paginated reports, AI, large datasets, deployment pipelines). The Power BI JavaScript SDK works identically with Fabric-hosted workspaces. Key advantages of Fabric over legacy A-series capacities: unified billing with other Fabric workloads (data engineering, data science), Direct Lake mode for dramatically faster report performance, OneLake integration for centralized data access, and Copilot integration for natural language queries. EPC Group recommends Fabric F-series for new embedded analytics projects.
How do I secure embedded Power BI reports?
Security for embedded reports operates at multiple layers: row-level security (RLS) filters data based on the embedding user's identity or tenant context, object-level security (OLS) hides entire tables or columns from specific roles, embed tokens include the user's security context and expire after a configurable period (default 1 hour), and the Power BI JavaScript SDK enforces permissions client-side (disable export, disable print, restrict filter changes). For App Owns Data, generate embed tokens server-side using the Power BI REST API with the appropriate RLS identity. Never expose the service principal credentials or embed token generation endpoint to client-side code.