What is Power BI Embedded and how does it work for ISVs?

Power BI Embedded enables ISVs (Independent Software Vendors) to integrate interactive dashboards and reports directly into their applications. Customers see analytics within your app's UI, branded with your logo, without needing their own Power BI licenses. The ISV uses the "App Owns Data" model where a service principal authenticates with Power BI on behalf of all end users. The ISV pays for Azure or Fabric capacity (not per-user licenses), and end users interact with fully interactive visualizations — filters, slicers, drill-through, export — as a native part of the ISV's product. EPC Group has delivered Power BI Embedded implementations for over 200 ISV and SaaS clients across healthcare, financial services, education, and logistics.

How much does Power BI Embedded cost for ISVs?

Power BI Embedded pricing is capacity-based, not per-user. Azure A-SKUs start at A1 ($1/hour, approximately $735/month) with 3 GB RAM and 1 v-core. The most common ISV SKUs are A2 ($2/hour, approximately $1,470/month) for early-stage products and A4 ($8/hour, approximately $5,880/month) for production workloads supporting 25-100 concurrent users. Microsoft Fabric F-SKUs start at F2 ($0.36/hour, approximately $263/month) and scale to F2048. Fabric F64 ($6,059/month) is the most popular ISV choice as it includes Power BI Premium features. Both A-SKUs and F-SKUs can be paused when not in use, reducing costs by 40-60% for applications with predictable usage windows. There are zero per-user fees for embedded content consumers — this is the key ISV advantage.

What is the difference between App Owns Data and User Owns Data for ISVs?

"App Owns Data" (embed for your customers) is the correct model for ISVs. Your application uses a service principal or master account to authenticate with Power BI, generates embed tokens server-side, and serves embedded reports to end users who have no Power BI accounts or Azure AD identities. This is how SaaS products, customer portals, and commercial software embed analytics. "User Owns Data" (embed for your organization) requires each user to sign in with their own Azure AD account and Power BI Pro license — this model is for internal enterprise apps, not ISV products. EPC Group recommends App Owns Data for 100% of ISV implementations and provides architecture guidance to ensure proper service principal configuration, token lifecycle management, and capacity planning.

How do ISVs handle multi-tenant data isolation in Power BI Embedded?

Multi-tenant isolation in Power BI Embedded uses two primary patterns. Row-Level Security (RLS) multi-tenancy stores all tenant data in a single dataset and applies DAX filters based on a tenant identifier passed via the embed token — this is cost-effective and simpler to manage for up to 50-100 tenants with similar data structures. Workspace-per-tenant multi-tenancy creates isolated workspaces and datasets for each customer, providing complete data separation — required for compliance-heavy industries (HIPAA, SOC 2) or tenants exceeding 1 GB of data. A hybrid approach uses RLS for small tenants and dedicated workspaces for enterprise customers. EPC Group designs the isolation architecture based on regulatory requirements, data volume per tenant, and scalability targets.

Can ISVs white-label Power BI Embedded reports?

Yes. Power BI Embedded supports full white-labeling. ISVs apply custom themes (colors, fonts, logos) to match their application branding, hide the Power BI navigation pane and action bar, embed reports in custom page layouts using the Power BI JavaScript SDK, disable or customize the filter pane, and control which interactions users can perform (disable export, restrict drill-through, hide specific visuals). End users never see the Power BI brand unless the ISV chooses to display it. The embedded report looks and feels like a native feature of the ISV application. EPC Group builds custom React and Angular embedding components that provide seamless white-labeled analytics experiences for ISV clients.

How do I choose between Azure A-SKUs and Fabric F-SKUs for my ISV product?

For new ISV projects in 2026, EPC Group recommends Microsoft Fabric F-SKUs over legacy Azure A-SKUs. F-SKUs include all Power BI Premium features at F64 and above (paginated reports, AI visuals, large datasets, deployment pipelines, Copilot). F-SKUs support Direct Lake mode for near-real-time report rendering without scheduled refreshes. F-SKUs provide unified billing with other Fabric workloads (data engineering, data science). F-SKUs offer more granular scaling options (F2 through F2048). A-SKUs remain valid for ISVs already in production on Azure Embedded capacities or those needing pause/resume automation via Azure Resource Manager APIs. The key decision factor: if your ISV product already uses Azure data services, stay with A-SKUs for billing simplicity; if starting fresh, choose Fabric F-SKUs for the richer feature set.

What security certifications does Power BI Embedded support for ISV compliance?

Power BI Embedded inherits Microsoft Azure's comprehensive compliance certifications: SOC 1/2/3, ISO 27001, ISO 27018, HIPAA BAA, FedRAMP High, HITRUST, PCI DSS, and GDPR. For ISVs serving regulated industries, the key security layers are: Row-Level Security (RLS) for tenant data isolation enforced at the data engine level, Object-Level Security (OLS) for hiding sensitive columns or tables from specific user roles, embed token expiration (configurable, default 1 hour) with server-side generation preventing client-side tampering, Azure Private Link for network-level isolation, customer-managed encryption keys (BYOK) for data-at-rest encryption, and data residency controls via Azure region selection. EPC Group architects ISV embedded analytics solutions that meet HIPAA, SOC 2, and FedRAMP requirements with documented security controls for audit readiness.

Power BI Embedded for ISVs: Complete Guide

Power BI Embedded for ISVs: Complete Guide 2026

Last updated: 2026 · Read time: 12 min

Power BI Embedded gives ISVs (Independent Software Vendors) a way to embed interactive analytics directly into their commercial software. ISVs use the App Owns Data model with service principal authentication — end users never need Power BI licenses. This guide covers multi-tenant RLS, A/F-SKU pricing, embed token auth, and step-by-step implementation. Based on 200+ ISV projects.

Key facts

EPC Group: 200+ Power BI Embedded ISV projects delivered.
ISVs must use App Owns Data — not User Owns Data. End users of commercial software do not have Power BI licenses.
Fabric F-SKU replaces the deprecated A-SKU for all new ISV Embedded deployments.
Embed tokens expire after 1 hour — server-side token refresh is required for ISV applications.
Row-Level Security is the only supported method for tenant data isolation in a shared workspace. Misconfigured RLS exposes one customer's data to another.

Why App Owns Data is the only ISV option

ISV applications sell to customers who do not have Power BI accounts. User Owns Data requires every viewer to authenticate with Azure AD and hold a Power BI license. That model works for internal enterprise apps — not for commercial software sold to external customers.

App Owns Data uses a service principal. Your application authenticates on behalf of all users. Users see reports without ever touching Power BI or Microsoft authentication.

Multi-tenant architecture options

ISVs must decide how to isolate customer data before building the Embedded architecture. Choose based on your compliance requirements and tenant count.

Option 1: Shared workspace with RLS (recommended for 50–10,000 tenants)

All tenant data lives in one dataset. Row-Level Security filters data based on the embedding user's tenant ID. One workspace, one dataset, one capacity — low management overhead.

Efficient: one refresh pipeline for all tenants.
Cost-effective: one Fabric capacity covers all tenants.
Risk: RLS misconfiguration exposes data across tenants. Test RLS in every release.

Option 2: Isolated workspace per tenant (for regulated industries)

Each customer gets their own Power BI workspace and dataset. Required for HIPAA, SOC 2 Type II, and FedRAMP customers who have data isolation requirements.

Complete data isolation — no cross-tenant risk.
Higher management overhead — workspace automation required at scale (Azure DevOps + Power BI REST API).
Higher cost — more capacity needed per tenant at equivalent concurrency.

Option 3: Hybrid (recommended for mixed compliance tiers)

Standard tenants use shared workspace + RLS. Premium or regulated tenants get isolated workspaces. This is the most scalable architecture for ISVs serving both SMB and enterprise customers.

Security layers for ISV Embedded deployments

ISV Embedded security requires all 6 layers below. Missing any one creates compliance or data leakage risk.

Row-Level Security (RLS) — tenant data isolation enforced at the data engine level. Configured in the Power BI semantic model using DAX roles.
Object-Level Security (OLS) — hides sensitive columns or tables from specific user roles. Independent of RLS.
Embed token expiration — configurable, default 1 hour. Server-side token generation prevents client-side tampering.
Azure Private Link — network-level isolation for regulated industries. Prevents Power BI traffic from traversing public internet.
Customer-managed encryption keys (BYOK) — data-at-rest encryption with customer-controlled keys. Required for some HIPAA and FINRA deployments.
Data residency controls — Azure region selection for capacity determines where Power BI stores data. Required for EU data sovereignty compliance.

ISV branding and UI customization

ISVs embed Power BI inside their own application UI. Users should not see any Power BI branding.

Apply custom themes (colors, fonts, logos) using Power BI Desktop theme JSON files.
Hide the Power BI navigation pane and action bar using JavaScript SDK settings.
Embed reports in custom page layouts using the Power BI JavaScript SDK container configuration.
Disable or customize the filter pane to match your application's UX.
Control which user interactions are permitted: disable export, restrict drill-through, hide specific visuals.

Designing reports for embedded consumption

Reports embedded in an ISV application behave differently than reports viewed in the Power BI service. Design specifically for the embedded context.

Test in the actual application container size — not the Power BI Desktop canvas.
Use custom visual layouts for responsive design across different container dimensions.
Implement bookmarks and report events for application-controlled navigation (no Power BI page tabs visible).
Disable Power BI chrome elements (filter pane, page tabs) that conflict with your application's navigation.

Fabric F-SKU pricing for ISVs

Fabric F-SKU is the recommended capacity for ISV Embedded deployments. The A-SKU (Azure Embedded) is deprecated for new projects.

F2 ($263/month) — up to 4 GB memory. Suitable for development and small-tenant pilot deployments.
F4 ($526/month) — mid-market ISV deployment. Up to 50 concurrent users with standard report complexity.
F8 ($657/month) — growing ISV with 100–200 concurrent users.
F32 ($2,628/month) — large ISV with 500+ concurrent users. Supports Direct Lake mode.
F64 ($5,257/month) — enterprise ISV scale. HIPAA Trusted Workspace. Copilot integration. Highest performance SLA.

ISV capacity costs scale with tenant growth. Build capacity right-sizing reviews into your quarterly financial planning.

Step-by-step implementation flow

Follow these 7 steps in order. Steps 1–4 are architecture and security. Steps 5–7 are development.

Register an Azure AD application for service principal authentication.
Create a Power BI workspace and assign the service principal as a Member or Admin.
Build the semantic model with RLS roles for tenant isolation.
Test RLS with Power BI Desktop "View as Role" feature — verify no cross-tenant data is visible.
Generate embed tokens server-side using the Power BI REST API (/GenerateToken endpoint).
Embed the report in your application using the Power BI JavaScript SDK.
Implement server-side token refresh — rotate tokens before the 1-hour expiration to maintain user sessions.

Frequently asked questions

Do my customers need Power BI licenses for Embedded?

No. In the App Owns Data model, your ISV capacity covers viewer access. End users see reports through your application without a Power BI account. Report authors (ISV employees who build reports) need Power BI Pro licenses.

How do I ensure one customer can't see another customer's data?

Configure Row-Level Security in the semantic model. Set a DAX role that filters data to the tenant ID passed in the embed token. Test every RLS role using "View as Role" in Power BI Desktop before deploying to Production. Run automated RLS validation in your CI/CD pipeline.

What is the embed token and how do I generate it?

The embed token is a JWT that grants access to a specific report with a specific user identity. Generate it server-side using the Power BI REST API (/GenerateToken). Pass the token to the client-side JavaScript SDK. Implement a server-side refresh endpoint to rotate tokens before they expire (default: 1 hour).

Can I use Power BI Copilot in my ISV Embedded application?

Yes, on Fabric F64+ capacity with Copilot enabled. Your end users can ask natural language questions about the embedded report data without a Microsoft 365 Copilot license. EPC Group configures Copilot in Embedded as part of ISV implementation engagements.

Schedule an ISV Embedded consultation

EPC Group has delivered 200+ Power BI Embedded projects for ISVs across healthcare tech, fintech, HR software, and supply chain platforms. Talk to an architect about multi-tenant design, RLS patterns, and capacity planning. Call (888) 381-9725 or request a 30-minute discovery call.

Power BI Embedded for ISVs: Complete Guide 2026

Last updated: 2026 · Read time: 12 min

Key facts

EPC Group: 200+ Power BI Embedded ISV projects delivered.
ISVs must use App Owns Data — not User Owns Data. End users of commercial software do not have Power BI licenses.
Fabric F-SKU replaces the deprecated A-SKU for all new ISV Embedded deployments.
Embed tokens expire after 1 hour — server-side token refresh is required for ISV applications.
Row-Level Security is the only supported method for tenant data isolation in a shared workspace. Misconfigured RLS exposes one customer's data to another.

Why App Owns Data is the only ISV option

App Owns Data uses a service principal. Your application authenticates on behalf of all users. Users see reports without ever touching Power BI or Microsoft authentication.

Multi-tenant architecture options

ISVs must decide how to isolate customer data before building the Embedded architecture. Choose based on your compliance requirements and tenant count.

Option 1: Shared workspace with RLS (recommended for 50–10,000 tenants)

All tenant data lives in one dataset. Row-Level Security filters data based on the embedding user's tenant ID. One workspace, one dataset, one capacity — low management overhead.

Efficient: one refresh pipeline for all tenants.
Cost-effective: one Fabric capacity covers all tenants.
Risk: RLS misconfiguration exposes data across tenants. Test RLS in every release.

Option 2: Isolated workspace per tenant (for regulated industries)

Each customer gets their own Power BI workspace and dataset. Required for HIPAA, SOC 2 Type II, and FedRAMP customers who have data isolation requirements.

Complete data isolation — no cross-tenant risk.
Higher management overhead — workspace automation required at scale (Azure DevOps + Power BI REST API).
Higher cost — more capacity needed per tenant at equivalent concurrency.

Option 3: Hybrid (recommended for mixed compliance tiers)

Standard tenants use shared workspace + RLS. Premium or regulated tenants get isolated workspaces. This is the most scalable architecture for ISVs serving both SMB and enterprise customers.

Security layers for ISV Embedded deployments

ISV Embedded security requires all 6 layers below. Missing any one creates compliance or data leakage risk.

Row-Level Security (RLS) — tenant data isolation enforced at the data engine level. Configured in the Power BI semantic model using DAX roles.
Object-Level Security (OLS) — hides sensitive columns or tables from specific user roles. Independent of RLS.
Embed token expiration — configurable, default 1 hour. Server-side token generation prevents client-side tampering.
Azure Private Link — network-level isolation for regulated industries. Prevents Power BI traffic from traversing public internet.
Customer-managed encryption keys (BYOK) — data-at-rest encryption with customer-controlled keys. Required for some HIPAA and FINRA deployments.
Data residency controls — Azure region selection for capacity determines where Power BI stores data. Required for EU data sovereignty compliance.

ISV branding and UI customization

ISVs embed Power BI inside their own application UI. Users should not see any Power BI branding.

Apply custom themes (colors, fonts, logos) using Power BI Desktop theme JSON files.
Hide the Power BI navigation pane and action bar using JavaScript SDK settings.
Embed reports in custom page layouts using the Power BI JavaScript SDK container configuration.
Disable or customize the filter pane to match your application's UX.
Control which user interactions are permitted: disable export, restrict drill-through, hide specific visuals.

Designing reports for embedded consumption

Reports embedded in an ISV application behave differently than reports viewed in the Power BI service. Design specifically for the embedded context.

Test in the actual application container size — not the Power BI Desktop canvas.
Use custom visual layouts for responsive design across different container dimensions.
Implement bookmarks and report events for application-controlled navigation (no Power BI page tabs visible).
Disable Power BI chrome elements (filter pane, page tabs) that conflict with your application's navigation.

Fabric F-SKU pricing for ISVs

Fabric F-SKU is the recommended capacity for ISV Embedded deployments. The A-SKU (Azure Embedded) is deprecated for new projects.

F2 ($263/month) — up to 4 GB memory. Suitable for development and small-tenant pilot deployments.
F4 ($526/month) — mid-market ISV deployment. Up to 50 concurrent users with standard report complexity.
F8 ($657/month) — growing ISV with 100–200 concurrent users.
F32 ($2,628/month) — large ISV with 500+ concurrent users. Supports Direct Lake mode.
F64 ($5,257/month) — enterprise ISV scale. HIPAA Trusted Workspace. Copilot integration. Highest performance SLA.

ISV capacity costs scale with tenant growth. Build capacity right-sizing reviews into your quarterly financial planning.

Step-by-step implementation flow

Follow these 7 steps in order. Steps 1–4 are architecture and security. Steps 5–7 are development.

Register an Azure AD application for service principal authentication.
Create a Power BI workspace and assign the service principal as a Member or Admin.
Build the semantic model with RLS roles for tenant isolation.
Test RLS with Power BI Desktop "View as Role" feature — verify no cross-tenant data is visible.
Generate embed tokens server-side using the Power BI REST API (/GenerateToken endpoint).
Embed the report in your application using the Power BI JavaScript SDK.
Implement server-side token refresh — rotate tokens before the 1-hour expiration to maintain user sessions.

Key Facts

Power BI Embedded for ISVs: Complete Guide 2026

Key facts

Why App Owns Data is the only ISV option

Multi-tenant architecture options

Option 1: Shared workspace with RLS (recommended for 50–10,000 tenants)

Option 2: Isolated workspace per tenant (for regulated industries)

Option 3: Hybrid (recommended for mixed compliance tiers)

Security layers for ISV Embedded deployments

ISV branding and UI customization

Designing reports for embedded consumption

Fabric F-SKU pricing for ISVs

Step-by-step implementation flow

Frequently asked questions

Do my customers need Power BI licenses for Embedded?

How do I ensure one customer can't see another customer's data?

What is the embed token and how do I generate it?

Can I use Power BI Copilot in my ISV Embedded application?

Schedule an ISV Embedded consultation

Ready to get started?

Key Facts

Power BI Embedded for ISVs: Complete Guide 2026

Key facts

Why App Owns Data is the only ISV option

Multi-tenant architecture options

Option 1: Shared workspace with RLS (recommended for 50–10,000 tenants)

Option 2: Isolated workspace per tenant (for regulated industries)

Option 3: Hybrid (recommended for mixed compliance tiers)

Security layers for ISV Embedded deployments

ISV branding and UI customization

Designing reports for embedded consumption

Fabric F-SKU pricing for ISVs

Step-by-step implementation flow

Frequently asked questions

Do my customers need Power BI licenses for Embedded?

How do I ensure one customer can't see another customer's data?

What is the embed token and how do I generate it?

Can I use Power BI Copilot in my ISV Embedded application?

Schedule an ISV Embedded consultation

Ready to get started?