Giving external customers access to data in a Power BI Embedded dashboard is a common requirement in SaaS and multitenant applications.
The solution described here uses a service principal and a managed identity to authorize those external users.
Managed identities give applications an automatically managed identity in Azure AD to use when connecting to resources that support Azure AD authentication.
The solution can be implemented with either a system-assigned or a user-assigned managed identity.
To implement the solution:
Define a user-assigned managed identity (in a managed application).
Grant the user-assigned managed identity the privileges it needs on the Power BI Embedded dashboard.
The solution builds on two concepts you need to be familiar with in order to implement it: service principals and managed identities.
Here is some background on each:
Service principal usage for multitenant apps in Power BI Embedded:
The linked article explains in detail how an ISV, or any other Power BI Embedded app owner with many customers, can use service principal profiles to map and manage each customer's data as part of an embed-for-your-customers solution.
That article gives the full details, mentioning a user-assigned or system-assigned managed identity only as an option.
Azure Managed Identities is a service that lets Azure resources authenticate to cloud services without storing credentials in code or configuration files. It does this by giving the resource a unique identity in Azure Active Directory (Azure AD), which can then be used to authenticate to any service that supports Azure AD authentication. You can read more about managed identities here.
You can use either a system-assigned managed identity or a user-assigned managed identity.
When you create a managed identity, Azure creates a service principal for it in the Azure AD tenant. That service principal must be configured just like any other service principal to access the Power BI REST API and workspaces.
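The two steps above (grant the identity access to the workspace, then let the app use it against the Power BI REST API) as an added example; this is not code from the original post or from Microsoft. It assumes the user-assigned managed identity has already been created (for example with `az identity create`), that its object id and client id are known, that the tenant admin setting allowing service principals to use Power BI APIs is enabled for a security group containing the identity, and that the app runs on an Azure host with the identity attached. All GUIDs are placeholders; `managed_identity_token` uses the azure-identity package, while the request builders use only the standard library so they can be exercised offline.

```python
"""Managed identity + Power BI REST API: workspace authorization and embed token.

Step 1 (outside this script): create the identity, e.g.
    az identity create --resource-group <rg> --name <identity-name>
and record its principal (object) id and client id.
Step 2: a workspace admin adds that service principal to the customer workspace.
Step 3: the app, running as the managed identity, requests an embed token that
is scoped to one customer's report/dataset and carries an RLS effective identity.
"""
from __future__ import annotations

import json
import urllib.request

POWERBI_API = "https://api.powerbi.com/v1.0/myorg"
# Scope used by azure-identity / MSAL to obtain a token for the Power BI REST API.
POWERBI_SCOPE = "https://analysis.windows.net/powerbi/api/.default"

ACCESS_RIGHTS = {"Admin", "Member", "Contributor", "Viewer"}


def managed_identity_token(client_id: str) -> str:
    """Acquire a Power BI access token as the user-assigned managed identity.

    azure-identity is imported lazily so the rest of the module imports offline.
    No secret is stored anywhere: the token comes from the host's identity endpoint.
    """
    from azure.identity import ManagedIdentityCredential  # pip install azure-identity

    credential = ManagedIdentityCredential(client_id=client_id)
    return credential.get_token(POWERBI_SCOPE).token


def workspace_user_request(workspace_id: str, principal_object_id: str,
                           access_right: str = "Member") -> tuple[str, dict]:
    """Build the 'Groups - Add Group User' call that grants the managed identity's
    service principal (principalType 'App') a role on a workspace.

    This call must be made with a workspace admin's token: the identity cannot
    grant itself access. Prefer the least role that the embed scenario needs.
    """
    if access_right not in ACCESS_RIGHTS:
        raise ValueError(f"unknown access right: {access_right}")
    url = f"{POWERBI_API}/groups/{workspace_id}/users"
    body = {
        "identifier": principal_object_id,  # object id of the identity's service principal
        "principalType": "App",
        "groupUserAccessRight": access_right,
    }
    return url, body


def embed_token_request(report_id: str, dataset_id: str, workspace_id: str,
                        customer_username: str | None = None,
                        rls_roles: list[str] | None = None,
                        profile_id: str | None = None) -> tuple[str, dict, dict]:
    """Build the 'Embed Token - Generate Token' call for embed-for-your-customers.

    The token is limited to the listed report, dataset and workspace. When a
    customer_username is given, an effective identity is attached so row-level
    security filters the data to that customer. profile_id selects a service
    principal profile (one per tenant) via the X-PowerBI-Profile-Id header.
    """
    headers = {"Content-Type": "application/json"}
    if profile_id:
        headers["X-PowerBI-Profile-Id"] = profile_id
    body: dict = {
        "datasets": [{"id": dataset_id}],
        "reports": [{"id": report_id}],
        "targetWorkspaces": [{"id": workspace_id}],
    }
    if customer_username:
        body["identities"] = [{
            "username": customer_username,
            "roles": rls_roles or [],
            "datasets": [dataset_id],
        }]
    return f"{POWERBI_API}/GenerateToken", headers, body


def call_powerbi(url: str, token: str, body: dict, headers: dict | None = None) -> dict:
    """POST a JSON body to the Power BI REST API with a bearer token."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST")
    req.add_header("Authorization", f"Bearer {token}")
    for name, value in (headers or {"Content-Type": "application/json"}).items():
        req.add_header(name, value)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    # Placeholder ids; real values come from `az identity show` and the Power BI portal.
    MI_CLIENT_ID = "00000000-0000-0000-0000-000000000001"
    WORKSPACE_ID = "00000000-0000-0000-0000-0000000000aa"
    REPORT_ID = "00000000-0000-0000-0000-0000000000bb"
    DATASET_ID = "00000000-0000-0000-0000-0000000000cc"

    token = managed_identity_token(MI_CLIENT_ID)
    url, headers, body = embed_token_request(REPORT_ID, DATASET_ID, WORKSPACE_ID,
                                             customer_username="customer-42",
                                             rls_roles=["Customer"])
    print("embed token issued:", call_powerbi(url, token, body, headers)["token"][:12], "...")
```

The one-time `workspace_user_request` call is deliberately kept separate from the app path: it needs an admin's token and should be done once per customer workspace during onboarding, while the embed-token request runs on every page load under the managed identity and never sees a stored credential.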
Although this solution is not yet fully documented (and not listed here), a similar solution has been documented for use with Azure Stream Analytics.
There is a UI issue: the friendly name of the service principal is not displayed once the access pane is closed and reopened, which makes it harder to track.
Thanks to Ted Pattison and Yoav Dobrin for the help.