If you ever wanted to try and use capabilities and features provided by Power BI Premium license, now is the time. Starting early Nov 2020 Microsoft Power BI team will be rolling out a new license type in preview. This new license is named: Power BI Premium Per User.
What is Power BI Premium Per User?
In our last post, we touched on two existing Power BI licenses: Power BI Pro and Power BI Premium. If you remember Power BI Premium is a capacity license. If you purchase 1 capacity of this license you can server consumption needs of 450 readers. Read the old post to understand this calculation. But then you have to pay a heft fee of close to $5000 per capacity per month.
Small and mid-size businesses who want to utilize the power of AI, paginated reports, more frequent refreshes, deployment pipelines, and many more features provided by Premium license today got demotivated by just hearing the price.
Power BI Premium per user is a new way to license premium features on a per user basis. With this new license, you get all the capabilities of a pro license along with premium features.
Power BI Pro and Power BI Premium are at the extreme ends of the spectrum. With Power BI Premium per user the gap fills (though only little).
What’s the difference between Power BI Premium and Power BI Premium Per User?
There are some differences. You can check the table below by Microsoft.
But there are still report sharing constraints which are outlined in the table below. Example: If you create and share a report in a workspace marked as PPU, a Pro user cannot view/access that report. So you will need all the users to have PPU license to “view” the report.
What’s the price for the Power BI Premium per user?
There is no official news on the price by Microsoft. However, the good news is it will be free to use in the preview period.
As per official source: “Premium per user will be uniquely affordable and highly competitive among individual user offerings in the industry”
We also don’t know if there will be a min. requirement for the number of PPU licenses.
What’s our thought?
Microsoft clearly says this new license will address the needs to provide a low cost entry point to get access to premium features. However, there will still be more cries than smiles when it comes to users who just need read access. Procuring a Pro or PPU license for them doesn’t make sense even now.
Have more questions?
Head to Microsoft official post on this to know more about scenarios and questions around this.
In our last post we talked about Power BI Pro and Power BI Premium. To recap, Power BI Pro is a per use license and is more towards content creation and consumption. On the other hand, Power BI Premium is a capacity license and is more for content consumption.
Rather than assigning a Pro license to every individual in your org, you can assign a premium capacity to a workspace to support large number of content viewers.
In this post we will tackle another Power BI offering – Power BI Embedded.
Power BI Embedded
Power BI Embedded is a Microsoft Azure service that lets independent software vendors (ISVs) and developers quickly embed visuals, reports, and dashboards into an application. This embedding is done through a capacity-based, hourly metered model.
Power BI Embedded is an offering by Microsoft where you can embed Power BI visuals, reports, and dashboards in a custom application or in associated Microsoft Services like Teams or SharePoint Online.
How does Power BI Embedded look like in reality?
Ok, here’s a screenshot of a Power BI report embedded inside a custom application. By custom application I mean an application which is not app.powerbi.com. It can be a plain vanilla website or a WordPress website or can be a heavy application with Reporting and Analytics section.
In the screenshot below, the sections highlighted in red are part of the custom application. The “SALES PERFORMANCE REPORT” or the part highlighted in green is the Power BI report securely embedded in the application.
You can embed a visual, report, dashboard and Q&A. We have used “report” as a general content for embedding. But the description apply to any of the contents.
How can I embed a Power BI report?
There are 3 ways to embed a Power BI report.
Publish to web. Simplest (and not secure) way of embedding is publishing your Power BI report to web for public access. Note: Anyone with the URL will have access to your report.
No-code Embedding – Simplest and secure. This approach gives you a secure URL to the Power BI report which you can put in your application. However, this will prompt you for Org authentication.
What licensing do I need to support Power BI Embedding?
Now, that’s a tricky question. For embedding you can choose – P SKU, EM SKU or A SKU.
The licensing to go for really depends on your specific scenario. The general answer to choosing the SKU is “where” the content will be consumed.
If the Power BI content will be consumed in a custom application then choose A SKU**
Choose EM SKU if the Power BI content will be consumed in Teams or SharePoint online (SPO).
Choose P SKU if the Power BI content will be consumed in a custom application or Teams or SPO.
**You can even choose a P SKU if you are an enterprise or a Large ISV.
The P SKU is an umbrella SKU which not only gives embedding capabilities but additional feature sets including large read users, AI features, and other enterprise features.
Typically, enterprises go with P SKUs.
How are P, EM and A SKUs different in terms of performance?
Here’s a quick summary of each of the SKUs node performance:
So an A4 node is same as a P1 node in terms of performance.
It is generally suggested to start with A1 to test and benchmark your capacities, and then take necessary steps to increase the capacity.
Is Power BI Embedded free to use?
No. For production workloads you have to choose from either of the licensing types. For dev workloads, yes you can embed without purchasing a capacity. However, you may hit the token limits and reports may not render.
Before investing your budgets in a modern BI tool for your organization, we strongly advise to evaluate your BI vendors security and architecture. Whether the tool is Power BI, Tableau, Qlik or Looker, each of these tools provide a cloud BI solution for your needs.
You have cloud and on-premise versions. Using the cloud version offers several known advantages. However, data security becomes the key. There are several questions that might be bothering you.
Is my data secure?
Where is my data stored?
What security options and best practices does the vendor implement?
How is the data movement?
Is the data encrypted? What all is encrypted?
Does this sound like you?
If you are looking for answers to above questions or evaluating Power BI as your go to modern Enterprise BI tool, I invite you to read Power BI security whitepaper which talks about Power BI security and architecture in detail.
Power BI is a SaaS platform by Microsoft hosted on Azure. It uses Azure services for its operation. There are Web Front End clusters and Back End clusters.
Front End cluster
The frontend cluster (WFE) is responsible for initiation and authentication to the Power BI service, sending static files and content.
Back End cluster
The Back-end cluster role comes into play once the authentication is done. This cluster is responsible for data, storage, visualization, connections, refresh, and other user interactions etc.
The Back End cluster is the heart. If you consider your data as your asset, then the Back End cluster is a critical asset.
You should particularly focus on items to the left of the dotted line above and items to the right of the dotted line. A request to get data, dashboards or reports goes to “Gateway Role” only. This Gateway Role decides where to route the request.
Snippet from the security paper:
The Gateway Role acts as a gateway between user requests and the Power BI service. Users do not interact directly with any roles other than the Gateway Role.
Important: It is imperative to note that only Azure API Management (APIM) and Gateway (GW) roles are accessible through the public Internet. They provide authentication, authorization, DDoS protection, Throttling, Load Balancing, Routing, and other capabilities.
The dotted line in the Back-End cluster image, above, clarifies the boundary between the only two roles that are accessible by users (left of the dotted line), and roles that are only accessible by the system. When an authenticated user connects to the Power BI Service, the connection and any request by the client is accepted and managed by the Gateway Role and Azure API Management, which then interacts on the user’s behalf with the rest of the Power BI Service. For example, when a client attempts to view a dashboard, the Gateway Role accepts that request then separately sends a request to the Presentation Role to retrieve the data needed by the browser to render the dashboard.
Top questions asked by customers
Where is my data stored?
The data that you upload along with Power BI Report (PBIX) is stored in Azure Blob Storage. The metadata – data about dashboards, reports, refresh cycles etc. is stored in Azure SQL Database.
The data is stored in the region same as the Power BI tenant’s region.
In the Power BI service, data is either at rest (data available to a Power BI user that is not currently being acted upon), or it is in process (for example: queries being run, data connections and models being acted upon, data and/or models being uploaded into the Power BI service, and other actions that users or the Power BI service may take on data that is actively being accessed or updated). Data that is in process is referred to as data in process. Data at rest in Power BI is encrypted. Data that is in transit, which means data being sent or received by the Power BI service, is also encrypted.The data at rest and in transit is encrypted.
Source: Power BI Whitepaper
Is Power BI Pro secure?
Power BI Pro is a shared environment. The Frontend and backend clusters could be shared between customers. Azure Blob Storage and Azure SQL Database could be shared between customers.
Is Power BI Premium secure?
When you initiate a Power BI Premium subscription, behind the scenes the back-end clusters are deployed to dedicated VMs. These VMs are dedicated to you and should not be shared between customers.
What happens when I login to app.powerbi.com?
Check this section in the whitepaper to know what happens behind the scenes when you try to access app.powerbi.com
All Power BI features in one page?
Check out this blog to see all Power BI features in one page!
Power BI is a great Modern BI tool. When evaluating Power BI for Enterprises, we walk them through the architecture and security implementations in Power BI. This boosts enterprise customer confidence to take next big step in modernizing their reporting and analytics.
Don’t hesitate to contact us today if you are looking for Power BI Enterprise deployment or want us to evaluate Power BI as your go to modern Enterprise BI tool.
Power BI Premium Per User (new!! – read the post here)
In this post we will cover Power BI Pro and Power BI Premium licensing model.
The licensing model to go with is determined by following three factors:
Number of users (creators, viewers, occasional viewers)
The first two factors are the most critical in deciding the licensing model.
It’s a choice between multiple Pro licenses or multiple Premium licenses.
What is Power BI Pro/Power BI Premium?
A Power BI Pro is a per user license currently costing around $10 per user per month, while Power BI Premium is a capacity license currently costing around $5000 per capacity node per month.
Yes, the cost difference is huge. But, wait, there are lots of things hidden in that $5000.
Power BI Premium is a capacity license. It can support 450 users report viewing needs (see example below)
Power BI Premium is for content consumption rather than content creation
Large number of external readers (out of org users with no Power BI license)
AI, Paginated reports, XMLA read/write and many other features
Note: With 1 Premium capacity node you get 8 cores, 25 GB RAM and 6 parallel refreshes.
What does all this mean?
If you want to create, author and publish reports, you definitely need Power BI Pro licenses. You cannot get away with that. Whether to go with Power BI Premium or not, it depends.
Say, if you have 500 users in your org and out of 500 users
50 users will be creating content
200 users will be frequently accessing the content
250 users will be occasionally accessing the content
Then, you require
50 Power BI Pro licenses
1 Premium capacity node
With the premium capacity node we can serve the “consumption” needs for 450 users.
How did we come up with that conclusion? A simple Power BI Premium calculator is available to help us decide number of licenses (link below).
But, say your org has 100 users with 50 creating content and 50 viewing, it’s recommended to go with 100 Pro licenses (total cost $1000 per month) than a premium capacity node unless you need additional features like AI, external readers etc.
Power BI Premium vs Power BI Pro – Which licensing model should I choose? The answer is here!
Power BI premium also comes with additional feature sets including AI, Incremental refresh, Power BI Report Server, Paginated (SSRS types) reports, XMLA read/write and others – or better to say Enterprise features.
Power BI Pro vs Power BI Premium
If you need a quick comparison between Power BI Pro and Power BI Premium feature sets, please check this table provided by Microsoft. (Click the image to view the entire table)
Phew! Finally, we were able to resolve the error “Request is not a valid SAML 2.0” when embedding Power BI Reports with federated authentication. It took us some time but thanks to the wonderful Microsoft support team who worked with us in debugging and isolating the issues.
Our scenario: Enterprise customer with Power BI Premium capacity planning to embed Power BI reports in an internal application using “App Owns Data” approach. There are scenarios why would you embed for enterprises (also called as organizational embedding), and scenarios why would you use “App Owns Data” approach over “User owns Data” approach. More about this in another blog post.
Ok, then why this error? How to solve it?
Why this error:
When you authenticate using master account the request goes to a federated server (in this case customer’s Identity Provider (IdP)), the IdP validates the credentials, sends back SAML assertion and TokenType, the Azure AD .NET libraries check the TokenType and assigns granttype. This granttype and SAML assertion is sent to Azure AD for confirmation.
In our particular case, the PingFederate Identity server was using a TokenType which Azure AD .NET SDK assumed to be of 2.0 and hence tagged granttype as “2.0” (urn:ietf:params:oauth:grant-type:saml2-bearer). But the assertion was not 2.0, it was actually 1.1.
Hence the error – Request is not a valid SAML 2.0 protocol message.
How to solve this error?
There are two ways to solve this error:
Create a cloud account on customer’s tenant which would not be federated (simple solution), example: firstname.lastname@example.org
Create SAML requests manually, fire to your IdP, modify the TokenType in the code and send this request to Azure AD. You will have to bypass using Azure AD libraries and construct your own requests. (complex solution)
We went ahead with solution 1, used this cloud account as our master account and were able to successfully embed the reports in enterprise internal applications.