Why you shouldn’t use Power BI “Publish to web” and what to use instead

In this blog post I will try and guide you through Power BI’s functionality Publish to web as well as the security aspects of sharing your data. How does it work, when should I and when shouldn’t I use it?

What is it?

Power BI’s Publish to web functionality has been widely used since it’s release to general availability in 2016. This is a great feature for businesses or people wanting to share their reports to others in an easy way and at low cost, since it requires no extra licensing and minimal development work.

With only a few clicks you get a shareable link or even a ready to go iframe html script which you can use to post on simply any website. It doesn’t get much easier then this to share your insights with the world. Not only is it easy to work with, it is also completely free as it doesn’t require any additional licensing to use. You can even use this function with the free license of Power BI, meaning you can create and share your insights to the world at no cost at all. However using this function comes with some possible pitfalls.

Accessing Publish to web function
With only a few clicks you have your links ready to go

Before I explain more about when to be careful, let me tell you a few examples for when this functionality could be useful.

  • Maybe you want to show your beautiful reports to the world on your own blog using open data sources?
  • Businesses can share their public data on their website for everyone to see and present it in an interactive way with all the benefits coming from Power BI – but without any extra licensing. As a great example – Microsoft are using it to present their quarterly financial statements. You can find it here.
  • Journalists and news sites can easily build up and present interactive data stories with the power of Power BI.

During the last couple of years I’ve been seeing a lot of discussions about using the publish to web function. Some people use it within their businesses to share reports and insights with their organisation. In these situations, the reports are often added on a sharepoint or intranet site and therefore closed behind authentication and locked doors… At least that is what many think.
This is where the title comes into play, Why you should’t use Power BI “Publish to web” function.

When using the publish to web functionality, the user are faced with a warning informing that the data they are about to publish can be accessed by anyone on the internet. Hopefully users take this seriously, especially in cases when the data they are about to publish contains sensitive or confidential information in some form.

Warning message when creating an embedded link using publish to web function

This is exactly what could happen and you should be taking this information seriously even when you do not have the intention to share the link directly with anyone that shouldn’t get access to the data.

Why/when you shouldn’t use Publish to web

So why is it a risk? Well, whenever you are creating an embedded link through Publish to web, what is actually happening is that the report gets a generated web url that is unique for that report only. This link could then be shared with your colleagues or put in an iframe html script to embedd it on a webpage.
Whenever a public url is created, it should always be defined as accessible by everyone and anyone, even if you haven’t physically shared it with anyone as there are many ways to search and crawl the internet for web urls.
Let me show you an example and use a simple google search that will give you all the information needed. Try this google search for example:
https://www.google.com/search?q=site%3Aapp.powerbi.com%2Fview%3F

This search will give you url:s which are generated from the Power BI publish to web function. At the time of writing this post, the search result gives around 67 300 results. That is more then 67 thousand Power BI reports accessible by anyone knowing how to search properly using google, or any other search engine.
Lets only hope that all these reports are published with the knowledge that anyone can access it, and that they do not contain any sensitive data. However, my guess is that this is not the case.

So, I now hope I got your attention on why you should never use publish to web function when wanting to share sensitive data to anyone using Power BI, and lets get over the the part of what you should use.

What should I use?

This question doesn’t have one answer as there are multiple ways on how to share your reports throughout your organisation, or even outside of it. All methods having different pros and cons depending on your specific need. Below I will go through most of the methods briefly. One thing which are same throughout all methods is that it will require some form of licensing if you want to apply security and control how and to whom your data is being shared.

  • Using Power BI share functionality. This enables you, who have a Power BI Pro license, to share your reports or dashboards to other users within your organisation. The users who want to be able to see the shared reports also needs to have a Power BI Pro license. This way you can control exactly who you want to be able to see your data.
  • Using Power BI workspaces and Power BI Apps. This can be used with either Power BI Premium capacity or Power BI Pro licenses. This way you can collaborate and administrate reports and dashboards together with other colleagues before distributing to either single users, groups or the entire organisation. When sharing Power BI apps that are using dedicated capacity through Power BI Premium, end users does not require any licencing for reading since they are covered by the the Power BI Premium capacity.
  • Using Secure Embed. This is a function that was released in January 2019 (you can read the announcement on the Power BI blog here) and behaves pretty much the same way as the publish to web function, meaning you can publish the report on a web page or portal. However it has one major difference as It is using Azure AD authentication, which means that you need to log in to your Azure AD account (powerbi.com) and have the report shared with you to be able to see it’s content. This also means that any user wanting to get access to the report needs to have at least a Power BI Pro license in order to access the report.
  • Using Power BI Embedded capacity. This can be used whenever you want to truly embed your reports or dashboards into your web page or any other application. It also gives you the option to build custom applications and views since it is using the Power BI REST and JavaScript API’s. This, however, will require some additional development work since you need to build it into your application. There are no single links to use which will give you a nicely embedded report as it does in the publish to web function. Furthermore Power BI embedded can be used to also securely share content to people outside of your organisation, even applying row level security and it doesn’t require any additional user licensing like Power BI Pro for end users since they are covered by the embedded capacity.

Why is it called Publish to web?

This is a great question and one I cannot answer, however I believe that the name could be somewhat confusing to a lot of users, especially those with low experience with the platform. And since it’s so easy for users to activate the function, damage could in some cases be done without users knowing it, if the function isn’t disabled by the Power BI Administrator on beforehand.

There is a great user voice idea posted by Jorge Segarra which suggest that the function should be renamed to a better suitable name. You should go vote for it!
https://ideas.powerbi.com/forums/265200-power-bi-ideas/suggestions/36330670-rename-publish-to-web

We have now come to the end, and I hope that this blog post have given you enough information on the risks of using the Publish to web functionality but also in which cases it could be used with great benefit. Furthermore I have given some examples on what you should use when searching for a way to share your content within (or outside of) your organisation.

Please let me know in the comments if you have any questions or comments. I would love to read your thoughts on this.

6 thoughts on “Why you shouldn’t use Power BI “Publish to web” and what to use instead”

  1. I am pretty sure embedded needs pro licence to be viewed by other users

    This year I tried and that wasn’t working because other colleagues hadn’t pro licences

    Reply
    • Hi and thank you for reading.
      You are correct, however, Power BI Embedded comes with two ways to embed.
      The method you are referring to are called “User owns data” or simply embedding for your organisation. This is simply put a way to extend your Power BI Service through the embedding API and does require Power BI Pro licensed for all viewers as you mentioned.
      The other method is called “App owns data” which is a way to embed for external users who do not have a Power BI pro license or even an Azure AD account in your tenant.
      You can read more about it here: https://docs.microsoft.com/en-us/power-bi/developer/embed-sample-for-customers

      Reply
  2. Great blog post! Very informative with a nice list of options to use instead of the publish to web feature.
    A couple of months ago I created a ‘gallery’ of publicly published reports, you can find it on my blog here:
    https://www.moderndata.ai/2018/10/daves-gallery-of-public-reports/

    I’d like to comment that a part of the state information is incorrect:
    “Using Power BI Premium capacity with the share functionality. This enables you to share your reports in the same way as the first option, but it doesn’t require the users reading your reports to have a Power BI Pro license since they are covered by the Power BI Premium capacity.”
    If you share a report or dashboard using the ‘direct sharing’ capability (the Share button), the users still need a Pro licens. Only if you share the content via an App takes away this requirement.

    Furthermore it would be better to specify that the Azure Power BI Embedded option does require a license/product/service, but does not require additional per-user licenses (thus no Power BI Pro license per viewer).

    Reply

Leave a Comment