Explicit Measures Podcast 512: Publish to Web vs. Embedded – Security & Public-Facing Reports
Mar 19, 2026
They dig into security differences between public Publish to Web and Power BI Embedded. They debate whether embedding truly protects data when no authentication is used. They compare how row-level security and URL filters behave under each approach. They discuss workspace best practices, licensing tradeoffs, scalability, and when to keep data private or aggregate before publishing.
AI Snips
Chapters
Transcript
Episode notes
Lock Down Publish To Web Workflow
- Do restrict who can publish to web and create a dedicated workspace for public reports to avoid accidental leaks of internal data.
- Mike recommends limiting publish-to-web permission, training authors, and using one workspace as the single source for public items.
Embedding Versus Publish To Web Authentication
- Embedded always requires authentication so a public iframe using standard embedded will prompt sign-in and won't work anonymously.
- Tommy clarifies embedded enforces Entra ID authentication unless you implement external identity for app-owned scenarios.
Use Secure Embed To Enforce Row Level Security
- Do use secure publish (secure embed) or pure embedding when you need row-level security because anonymous publish-to-web cannot enforce RLS.
- Mike says secure publish requires users in Entra ID so RLS can map identities to rules before rendering.