Reporting Hub Architecture
Last updated
Last updated
The Reporting Hub is an Azure-based application that is installed and deployed within your Azure environment. It integrates with your existing Microsoft tenant and communicates with Power BI Embedded via Microsoft APIs. The following Azure services are required to run the Reporting Hub:
Power BI Embedded or Fabric Capacity
Azure App Service
Azure SQL Database
Below is a diagram highlighting the high level architecture.
The Reporting Hub communicates with Power BI Embedded via Microsoft APIs. The below list includes the key communication areas:
Connects to authorized Power BI Workspaces, Reports and Dashboards
Applies Row-level-security (RLS) based on authenticated user
Built-in capacity optimizer manages Power BI Embedded Capacity availability based on usage
Connections to data sources are established through Power BI
Works with all Power BI Embedded, Fabric and Power BI Premium Microsoft licenses
Important: Your data is NEVER accessed by, made available to, or, stored within the Reporting Hub web application.
Microsoft Entra ID (formerly called Azure Active Directory or AAD) is the default authentication method for the Reporting Hub. Entra ID B2B allows you to add guest users (outside of your tenant). Users and Groups are managed in Entra ID and are used to provide access to navigation options, reports and row-level security.
Note: The Reporting Hub also supports Okta, OpenID Connect & Auth0 authentication schemes. See Authentication Adminfor more information.
Power BI Embedded is the Microsoft license required to share Power BI content with un-licensed users. Your embedded capacity is applied to the Power BI workspaces you wish to make available to the Reporting Hub.
The Reporting Hub is a stand-alone application instance installed directly within your Azure environment. An Azure App Service is required to 'host' the application.
All the Reporting Hub application configuration data (logos, themes, navigation, report security, and audit logs) are stored in this Azure SQL Database.
The Reporting Hub license manager is a separate application that runs within the Reporting Hub Azure environment. Your locally deployed Reporting Hub application instance periodically communicates with the license manager to validate subscription.
Important: Communication between your application and the Reporting Hub license manager is a simple ping via strongly encrypted keys. No data of any kind is stored with the license manager. The Reporting Hub license manager can request and read the locally deployed Reporting Hub instance application log files by default. Read access to the application log files can be disabled and blocked by the customer if desired.
For more information on the Azure services required please reference:
Required Azure Services