How is a Power BI engagement priced for enterprise workloads?

Pricing is modeled against three variables: the complexity of the semantic layer, the volume and velocity of source data, and the governance footprint required after go-live. A scoped implementation typically runs as a fixed-fee discovery sprint followed by a time-and-materials build, because dataset refresh patterns and row-level security rules almost always evolve once real user personas review early drafts. Licensing is separated from consulting fees and mapped against Power BI Pro, Premium Per User, and Fabric capacity SKUs so finance teams can plan capacity uplift independently of delivery cost. A typical mid-market rollout lands between 120 and 480 consulting hours across data modeling, DAX optimization, report design, and deployment pipelines. Fabric workloads add capacity sizing sessions to avoid over-provisioning F-SKUs on day one.

How long does a production-ready Power BI rollout take?

A single subject-area workspace with a conformed star schema, deployment pipeline, and row-level security ships in roughly six to eight weeks once source access is granted. Multi-domain rollouts that span finance, operations, and customer analytics typically run three to five months because the semantic model has to reconcile calendar, product, and organizational hierarchies that rarely align across source systems. Fabric lakehouse projects add four to six weeks for medallion design, Direct Lake tuning, and OneLake shortcut setup. Timelines compress when an authoritative data dictionary already exists and lengthen when stakeholders are discovering definitions (for example, what counts as "active customer") for the first time. Governance, training, and center-of-excellence enablement are run in parallel rather than sequentially.

What delivery methodology do you use for Power BI and Fabric projects?

Delivery runs on a five-stage pattern: Discover, Model, Visualize, Operationalize, and Enable. Discover captures questions stakeholders actually want answered, not just source tables. Model builds a Kimball-style star schema (or a medallion lakehouse in Fabric) with conformed dimensions and documented grains. Visualize produces reports against a shared theme file, applies accessibility tokens, and uses bookmarks and field parameters instead of bespoke page duplication. Operationalize wires up deployment pipelines, dataset refresh monitoring, and Azure DevOps or GitHub source control via TMDL. Enable delivers hands-on training for citizen developers and a lightweight center-of-excellence charter. Each stage ends with a demo and a written acceptance checklist, so scope creep is visible before it becomes rework.

How do you secure sensitive data inside Power BI reports?

Security is layered rather than relying on a single control. Row-level security and object-level security are enforced inside the semantic model using DAX filter expressions driven by Entra ID group membership, so filters survive refresh and cannot be bypassed by report-level tricks. Sensitivity labels from Microsoft Purview are applied at dataset and report scope and follow exports into Excel and PDF. Workspace roles follow a least-privilege pattern (Admin, Member, Contributor, Viewer) and are granted to Entra ID groups, never individuals. Private endpoints and VNet data gateways keep on-premises sources off the public internet, and tenant-level settings restrict publish-to-web, external sharing, and guest access. Every production dataset is audited quarterly against a written RLS test plan.

Can existing Excel and Tableau reports be migrated into Power BI?

Yes, but a migration is an opportunity to redesign rather than a literal port. Excel financial models usually translate cleanly into a semantic model: named ranges become dimensions, pivot tables become matrix visuals, and SUMIFS chains become well-formed DAX measures with variables. Tableau workbooks require more interpretation because Tableau extracts and Power BI datasets have different refresh and relationship semantics; calculated fields are rewritten as DAX, LOD expressions become CALCULATE patterns, and dashboard actions are rebuilt using bookmarks and drillthrough. A discovery audit catalogs every report, ranks them by business value, and retires the long tail of duplicates before migration starts. This typically reduces the report estate by 30–50 percent.

How do you optimize DAX performance on large semantic models?

DAX performance starts with the model, not the measure. Star schemas with integer surrogate keys, single-direction relationships, and calculated columns materialized in Power Query outperform ambiguous snowflakes every time. Measures are written using variables (VAR/RETURN) to avoid repeated context transitions, and expensive patterns like FILTER over entire tables are replaced with KEEPFILTERS and Boolean filter arguments. Aggregation tables and composite models offload detail-level queries from imported caches to Direct Lake or DirectQuery sources. Every measure that appears in a production report is profiled with DAX Studio and VertiPaq Analyzer; queries above a 2-second threshold on representative hardware are rewritten before release. Fabric capacity metrics are reviewed weekly to catch runaway refreshes and interactive CPU spikes.

Do you support Microsoft Fabric, OneLake, and Direct Lake workloads?

Fabric is now the default landing zone for new analytics workloads unless a client has a specific reason to stay on legacy Power BI Premium capacity. Engagements cover medallion architecture design in lakehouses, data engineering pipelines built in Fabric notebooks or Dataflows Gen2, shortcut-based integration with Azure Data Lake Storage and Amazon S3 through OneLake, and Direct Lake semantic models that skip import refresh entirely. Capacity sizing is based on measured workload patterns rather than vendor rules of thumb, and F-SKU scaling is automated through Azure Logic Apps or the Fabric REST API so off-hours costs stay predictable. Copilot in Fabric is configured with tenant-level data boundaries and audit logging before it is enabled for end users.

What training and enablement do end users receive after go-live?

Training is tiered by persona. Report consumers get a 45-minute guided tour covering filters, bookmarks, subscriptions, and mobile access. Analysts get a three-session workshop on self-service semantic model extensions, composite models, and publishing to workspaces that follow the governance pattern. Data modelers receive a two-day immersion on star schema design, DAX fundamentals, and deployment pipeline usage. Every session is recorded, indexed, and paired with a sandbox workspace seeded with representative sample data. A written center-of-excellence charter defines who owns certified datasets, who can promote a report to production, and how to request enhancements. Office hours run for 30 days post-launch so questions do not pile up into a formal change request.

How are Power BI deployments managed across dev, test, and production?

Every production workspace is paired with matching development and test workspaces wired through Power BI deployment pipelines. Datasets are source-controlled as TMDL files in Azure DevOps or GitHub so pull requests can be reviewed by a second modeler before merge. Environment-specific parameters (connection strings, sensitivity label rules, capacity assignments) are swapped at deployment time using parameter rules rather than manual edits. Fabric deployment pipelines handle lakehouses, notebooks, and data pipelines with the same promotion pattern. Refresh schedules, gateway assignments, and alerting are applied through the Power BI REST API so they survive redeployment. A written change-management checklist covers dataset certification, dependency impact analysis, and rollback procedure for every promotion to production.

Which industries and data sources do you support most often?

Heaviest experience sits in healthcare, financial services, energy, manufacturing, and public sector, because each of those verticals pushes a different dimension of Power BI: HIPAA-bound PHI handling, transaction-grain reconciliation, time-series sensor data, cost-center-driven manufacturing variance, and FedRAMP-aligned government reporting. Source systems frequently include Microsoft Dynamics 365, SAP ECC and S/4HANA, Salesforce, Workday, Epic and Cerner (Oracle Health), Infor, and a long tail of legacy ODBC databases connected through on-premises data gateways. Fabric engagements add Azure Data Lake Storage, Snowflake, Databricks, BigQuery, and Amazon S3 through OneLake shortcuts. Regardless of source, the modeling discipline is identical: conformed dimensions, documented grains, and a semantic layer that hides the join complexity from report authors.

Power BI Embedded for SaaS: Architecture and Pricing Guide (2026)

Quick Answer

Power BI Embedded lets SaaS builders embed dashboards and reports into their product without requiring Microsoft accounts for end users. The reference architecture is: one Fabric F SKU capacity, service principal authentication, dataset-per-tenant with dynamic RLS for most use cases, and cached embed tokens to reduce Entra round-trips. A well-designed embedded deployment handles 10,000+ end users on a single F64 capacity.

1. Licensing and Capacity Options

Three capacity SKUs support embedding: Fabric F SKUs, legacy A SKUs (Azure Power BI Embedded), and Premium P SKUs. In 2026 the guidance is straightforward: use F SKUs for new deployments.

SKU	Pause/Resume	Reserved Instance	Fabric Features	Best For
F SKU	Yes	Yes (36-60%)	Full	New SaaS deployments
A SKU	Yes	No	No	Legacy embedding only
P SKU	No	No	No	Existing Premium customers

For more on P-to-F migration, see the Fabric vs Premium migration guide.

2. Reference Architecture

The standard SaaS embedding architecture has six components:

SaaS front-end: React, Angular, or plain JavaScript using the Power BI JavaScript SDK.
Token-issuance service: server-side endpoint that authenticates as a service principal and returns an embed token.
Service principal: Microsoft Entra application with a client secret or certificate, granted Power BI Service Admin tenant role and Contributor on the target workspace.
Workspace: container for datasets, reports, and dashboards. For most deployments, one or a few workspaces are sufficient.
Dataset with dynamic RLS: semantic model with a UserSecurity bridge table filtered by a tenant_id claim passed through the embed token.
Fabric F SKU capacity: Azure-provisioned capacity backing all customer-facing content.

3. Authentication Pattern: Service Principal + Embed Tokens

// Node.js token issuance example
import { ConfidentialClientApplication } from '@azure/msal-node';
import axios from 'axios';

const msal = new ConfidentialClientApplication({
  auth: {
    clientId: process.env.PBI_CLIENT_ID!,
    clientSecret: process.env.PBI_CLIENT_SECRET!,
    authority: `https://login.microsoftonline.com/${process.env.PBI_TENANT_ID}`,
  },
});

export async function generateEmbedToken(
  reportId: string,
  datasetId: string,
  tenantId: string
) {
  const accessToken = await msal.acquireTokenByClientCredential({
    scopes: ['https://analysis.windows.net/powerbi/api/.default'],
  });

  const response = await axios.post(
    `https://api.powerbi.com/v1.0/myorg/groups/${WORKSPACE_ID}/reports/${reportId}/GenerateToken`,
    {
      accessLevel: 'View',
      identities: [
        {
          username: `tenant-${tenantId}`,
          roles: ['TenantRole'],
          datasets: [datasetId],
        },
      ],
    },
    { headers: { Authorization: `Bearer ${accessToken!.accessToken}` } }
  );

  return response.data.token;
}

The identities array passes the effective identity for RLS enforcement. The username field feeds USERPRINCIPALNAME() in the RLS DAX expression and serves as the tenant key. Cache embed tokens for 55 minutes (tokens expire after 60 minutes) to minimize Entra round-trips.

4. Multi-Tenant Isolation

Option A: Dataset-per-tenant with dynamic RLS (recommended for most SaaS)

One shared dataset contains all tenants’ data. A UserSecurity table maps tenant IDs to row filters. The dynamic RLS expression filters every table by tenant ID based on the identity passed in the embed token. Scales to tens of thousands of tenants on a single dataset.

Option B: Workspace-per-tenant

Each customer gets their own workspace with their own dataset. Strongest possible isolation. Use for enterprise customers that require physical separation for compliance reasons. Does not scale beyond a few hundred workspaces due to operational complexity.

Option C: Hybrid

Default customers share a dataset with dynamic RLS. Enterprise tier customers get dedicated workspaces. The provisioning pipeline determines at signup time which pattern a customer uses based on their subscription plan.

5. Cost Model and Capacity Sizing

Capacity sizing depends on three variables: concurrent user load, query complexity, and refresh frequency. A useful starting point:

F4 or F8: up to 100 concurrent users with simple report queries. ~$400 to $800 per month PAYG.
F16: up to 500 concurrent users. ~$1,300 per month PAYG.
F32: up to 2,000 concurrent users. ~$2,630 per month PAYG.
F64: up to 10,000 concurrent users. ~$5,258 per month PAYG.

These numbers assume typical dashboard traffic (one or two visual interactions per user per minute during active sessions). Heavy analytic workloads can reduce user capacity by 30 to 50 percent. Monitor the Fabric Capacity Metrics app and scale up when sustained utilization exceeds 70 percent during peak hours.

6. Performance Best Practices

Cache embed tokens server-side for 55 minutes. Do not request a new token on every page navigation.
Use Direct Lake mode for large fact tables. It delivers Import-mode performance without refresh schedules.
Pre-warm capacity before predictable traffic peaks (Monday morning, billing cycles) with synthetic queries.
Separate development workspaces from customer-facing workspaces. Development refreshes should not contend with end-user queries.
Enable auto-scale with a hard ceiling. Budget guardrails prevent runaway costs during anomalous traffic.
Design visuals with paginated data (top 10 customers, last 30 days) rather than unbounded tables. Pagination dramatically reduces CU consumption.

Frequently Asked Questions

What is Power BI Embedded for SaaS?

Power BI Embedded for SaaS is the Embed for Your Customers scenario where a software vendor embeds Power BI content into their application so that end users (the vendor's customers) see dashboards and reports inside the SaaS product without needing Microsoft accounts or Power BI licenses. The vendor owns a Fabric capacity or A SKU capacity, develops reports in their tenant, and uses service principal authentication to generate embed tokens that render reports in the SaaS UI.

What capacity do I need for embedding?

Two options. Fabric F SKUs (F2 and above) support embedding with pay-as-you-go billing and Azure Reserved Instance discounts. Legacy A SKUs (A1 through A6) are the purpose-built embedding-only capacities, sold through Azure with pause/resume support and no user licenses required on the capacity. As of 2026, Fabric F SKUs are the recommended choice because they unlock the full Fabric feature set and are the path forward. A SKUs remain available for existing customers but will eventually be deprecated.

How does authentication work in embedded scenarios?

The most common pattern is App Owns Data: your application authenticates to Power BI as a service principal, generates an embed token scoped to a specific report, and passes the token to the browser. Users of your application never authenticate to Power BI. Row-level security is enforced by passing an effective identity with the embed token. For B2B scenarios where your customers already have Microsoft accounts, the User Owns Data pattern is also supported but is rarely used for SaaS.

How do I isolate tenants in a multi-tenant SaaS?

The two architectures are workspace-per-tenant and dataset-per-tenant with RLS. Workspace-per-tenant gives the strongest isolation (each customer gets their own workspace with their own dataset) but does not scale beyond a few hundred tenants because workspace count becomes unmanageable. Dataset-per-tenant with dynamic RLS scales to tens of thousands of tenants but requires careful RLS design to prevent data leakage. For most SaaS products, start with a single dataset, dynamic RLS keyed on tenant ID, and scale to workspace-per-tenant only for enterprise customers that require it contractually.

What does Power BI Embedded cost?

Capacity cost is the primary line item. F2 starts at about $263 per month pay-as-you-go ($0.36/hour). F64 costs about $5,258 per month and matches P1/A4 compute. You also need Power BI Pro licenses for content developers ($10/user/month). End users of your SaaS do not need licenses. For most SaaS products, plan for $500 to $5,000 per month in Power BI capacity plus $50 to $500 per month in Pro licenses for your development team. Reserved Instances cut that by 40 to 60 percent once utilization stabilizes.

Can I paginate Power BI Embedded capacity as my SaaS grows?

Yes. The scaling pattern is horizontal: start with a small F SKU (F4 or F8), monitor utilization in the Fabric Capacity Metrics app, and scale up or out as user load increases. F SKUs can be resized through the Azure portal in under a minute with zero downtime. For very large SaaS, split customers across multiple capacities grouped by tier (free, pro, enterprise) so that throttling in one tier does not affect others.

Does embedding require custom development?

Yes, but less than most teams expect. The Power BI JavaScript SDK handles the browser-side embedding, and Microsoft provides sample code in React, Angular, and plain JavaScript. The custom work is on the server side: a token-issuance endpoint that authenticates as the service principal and generates scoped embed tokens. A typical initial implementation is 1 to 2 weeks for a single-tenant proof of concept, 4 to 6 weeks for a production multi-tenant deployment with RLS, provisioning workflows, and monitoring.

What are common embedded performance pitfalls?

Four common issues. First, issuing a new embed token on every page load instead of caching tokens, which causes unnecessary Azure Entra round-trips. Second, not pre-warming capacity before user peaks, leading to cold-start latency on the first morning queries. Third, failing to separate content development from customer-facing capacity, causing dev refreshes to throttle production queries. Fourth, enabling auto-scale without budget guardrails, resulting in surprise bills during traffic spikes.

Building an Embedded Analytics SaaS?

Our consultants architect multi-tenant Power BI Embedded deployments with RLS, token caching, and capacity sizing. Contact us for a design review.

Power BI Embedded for SaaS: Architecture and Pricing Guide