topic Re: Populating TokenRequest EffectiveIdentity object what AAD Service Principal name should be used? in Developer https://community.fabric.microsoft.com/t5/Developer/Populating-TokenRequest-EffectiveIdentity-object-what-AAD/m-p/2256608#M33625 <P>Hi&nbsp;<a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/235907">@WayneT</a>&nbsp;,</P> <P>As mentioned in <A href="https://docs.microsoft.com/en-us/power-bi/admin/service-admin-rls#considerations-and-limitations" target="_self"><STRONG>this official documentation</STRONG></A>:</P> <UL> <LI>Service principals cannot be added to an RLS role. Accordingly, RLS won’t be applied for apps using a service principal as the final effective identity.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="yingyinr_0-1640593779652.png" style="width: 999px;"><img src="https://community.fabric.microsoft.com/t5/image/serverpage/image-id/648640iAF5EB23C95BB9342/image-size/large?v=v2&amp;px=999" role="button" title="yingyinr_0-1640593779652.png" alt="yingyinr_0-1640593779652.png" /></span></P> <P><A href="https://docs.microsoft.com/en-us/power-bi/developer/embedded/embedded-row-level-security#applying-user-and-role-to-an-embed-token" target="_self"><STRONG>Applying user and role to an embed token</STRONG></A></P> <P>Best Regards</P> Mon, 27 Dec 2021 08:31:31 GMT Anonymous 2021-12-27T08:31:31Z Populating TokenRequest EffectiveIdentity object what AAD Service Principal name should be used? https://community.fabric.microsoft.com/t5/Developer/Populating-TokenRequest-EffectiveIdentity-object-what-AAD/m-p/2254415#M33607 <P>We display reports to users of our SaaS application by embedding them. The config to get the embed url uses a Service Principal.<BR />For a time we have been using a JavaScript filter to filter report data based on a user's group. This is problematic because a user could potentially hack it and see other groups data.<BR /><BR />We have attempted to implement Row Level Security (RLS) while getting the embed token using the code below.<BR /><BR />Each user does not have a user account in AAD, so we want to use the Service Principal of the Enterprise Application registered in AAD that we use to get the access token for talking to the api.<BR /><BR />Using the C# SDK no matter what username I put in to the EffectiveIdentity it returns a status code of 'Unauthorized'.<BR />Have tried:</P><UL><LI>Name</LI><LI>Application Id</LI><LI>Object Id</LI></UL><P>Has anyone else had experience with this and can give me an idea what value should be used for the username property?<BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="csharp"> var tokenRequest = new GenerateTokenRequestV2( reports: new List&lt;GenerateTokenRequestV2Report&gt;() { new GenerateTokenRequestV2Report(reportId) }, datasets: datasetIds.Select(datasetId =&gt; new GenerateTokenRequestV2Dataset(datasetId.ToString())).ToList(), targetWorkspaces: targetWorkspaceId != Guid.Empty ? new List&lt;GenerateTokenRequestV2TargetWorkspace&gt;() { new GenerateTokenRequestV2TargetWorkspace(targetWorkspaceId) } : null ); tokenRequest.Identities = new List&lt;EffectiveIdentity&gt; { new EffectiveIdentity("[Service Principal Object Id]" // //,reports: new List&lt;string&gt;() { reportId.ToString() } ,datasets: datasetIds.Select(datasetId =&gt; datasetId.ToString()).ToList() // ,roles: new[] { "CommunityAdmin" } // //, customData:"0ea41e5e-13aa-4a15-8fdc-a7b152dfb089" ) };</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Thu, 23 Dec 2021 23:07:18 GMT https://community.fabric.microsoft.com/t5/Developer/Populating-TokenRequest-EffectiveIdentity-object-what-AAD/m-p/2254415#M33607 WayneT 2021-12-23T23:07:18Z Re: Populating TokenRequest EffectiveIdentity object what AAD Service Principal name should be used? https://community.fabric.microsoft.com/t5/Developer/Populating-TokenRequest-EffectiveIdentity-object-what-AAD/m-p/2256608#M33625 <P>Hi&nbsp;<a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/235907">@WayneT</a>&nbsp;,</P> <P>As mentioned in <A href="https://docs.microsoft.com/en-us/power-bi/admin/service-admin-rls#considerations-and-limitations" target="_self"><STRONG>this official documentation</STRONG></A>:</P> <UL> <LI>Service principals cannot be added to an RLS role. Accordingly, RLS won’t be applied for apps using a service principal as the final effective identity.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="yingyinr_0-1640593779652.png" style="width: 999px;"><img src="https://community.fabric.microsoft.com/t5/image/serverpage/image-id/648640iAF5EB23C95BB9342/image-size/large?v=v2&amp;px=999" role="button" title="yingyinr_0-1640593779652.png" alt="yingyinr_0-1640593779652.png" /></span></P> <P><A href="https://docs.microsoft.com/en-us/power-bi/developer/embedded/embedded-row-level-security#applying-user-and-role-to-an-embed-token" target="_self"><STRONG>Applying user and role to an embed token</STRONG></A></P> <P>Best Regards</P> Mon, 27 Dec 2021 08:31:31 GMT https://community.fabric.microsoft.com/t5/Developer/Populating-TokenRequest-EffectiveIdentity-object-what-AAD/m-p/2256608#M33625 Anonymous 2021-12-27T08:31:31Z