The ultimate Fabric, Power BI, SQL, and AI community-led learning event. Save €200 with code FABCOMM.
Get registeredCompete to become Power BI Data Viz World Champion! First round ends August 18th. Get started.
Hi Community,
I'm looking for some assistance with embedding a few of my Power BI reports. Let me provide some context:
I have an Admin Report published to the Power BI Service.
I've also created a Client Report, which is a replica of the Admin Report but connects to the Admin report’s semantic model. I’ve configured Row-Level Security (RLS) in the Admin Report using the User table, with a rule: Email = Username()
and that will be used in the client report.
So my Admin report works without RLS and Client report will filters based on user logged into the client application.
Now, I want to embed these reports into a client-facing application using the App Owns Data model. To support this, I’ve added a service principal as an admin in the Power BI workspace.
However, while trying to embed the Client Report, I’m encountering issues such as:
Even i tried to embed the Admin report which is directly connected to the source however it also fails to embed or load.
Interestingly, other reports from the same workspace are embedding successfully. This makes me wonder — could the issues be related to:
For reference, my backend is built in PHP and the frontend is Angular.
If anyone has experienced something similar or has insights to share, I’d greatly appreciate the help!
Thank you!
@amitchandak
Solved! Go to Solution.
Hi sanu,
Thank you for your follow-up.
As per my understanding, you are embedding a client report that connects via DirectQuery to a Power BI semantic model with Row-Level Security (RLS) enabled. Since you are using the App Owns Data model with a service principal, the embedding fails because EffectiveIdentity does not function when the dataset uses DirectQuery to another Power BI dataset. Consequently, RLS cannot be applied, and you may encounter errors such as 403 Forbidden, token generation failure, and schema load issues.
Please find below some options that might help resolve the issue:
If users can authenticate using Microsoft Entra ID (formerly Azure Active Directory), consider embedding via the User Owns Data model. RLS will function automatically, as the signed-in user's identity is passed through.
If the App Owns Data model is mandatory, redesign the dataset to remove DirectQuery connections to another Power BI dataset. Instead, use Import mode or DirectQuery to a database, and then apply EffectiveIdentity in the embed token to enforce RLS securely.
We hope this information proves helpful in resolving your issue. Should you have any further queries, please feel free to contact the Microsoft Fabric community.
Thank you.
Thank you all for the support.
Hi sanu,
We just wanted to check if the information we gave helped fix your problem.
If you still need any help, please don’t hesitate to reach out to the Microsoft Fabric community.
Thank you.
Hi sanu,
We would like to follow up and see whether the details we shared have resolved your problem.
If you need any more assistance, please feel free to connect with the Microsoft Fabric community.
Thank you.
Hi sanu,
Thank you for your follow-up.
As per my understanding, you are embedding a client report that connects via DirectQuery to a Power BI semantic model with Row-Level Security (RLS) enabled. Since you are using the App Owns Data model with a service principal, the embedding fails because EffectiveIdentity does not function when the dataset uses DirectQuery to another Power BI dataset. Consequently, RLS cannot be applied, and you may encounter errors such as 403 Forbidden, token generation failure, and schema load issues.
Please find below some options that might help resolve the issue:
If users can authenticate using Microsoft Entra ID (formerly Azure Active Directory), consider embedding via the User Owns Data model. RLS will function automatically, as the signed-in user's identity is passed through.
If the App Owns Data model is mandatory, redesign the dataset to remove DirectQuery connections to another Power BI dataset. Instead, use Import mode or DirectQuery to a database, and then apply EffectiveIdentity in the embed token to enforce RLS securely.
We hope this information proves helpful in resolving your issue. Should you have any further queries, please feel free to contact the Microsoft Fabric community.
Thank you.
Thank you for the solution provided and are there anything we can do in the backend side to get the user identity and enforce RLS on the dataset? Any working solultion. Thank you
Thankyou @anilelmastasi for your response.
Hi sanu,
We appreciate your inquiry through the Microsoft Fabric Community Forum.
We would like to inquire whether have you got the chance to check the solution provided by @anilelmastasi to resolve the issue. We hope the information provided helps to clear the query.
Should you have any further queries, kindly feel free to contact the Microsoft Fabric community.
Thank you.