Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Compete to become Power BI Data Viz World Champion! First round ends August 18th. Get started.

Reply
sanu
Regular Visitor

Embedding Power BI report with RLS enabled on Apps Own Data

‎07-11-2025 08:37 AM

Hi Community,

I'm looking for some assistance with embedding a few of my Power BI reports. Let me provide some context:

I have an Admin Report published to the Power BI Service.
I've also created a Client Report, which is a replica of the Admin Report but connects to the Admin report’s semantic model. I’ve configured Row-Level Security (RLS) in the Admin Report using the User table, with a rule: Email = Username()

and that will be used in the client report.

So my Admin report works without RLS and Client report will filters based on user logged into the client application.

Now, I want to embed these reports into a client-facing application using the App Owns Data model. To support this, I’ve added a service principal as an admin in the Power BI workspace.

However, while trying to embed the Client Report, I’m encountering issues such as:

  • 403 Forbidden errors
  • Schema errors
  • In some cases, the embed token fails to generate

     

     

    Even i tried to embed the Admin report which is directly connected to the source however it also fails to embed or load.

    Interestingly, other reports from the same workspace are embedding successfully. This makes me wonder — could the issues be related to:

    • The report using DirectQuery to a Power BI semantic model?
    • The presence of RLS?

      For reference, my backend is built in PHP and the frontend is Angular.

      If anyone has experienced something similar or has insights to share, I’d greatly appreciate the help!

      Thank you!

      @amitchandak 

Labels:
Message 1 of 8
346 Views
0
2 ACCEPTED SOLUTIONS
anilelmastasi
Super User
Super User

‎07-12-2025 10:25 AM
RLS in a Power BI dataset requires a user identity, and in App Owns Data embedding with service principals, there’s no user context (no effective identity).
Power BI doesn’t allow service principals to impersonate users for enforcing RLS — the embedded report fails silently or throws 403 Forbidden or embed token errors.
 
For reference:
Assigning users to roles within the Power BI service doesn't affect RLS or OLS when using an embed token (App owns data scenario only).
 
To solve this problem:
- Use “User Owns Data” instead of “App Owns Data”
- If your users can log in with Microsoft 365 accounts, switch to User Owns Data embedding.
- This passes the user identity, so RLS works as expected.
- You can embed securely, and RLS filters apply.
 
If this solved your issue, please mark it as the accepted solution.

View solution in original post

Message 2 of 8
304 Views
0
v-pnaroju-msft
Community Support
Community Support

‎07-16-2025 07:27 AM

Hi sanu,

Thank you for your follow-up.

As per my understanding, you are embedding a client report that connects via DirectQuery to a Power BI semantic model with Row-Level Security (RLS) enabled. Since you are using the App Owns Data model with a service principal, the embedding fails because EffectiveIdentity does not function when the dataset uses DirectQuery to another Power BI dataset. Consequently, RLS cannot be applied, and you may encounter errors such as 403 Forbidden, token generation failure, and schema load issues.

Please find below some options that might help resolve the issue:

  1. If users can authenticate using Microsoft Entra ID (formerly Azure Active Directory), consider embedding via the User Owns Data model. RLS will function automatically, as the signed-in user's identity is passed through.

  2. If the App Owns Data model is mandatory, redesign the dataset to remove DirectQuery connections to another Power BI dataset. Instead, use Import mode or DirectQuery to a database, and then apply EffectiveIdentity in the embed token to enforce RLS securely.

We hope this information proves helpful in resolving your issue. Should you have any further queries, please feel free to contact the Microsoft Fabric community.

Thank you.

View solution in original post

Message 5 of 8
209 Views
0
7 REPLIES 7
sanu
Regular Visitor

‎07-23-2025 10:45 AM

Thank you all for the support.

Message 8 of 8
138 Views
0
v-pnaroju-msft
Community Support
Community Support

‎07-22-2025 05:11 AM

Hi sanu,

We just wanted to check if the information we gave helped fix your problem.
If you still need any help, please don’t hesitate to reach out to the Microsoft Fabric community.

Thank you.

Message 7 of 8
154 Views
0
v-pnaroju-msft
Community Support
Community Support

‎07-19-2025 10:26 AM

Hi sanu,

We would like to follow up and see whether the details we shared have resolved your problem.
If you need any more assistance, please feel free to connect with the Microsoft Fabric community.

Thank you.

Message 6 of 8
187 Views
0
v-pnaroju-msft
Community Support
Community Support

‎07-16-2025 07:27 AM

Hi sanu,

Thank you for your follow-up.

As per my understanding, you are embedding a client report that connects via DirectQuery to a Power BI semantic model with Row-Level Security (RLS) enabled. Since you are using the App Owns Data model with a service principal, the embedding fails because EffectiveIdentity does not function when the dataset uses DirectQuery to another Power BI dataset. Consequently, RLS cannot be applied, and you may encounter errors such as 403 Forbidden, token generation failure, and schema load issues.

Please find below some options that might help resolve the issue:

  1. If users can authenticate using Microsoft Entra ID (formerly Azure Active Directory), consider embedding via the User Owns Data model. RLS will function automatically, as the signed-in user's identity is passed through.

  2. If the App Owns Data model is mandatory, redesign the dataset to remove DirectQuery connections to another Power BI dataset. Instead, use Import mode or DirectQuery to a database, and then apply EffectiveIdentity in the embed token to enforce RLS securely.

We hope this information proves helpful in resolving your issue. Should you have any further queries, please feel free to contact the Microsoft Fabric community.

Thank you.

Message 5 of 8
210 Views
0
sanu
Regular Visitor

‎07-14-2025 11:02 PM

Thank you for the solution provided and are there anything we can do in the backend side to get the user identity and enforce RLS on the dataset? Any working solultion. Thank you

Message 4 of 8
233 Views
0
v-pnaroju-msft
Community Support
Community Support

‎07-14-2025 12:12 AM

Thankyou @anilelmastasi for your response.

Hi sanu,

We appreciate your inquiry through the Microsoft Fabric Community Forum.

We would like to inquire whether have you got the chance to check the solution provided by @anilelmastasi to resolve the issue. We hope the information provided helps to clear the query.
Should you have any further queries, kindly feel free to contact the Microsoft Fabric community.

Thank you.

Message 3 of 8
259 Views
anilelmastasi
Super User
Super User

‎07-12-2025 10:25 AM
RLS in a Power BI dataset requires a user identity, and in App Owns Data embedding with service principals, there’s no user context (no effective identity).
Power BI doesn’t allow service principals to impersonate users for enforcing RLS — the embedded report fails silently or throws 403 Forbidden or embed token errors.
 
For reference:
Assigning users to roles within the Power BI service doesn't affect RLS or OLS when using an embed token (App owns data scenario only).
 
To solve this problem:
- Use “User Owns Data” instead of “App Owns Data”
- If your users can log in with Microsoft 365 accounts, switch to User Owns Data embedding.
- This passes the user identity, so RLS works as expected.
- You can embed securely, and RLS filters apply.
 
If this solved your issue, please mark it as the accepted solution.
Message 2 of 8
305 Views
0

Helpful resources

Announcements
August Power BI Update Carousel

Power BI Monthly Update - August 2025

Check out the August 2025 Power BI update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All
Top Solution Authors
View All