Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Join the FabCon + SQLCon recap series. Up next: Power BI, Real-Time Intelligence, IQ and AI, and Data Factory take center stage. All sessions are available on-demand after the live show. Register now

Reply
MJG2112
Advocate II
Advocate II

Visuals Not Working when using Direct Access Queries

‎04-15-2026 12:01 PM

The background.  When a user is granted access to a report, then they are assigned to a role in the RLS and given a non-shareable link to the report. All approved users get the same link. Admins have direct access to all reports. Every report has its own semantic model. Each one of those models has one or more data sources. Most data sources are imported, with a small number being direct access to other semantic models. The latter approach is new to us.


Every report in the service has data source credentials using:

Authentication method: OAuth2

Privacy level setting: Organisational

Account: a non-specific service account


One of the reports using direct access sources has been shared with a user. They have been assigned to a role in the RLS and given the non-shareable report link. All as per our normal process. The report creator and I can see all the visuals in the report. We are both workspace admins. The user can open the report, but all the visuals are broken.

 

The error message is the common ‘Error fetching data for this visual’, but points to a problem with the direct access queries to one of the upstream sources.

 

I’ve done a lot of reading and used Copilot to find an answer to the problem. In summary, the resolution I reached is give the user read access to the upstream semantic models. My research highlighted the use of Entra groups as a way to assign multiple users to the semantic models. We don’t currently use those as we haven’t found a need to. In this case we just added the single user. This partly worked in the sense that the error message then highlighted the user not having RLS access to the upstream reports. None of the information I found suggested this was necessary. It’s not a problem to add one user to the RLS for the upstream reports, but it is when that number could be significantly more. I don’t know if it’s possible to add Entra groups in the RLS.

 

I’ve got lots of information, but I’d like views from experts on here who’ve experienced and resolved this problem themselves.

Labels:
Message 1 of 6
319 Views
1 ACCEPTED SOLUTION
cengizhanarslan
Super User
Super User

‎04-16-2026 11:13 AM

When a report connects to an upstream semantic model via live connection, Power BI evaluates the viewing user's own identity against the upstream model directly. Your service account OAuth2 credentials are irrelevant for this connection type, which is why users need both Read permission and RLS access on the upstream model regardless of how the downstream report is configured. Adding Entra ID security groups directly to RLS roles in the upstream semantic model is fully supported and is the correct scalable solution: add the group to the RLS role via the upstream model's Security settings, grant the group Read permission on the model, and then manage all user access by adding or removing members from the Entra group in Entra ID admin without ever touching Power BI again.

_________________________________________________________
If this helped, ✓ Mark as Solution | Kudos appreciated
Connect on LinkedIn | Follow on Medium
AI-assisted tools are used solely for wording support. All conclusions are independently reviewed.

View solution in original post

Message 6 of 6
184 Views
5 REPLIES 5
cengizhanarslan
Super User
Super User

‎04-16-2026 11:13 AM

When a report connects to an upstream semantic model via live connection, Power BI evaluates the viewing user's own identity against the upstream model directly. Your service account OAuth2 credentials are irrelevant for this connection type, which is why users need both Read permission and RLS access on the upstream model regardless of how the downstream report is configured. Adding Entra ID security groups directly to RLS roles in the upstream semantic model is fully supported and is the correct scalable solution: add the group to the RLS role via the upstream model's Security settings, grant the group Read permission on the model, and then manage all user access by adding or removing members from the Entra group in Entra ID admin without ever touching Power BI again.

_________________________________________________________
If this helped, ✓ Mark as Solution | Kudos appreciated
Connect on LinkedIn | Follow on Medium
AI-assisted tools are used solely for wording support. All conclusions are independently reviewed.
Message 6 of 6
185 Views
MJG2112
Advocate II
Advocate II

‎04-16-2026 07:52 AM

@lbendlin OK. What about the semantic model permissions and RLS for all the upstream sources/reports?

 

Message 5 of 6
207 Views
0
MJG2112
Advocate II
Advocate II

‎04-16-2026 12:25 AM

@lbendlin It's workspace viewers.

Message 3 of 6
236 Views
0
lbendlin
Super User
Super User
In response to MJG2112

‎04-16-2026 07:39 AM

Your users need to be workspace viewers in all participating workspaces.

Message 4 of 6
214 Views
0
lbendlin
Super User
Super User

‎04-15-2026 03:51 PM

Please clarify if you are sharing to workspace viewers, or to app users.

 

Note that for composite models your report users must have installed all the apps from all paticipating semantic models (or be given viewer access to those workspaces)

Message 2 of 6
267 Views
0

Helpful resources

Announcements
April Power BI Update Carousel

Power BI Monthly Update - April 2026

Check out the April 2026 Power BI update to learn about new features.

New to Fabric survey Carousel

New to Fabric Survey

If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.

Power BI DataViz World Championships carousel

Power BI DataViz World Championships - June 2026

A new Power BI DataViz World Championship is coming this June! Don't miss out on submitting your entry.

FabCon and SQLCon Highlights Carousel

FabCon &SQLCon Highlights

Experience the highlights from FabCon & SQLCon, available live and on-demand starting April 14th.

View All