Hi @Scheneyder ,
Thank you for reaching out to Microsoft Community.
Because the report is using DirectQuery and the RLS is implemented in Databricks instead of Power BI, the embedded scenario may not be forwarding the end-user’s identity to Databricks.
When the identity is not passed, Databricks evaluates the security rules with no user context and returns zero rows, which results in a blank report page rather than an error.
Recommended Steps to Resolve
Enable SSO on the Semantic Model
In Power BI Service, go to Semantic Model → Settings → Data source credentials.
Change authentication to OAuth2 (Organizational Account).
Enable Single Sign-On (SSO) so the user identity can flow to the data source.
Pass the User Identity in the Embed Token
When generating the embed token, include EffectiveIdentity.
Provide the logged-in user’s UPN along with the AAD access token (identity blob) so Power BI can delegate the identity downstream.
Use On-Behalf-Of (OBO) Authentication
The SaaS application must obtain an Azure AD token for the signed-in user, not rely solely on a Service Principal.
Implement the MSAL OBO flow to exchange the user token for a Power BI access token.
Confirm Databricks Is Configured for AAD Passthrough
Ensure the Databricks SQL Warehouse/cluster has Azure AD authentication enabled.
This allows Databricks to evaluate functions like current_user() using the propagated identity.
Test with a simple query or visual: SELECT current_user()
If configured correctly, it should return the actual end-user email, not a service principal.
Once identity propagation is working end-to-end, Databricks RLS will evaluate correctly and the embedded report should display data instead of a blank page.
Hope this helps.
Best Regards.
