Hello,
https://learn.microsoft.com/en-us/rest/api/power-bi/datasets/execute-queries-in-group
To use Service Principals, make sure the admin tenant setting Allow service principals to use Power BI APIs under Developer settings is enabled. However, regardless of the admin tenant setting, Service Principals aren't supported for datasets with RLS per RLS limitations or datasets with SSO enabled.
1. What does a dataset with SSO enabled mean? Do I have it? Where can I check it?
2. How to check if RLS is set up? I didn't check anything...
Best,
Jacek
Hi jaryszek,
Thank you for the followup, and please accept my apologies for any inconvenience caused.
According to the documentation, “Service Principals aren't supported for datasets with RLS per RLS limitations or datasets with SSO enabled,” which implies that Service Principals may use the Execute Queries API for datasets provided no RLS is defined and no data source with SSO is configured.
Datasets - Execute Queries In Group - REST API (Power BI Power BI REST APIs) | Microsoft Learn
The documentation does not explicitly list Direct Lake over OneLake semantic models as a limitation. Therefore, I stated: “If the semantic model is Direct Lake over OneLake, no RLS roles are defined, and the tenant setting ‘Allow service principals to use Power BI APIs’ is enabled, then Service Principal and the ExecuteQueries REST API are supported and function as designed. Direct Lake does not use data source SSO, so SSO is not applicable in this scenario.”
I sincerely apologize for any inconvenience caused if I misunderstood the limitation earlier.
Thank you.
Yes, but support thinks something else.
Can you please contact me in private message and connect on Teams to explain this?
Especially this statement:
"
This means that DirectLake is not supported?
So in other words, Service Principal can run this query but not on DirectLake?
And the next question about executeQueries json body:
```json
{
  "queries": [
    {
      "query": "EVALUATE VALUES(MyTable)"
    }
  ],
  "serializerSettings": {
    "includeNulls": true
  },
  "impersonatedUserName": "someuser@mycompany.com"
}
```
Why use impersonatedUserName? Will this enforce RLS?
Edit:
Answer from support:
When we create a Direct Lake mode dataset, it will by default use SSO to the data source (SQL endpoint). When sharing a report with another viewer, the triggered query to the AS engine will use the signed-in user's credentials to run the "Discover OLS/RLS permission check query", which will be denied as this user has no ReadData permission to run the SELECT commands.
If anybody can explain this, it will be great.
Best,
Jacek
Hi jaryszek,
Thank you for the update and kindly keep us informed.
We are following up to enquire whether you have had an opportunity to submit the idea to the Ideas Forum using the link: Fabric Ideas - Microsoft Fabric Community. Please note that the Microsoft product team regularly reviews this platform for popular feature requests. Ideas that receive substantial support are more likely to be prioritized for inclusion in future releases.
Please continue using the Microsoft Fabric community for further queries.
Thank you.
This is not an idea.
This is a matter of whether DirectLake can be used with this query or not.
I asked the support guys to contact you and explain what is possible and what is not. On Forum, you think that it is possible to use this query with DirectLake. Support Guys think differently.
The issue has been taking 2 weeks now without any answer...
Best,
Jacek
The topic is still not solved. Waiting for the support guys to check if this is possible or not.
Best,
Jacek
Hi jaryszek,
Thank you for the followup.
Based on my understanding, Power BI enforces a strict separation between application identity or Service Principal and user identity or delegated authentication. Features that require evaluation of an actual user (for example, RLS or data source SSO) cannot be used with app-only execution.
Please consider the following approach, which may help resolve the issue:
Using a Service Principal for Power BI embedding in a JavaScript application is supported when application level security is acceptable and per-user data filtering is not required. In this model, all users access the report under the same application identity. Power BI does not evaluate individual end user identities within the dataset. If your requirement is per-user data security, the appropriate approach is RLS with delegated user authentication. This cannot be combined with Service Principal only query execution.
If the semantic model is Direct Lake over OneLake, no RLS roles are defined, and the tenant setting “Allow service principals to use Power BI APIs” is enabled, then Service Principal and the ExecuteQueries REST API are supported and function as designed. Direct Lake does not use data source SSO, so SSO is not applicable in this scenario.
For further reference, please consult the following links:
Embed content in your Power BI embedded analytics application - Power BI | Microsoft Learn
Embed Power BI content in an embedded analytics application with service principal and an applicatio...
We hope the information helps to resolve the issue. Should you have any further queries, please feel free to contact the Microsoft Fabric community.
Thank you.
"
If the semantic model is Direct Lake over OneLake, no RLS roles are defined, and the tenant setting “Allow service principals to use Power BI APIs” is enabled, then Service Principal and the ExecuteQueries REST API are supported and function as designed. Direct Lake does not use data source SSO, so SSO is not applicable in this scenario."
It is not true, unfortunately.
For the ExecuteQueries REST API:
"Datasets that are hosted in Azure Analysis Services or that have a live connection to an on-premises Azure Analysis Services model aren't supported."
Please read the docs carefully.
I confirmed with support.
Best,
Jacek
Hi jaryszek,
Thank you for your inquiry submitted via the Microsoft Fabric Community Forum.
Based on my understanding, Service Principals are not supported for executing queries against semantic models that have Row Level Security (RLS) or data source Single Sign On (SSO) enabled, because both require evaluation of an actual user identity, whereas a Service Principal represents an application identity.
Please note that an SSO enabled dataset refers to data source SSO (delegation of user identity to data sources such as Azure SQL, SAP or Snowflake in DirectQuery scenarios), and not to Power BI sign-in. Direct Lake over OneLake does not use or support data source SSO, as it reads Delta files directly from OneLake.
To check SSO for non-Direct Lake models, navigate to Semantic model → Settings → Data source credentials. If OAuth or Kerberos with the “Use SSO” option is configured, SSO is enabled.
RLS exists only if it has been explicitly created. Verify its presence in Power BI Desktop via Modeling → Manage roles, or in the Service via Semantic model → Security. If no roles are defined, RLS is not present.
Please follow the approach below which may help resolve the issue:
Additionally, please refer to the links below:
Direct Lake overview - Microsoft Fabric | Microsoft Learn
Row-level security (RLS) with Power BI - Microsoft Fabric | Microsoft Learn
Overview of single sign-on for on-premises data gateways - Power BI | Microsoft Learn
If you require support for Service Principal with RLS or SSO, we request that you submit an idea on the Ideas portal at: https://ideas.fabric.microsoft.com.
We hope this information helps to resolve your issue. Should you have any further queries, please feel free to contact the Microsoft Fabric community.
Thank you.
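The conditions discussed in this thread (tenant setting, RLS roles, data source SSO) can be checked in code before an app-only ExecuteQueries call. This is an added example, not part of the original posts or Microsoft's code; it assumes the dataset object comes from the Get Dataset In Group REST call, whose `isEffectiveIdentityRolesRequired` field reports whether RLS is defined, and that `tenantSettingEnabled` and `ssoEnabled` are supplied by the caller after checking the admin portal and the data source credentials page. The sample objects are constructed.

```javascript
"use strict";

// Reasons an app-only (service principal) ExecuteQueries call is unsupported,
// per the limitations quoted in this thread. `dataset` is shaped like a
// "Get Dataset In Group" response; the two flags are manual inputs (assumption).
function servicePrincipalBlockers(dataset, { tenantSettingEnabled, ssoEnabled }) {
  const blockers = [];
  if (!tenantSettingEnabled) {
    blockers.push("tenant setting 'Allow service principals to use Power BI APIs' is disabled");
  }
  if (dataset.isEffectiveIdentityRolesRequired) {
    blockers.push("RLS roles are defined on the semantic model");
  }
  if (ssoEnabled) {
    blockers.push("data source SSO is enabled");
  }
  return blockers;
}

// Builds the request for Datasets - Execute Queries In Group.
// The token must be acquired and kept server-side, never in browser code.
function buildExecuteQueriesRequest(groupId, datasetId, dax, accessToken) {
  const base = "https://api.powerbi.com/v1.0/myorg";
  const path = `/groups/${encodeURIComponent(groupId)}/datasets/${encodeURIComponent(datasetId)}/executeQueries`;
  return {
    url: base + path,
    method: "POST",
    headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json" },
    // No impersonatedUserName: an app-only call carries no end-user identity.
    body: JSON.stringify({
      queries: [{ query: dax }],
      serializerSettings: { includeNulls: true },
    }),
  };
}

// Constructed sample metadata (placeholder ids and names).
const noRlsModel = { id: "00000000-0000-0000-0000-000000000001", name: "Sales",
  isEffectiveIdentityRequired: false, isEffectiveIdentityRolesRequired: false };
const rlsModel = { id: "00000000-0000-0000-0000-000000000002", name: "SalesByRegion",
  isEffectiveIdentityRequired: true, isEffectiveIdentityRolesRequired: true };

console.log(servicePrincipalBlockers(noRlsModel, { tenantSettingEnabled: true, ssoEnabled: false }));
console.log(servicePrincipalBlockers(rlsModel, { tenantSettingEnabled: true, ssoEnabled: false }));
```

An empty list only means none of the three conditions named in the thread applies; other documented limitations of the API, such as the Azure Analysis Services restriction quoted earlier, are not covered by this check.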
And one more:
If SSO is not enabled using DirectLake and I do not have RLS, service principal should work for ExecuteQueries feature?
Best,
Jacek
Thank you,
Okay, I have an external app based on JavaScript and I am embedding Power BI there.
What in this case?
I am using a service principal as a safety layer to get an access token and use reports within that app.
But running queries using only the specific logged-in user can be problematic... for security reasons mainly.
Best,
Jacek