Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now! Learn more

Reply
jaryszek
Memorable Member
Memorable Member

DirectLake over OneLake dataset with RLS or SSO Enabled?

Monday

Hello,

https://learn.microsoft.com/en-us/rest/api/power-bi/datasets/execute-queries-in-group

To use Service Principals, make sure the admin tenant setting Allow service principals to use Power BI APIs under Developer settings is enabled. However, regardless of the admin tenant setting, Service Principals aren't supported for datasets with RLS per RLS limitations or datasets with SSO enabled.

1. What does it mean dataset with SSO enabled? If i have it? Where to check it

2. How to check if RLS is set up? I didnt check anything...

Best,
Jacek

Labels:
Message 1 of 5
255 Views
0
4 REPLIES 4
v-pnaroju-msft
Community Support
Community Support

yesterday

Hi jaryszek,

Thank you for the followup.

Based on my understanding, Power BI enforces a strict separation between application identity or Service Principal and user identity or delegated authentication. Features that require evaluation of an actual user (for example, RLS or data source SSO) cannot be used with app-only execution.

Please consider the following approach, which may help resolve the issue:

  1. Using a Service Principal for Power BI embedding in a JavaScript application is supported when application level security is acceptable and per-user data filtering is not required. In this model, all users access the report under the same application identity. Power BI does not evaluate individual end user identities within the dataset. If your requirement is per-user data security, the appropriate approach is RLS with delegated user authentication. This cannot be combined with Service Principal only query execution.

  2. If the semantic model is Direct Lake over OneLake, no RLS roles are defined, and the tenant setting “Allow service principals to use Power BI APIs” is enabled, then Service Principal and the ExecuteQueries REST API are supported and function as designed. Direct Lake does not use data source SSO, so SSO is not applicable in this scenario.

For further reference, please consult the following links:
Embed content in your Power BI embedded analytics application - Power BI | Microsoft Learn
Embed Power BI content in an embedded analytics application with service principal and an applicatio...

We hope the information helps to resolve the issue. Should you have any further queries, please feel free to contact the Microsoft Fabric community.

Thank you.

Message 5 of 5
57 Views
0
v-pnaroju-msft
Community Support
Community Support

Monday

Hi jaryszek,

Thank you for your inquiry submitted via the Microsoft Fabric Community Forum.

Based on my understanding, Service Principals are not supported for executing queries against semantic models that have Row Level Security (RLS) or data source Single Sign On (SSO) enabled, because both require evaluation of an actual user identity, whereas a Service Principal represents an application identity.

Please note that an SSO enabled dataset refers to data source SSO (delegation of user identity to data sources such as Azure SQL, SAP or Snowflake in DirectQuery scenarios), and not to Power BI sign-in. Direct Lake over OneLake does not use or support data source SSO, as it reads Delta files directly from OneLake.

To check SSO for non-Direct Lake models, navigate to Semantic model → Settings → Data source credentials. If OAuth or Kerberos with the “Use SSO” option is configured, SSO is enabled.

RLS exists only if it has been explicitly created. Verify its presence in Power BI Desktop via Modeling → Manage roles, or in the Service via Semantic model → Security. If no roles are defined, RLS is not present.

Please follow the approach below which may help resolve the issue:

  1. Using a Service Principal with the Execute Queries API against a Direct Lake (OneLake) semantic model is a valid approach provided that no RLS is defined.

Additionally, please refer to the links below:
Direct Lake overview - Microsoft Fabric | Microsoft Learn
Row-level security (RLS) with Power BI - Microsoft Fabric | Microsoft Learn
Overview of single sign-on for on-premises data gateways - Power BI | Microsoft Learn

If you require support for Service Principal with RLS or SSO, we request that you submit an idea on the Ideas portal at: https://ideas.fabric.microsoft.com.

We hope this information helps to resolve your issue. Should you have any further queries, please feel free to contact the Microsoft Fabric community.

Thank you.

Message 2 of 5
201 Views
0
jaryszek
Memorable Member
Memorable Member
In response to v-pnaroju-msft

Tuesday

And one more:

 

If SSO is not enabled using DirectLake and I do not have RLS, service principal should work for ExecuteQueries feature? 

Best,
Jacek

Message 4 of 5
161 Views
0
jaryszek
Memorable Member
Memorable Member
In response to v-pnaroju-msft

Tuesday

Thank you, 

okey I have external app based on javascript and embedding power bi there. 
What in this case? 

I am using service principal as safety layer to get access token and use reports within that app. 
But running queries using only specific user logged in can be problematic...for security reasons mainly.

 

Best,
Jacek

Message 3 of 5
176 Views
0

Helpful resources

Announcements
Power BI DataViz World Championships

Power BI Dataviz World Championships

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now!

December 2025 Power BI Update Carousel

Power BI Monthly Update - December 2025

Check out the December 2025 Power BI Holiday Recap!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All