Embeded powerbi report with service principal usin...

Anonymous · ‎04-10-2020

Hi,

i've got an on premise SSAS instance which is configured in powerbi using gateway, configuration is proper as report using dataset from SSAS works from app.powebi and even from embedded report if token is requested using username/password flow.

From security reasons our client demand was to introduce service principal, it is turned on, set as admin on workspace, i've added 'ReadOverrideEffectiveIdentity' to service principle using powerbi dataset api.

Currently when i request embedd token using clientSecret (service principal) it requires EffectiveIdentity to be passed (which was not passed before in this path).

I;ve tested two different approaches:

-passed EffectiveIdentity with identifier = ServicePrincipalObjectId

* i can see in developer tools that https://wabi-north-europe-redirect.analysis.windows.net/powerbi/metadata/models/5330774/?modelOption...

returned 401

-passed currently logged userId (this is normally passed for other datasets pointing directly to database):

*report is embedded but when it's loadingvisuals i get 401 and i can see that 'https://wabi-north-europe- redirect.analysis.windows.net/explore/querydata'

returned "{"error":{"code":"RLSNotAuthorizedForImpersonation","pbi.error":{"code":"RLSNotAuthorizedForImpersonation","parameters":{},"details":[],"exceptionCulprit":1}}}"

Do you have any ideas what should i check next and what is wrong?

I've based my work mostly on:

https://prologika.com/power-bi-embedded-service-principals-and-ssas/

https://docs.microsoft.com/en-us/power-bi/developer/embedded/embedded-row-level-security#on-premises...

https://docs.microsoft.com/en-us/power-bi/developer/embedded/embedded-row-level-security#working-wit...

Thanks in advance