Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now! Learn more

Reply
Anonymous
Not applicable

Error getting embed token with row level security

‎09-05-2019 08:17 PM

Hi All,

 

I am having trouble getting App Only Embed token using C# and also via Postman. 

 

1) I get the OAuth2 Access token for my service principal using App Id and Secret.

2) I try to post on https://api.powerbi.com/v1.0/myorg/groups/{GroupId}/{ReportId}/GenerateToken

 

with the below body:

{
"accessLevel": "View",
"identities": [
{
"username": "UserEmail@Company.com",
"roles": [ "SomeRole" ],
"datasets": ["DatasetId"]
}
]
}

 

Error:

{
"error": {
"code": "InvalidRequest",
"message": "Creating embed token for accessing dataset {DatasetId} requries gateway admin or datasource override effective identity access right"
}
}
Labels:
Message 1 of 5
4,458 Views
0
4 REPLIES 4
Anonymous
Not applicable

‎09-11-2019 02:08 PM

Things that finally worked for us:

 

1) Had to give the service principal the permission "ReadOverrideEffectiveIdentity" by running Microsoft's rest api call with the datasourceId and the gatewayid.

see this link for more info: 

https://docs.microsoft.com/en-us/power-bi/developer/embedded-row-level-security#on-premises-data-gat...

 

The identifier used in the JSON BODY Request is not the Azure AD service principal object Id, turns out that there is a separate identifier for the service principal when it is added to powerBi workspace as an admin.

 

running a rest call to get users on the workspace/report would give the actual identifier.

 

*This is wierd as the documentation doesnot say that, but have raised this concern with microsoft.

2) After this, a normal call to get embed token along with effective identity works fine.

 

 

 

Message 3 of 5
4,370 Views
lnoguera
Frequent Visitor
In response to Anonymous

‎05-03-2021 09:56 AM

After doing what worked for you (find the service principal identifier using the rest api and give the ReadOverrideEffectiveIdentity permissions to it), now we´re getting a different error: "Only folder user with reshare permissions can generate embed token".  Do you know what might be the cause of this?

Message 5 of 5
3,197 Views
0
Anonymous
Not applicable
In response to Anonymous

‎12-15-2020 01:50 PM

Incredible.  Almost a year after your post, I ran into the same issue.  Using the Microsoft sample app, the error was hidden from me.  I only saw 403 Forbidden returned.  Using Postman and APIs to generate an EmbedToken, I then saw the 

"Creating embed token for accessing dataset..."

mentioned above.  Your comment of "The identifier used in the JSON BODY Request is not the Azure AD service principal object Id, turns out that there is a separate identifier for the service principal when it is added to powerBi workspace as an admin." was finding a needle in a hay stack.  You were right!  Once I found the "identifier" of my service principal using the APIs against the Power BI Workspace, I updated the username in my sample app and bam!  I finally executed a successful end to end request.  

 

 

Message 4 of 5
3,688 Views
0
Jayendran
Solution Sage
Solution Sage

‎09-05-2019 11:26 PM

Hi,

 

Can you pls look this

https://community.powerbi.com/t5/Developer/Unable-to-get-RLS-security-to-work-with-an-app-owns-data/...

 

 

Message 2 of 5
4,428 Views
0

Helpful resources

Announcements
Power BI DataViz World Championships

Power BI Dataviz World Championships

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now!

December 2025 Power BI Update Carousel

Power BI Monthly Update - December 2025

Check out the December 2025 Power BI Holiday Recap!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All