Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Get Fabric Certified for FREE during Fabric Data Days. Don't miss your chance! Request now

Reply
Anonymous
Not applicable

Implementing RLS on Embedded where report token is received by Azure AD REST call.

‎06-01-2018 08:41 AM

Hello Everyone, 

 

I am attempting to implement RLS in our .Net Core application of embedding power BI. here is our current TokenDataCall

 

        /// <summary>
        /// Gets Token Credentials and access token for use with authenticating PowerBi api calls
        /// </summary>
        /// <returns></returns>
        public async Task<(TokenCredentials tokenCredentials, string accessToken)> GetTokenDataAsync()
        {
            try
            {
                var authorityUrl = $"{_azureSettings.Instance}{_azureSettings.TenantId}/oauth2/token";

                var oauthEndpoint = new Uri(authorityUrl);

                using (var client = new HttpClient())
                {
                    var result = await client.PostAsync(oauthEndpoint, new FormUrlEncodedContent(new[]
                    {
                        new KeyValuePair<string, string>("resource", _powerBiSettings.ResourceAddress),
                        new KeyValuePair<string, string>("client_id", _azureSettings.ClientId),
                        new KeyValuePair<string, string>("grant_type", "password"),
                        new KeyValuePair<string, string>("username", _powerBiSettings.MasterUser),
                        new KeyValuePair<string, string>("password", _powerBiSettings.MasterKey),
                        new KeyValuePair<string, string>("scope", "openid"),
                    }));

                    var content = await result.Content.ReadAsStringAsync();

                    var authenticationResult = JsonConvert.DeserializeObject<OAuthResult>(content);
                    return (new TokenCredentials(authenticationResult.AccessToken, _azureSettings.TokenType), authenticationResult.AccessToken);
                }
            }
            catch (Exception ex)
            {
                _logger.LogError(ex, ex.Message);
                throw;
            }
        }

        private class OAuthResult
        {
            [JsonProperty("token_type")]
            public string TokenType { get; set; }
            [JsonProperty("scope")]
            public string Scope { get; set; }
            [JsonProperty("expires_in")]
            public int ExpiresIn { get; set; }
            [JsonProperty("ext_expires_in")]
            public int ExtExpiresIn { get; set; }
            [JsonProperty("expires_on")]
            public int ExpiresOn { get; set; }
            [JsonProperty("not_before")] 
            public int NotBefore { get; set; }
            [JsonProperty("resource")]
            public Uri Resource { get; set; }
            [JsonProperty("access_token")]
            public string AccessToken { get; set; }
            [JsonProperty("refresh_token")]
            public string RefreshToken { get; set; }
        }

I haven't found any documentation on how to use this token call to pass in the "Role" and "username" parameters found here.

https://docs.microsoft.com/en-us/power-bi/developer/embedded-row-level-security

 

Is there anyway to add those into the dictionary and for it to return the correct report access token with filtered data? 

 

Thanks, 

Labels:
Message 1 of 3
1,973 Views
2 ACCEPTED SOLUTIONS
v-jiascu-msft
Microsoft Employee
Microsoft Employee

‎06-04-2018 06:51 AM

Hi @Anonymous,

 

If you use the Rest API, it could be like below. Please refer to #applying-user-and-role-to-an-embed-token.

{   
    "accessLevel": "View",
    "identities": [     
        {      
            "username": "EffectiveIdentity",
            "roles": [ "Role1", "Role2" ],
            "datasets": [ "fe0a1aeb-f6a4-4b27-a2d3-b5df3bb28bdc" ]
        }   
    ] 
}

I tested it successfully with Postman.

 

Implementing RLS on Embedded where report token is received by Azure AD REST call.png 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Best Regards,

Dale

Community Support Team _ Dale
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

Message 2 of 3
2,054 Views
0
Anonymous
Not applicable
In response to v-jiascu-msft

‎06-06-2018 06:50 AM

Fixed,

 

I was confused because we were embedding the report through the Azure AD token, I am not sure how to implement RLS through the Azure AD token, like so.

 

 try
            {
                var tokenData = await _authenticationHandler.GetTokenDataAsync();

                using (var client = new PowerBIClient(new Uri(_powerBiSettings.MainAddress), tokenData.tokenCredentials))
                {
                    var report = await client.Reports.GetReportAsync(_powerBiSettings.GroupId, id.ToString());
                    
                    return new ReportDetail
                    {
                        Id = Guid.Parse(report.Id),
                        Name = report.Name,
                        EmbedUrl = report.EmbedUrl,
                        AccessToken = tokenData.accessToken
                    };
                }
            }

To fix this we just imbed the power BI report token instead with RLS identity.

 

            try
            {
                var tokenData = await _authenticationHandler.GetTokenDataAsync();

                using (var client = new PowerBIClient(new Uri(_powerBiSettings.MainAddress), tokenData.tokenCredentials))
                {
                    var report = await client.Reports.GetReportAsync(_powerBiSettings.GroupId, id.ToString());

                    var identity = new List<EffectiveIdentity>
                    {
                        new EffectiveIdentity("MasterUser", //TODO: Change this to use azure identity
                            roles: new List<string> {"User"},
                            datasets: new List<string> {report.DatasetId})
                    };

                    var generateTokenRequestParameters = new GenerateTokenRequest("view", null, identities: identity);

                    var tokenResponse = await client.Reports.GenerateTokenInGroupAsync(_powerBiSettings.GroupId, report.Id, generateTokenRequestParameters);

                    return new ReportDetail
                    {
                        Id = Guid.Parse(report.Id),
                        Name = report.Name,
                        EmbedUrl = report.EmbedUrl,
                        AccessToken = tokenResponse.Token
                    };
                }
            }

Be sure to set the token type to embed rather than AAD token in the Javascript config. 

 

Thanks for your help.

View solution in original post

Message 3 of 3
2,029 Views
0
2 REPLIES 2
v-jiascu-msft
Microsoft Employee
Microsoft Employee

‎06-04-2018 06:51 AM

Hi @Anonymous,

 

If you use the Rest API, it could be like below. Please refer to #applying-user-and-role-to-an-embed-token.

{   
    "accessLevel": "View",
    "identities": [     
        {      
            "username": "EffectiveIdentity",
            "roles": [ "Role1", "Role2" ],
            "datasets": [ "fe0a1aeb-f6a4-4b27-a2d3-b5df3bb28bdc" ]
        }   
    ] 
}

I tested it successfully with Postman.

 

Implementing RLS on Embedded where report token is received by Azure AD REST call.png 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Best Regards,

Dale

Community Support Team _ Dale
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Message 2 of 3
2,055 Views
0
Anonymous
Not applicable
In response to v-jiascu-msft

‎06-06-2018 06:50 AM

Fixed,

 

I was confused because we were embedding the report through the Azure AD token, I am not sure how to implement RLS through the Azure AD token, like so.

 

 try
            {
                var tokenData = await _authenticationHandler.GetTokenDataAsync();

                using (var client = new PowerBIClient(new Uri(_powerBiSettings.MainAddress), tokenData.tokenCredentials))
                {
                    var report = await client.Reports.GetReportAsync(_powerBiSettings.GroupId, id.ToString());
                    
                    return new ReportDetail
                    {
                        Id = Guid.Parse(report.Id),
                        Name = report.Name,
                        EmbedUrl = report.EmbedUrl,
                        AccessToken = tokenData.accessToken
                    };
                }
            }

To fix this we just imbed the power BI report token instead with RLS identity.

 

            try
            {
                var tokenData = await _authenticationHandler.GetTokenDataAsync();

                using (var client = new PowerBIClient(new Uri(_powerBiSettings.MainAddress), tokenData.tokenCredentials))
                {
                    var report = await client.Reports.GetReportAsync(_powerBiSettings.GroupId, id.ToString());

                    var identity = new List<EffectiveIdentity>
                    {
                        new EffectiveIdentity("MasterUser", //TODO: Change this to use azure identity
                            roles: new List<string> {"User"},
                            datasets: new List<string> {report.DatasetId})
                    };

                    var generateTokenRequestParameters = new GenerateTokenRequest("view", null, identities: identity);

                    var tokenResponse = await client.Reports.GenerateTokenInGroupAsync(_powerBiSettings.GroupId, report.Id, generateTokenRequestParameters);

                    return new ReportDetail
                    {
                        Id = Guid.Parse(report.Id),
                        Name = report.Name,
                        EmbedUrl = report.EmbedUrl,
                        AccessToken = tokenResponse.Token
                    };
                }
            }

Be sure to set the token type to embed rather than AAD token in the Javascript config. 

 

Thanks for your help.

Message 3 of 3
2,030 Views
0

Helpful resources

Announcements
Fabric Data Days Carousel

Fabric Data Days

Advance your Data & AI career with 50 days of live learning, contests, hands-on challenges, study groups & certifications and more!

October Power BI Update Carousel

Power BI Monthly Update - October 2025

Check out the October 2025 Power BI update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All