Solved: PBE with Service Principal: Creating embed token f...

rbroida · ‎09-18-2021

We created a PBIX using a live connection to a SSAS database running in an Azure virtual machine. We published the PBIX to a workspace in Power BI Service, where the dataset connects to the SSAS database through an on-premise data gateway on the Azure VM. Reports from the PBIX display correctly in the Power BI Service portal, so we know the data gateway is working.

We now want to embed the reports in the "for customers" (app owns the data) sample in .NET Framework that we downloaded from Github. If we configure the web.config to supply MasterUser credentials, then the sample works. But if we use ServicePrincipal credentials, it fails.

We set up an AAD application and configured web.config following the instructions here: Embed Power BI content in an embedded analytics application with service principal and an applicatio... The web.config file contains the correct values for authenticationType, applicationId, workspaceId, reportId, applicationSecret, and tenant. But when we run the sample we get this error message:

Status: BadRequest (400)
Response: {"error":{"code":"InvalidRequest","message":"Creating embed token for accessing dataset xxx-xxx-xxx-xxx-xxx requires effective identity to be provided"}}
RequestId: xxx-xxx-xxx-xxx-xxx

Does Power BI Embedded even support this scenario? That is, when using a service principal, does Power BI embedded work with a dataset that has a live connection to a SSAS database via an on-premise data gateway? If so, why are we not providing an "effective identity"?

@Xiaoxin Sheng

V-lianl-msft · ‎09-20-2021

Power BI and SSAS both leverage AD so that means that any user you pass from Power BI to SSAS needs to be known in AD.You must grant the service principal ReadOverrideEffectiveIdentity permission. Otherwise, the service principal can’t delegate the user identity to the gateway.

Please refer to :

https://prologika.com/power-bi-embedded-service-principals-and-ssas/

View solution in original post

V-lianl-msft · ‎09-20-2021

Power BI and SSAS both leverage AD so that means that any user you pass from Power BI to SSAS needs to be known in AD.You must grant the service principal ReadOverrideEffectiveIdentity permission. Otherwise, the service principal can’t delegate the user identity to the gateway.

Please refer to :

https://prologika.com/power-bi-embedded-service-principals-and-ssas/

rbroida · ‎09-21-2021

Thank you V-liani. The blog post you linked explains what to do. Please put this information in the Microsoft documentation! We shouldn't need to chase down blogs to find this out.

rbroida · ‎09-20-2021

UPDATE: We were able to prove that our ServicePrincipal registration works with datasets that connect through the on-premise data gateway to a SQL Server database instead of to SSAS.

So again our question for Microsoft is: does Power BI embedded support ServicePrincipal authentication for a report whose dataset uses a live connection to a SSAS database via an on-premise data gateway?

If so, what additional steps are needed to avoid the "effective identity" error?

If not, where is this limitation documented?

PBE with Service Principal: Creating embed token for accessing dataset requires effective identity

Helpful resources

Join us at the Microsoft Fabric Community Conference

We want your feedback!

Microsoft Fabric Community Conference 2025

A Year in Review - December 2024

Join us at the 2025 Microsoft Fabric Community Conference