Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

A new Data Days event is coming soon! This time we’re going bigger than ever. Fabric, Power BI, SQL, AI and more. Don't miss out.

Reply
WayneT
Regular Visitor

Populating TokenRequest EffectiveIdentity object what AAD Service Principal name should be used?

‎12-23-2021 03:07 PM

We display reports to users of our SaaS application by embedding them. The config to get the embed url uses a Service Principal.
For a time we have been using a JavaScript filter to filter report data based on a user's group. This is problematic because a user could potentially hack it and see other groups data.

We have attempted to implement Row Level Security (RLS) while getting the embed token using the code below.

Each user does not have a user account in AAD, so we want to use the Service Principal of the Enterprise Application registered in AAD that we use to get the access token for talking to the api.

Using the C# SDK no matter what username I put in to the EffectiveIdentity it returns a status code of 'Unauthorized'.
Have tried:

  • Name
  • Application Id
  • Object Id

Has anyone else had experience with this and can give me an idea what value should be used for the username property?

 

            var tokenRequest = new GenerateTokenRequestV2(

                reports: new List<GenerateTokenRequestV2Report>() { new GenerateTokenRequestV2Report(reportId) },

                datasets: datasetIds.Select(datasetId => new GenerateTokenRequestV2Dataset(datasetId.ToString())).ToList(),

                targetWorkspaces: targetWorkspaceId != Guid.Empty ? new List<GenerateTokenRequestV2TargetWorkspace>() { new GenerateTokenRequestV2TargetWorkspace(targetWorkspaceId) } : null
            );

            tokenRequest.Identities = new List<EffectiveIdentity> {
            new EffectiveIdentity("[Service Principal Object Id]" 
            //                    //,reports: new List<string>() { reportId.ToString() }
                                ,datasets: datasetIds.Select(datasetId => datasetId.ToString()).ToList()
            //                    ,roles: new[] { "CommunityAdmin" }
            //                    //, customData:"0ea41e5e-13aa-4a15-8fdc-a7b152dfb089"
            )                 
            };

 

 

Labels:
Message 1 of 2
1,280 Views
0
1 ACCEPTED SOLUTION
Anonymous
Not applicable

‎12-27-2021 12:31 AM

Hi @WayneT ,

As mentioned in this official documentation:

  • Service principals cannot be added to an RLS role. Accordingly, RLS won’t be applied for apps using a service principal as the final effective identity.

yingyinr_0-1640593779652.png

Applying user and role to an embed token

Best Regards

View solution in original post

Message 2 of 2
1,182 Views
0
1 REPLY 1
Anonymous
Not applicable

‎12-27-2021 12:31 AM

Hi @WayneT ,

As mentioned in this official documentation:

  • Service principals cannot be added to an RLS role. Accordingly, RLS won’t be applied for apps using a service principal as the final effective identity.

yingyinr_0-1640593779652.png

Applying user and role to an embed token

Best Regards

Message 2 of 2
1,183 Views
0

Helpful resources

Announcements
May Power BI Update Carousel

Power BI Monthly Update - May 2026

Check out the May 2026 Power BI update to learn about new features.

Fabric SQL PBI Data Days

Data Days 2026 coming soon!

Sign up to receive a private message when registration opens and key events begin.

New to Fabric survey Carousel

New to Fabric Survey

If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.

Power BI DataViz World Championships carousel

Power BI DataViz World Championships - June 2026

A new Power BI DataViz World Championship is coming this June! Don't miss out on submitting your entry.

View All