WayneT
Regular Visitor

Populating TokenRequest EffectiveIdentity object: what AAD Service Principal name should be used?

We display reports to users of our SaaS application by embedding them. The config to get the embed URL uses a Service Principal.
For a time we have been using a JavaScript filter to filter report data based on a user's group. This is problematic because a user could potentially hack it and see other groups' data.

We have attempted to implement Row Level Security (RLS) while getting the embed token using the code below.

Each user does not have a user account in AAD, so we want to use the Service Principal of the Enterprise Application registered in AAD that we use to get the access token for talking to the API.

Using the C# SDK, no matter what username I put into the EffectiveIdentity, it returns a status code of 'Unauthorized'.
Have tried:

  • Name
  • Application Id
  • Object Id

Has anyone else had experience with this and can give me an idea what value should be used for the username property?

 

    // Request an embed token for one report and the datasets it uses.
    var tokenRequest = new GenerateTokenRequestV2(
        reports: new List<GenerateTokenRequestV2Report>() { new GenerateTokenRequestV2Report(reportId) },
        datasets: datasetIds.Select(datasetId => new GenerateTokenRequestV2Dataset(datasetId.ToString())).ToList(),
        targetWorkspaces: targetWorkspaceId != Guid.Empty
            ? new List<GenerateTokenRequestV2TargetWorkspace>() { new GenerateTokenRequestV2TargetWorkspace(targetWorkspaceId) }
            : null
    );

    // Effective identity for RLS; the first argument is the username being asked about.
    tokenRequest.Identities = new List<EffectiveIdentity> {
        new EffectiveIdentity("[Service Principal Object Id]"
            // , reports: new List<string>() { reportId.ToString() }
            , datasets: datasetIds.Select(datasetId => datasetId.ToString()).ToList()
            // , roles: new[] { "CommunityAdmin" }
            // , customData: "0ea41e5e-13aa-4a15-8fdc-a7b152dfb089"
        )
    };

 

 

1 ACCEPTED SOLUTION
Anonymous
Not applicable

Hi @WayneT ,

As mentioned in this official documentation:

  • Service principals cannot be added to an RLS role. Accordingly, RLS won’t be applied for apps using a service principal as the final effective identity.

Applying user and role to an embed token

Best Regards
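
Added example (not part of the original thread and not Microsoft's sample code): one way to build the token request so the effective identity is the application's own user rather than the service principal, with the username and role taken from the server-side session instead of anything the browser sends. `AppUser`, `RlsEmbedToken`, `BuildRlsTokenRequest` and the role allow-list are hypothetical names; it assumes the dataset's RLS role (here "CommunityAdmin", from the commented-out line in the question) filters on the value returned by USERNAME().

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.PowerBI.Api.Models;

// Hypothetical type: the application's own user record, loaded server-side
// from the authenticated session (never from values supplied by the browser).
public sealed record AppUser(string UserId, string GroupId);

public static class RlsEmbedToken
{
    // Assumption: roles that exist in the dataset. "CommunityAdmin" is the
    // role name from the question's commented-out line.
    private static readonly HashSet<string> KnownRoles = new() { "CommunityAdmin" };

    public static GenerateTokenRequestV2 BuildRlsTokenRequest(
        AppUser user, string role, Guid reportId, IReadOnlyCollection<Guid> datasetIds)
    {
        // Fail closed: no group or an unknown role means no token at all.
        if (string.IsNullOrWhiteSpace(user.GroupId))
            throw new ArgumentException("User has no group; refusing to request a token.");
        if (!KnownRoles.Contains(role))
            throw new ArgumentException($"Unknown RLS role '{role}'.");

        var datasets = datasetIds.Select(id => id.ToString()).ToList();

        // The effective identity is the application user, not the service principal.
        // Assumption: the role's DAX filter compares a group column to USERNAME().
        var identity = new EffectiveIdentity(
            user.GroupId,
            datasets: datasets,
            roles: new List<string> { role });

        var request = new GenerateTokenRequestV2(
            reports: new List<GenerateTokenRequestV2Report> { new GenerateTokenRequestV2Report(reportId) },
            datasets: datasets.Select(d => new GenerateTokenRequestV2Dataset(d)).ToList());
        request.Identities = new List<EffectiveIdentity> { identity };
        return request;
    }
}
```

The service principal is still what authenticates the call that generates the token; only the identity embedded in the token changes.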
