Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now! Learn more

Reply
WayneT
Regular Visitor

Populating TokenRequest EffectiveIdentity object what AAD Service Principal name should be used?

‎12-23-2021 03:07 PM

We display reports to users of our SaaS application by embedding them. The config to get the embed url uses a Service Principal.
For a time we have been using a JavaScript filter to filter report data based on a user's group. This is problematic because a user could potentially hack it and see other groups data.

We have attempted to implement Row Level Security (RLS) while getting the embed token using the code below.

Each user does not have a user account in AAD, so we want to use the Service Principal of the Enterprise Application registered in AAD that we use to get the access token for talking to the api.

Using the C# SDK no matter what username I put in to the EffectiveIdentity it returns a status code of 'Unauthorized'.
Have tried:

  • Name
  • Application Id
  • Object Id

Has anyone else had experience with this and can give me an idea what value should be used for the username property?

 

            var tokenRequest = new GenerateTokenRequestV2(

                reports: new List<GenerateTokenRequestV2Report>() { new GenerateTokenRequestV2Report(reportId) },

                datasets: datasetIds.Select(datasetId => new GenerateTokenRequestV2Dataset(datasetId.ToString())).ToList(),

                targetWorkspaces: targetWorkspaceId != Guid.Empty ? new List<GenerateTokenRequestV2TargetWorkspace>() { new GenerateTokenRequestV2TargetWorkspace(targetWorkspaceId) } : null
            );

            tokenRequest.Identities = new List<EffectiveIdentity> {
            new EffectiveIdentity("[Service Principal Object Id]" 
            //                    //,reports: new List<string>() { reportId.ToString() }
                                ,datasets: datasetIds.Select(datasetId => datasetId.ToString()).ToList()
            //                    ,roles: new[] { "CommunityAdmin" }
            //                    //, customData:"0ea41e5e-13aa-4a15-8fdc-a7b152dfb089"
            )                 
            };

 

 

Labels:
Message 1 of 2
1,097 Views
0
1 ACCEPTED SOLUTION
Anonymous
Not applicable

‎12-27-2021 12:31 AM

Hi @WayneT ,

As mentioned in this official documentation:

  • Service principals cannot be added to an RLS role. Accordingly, RLS won’t be applied for apps using a service principal as the final effective identity.

yingyinr_0-1640593779652.png

Applying user and role to an embed token

Best Regards

View solution in original post

Message 2 of 2
999 Views
0
1 REPLY 1
Anonymous
Not applicable

‎12-27-2021 12:31 AM

Hi @WayneT ,

As mentioned in this official documentation:

  • Service principals cannot be added to an RLS role. Accordingly, RLS won’t be applied for apps using a service principal as the final effective identity.

yingyinr_0-1640593779652.png

Applying user and role to an embed token

Best Regards

Message 2 of 2
1,000 Views
0

Helpful resources

Announcements
Power BI DataViz World Championships

Power BI Dataviz World Championships

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now!

December 2025 Power BI Update Carousel

Power BI Monthly Update - December 2025

Check out the December 2025 Power BI Holiday Recap!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All
Top Solution Authors
View All