MattStannett
Frequent Visitor

PowerBI Embedded (App Owns Data) Creating embed token with effective identity fails

The error message I get is:

 

Creating embed token for accessing dataset <my-data-set-guid> requries effective identity username to be identical to the caller's principal name.

 

I am using PowerBI Embedded inside a .NET Core 2.2 Web App with a master account (as opposed to a service principal). Behind the scenes is Azure Active Directory and Azure Analysis Services with Live Connection. I am trying to pass in an effective identity based off the currently logged in user so that their permissions are used for loading the report.

 

My code is as follows:

// In Razor Page Get method
ClaimsPrincipal user = _httpContextAccessor.HttpContext.User;
List<Claim> claims = user.Claims.ToList();
string name = claims.FirstOrDefault(c => c.Type == "name")?.Value;
string preferredName = claims.FirstOrDefault(c => c.Type == "preferred_username")?.Value;
string roles = claims.FirstOrDefault(c => c.Type == ClaimTypes.Role)?.Value;
string upn = claims.FirstOrDefault(c => c.Type == ClaimTypes.Upn)?.Value;

var SelectedReport = await _reportRepository.GetReportForIdAsync(reportId.Value, upn, roles);

// In Repository
public async Task<EmbeddedReportConfig> GetReportForIdAsync(Guid reportId, string name, string roles)
{
    try
    {
        AzureToken azureToken = await _authenticationHandler.GetAzureTokenDataAsync();

        using (PowerBIClient powerBiClient = new PowerBIClient(new Uri(_powerBiSettings.ApiUrl), azureToken.TokenCredentials))
        {
            Report powerBiReport = await powerBiClient.Reports.GetReportAsync(_powerBiSettings.WorkspaceId, reportId.ToString());

            var rolesList = new List<string>();

            if (!string.IsNullOrWhiteSpace(roles))
            {
                rolesList.AddRange(roles.Split(','));
            }

            List<EffectiveIdentity> rowLevelSecurityIdentity = new List<EffectiveIdentity>
            {
                new EffectiveIdentity(
                    name,
                    roles: rolesList,
                    datasets: new List<string> {powerBiReport.DatasetId}
                )
            };
            GenerateTokenRequest powerBiTokenRequestParameters = new GenerateTokenRequest("View", null, identities: rowLevelSecurityIdentity);

            EmbedToken powerBiTokenResponse = await powerBiClient.Reports.GenerateTokenInGroupAsync(_powerBiSettings.WorkspaceId, powerBiReport.Id, powerBiTokenRequestParameters);

            return new EmbeddedReportConfig
            {
                ReportId = Guid.Parse(powerBiReport.Id),
                Name = powerBiReport.Name,
                EmbedUrl = powerBiReport.EmbedUrl,
                AccessToken = powerBiTokenResponse.Token
            };
        }
    }
    catch (HttpOperationException ex)
    {
        // https://community.powerbi.com/t5/Developer/quot-shouldn-t-have-effective-identity-quot-error-when-passing/td-p/433730
        // https://docs.microsoft.com/en-us/power-bi/developer/embedded-row-level-security
        //Bad Request
        var content = ex.Response.Content;
        Console.WriteLine(content);
    }

    return null;
}

As you can see I pass in the user's UPN for the Effective Identity name. If I sign in as the master user (for embedding) then the request for the token will succeed, but if I use any other account that belongs to the same AAD tenant then it fails with the error message above.

 

I see that others have run into this issue before here. Using the CustomData functionality as mentioned here will not work, as not all of the data tables are tagged with the UPN; there are separate roles set up inside Azure Analysis Services.

 

I noticed some mention of adding UPN mapping (link1, link2) but I'm not sure if I can use this because the BI Analyst set up the Data Gateway inside the Azure Portal rather than in the PowerBI portal.

I have tried using the sample App Owns Data application but I run into the same issue.

1 ACCEPTED SOLUTION
MattStannett
Frequent Visitor

I finally got this resolved and posted my solution on my question thread.


2 REPLIES 2

I have a very basic Azure Analysis Services data model and an O365 PBI Pro license. I'm able to use my O365 ID in PBI Desktop and connect to the AAS data model and create a report with the live-connect option, and even publish to PBI Service. Though I always get an error when I publish that I don't have permissions to do so, the report is published along with the dataset, and for the dataset I'm later able to set the credentials to connect to the AAS with OAuth2 using my O365 ID. This ID is also in the administrators role of the AAS.

 

Within PBI Service, I'm able to view and refresh the report without any issue, and even the dataset's scheduled refreshes work correctly.

 

Problem when embedding the report in app-owns data sample:

If I set the username to "service-principal-ibj-id" the embed token generation goes through fine. With any other username, like my O365 ID, it fails saying "requries effective identity username to be identical to the caller's principal name". But at the last point when the report is loading data, it fails with error "Unable to connect to the data model

We cannot open the report because Power BI is unable to connect to the data model in Azure Analysis Services."
 
I followed the service principal docs to create a role called "Customers" in AAS and even added the SP and my O365 ID as users in the Membership. But still the same result.
 
What am I missing? Anything in Azure/AAD/AAS settings that I have missed?

 
