
PowerBI Embedded (App Owns Data) Creating embed token with effective identity fails

The error message I get is:


Creating embed token for accessing dataset <my-data-set-guid> requries effective identity username to be identical to the caller's principal name.


I am using PowerBI Embedded inside a .NET Core 2.2 Web App with a master account (as opposed to a service principal). Behind the scenes is Azure Active Directory and Azure Analysis Services with Live Connection. I am trying to pass in an effective identity based off the currently logged in user so that their permissions are used for loading the report.


My code is as follows:

// In Razor Page Get method
ClaimsPrincipal user = _httpContextAccessor.HttpContext.User;
List<Claim> claims = user.Claims.ToList();
string name = claims.FirstOrDefault(c => c.Type == "name")?.Value;
string preferredName = claims.FirstOrDefault(c => c.Type == "preferred_username")?.Value;
string roles = claims.FirstOrDefault(c => c.Type == ClaimTypes.Role)?.Value;
string upn = claims.FirstOrDefault(c => c.Type == ClaimTypes.Upn)?.Value;

var SelectedReport = await _reportRepository.GetReportForIdAsync(reportId.Value, upn, roles);

// In Repository
public async Task<EmbeddedReportConfig> GetReportForIdAsync(Guid reportId, string name, string roles)
{
    try
    {
        AzureToken azureToken = await _authenticationHandler.GetAzureTokenDataAsync();

        using (PowerBIClient powerBiClient = new PowerBIClient(new Uri(_powerBiSettings.ApiUrl), azureToken.TokenCredentials))
        {
            Report powerBiReport = await powerBiClient.Reports.GetReportAsync(_powerBiSettings.WorkspaceId, reportId.ToString());

            var rolesList = new List<string>();

            if (!string.IsNullOrWhiteSpace(roles))
            {
                // Body lost in the page extraction; assumed to add the role to the list
                rolesList.Add(roles);
            }

            List<EffectiveIdentity> rowLevelSecurityIdentity = new List<EffectiveIdentity>
            {
                new EffectiveIdentity(
                    username: name, // the user's UPN, passed in by the caller
                    roles: rolesList,
                    datasets: new List<string> {powerBiReport.DatasetId}
                )
            };

            GenerateTokenRequest powerBiTokenRequestParameters = new GenerateTokenRequest("View", null, identities: rowLevelSecurityIdentity);

            EmbedToken powerBiTokenResponse = await powerBiClient.Reports.GenerateTokenInGroupAsync(_powerBiSettings.WorkspaceId, powerBiReport.Id, powerBiTokenRequestParameters);

            return new EmbeddedReportConfig
            {
                ReportId = Guid.Parse(powerBiReport.Id),
                Name = powerBiReport.Name,
                EmbedUrl = powerBiReport.EmbedUrl,
                AccessToken = powerBiTokenResponse.Token
            };
        }
    }
    catch (HttpOperationException ex)
    {
        //Bad Request
        var content = ex.Response.Content;
    }

    return null;
}

As you can see I pass in the user's UPN for the Effective Identity name. If I sign in as the master user (for embedding) then the request for the token will succeed, but if I use any other account that belongs to the same AAD tenant then it fails with the error message above.


I see that others have run into this issue before here. Using the CustomData functionality as mentioned here will not work, as not all of the data tables are tagged with the UPN; there are separate roles set up inside Azure Analysis Services.


I noticed some mention of adding UPN mapping (link1, link2), but I'm not sure if I can use this because the BI Analyst set up the Data Gateway inside the Azure Portal rather than in the PowerBI portal.

I have tried using the sample App Owns Data application but I run into the same issue.

Frequent Visitor

I finally got this resolved and posted my solution on my question thread.


I have a very basic Azure Analysis Services data model and an O365 PBI Pro license. I'm able to use my O365 id in PBI Desktop to connect to the AAS data model, create a report with the live-connect option, and even publish to PBI Service. Though I always get an error when I publish that I don't have permissions to do so, the report is published along with the dataset, and for the dataset I'm later able to set the credentials to connect to the AAS with OAuth2 using my O365 id. This id is also in the administrators role of the AAS.


Within PBI Service, I'm able to view and refresh the report without any issue, and even the dataset's scheduled refreshes work correctly.


Problem when embedding the report in the App Owns Data sample:

If I set the username to "service-principal-ibj-id", the embed token generation goes through fine. With any other username, like my O365 id, it fails saying "requries effective identity username to be identical to the caller's principal name". But at the last point, when the report is loading data, it fails with the error "Unable to connect to the data model

We cannot open the report because Power BI is unable to connect to the data model in Azure Analysis Services."
I followed the service principal docs to create a role called "Customers" in AAS and even added the SP and my O365 id as users in the Membership. But still the same result.
What am I missing? Anything in Azure/AAD/AAS settings that I have missed?

