Currently the service principal account cannot leverage the On-Premises Data Gateway since it is not a mail-enabled account. This prevents a Power BI Embedded solution from leveraging an on-premises SSAS tabular model using the service principal. Instead we need a full-blown Power BI Pro license for a service account. Is it on the roadmap to add this capability?
Impossible to add an AAD SP to gateway users (as admin, for example)
But it can be done via PowerShell
This issue has been fixed in Q2 2023.
It is now possible to use the GUI to add an SPN as a user to both the gateway and the datasources on the gateway.
How did you manage to add the group your service principal belongs to?
I tried to do it but when I call PBI API to get list of gateways, the result is empty.
Currently this is not yet implemented by Power BI. I've already asked the same question long back and found this idea is already asked and waiting for more votes.
Please provide your vote for the below idea.
I'll reach out to the Power BI team and will try to find the ETA for this feature.
@Jayendran Thanks for the info! Let us know if you hear anything from the Power BI team on this issue.
Also, I read a Microsoft document that states: Customers that configure row-level security (RLS) using an SQL Server Analysis Services (SSAS) on-premises live connection data source can enjoy the new service principal capability to manage users and their access to data in SSAS when integrating with Power BI Embedded. (https://docs.microsoft.com/en-us/power-bi/developer/embedded-row-level-security#on-premises-data-gat...). This article implies that even though you have to use the API to add it, it should work? Based on what you're saying, is this documentation wrong (or am I misunderstanding it?)
Thanks @brentcarlson for the link to the article. Based on the date of the post, the capability was added after we initially attempted, so this may now be possible.
@AdamWidi Let us know if you get this working. So far, we haven't been able to see it work; even though the service principal shows up in the access list for the gateway now.
We still have not been able to get this to work. We got the gateway to show the Service Principal using the API call; however we think the issue stems inside of SQL Server and/or SQL Server Analysis Services. When using Azure hosted SQL Analysis Services there is an option to add an appid (of the Service Principal); on-premise SQL Analysis Services does not give this option. We think this is why it is not working (and makes sense); as the Service Principal doesn't have access to SQL. We are looking at alternatives on how to translate the authentication from the gateway into SQL Analysis Services. The documentation implies this should work but doesn't give any details on how to make it work.
I did get a suggestion to try adding the Service Principal to an Azure AD group, make this group a gateway admin, and add user mapping in the gateway connection. Has anyone had success with this approach?
Was anyone ever able to solve this? I have the same issue. I was able to add the service principal to the data source on the on-premise gateway using the API; but it still doesn't seem to work even though the service principal now shows in the access list.
Followed the example here: https://docs.microsoft.com/en-us/rest/api/power-bi/gateways/adddatasourceuser - Tried using both ReadOverrideEffectiveIdentity and Read as the datasourceAccessRight
You need to add the service principal as gateway admin and not as datasource. I also have the same issue, as the SP doesn't have an email ID to get it added as an admin. Does anyone know how to get this added? Thanks