Elderin
Frequent Visitor

Specifying EffectiveIdentity when Retrieving a PowerBI Embedded Report Creation Token

 

I work for a SaaS company with multiple customer tenants. Each customer has access to their own data but should never see other customers' data. In order to achieve this, I pass the customer's tenant id as the username when retrieving tokens. That tenant id is then used to filter the report data.

 

This seems to work well when embedding existing reports but we also want to allow customers to create their own reports via the embedded interface.  However, when I specify the EffectiveIdentity and attempt to retrieve a creation token, I get a "Forbidden" error that states that EffectiveIdentities are not allowed for report creation tokens.  Without being able to specify the EffectiveIdentity, I'm unable to filter the data and report creators essentially end up having access to data from all tenants.

 

Is there another way to specify identities for report creation tokens?  Please see my current code below (notice how I commented out effective identities when creating the generateTokenParameters).  The hardcoded "24" below is the customer tenant id which I'm unable to specify without an error.

 

    string roles = "Default";

    // Effective identity for row-level security: the username is the customer tenant id.
    var rls = new EffectiveIdentity("24", new List<string> { this.AppConfig.PowerBI_DataSetId });
    if (!string.IsNullOrWhiteSpace(roles))
    {
        var rolesList = new List<string>();
        rolesList.AddRange(roles.Split(','));
        rls.Roles = rolesList;
    }

    // The identities argument is commented out because the service rejects it for creation tokens.
    var generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: TokenAccessLevel.Create, datasetId: this.AppConfig.PowerBI_DataSetId, allowSaveAs: true);//, identities: new List<EffectiveIdentity> { rls });

    var tokenResponse = await client.Reports.GenerateTokenForCreateInGroupAsync(this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId, generateTokenRequestParameters);

    // Generate Embed Configuration.
    model.EmbedConfig.EmbedToken = tokenResponse;
    model.EmbedConfig.DatasetId = this.AppConfig.PowerBI_DataSetId;
    model.EmbedConfig.EmbedUrl = string.Format("https://app.powerbi.com/reportEmbed?groupId={0}", this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId);

 

1 ACCEPTED SOLUTION
Eric_Zhang
Microsoft Employee
@Elderin

Based on my test, when creating an embedded token for report creation while specifying the identities attribute in the JSON body, it returns the error message "Creating embed token for accessing dataset 05dxxxxx9090a4c shouldn't have effective identity". So I think it is not supported at this moment. You can submit your idea at Power BI Ideas and vote it up.
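
Added example, not part of the original thread and not Power BI SDK code: a server-side guard that fails closed instead of silently dropping the effective identity, so a creation token is never issued against a dataset whose only tenant isolation is RLS. The types `Access`, `DatasetInfo`, `TokenPlan` and `EmbedTokenGuard`, the dataset ids, and the idea of marking a dataset as owned by a single tenant are assumptions made for illustration.

```csharp
using System;

// Hypothetical types for this example; none of them come from Microsoft.PowerBI.Api.
public enum Access { View, Edit, Create }

// OwnerTenantId == null marks a dataset shared by all tenants and isolated only by RLS.
public record DatasetInfo(string DatasetId, string OwnerTenantId);

// RlsUsername is the value to pass as the EffectiveIdentity username, or null for none.
public record TokenPlan(Access Access, string DatasetId, string RlsUsername);

public static class EmbedTokenGuard
{
    // sessionTenantId must come from the authenticated server-side session, never the browser.
    public static TokenPlan Plan(string sessionTenantId, Access access, DatasetInfo ds)
    {
        if (string.IsNullOrWhiteSpace(sessionTenantId))
            throw new UnauthorizedAccessException("No tenant bound to this session.");

        bool shared = ds.OwnerTenantId is null;
        if (!shared && ds.OwnerTenantId != sessionTenantId)
            throw new UnauthorizedAccessException("Dataset belongs to another tenant.");

        // The service rejects an effective identity on creation tokens, so on a shared
        // dataset the token would carry no tenant filter. Refuse rather than drop it.
        if (shared && access == Access.Create)
            throw new InvalidOperationException(
                "Create token on an RLS-only shared dataset would expose every tenant's rows.");

        // Shared dataset with View/Edit: the RLS username is always the session tenant.
        return new TokenPlan(access, ds.DatasetId, shared ? sessionTenantId : null);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample datasets; the ids are placeholders.
        var sharedDs = new DatasetInfo("shared-dataset-placeholder", null);
        var tenantDs = new DatasetInfo("tenant-24-dataset-placeholder", "24");

        Console.WriteLine(EmbedTokenGuard.Plan("24", Access.View, sharedDs));   // filtered via RLS
        Console.WriteLine(EmbedTokenGuard.Plan("24", Access.Create, tenantDs)); // single-tenant data
        try { EmbedTokenGuard.Plan("24", Access.Create, sharedDs); }            // must be refused
        catch (InvalidOperationException e) { Console.WriteLine("refused: " + e.Message); }
    }
}
```

Call the guard before building the `GenerateTokenRequest`, and only attach `identities` when `RlsUsername` is non-null.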
