Power BI is turning 10, and we’re marking the occasion with a special community challenge. Use your creativity to tell a story, uncover trends, or highlight something unexpected.
Get startedJoin us for an expert-led overview of the tools and concepts you'll need to become a Certified Power BI Data Analyst and pass exam PL-300. Register now.
I work for a SaaS company with multiple customer tenants. Each customer has access to their own data but should never see other customer's data. In order to achieve this, I pass the customer's tenant id as the username when retrieving tokens. That tenant id is then used to filter the report data.
This seems to work well when embedding existing reports but we also want to allow customers to create their own reports via the embedded interface. However, when I specify the EffectiveIdentity and attempt to retrieve a creation token, I get a "Forbidden" error that states that EffectiveIdentities are not allowed for report creation tokens. Without being able to specify the EffectiveIdentity, I'm unable to filter the data and report creators essentially end up having access to data from all tenants.
Is there another way to specify identities for report creation tokens? Please see my current code below (notice how I commented out effective identities when creating the generateTokenParameters). The hardcoded "24" below is the customer tenant id which I'm unable to specify without an error.
string roles = "Default"; var rls = new EffectiveIdentity("24", new List<string> { this.AppConfig.PowerBI_DataSetId }); if (!string.IsNullOrWhiteSpace(roles)) { var rolesList = new List<string>(); rolesList.AddRange(roles.Split(',')); rls.Roles = rolesList; } GenerateTokenRequest generateTokenRequestParameters; generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: TokenAccessLevel.Create, datasetId: this.AppConfig.PowerBI_DataSetId, allowSaveAs:true);//, identities: new List<EffectiveIdentity> { rls }); var tokenResponse = await client.Reports.GenerateTokenForCreateInGroupAsync(this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId, generateTokenRequestParameters); // Generate Embed Configuration. model.EmbedConfig.EmbedToken = tokenResponse; model.EmbedConfig.DatasetId = this.AppConfig.PowerBI_DataSetId; model.EmbedConfig.EmbedUrl = string.Format("https://app.powerbi.com//reportEmbed?groupId={0}", this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId);
Solved! Go to Solution.
@Elderin wrote:
I work for a SaaS company with multiple customer tenants. Each customer has access to their own data but should never see other customer's data. In order to achieve this, I pass the customer's tenant id as the username when retrieving tokens. That tenant id is then used to filter the report data.
This seems to work well when embedding existing reports but we also want to allow customers to create their own reports via the embedded interface. However, when I specify the EffectiveIdentity and attempt to retrieve a creation token, I get a "Forbidden" error that states that EffectiveIdentities are not allowed for report creation tokens. Without being able to specify the EffectiveIdentity, I'm unable to filter the data and report creators essentially end up having access to data from all tenants.
Is there another way to specify identities for report creation tokens? Please see my current code below (notice how I commented out effective identities when creating the generateTokenParameters). The hardcoded "24" below is the customer tenant id which I'm unable to specify without an error.
string roles = "Default"; var rls = new EffectiveIdentity("24", new List<string> { this.AppConfig.PowerBI_DataSetId }); if (!string.IsNullOrWhiteSpace(roles)) { var rolesList = new List<string>(); rolesList.AddRange(roles.Split(',')); rls.Roles = rolesList; } GenerateTokenRequest generateTokenRequestParameters; generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: TokenAccessLevel.Create, datasetId: this.AppConfig.PowerBI_DataSetId, allowSaveAs:true);//, identities: new List<EffectiveIdentity> { rls }); var tokenResponse = await client.Reports.GenerateTokenForCreateInGroupAsync(this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId, generateTokenRequestParameters); // Generate Embed Configuration. model.EmbedConfig.EmbedToken = tokenResponse; model.EmbedConfig.DatasetId = this.AppConfig.PowerBI_DataSetId; model.EmbedConfig.EmbedUrl = string.Format("https://app.powerbi.com//reportEmbed?groupId={0}", this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId);
Based on my test, when creating an embedded token for reports creation specifying the attribute identities in the JSON body, it returns error message "Creating embed token for accessing dataset 05dxxxxx9090a4c shouldn't have effective identity". So I think it is not supported at this moment. You can submit your idea at Power BI Ideas and vote it up.
@Elderin wrote:
I work for a SaaS company with multiple customer tenants. Each customer has access to their own data but should never see other customer's data. In order to achieve this, I pass the customer's tenant id as the username when retrieving tokens. That tenant id is then used to filter the report data.
This seems to work well when embedding existing reports but we also want to allow customers to create their own reports via the embedded interface. However, when I specify the EffectiveIdentity and attempt to retrieve a creation token, I get a "Forbidden" error that states that EffectiveIdentities are not allowed for report creation tokens. Without being able to specify the EffectiveIdentity, I'm unable to filter the data and report creators essentially end up having access to data from all tenants.
Is there another way to specify identities for report creation tokens? Please see my current code below (notice how I commented out effective identities when creating the generateTokenParameters). The hardcoded "24" below is the customer tenant id which I'm unable to specify without an error.
string roles = "Default"; var rls = new EffectiveIdentity("24", new List<string> { this.AppConfig.PowerBI_DataSetId }); if (!string.IsNullOrWhiteSpace(roles)) { var rolesList = new List<string>(); rolesList.AddRange(roles.Split(',')); rls.Roles = rolesList; } GenerateTokenRequest generateTokenRequestParameters; generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: TokenAccessLevel.Create, datasetId: this.AppConfig.PowerBI_DataSetId, allowSaveAs:true);//, identities: new List<EffectiveIdentity> { rls }); var tokenResponse = await client.Reports.GenerateTokenForCreateInGroupAsync(this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId, generateTokenRequestParameters); // Generate Embed Configuration. model.EmbedConfig.EmbedToken = tokenResponse; model.EmbedConfig.DatasetId = this.AppConfig.PowerBI_DataSetId; model.EmbedConfig.EmbedUrl = string.Format("https://app.powerbi.com//reportEmbed?groupId={0}", this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId);
Based on my test, when creating an embedded token for reports creation specifying the attribute identities in the JSON body, it returns error message "Creating embed token for accessing dataset 05dxxxxx9090a4c shouldn't have effective identity". So I think it is not supported at this moment. You can submit your idea at Power BI Ideas and vote it up.
This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.
Check out the June 2025 Power BI update to learn about new features.
User | Count |
---|---|
4 | |
4 | |
3 | |
3 | |
3 |