Solved: Re: dynamical RLS cause bad token error when embed...

TingSun · ‎01-22-2025

Hi there,

We are trying to embed our power bi content in salesforce so that customers can login to salesforce with their salesforce credential and see power bi reports instead of login to power bi service using their power bi credential.

It worked well before we implemented the dynamical RLS. Steps taken:

1) create a service principal in Entra, and granted it User.Read permission for Microsoft Graph

2) added this service principal to workspace as admin where the report located. The service principal has access to the dataset as well as the report itself.

3) in the report, added a role, [Email] ==USERNAME() (we also tried USERPRINCIPALNAME())

Error message: DEBUG|GenerateToken API call failed. Status: Bad Request, Body: {"error":{"code":"InvalidRequest","message":"Creating embed token for accessing dataset XXX-XXX-XXX-XXX requires effective identity to be provided"}}

We tried different codes to pass the identities and roles etc. like directly in the URL or as below:

{

"accessLevel": "View",

"identities": [

{

"username": "example@domain.com",

"roles": [],

"datasets": ["<DatasetId>"]

}

]

}

but still get the same error message.

Can someone help or did you encounter similar error message? Thanks a lot!

mariussve1 · ‎01-22-2025

Hi,

You first need to retrieve the token from the backend:

I assume you’ve already created a SPN (App user) with the correct access to the workspace and sufficient permissions for the APIs that will be used!

Then, you need to use the following:
POST https://login.microsoftonline.com/<tenantid>/oauth2/token grant_type: client_credentials resource: https://analysis.windows.net/powerbi/api client_id: <clientid> secret: <secret>

When you run this, you will receive a token. This token should be used in the frontend to provide access to the report and the model:

POST https://api.powerbi.com/v1.0/myorg/GenerateToken
Note: Remember to include Content-Type: application/json in the header.
Authorization: Bearer <token from backend call up here>

Body (JSON):

{
  "datasets": [
    {
      "id": "<datasetid>"
    }
  ],
  "reports": [
    {
      "id": "<reportid>"
    }
  ],
  "accessLevel": "View",
  "identities": [
    {
      "username": "<username>",
      "roles": [
        "<rolename>"
      ],
      "datasets": [
        "<datasetid>"
      ]
    }
  ],
  "lifetimeInMinutes": 10
}

That should do the trick! 🙂 I recommend using something like Postman to test the process conceptually; it makes it easier to identify where things might go wrong.

Br
Marius
BI Fabrikken
www.bifabrikken.no

View solution in original post

mariussve1 · ‎02-02-2025

Hi,

Sorry for the late answer, but could you please try this:

#example-of-generating-an-embed-token-for-two-datasets-with-rls-identities-and-a-single-report-with-...

Br
Marius
BI Fabrikken
www.bifabrikken.no

View solution in original post

TingSun · ‎01-30-2025

Hi There,

We have another challenge now. Thanks to the json code provided, we were able to make the API call. We even tried on more complex reports using dynamical RLS, all worked so far.

However, in real world, our reports are connected to datasets and as soon as we try with the real life reports, we got error message: GenerateToken API call failed. Status: Bad Request, Body: {"error":{"code":"InvalidRequest","message":"Embedding a report with a model which has a Direct Query connection to another model is not supported with V1 embed token"}}

Does someone know the possible solution for it? Thanks a lot!

mariussve1 · ‎02-02-2025

Hi,

Sorry for the late answer, but could you please try this:

#example-of-generating-an-embed-token-for-two-datasets-with-rls-identities-and-a-single-report-with-...

Br
Marius
BI Fabrikken
www.bifabrikken.no

TingSun

Thanks Marius. We managed to get rid of this direct query error message. However, we have a new challenge, most likely the last one for our project... Some of our reports are complex and are based on more than one datasets. So we have reportID, datasetID (and this datasetID is based on two other semantic models), so we have datasetID2 and datasetID3. We cannot find the right way to pass these 3 dataset ids in our request body. Someone has an idea? what's the syntax for it?

{
  "datasets": [
    {
      "id": "<datasetid>"
    }
  ],
  "reports": [
    {
      "id": "<reportid>"
    }
  ],
  "accessLevel": "View",
  "identities": [
    {
      "username": "<username>",
      "roles": [
        "<rolename>"
      ],
      "datasets": [
        "<datasetid>"
      ]
    }
  ],
  "lifetimeInMinutes": 10
}

How to passing these 3 dataset ids in the following body?

TingSun · ‎01-24-2025

Thank you for the replies. I will test them out and will let you guys know.

v-yiruan-msft · ‎01-22-2025

Hi @TingSun ,

According to the following official documentation, a username and a role are required when generating the embed token. For a service principal, token generation fails if don't provide the above info(username and role).

Using standard cloud based row-level security with embedded content in Power BI embedded analytics

Best Regards

Community Support Team _ Rena
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

mariussve1 · ‎01-22-2025

Hi,

You first need to retrieve the token from the backend:

I assume you’ve already created a SPN (App user) with the correct access to the workspace and sufficient permissions for the APIs that will be used!

Then, you need to use the following:
POST https://login.microsoftonline.com/<tenantid>/oauth2/token grant_type: client_credentials resource: https://analysis.windows.net/powerbi/api client_id: <clientid> secret: <secret>

When you run this, you will receive a token. This token should be used in the frontend to provide access to the report and the model:

POST https://api.powerbi.com/v1.0/myorg/GenerateToken
Note: Remember to include Content-Type: application/json in the header.
Authorization: Bearer <token from backend call up here>

Body (JSON):

{
  "datasets": [
    {
      "id": "<datasetid>"
    }
  ],
  "reports": [
    {
      "id": "<reportid>"
    }
  ],
  "accessLevel": "View",
  "identities": [
    {
      "username": "<username>",
      "roles": [
        "<rolename>"
      ],
      "datasets": [
        "<datasetid>"
      ]
    }
  ],
  "lifetimeInMinutes": 10
}

That should do the trick! 🙂 I recommend using something like Postman to test the process conceptually; it makes it easier to identify where things might go wrong.

Br
Marius
BI Fabrikken
www.bifabrikken.no

TingSun · ‎01-25-2025

Thank you, Marius. Your code worked like a magic. 🙂

dynamical RLS cause bad token error when embed Power BI content in Salesforce

Helpful resources

Join us at the Microsoft Fabric Community Conference

Join our Community Sticker Challenge 2025

Power BI Monthly Update - January 2025

Fabric Community Update - January 2025

New Offer! Become a Certified Fabric Data Engineer

dynamical RLS cause bad token error when embed Power BI content in Salesforce

Helpful resources

Join us at the Microsoft Fabric Community Conference

Join our Community Sticker Challenge 2025

Power BI Monthly Update - January 2025

Fabric Community Update - January 2025