MarkPalmberg
Kudo Commander

Organizational access to Azure Data Warehouse Query Without Gateway or Workspace Access

I have a paginated report sitting in a workspace for which I've created an app. The data source for the report is a SQL query against our Azure data warehouse. One audience in my app is permissioned to my entire organization. Everyone in the organization can *load* the paginated report, but users without workspace access get this error when trying to run it:

[Image: MarkPalmberg_0-1740498119931.png]

Users who are in a group with access to my workspace are able to load *and* run the report. The datasource for the report is a personal cloud connection using a system user account.

I *could* create a new data gateway for my data source, but I suspect that the VNet we're using is causing performance issues with our reports, so I'm trying to avoid that option until I can't. 

I'd also rather not grant workspace access to the entire org, though I understand this would probably resolve my current issue.

 

Is there a way to enable all users in my org to run this report without creating a data gateway entry for the data source (supposedly not needed for cloud data sources) and without giving the entire org access -- even at View -- to my workspace?

1 ACCEPTED SOLUTION
nilendraFabric
Super User

Hello @MarkPalmberg 

 

The core issue stems from how Power BI handles data source authentication and workspace permissions in app-based distribution. When users run a paginated report, two separate permissions are required:

1. Report Access (via the app)
2. Data Source Access (via workspace/data source configuration)

Your setup creates a permissions gap because:

• Organizational users can access the report through the app
• The personal cloud connection credentials aren’t inherited by app users
• Azure Data Warehouse requires explicit authentication that isn’t propagating through the app

 

Try this:

 

Create an Azure AD service principal with read-only SQL permissions on Azure Data Warehouse.
• In Power BI, configure the dataset connection to use service principal authentication (client ID + certificate).

 

In Power BI dataset settings:
• Set data source authentication to OAuth2 (Azure AD).
• Enable “Report viewers use their own credentials” to force Azure AD passthrough.

Map users/groups to RLS roles in the dataset to filter data dynamically.

Use certificate-based authentication (not secrets) for the service principal to avoid token expiration.

Grant users App access (Viewer role) in the workspace.
• Add the service principal as a Contributor to the workspace.

 

hope this helps 
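
One way to set up the read-only SQL permissions for the service principal named in the first step of the reply above, as T-SQL for the data warehouse database. This is an added example, not part of nilendraFabric's reply; the principal name `pbi-report-reader`, the role `report_reader` and the schema `reporting` are hypothetical placeholders.

```sql
-- Run in the data warehouse database while connected as a Microsoft Entra admin.
-- [pbi-report-reader] is a hypothetical service principal display name;
-- [reporting] is a hypothetical schema holding the objects the report queries.

-- 1. Create a database user mapped to the service principal.
CREATE USER [pbi-report-reader] FROM EXTERNAL PROVIDER;

-- 2. Scope read access to one schema through a dedicated role.
--    db_datareader would also be read-only, but it covers every user table
--    and view in the database, which is wider than one report needs.
CREATE ROLE report_reader;
GRANT SELECT ON SCHEMA::reporting TO report_reader;
EXEC sp_addrolemember 'report_reader', 'pbi-report-reader';

-- 3. Review what the role has been granted.
SELECT pr.name  AS principal_name,
       pe.class_desc,
       pe.permission_name,
       pe.state_desc,
       s.name   AS schema_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.schemas AS s
  ON pe.class_desc = 'SCHEMA' AND s.schema_id = pe.major_id
WHERE pr.name = 'report_reader';

-- 4. Review every role the service principal belongs to, so an inherited
--    write-capable role (db_datawriter, db_owner) is noticed before go-live.
SELECT r.name AS role_name,
       m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = 'pbi-report-reader';
```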


3 REPLIES
v-veshwara-msft
Community Support

Hi @MarkPalmberg ,
Just wanted to check if the response provided by @nilendraFabric has resolved your query. If so, please mark the helpful reply as the Accepted solution to help others in the community benefit. If you still need assistance, please reach out.
Thank you.

Thanks for the reply, @nilendraFabric. We have an Azure Entra service account, but it's not set up as a "service principal" in our Fabric tenant; I'll have to read up on how those 2 things differ.
