Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

Reply
MarkPalmberg
Kudo Commander
Kudo Commander

Organizational access to Azure Data Warehouse Query Without Gateway or Workspace Access

‎02-25-2025 07:49 AM

I have a paginated report sitting in a workspace for which I've created an app. The data source for the report is a SQL query against our Azure data warehouse. One audience in my app is premissioned to my entire organization. Everyone in the organization can *load* the paginated report, but users without workspace access get this error when trying to run it:

MarkPalmberg_0-1740498119931.png

Users who are in a group with access to my workspace are able to load *and* run the report. The datasource for the report is a personal cloud connection using a system user account.

I *could* create a new data gateway for my data source, but I suspect that the VNet we're using is causing performance issues with our reports, so I'm trying to avoid that option until I can't. 

I'd also rather not grant workspace access to the entire org, though I understand this would probably resolve my current issue.

 

Is there a way to enable all users in my org to run this report without creating a data gateway entry for the data source (supposedly not needed for cloud data sources) and without giving the entire org access -- even at View -- to my workspace?

Labels:
Message 1 of 4
226 Views
0
1 ACCEPTED SOLUTION
nilendraFabric
Super User
Super User

‎02-25-2025 08:45 AM

Hello @MarkPalmberg 

 

The core issue stems from how Power BI handles data source authentication and workspace permissions in app-based distribution. When users run a paginated report, two separate permissions are required:
1. Report Access (via the app)
2. Data Source Access (via workspace/data source configuration)
Your setup creates a permissions gap because:
• Organizational users can access the report through the app
• The personal cloud connection credentials aren’t inherited by app users
• Azure Data Warehouse requires explicit authentication that isn’t propagating through the app

 

Try this:

 

Create an Azure AD service principal with read-only SQL permissions on Azure Data Warehouse.
• In Power BI, configure the dataset connection to use service principal authentication (client ID + certificate).

 

In Power BI dataset settings:
• Set data source authentication to OAuth2 (Azure AD).
• Enable “Report viewers use their own credentials” to force Azure AD passthrough.

Map users/groups to RLS roles in the dataset to filter data dynamically.

Use certificate-based authentication (not secrets) for the service principal to avoid token expiration.

Grant users App access (Viewer role) in the workspace.
• Add the service principal as a Contributor to the workspace.

 

hope this helps 

View solution in original post

Message 2 of 4
207 Views
0
3 REPLIES 3
v-veshwara-msft
Community Support
Community Support

‎03-20-2025 09:48 AM

Hi @MarkPalmberg ,
Just wanted to check if the provided response by @nilendraFabric  has resolved your query. If so please mark the helpful reply as Accepted solution to help others benefit in the community. If still need assistance , please reach out.
Thank you.

Message 4 of 4
129 Views
0
nilendraFabric
Super User
Super User

‎02-25-2025 08:45 AM

Hello @MarkPalmberg 

 

The core issue stems from how Power BI handles data source authentication and workspace permissions in app-based distribution. When users run a paginated report, two separate permissions are required:
1. Report Access (via the app)
2. Data Source Access (via workspace/data source configuration)
Your setup creates a permissions gap because:
• Organizational users can access the report through the app
• The personal cloud connection credentials aren’t inherited by app users
• Azure Data Warehouse requires explicit authentication that isn’t propagating through the app

 

Try this:

 

Create an Azure AD service principal with read-only SQL permissions on Azure Data Warehouse.
• In Power BI, configure the dataset connection to use service principal authentication (client ID + certificate).

 

In Power BI dataset settings:
• Set data source authentication to OAuth2 (Azure AD).
• Enable “Report viewers use their own credentials” to force Azure AD passthrough.

Map users/groups to RLS roles in the dataset to filter data dynamically.

Use certificate-based authentication (not secrets) for the service principal to avoid token expiration.

Grant users App access (Viewer role) in the workspace.
• Add the service principal as a Contributor to the workspace.

 

hope this helps 

Message 2 of 4
208 Views
0
MarkPalmberg
Kudo Commander
Kudo Commander
In response to nilendraFabric

‎03-24-2025 06:26 AM

Thanks for the reply, @nilendraFabric . We have an Azure Entra service account, but it's not set up as a "service principal" in our Fabric tenant; I'll have to read up on how those 2 things differ.

Message 3 of 4
117 Views
0

Helpful resources

Announcements
Fabric July 2025 Monthly Update Carousel

Fabric Monthly Update - July 2025

Check out the July 2025 Fabric update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All