
Issue with REST API and impersonating a user by service principal

Hi,

I noted a potential bug with the REST API call Datasets - Execute Queries In Group - REST API (Power BI Power BI REST APIs) | Microsoft Learn

When using a service principal (authorised to use the REST API by the tenant admin) to execute a query against a dataset with RLS by impersonating a user added to one of the RLS roles (that do not have access to the REST API), I get 401 - unauthorised request.

The same service principal in the same workspace can successfully query any other dataset without RLS.

thx,
Status: Investigating
Comments
Anonymous
Not applicable

Hi  @skowronp123 

Is the error occurring because of the following restriction?

[image: vyetao1msft_0-1692956304850.png]

Best Regards,
Community Support Team _ Ailsa Tao

 

skowronp123
Frequent Visitor

Hi, my understanding is that this API should work with an SP, since there is an impersonation option in the body of the request.
My understanding is that the SP should authenticate to the workspace and then, based on the impersonated user, run the query on any dataset with RLS.

CharlesSaulnier
Regular Visitor

I may add: since the "impersonation" part of the request body does not work, why then have it as a key we can use? This is a serious limitation to any semantic model that has RLS enabled, which is a relatively common scenario in our organisation, especially with production-use models.

If impersonation is not possible, then is there any non-interactive way to authenticate as a selected user to run the API call? The Connect-PowerBIServiceAccount PowerShell cmdlet no longer supports user / password credentials, so we are stuck in a loop with the service principal limitations on the Execute Query API.

samsonfrb
Frequent Visitor

I have the same issue & similar requirements.
We want to automate queries that use INFO.XXX DAX functions (ex. list of tables, columns) so the RLS roles are of no consequence. We would like to use something like "invalid.user@myorg.com" in impersonatedUserName while executing executeQueries REST API with a Service Principal. That user would not be part of any RLS role but we are not trying to access any data (only metadata on the model).

Frederick

Parrunis
Frequent Visitor

Hi @samsonfrb @skowronp123

I am facing the same issue.

I would like to execute INFO.XXX DAX queries to my datasets via executeQueries REST API with a Service Principal, but the ones with RLS are impossible to access.

The ImpersonatedUserName is useless since the Service Principal cannot authenticate to a dataset with RLS.

According to the documentation:

[image: Parrunis_0-1713772959409.png]

Any solutions? 

samsonfrb
Frequent Visitor

Unfortunately, for now, I exclude them from my scan.

Frederick
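
The workaround from the last reply (leaving RLS datasets out of a service-principal metadata scan), sketched as an added example that is not code from anyone in this thread. It assumes the `isEffectiveIdentityRequired` / `isEffectiveIdentityRolesRequired` fields of a dataset listing are used as the RLS indicator; the dataset list, the IDs and the choice of `INFO.TABLES()` are constructed, and no HTTP call is made.

```python
API = "https://api.powerbi.com/v1.0/myorg"

# Constructed sample shaped like a dataset listing for one workspace.
# IDs and names are placeholders, not real objects.
SAMPLE_DATASETS = [
    {"id": "ds-0001", "name": "Sales",
     "isEffectiveIdentityRequired": True, "isEffectiveIdentityRolesRequired": True},
    {"id": "ds-0002", "name": "Inventory",
     "isEffectiveIdentityRequired": False, "isEffectiveIdentityRolesRequired": False},
    {"id": "ds-0003", "name": "Finance", "isEffectiveIdentityRolesRequired": True},
]


def needs_effective_identity(dataset):
    """Assumption: either flag marks a dataset the service principal cannot query."""
    return bool(dataset.get("isEffectiveIdentityRequired")
                or dataset.get("isEffectiveIdentityRolesRequired"))


def build_request(group_id, dataset_id, dax, impersonated_user=None):
    """Describe one executeQueries call; the caller adds the bearer token and sends it."""
    body = {"queries": [{"query": dax}],
            "serializerSettings": {"includeNulls": True}}
    if impersonated_user:
        # The key discussed in the thread; omitted for service-principal scans.
        body["impersonatedUserName"] = impersonated_user
    url = f"{API}/groups/{group_id}/datasets/{dataset_id}/executeQueries"
    return {"method": "POST", "url": url, "json": body}


def plan_scan(group_id, datasets, dax):
    """Split datasets into requests to send and datasets skipped, with a reason.

    Recording the skipped ones keeps the coverage gap visible in the scan
    output instead of silently dropping models from the inventory.
    """
    plan, skipped = [], []
    for ds in datasets:
        if needs_effective_identity(ds):
            skipped.append({"id": ds["id"], "name": ds["name"],
                            "reason": "effective identity / RLS required"})
        else:
            plan.append(build_request(group_id, ds["id"], dax))
    return plan, skipped


if __name__ == "__main__":
    plan, skipped = plan_scan("grp-0001", SAMPLE_DATASETS, "EVALUATE INFO.TABLES()")
    print(len(plan), "to query;", len(skipped), "skipped:", [s["name"] for s in skipped])
```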
