Hi,

Apologies this is a question on Report Builder, I realise this is the Desktop forum... but where do I go?!?! 😁

I am currently working on a solution where a customer has data in Azure Databricks Unity Catalog, with RLS configured in a "gold" schema. Due to the RLS in the source, we need to use DirectQuery in Power BI to access the data. The end user needs to use Report Builder to build paginated reports, and is comfortable using this tool due to history in SSRS.

For additional info, if it will help, we have configured a large serverless SQL warehouse cluster in databricks.

Also, the reports are being deployed to an F64 SKU (not a trial capacity).

The problem I am having is that in the service I don't appear to be getting any AAD passthrough, so the DirectQuery is accessing the source using the user credentials that were used to configure the connection, and not using the credentials of the user viewing/running the report.

Here is what I have done so far:

I have a cloud connection configured in the service to access the Azure Databricks instance. Azure Active Directory has been selected for authentication method and "Use SSO via Azure AD for DirectQuery queries" has been enabled. Privacy level is set to "Organisational". I currently don't have permission to confirm if the initial catalog has been configured; I don't know if this makes a difference.

I have created a paginated report that uses NativeQuery in the mashup as the user(s) wants to be able to write/add SQL to the M code, similar to the "Query" experience when connecting Report Builder to SQL Server. This report has been configured to use the cloud connection created in the previous point.

The report is published to the service, but due to the fact there is no semantic model, I cannot see that it is possible to enable the "Report viewers can only access this data source with their own Power BI identities using DirectQuery" option.

When we test the report, the report is running under my security context, as I configured the report and connection.

We can observe this in two different ways:

1) Each tester can only see the data I am able to see in the source, as I can only see a subsection of data due to RLS.

2) When looking at query history in databricks we can see the "User" and the "Run as" user are both recorded as me.

I have looked at the Databrick specific documentation, and there is a suggestion that account SSO needs to be enabled, which I need to check the status of.

(I realise that the image says AWS, but I'm working on the basis that this could be the same requirement in Azure?)

I have also read that potentially a VNet data gateway may be required Use virtual network data gateway and data sources in Power BI | Microsoft Learn, however as I am unable to configure Data Source Settings, due to the use of Paginated Reports and DirectQuery, I'm unsure if this will work.

All documentation seems to be focused on Power BI Desktop (e.g., Connect Power BI to Azure Databricks - Azure Databricks | Microsoft Learn), and the Report Builder documentation that is available on this subject is minimal and brief at best.

One final thing to mention, creating an intermediary semantic model, that is connected to the source, that Report Builder could connect to is not a viable option.

Whilst it may be a solution, and one I am yet to test!, it will not be a solution that will be accepted by the report developer(s).

Has anybody come across this issue before, specifically with Paginated Reports when using DirectQuery to query Unity Catalog schemas in Azure Databricks, and if so please could you offer some advice.

Thanks in advance for any help that can be offered ✌️