I'm currently facing difficulties in generating the embed token. My plan is to implement Row-Level Security (RLS) so that different users can only view their respective information on the Power BI dashboard that I am embedding.
I understand that the embed token is generated from the access token, and this access token is generated in different ways depending on how you want to authenticate. Following some topics in the Microsoft documentation, I adopted this model: https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal
I've already created the application in Azure and the client secret, thus obtaining the service principal. With this, I managed to generate the access token using the POST method on the API https://login.microsoftonline.com/{tenantID}/oauth2/token. I've also created a security group and added the application as a member.
However, when I attempt to enable the service principals to use Power BI APIs for the specific security group, I encounter the error 'You cannot use invalid or duplicate emails.' This occurs during the second step of stage 3, as outlined in the documentation mentioned in the link above.
I've tried using the security group's ID, the security group's name, the application's ID, and the application's name, but none of them can be located in the Power BI service administration.
I found a similar post here: https://community.fabric.microsoft.com/t5/Service/Adding-AD-security-groups-to-PowerBI-app-workspace..., but I would like more details on what might be missing from the AD side, as it mentions synchronization only.
Hello again! The solution is simpler than I thought. We have different directories on the Azure portal, and switching to the other one resolved the issue. It was necessary to recreate the application and security group because it's a different directory/subscription. See here: [https://learn.microsoft.com/en-us/azure/azure-portal/set-preferences]
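The fix in this thread was that the app registration and security group had been created in a different directory from the one Power BI is administered in. As an added example (not part of the original posts), the Python below reads the `tid` (directory) claim from a service principal's access token and compares it with the tenant ID you expect; the function names and the sample GUIDs and token are constructed for illustration.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(access_token: str) -> dict:
    """Return the token's payload claims WITHOUT verifying the signature.

    Diagnostic use only: never base an authorization decision on this.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def tenant_mismatch(access_token: str, expected_tenant_id: str):
    """Return None when the token's directory matches, else a message."""
    claims = decode_claims(access_token)
    tid = claims.get("tid")  # directory (tenant) that issued the token
    if tid is None:
        return "token carries no tid claim"
    if tid.lower() != expected_tenant_id.strip().lower():
        return (f"app {claims.get('appid', '<unknown>')} lives in directory {tid}, "
                f"but Power BI is administered in {expected_tenant_id}")
    return None


def make_sample_token(tid: str, appid: str) -> str:
    # Constructed, unsigned sample so the example runs offline.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}),
                     enc({"tid": tid, "appid": appid}),
                     "constructed-signature"])


if __name__ == "__main__":
    DIR_A = "11111111-1111-1111-1111-111111111111"  # constructed GUIDs
    DIR_B = "22222222-2222-2222-2222-222222222222"
    token = make_sample_token(DIR_A, "33333333-3333-3333-3333-333333333333")
    print(tenant_mismatch(token, DIR_A))
    print(tenant_mismatch(token, DIR_B))
```

Pass the access token returned by the token endpoint and the tenant ID of the directory that hosts your Power BI service; a non-None result means the app was registered in a different directory.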
Hi @v-jialongy-msft
Yes, the group is already a Security type; otherwise, I wouldn't be able to add the service principal to the group since it doesn't have an email address.
Hi @Anonymous
I followed your steps to create a security group.
I can implement the actions in the documentation.
If you still can't achieve your goal, please provide us with detailed instructions so that I can help you better.
Best Regards,
Jayleny
If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.
Hi @Anonymous
When you create a group, select Security Groups instead of Microsoft 365 Groups.
Best Regards,
Jayleny
If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.