We have an app embedding PBI reports that are published to an App space in Power BI. Users are granted access using an AD group that has been added to the App audience in PBI.
When new users access the embedded report, they see an unauthorized screen. The error persists until the user manually logs into apps.powerbi.com. Refreshing the client UI/embed shows the report as expected.
Removing users from the AD group has a similar effect where the user can view the embedded report despite having been removed from the AD group. Only after logging directly into apps.powerbi.com will the embedded report display the unauthorized screen.
Is this a caching or configuration issue on the PBI side or a synchronization issue with AD?
Any help is appreciated.
Hi @devJC,
Thanks for reaching out to the Microsoft Fabric Community forum.
It seems that the issue is likely due to caching, either on the Power BI side or the user's session (token caching), rather than an AD synchronization problem. I recommend focusing on proper token refresh and investigating the caching mechanisms in Power BI and your embedded app.
Kindly review the troubleshooting steps provided below:
I am also including a similar thread that has already been accepted as a solution. Please take a look at it for better understanding:
Solved: Users cannot access report but are members of a re... - Microsoft Fabric Community
I hope my suggestions give you good ideas. If you need any further assistance, feel free to reach out.
If this post helps, then please give us Kudos and consider accepting it as a solution to help the other members find it more quickly.
Thank you.
Thanks for the response! I need a couple more clarifications if you can assist.
Power BI tokens are issued under the powerbi scope using the MSAL library in React. The expiration is 30m.
We have tested new users with an incognito browser window (no cache, forced clean sign-in). They still get the unauthorized view until directly accessing powerbi.apps.com. Upon logging into Power BI, the user can access the report.
I am skeptical whether the Power BI security/roles are configured correctly for embedded reports.
Reports and semantic models live in the same workspace and the report is added to the App.
The AD usergroup is added as an audience at the App level and nowhere else.
Does PBI cascade/cache the user's credentials at login?
It seems the AD Group in Power BI is cached/stale. How would this be refreshed when new users are added?
We have used the PBI API user RefreshPermissions call with no effect.
Thanks!
Hello @devJC,
It seems you're facing issues with user access to embedded Power BI reports, specifically regarding Azure AD group permissions and token management.
Power BI caches user permissions, and when a user logs in, their credentials and permissions are validated against the Azure AD group memberships. If new users are added to an AD group, there may be a delay before those changes take effect in Power BI due to caching. The RefreshUserPermissions API call is meant to update the user's permissions, but if it's not working as expected, it could be due to a few reasons:
I am including a similar thread that might help you. Please have a look into it:
Solved: Powerbi Embed - user owns data - react application... - Microsoft Fabric Community
Additionally, please refer to the following documentation for a better understanding:
Permission tokens needed to embed a Power BI app - Power BI | Microsoft Learn
Troubleshoot Power BI embedded analytics application - Power BI | Microsoft Learn
If this post helps, then please give us Kudos and consider accepting it as a solution to help the other members find it more quickly.
Thank you.
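An added example (not code from this thread or from Microsoft) of how a client can sequence the RefreshUserPermissions call mentioned above around an embed attempt: refresh once, wait, retry, and stop instead of looping on an unauthorized user. The two timing constants and the injected helpers (`tryEmbed`, `getToken`, `store`, `sleep`, `now`, `fetchFn`) are assumptions; the thread does not establish that this call clears the stale group membership described here.

```javascript
// Added example, not code from this thread. REFRESH_URL is the Power BI REST
// "Refresh User Permissions" call; the two timing constants are assumptions.
const REFRESH_URL = "https://api.powerbi.com/v1.0/myorg/RefreshUserPermissions";
const MIN_REFRESH_INTERVAL_MS = 60 * 60 * 1000; // assumed: one refresh per user per hour
const PROPAGATION_WAIT_MS = 2 * 60 * 1000;      // assumed: settle time before retrying

// Pure decision step: given the HTTP status of the last embed attempt and the
// time of the last refresh (null if never), decide what the client does next.
function nextAction(embedStatus, lastRefreshAt, now) {
  if (embedStatus === 200) return "render";
  if (embedStatus !== 401 && embedStatus !== 403) return "fail"; // not a permission error
  if (lastRefreshAt === null) return "refresh";
  const elapsed = now - lastRefreshAt;
  if (elapsed < PROPAGATION_WAIT_MS) return "wait";      // refresh still settling
  if (elapsed < MIN_REFRESH_INTERVAL_MS) return "deny";  // refreshed and still unauthorized
  return "refresh";                                      // old refresh, try once more
}

// Driver with injected, hypothetical dependencies:
//   tryEmbed()  -> HTTP status of an embed/load attempt
//   getToken()  -> Power BI access token for the signed-in user (e.g. via MSAL)
//   fetchFn, sleep(ms), now(), store.get()/store.set(ts) for the last refresh time
async function embedWithPermissionRefresh(deps) {
  let lastRefreshAt = deps.store.get();
  for (let attempt = 0; attempt < 3; attempt++) {
    const status = await deps.tryEmbed();
    const action = nextAction(status, lastRefreshAt, deps.now());
    if (action !== "refresh" && action !== "wait") return action;
    if (action === "refresh") {
      const token = await deps.getToken();
      const res = await deps.fetchFn(REFRESH_URL, {
        method: "POST",
        headers: { Authorization: `Bearer ${token}` },
      });
      if (!res.ok) return "fail";
      lastRefreshAt = deps.now();
      deps.store.set(lastRefreshAt);
    }
    await deps.sleep(PROPAGATION_WAIT_MS - (deps.now() - lastRefreshAt));
  }
  return "deny"; // bounded retries: never loop on an unauthorized user
}
```

This sequencing only concerns newly granted access. It does nothing for the removal case raised in the thread, where a user taken out of the AD group can still view the embedded report.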
Hi @devJC,
I wanted to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions. If my response has addressed your query, please accept it as a solution and give a 'Kudos' so other members can easily find it.
Thank you.
I have reviewed both of your responses and I have verified each of the points. Our problem does not seem to be a token issue. Here is our token acquisition process:
Still, access to embedded report is restricted:
The most likely culprit is your comment:
"Power BI caches user permissions, and when a user logs in, their credentials and permissions are validated against the Azure AD group memberships."
I will be testing removing/re-adding the user group audience to the app in Power BI to test if that forces a refresh.
If Power BI caches AD group members/permissions and does not automatically refresh those permissions until a user manually logs in, then this effectively breaks embedded reports that use AD groups to manage access. In response, we will require some configuration to manage an automatic refresh of AD group members/permissions within Power BI on a schedule until this problem is resolved. Are there any examples of how to accomplish this?
Thank you.
Hello @devJC,
Thank you for your patience and for the detailed analysis you’ve provided. Based on your findings and our investigation, we can confirm that Power BI caches AD group memberships for embedded users, and this cache is only refreshed when users manually log in to the Power BI service.
Since Power BI does not provide an automatic refresh mechanism for AD group permissions in embedded scenarios, we recommend the following approaches:
Manually Remove and Re-Add the AD Group to the App Audience. This is a workaround that can be tested manually first. Removing and re-adding the AD group forces Power BI to re-evaluate group membership. If successful, proceed with automating the process using the Power BI REST API or Power Automation.
If you need any further assistance, feel free to reach out.
Thank you.
Hi @devJC,
Could I please ask for more clarification in terms of how you are embedding the reports? Are you embedding the reports in SharePoint, or are you using Power BI Embedded?
We are embedding using the powerbi-client-react library in React (TypeScript).
The embedding works as expected except for new/removed users.