devJC
Frequent Visitor

AD group access issue for embedded reports

We have an app embedding PBI reports that are published to an App space in Power BI. Users are granted access using an AD group that has been added to the App audience in PBI.

When new users access the embedded report, they see an unauthorized screen. The error persists until the user manually logs into apps.powerbi.com. Refreshing the client UI/embed shows the report as expected.

Removing users from the AD group has a similar effect where the user can view the embedded report despite having been removed from the AD group. Only after logging directly into apps.powerbi.com will the embedded report display the unauthorized screen.

 

Is this a caching or configuration issue on the PBI side or a synchronization issue with AD?

Any help is appreciated.

1 ACCEPTED SOLUTION

Hello @devJC 

Thank you for your patience and for the detailed analysis you’ve provided. Based on your findings and our investigation, we can confirm that Power BI caches AD group memberships for embedded users, and this cache is only refreshed when users manually log in to the Power BI service.

 

Since Power BI does not provide an automatic refresh mechanism for AD group permissions in embedded scenarios, we recommend the following approaches:

 

Manually Remove and Re-Add the AD Group to the App Audience. This is a workaround that can be tested manually first. Removing and re-adding the AD group forces Power BI to re-evaluate group membership. If successful, proceed with automating the process using the Power BI REST API or Power Automation.

 

If you need any further assistance, feel free to reach out.

 

Thank you.

 

 

v-tsaipranay
Community Support

Hi @devJC,

Thanks for reaching out to the Microsoft Fabric Community forum.

 

It seems that the issue is likely due to caching, either on the Power BI side or the user's session (token caching), rather than an AD synchronization problem. I recommend focusing on proper token refresh and investigating the caching mechanisms in Power BI and your embedded app.

Kindly review the troubleshooting steps provided below:

  • Implement logic on your app’s embedded client to force reauthentication when users are added or removed from AD groups.
  • Investigate how your embedded Power BI tokens are issued and ensure appropriate token expiration policies are in place.
  • Make sure there are no significant delays in the synchronization between your AD groups and Power BI.
  • Ensure that the browser cache is not interfering with the authorization process.

I am also including a similar thread that has already been accepted as a solution. Please take a look at it for better understanding:

Solved: Users cannot access report but are members of a re... - Microsoft Fabric Community

 

I hope my suggestions give you good ideas. If you need any further assistance, feel free to reach out.

 

If this post helps, then please give us Kudos and consider accepting it as a solution to help the other members find it more quickly.

 

Thank you. 

Thanks for the response! I need a couple more clarifications if you can assist.

Power BI tokens are issued under the powerbi scope using the MSAL library in React. The expiration is 30m.

We have tested new users with an incognito browser window (no cache, forced clean sign-in). They still get the unauthorized view until directly accessing powerbi.apps.com. Upon logging into Power BI, the user can access the report.
I am skeptical if the PowerBI security/roles are configured correctly for embedded reports.
Reports and semantic models live in the same workspace and the report is added to the App.
The AD usergroup is added as an audience at the App level and nowhere else.
Does PBI cascade/cache the user's credentials at login?

It seems the AD Group in powerBI is cached/stale. How would this be refreshed when new users are added?
We have used the PBI API user RefreshPermissions call with no effect.

Thanks!

Hello @devJC ,

 

It seems you're facing issues with user access to embedded Power BI reports, specifically regarding Azure AD group permissions and token management.

Power BI caches user permissions, and when a user logs in, their credentials and permissions are validated against the Azure AD group memberships. If new users are added to an AD group, there may be a delay before those changes take effect in Power BI due to caching. The RefreshUserPermissions API call is meant to update the user's permissions, but if it's not working as expected, it could be due to a few reasons:

  • As tokens expire every 30 minutes, ensure users have a fresh token after their permissions are updated.
  • If your reports use RLS, confirm that roles are correctly configured, and users have the necessary permissions to view the data.
  • Verify that the AD group is properly set as an audience in the app settings and that there are no additional restrictions at the report or dataset level.

I am including a similar thread that might help you. Please have a look into it:

Solved: Powerbi Embed - user owns data - react application... - Microsoft Fabric Community

Additionally, please refer to the following documentation for a better understanding:

Permission tokens needed to embed a Power BI app - Power BI | Microsoft Learn

Troubleshoot Power BI embedded analytics application - Power BI | Microsoft Learn

 

If this post helps, then please give us Kudos and consider accepting it as a solution to help the other members find it more quickly.

 

Thank you. 

Hi @devJC  ,

I wanted to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions. If my response has addressed your query, please accept it as a solution and give a 'Kudos' so other members can easily find it.


Thank you.

@v-tsaipranay,

I have reviewed both of your responses and I have verified each of the points. Our problem does not seem to be a token issue. Here is our token acquisition process:

  1. User is onboarded to AD group in advance
  2. After waiting several days, the user logs into the application
  3. Using the MSAL library for React, we request a new token with the method acquireTokenSilent and set the scope to https://analysis.windows.net/powerbi/api/.default
  4. Permissions present in the token are App.Read.All, Dashboard.Read.All, Dataset.Read.All, Report.Read.All, UserState.ReadWrite.All, and Workspace.Read.All
  5. Synchronization does not seem to be an issue since new users are able to directly log in to apps.powerbi.com and access authorized content available for their group

Still, access to embedded report is restricted:

  • Reports do not use RLS, only different audiences at the App level
  • Acquiring a new token days (or weeks) after being added to the AD group or after calling RefreshUserPermissions endpoint has no effect
  • Users can access embedded reports normally after directly logging into apps.powerbi.com
  • Users can access embedded reports weeks after being removed from the AD group and up until they directly log into apps.powerbi.com
  • Users added/removed individually to the App (not AD group) do not experience the embed issue

The most likely culprit is your comment:

"Power BI caches user permissions, and when a user logs in, their credentials and permissions are validated against the Azure AD group memberships."

 

I will be testing removing/re-adding the user group audience to the app in Power BI to test if that forces a refresh.
If Power BI caches AD group members/permissions and does not automatically refresh those permissions until a user manually logs in, then this effectively breaks embedded reports that use AD groups to manage access. In response, we will require some configuration to manage an automatic refresh of AD group members/permissions within Power BI on a schedule until this problem is resolved. Are there any examples of how to accomplish this?

Thank you.
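
The behaviour described in the post above means removed group members can keep viewing embedded reports, so access after removal is worth auditing. The following is an added example, not code from this thread or from Microsoft: it replays a group membership history against report-view events and separates views within the 30-minute token lifetime from later ones. All records, field names and user names are constructed; in practice they are assumed to come from directory audit and report-usage logs.

```javascript
const TOKEN_LIFETIME_MIN = 30; // access-token expiry reported in the thread

// Constructed membership history for the AD group used as the App audience.
const groupChanges = [
  { user: "alice@contoso.example", action: "add", at: "2025-01-02T09:00:00Z" },
  { user: "bob@contoso.example", action: "add", at: "2025-01-02T09:00:00Z" },
  { user: "bob@contoso.example", action: "remove", at: "2025-02-01T12:00:00Z" },
];

// Constructed embedded-report view events.
const reportViews = [
  { user: "alice@contoso.example", report: "sales", at: "2025-02-10T08:00:00Z" },
  { user: "Bob@contoso.example", report: "sales", at: "2025-02-01T12:10:00Z" },
  { user: "bob@contoso.example", report: "sales", at: "2025-02-20T15:00:00Z" },
  { user: "dave@contoso.example", report: "sales", at: "2025-02-03T10:00:00Z" },
  { user: "eve@contoso.example", report: "sales", at: "2025-02-03T10:00:00Z" },
];

// Users granted access individually (lowercase); the thread reports these behave correctly.
const directGrants = new Set(["dave@contoso.example"]);

// Most recent add/remove for `user` at or before `when` (ms), or null.
function lastChangeBefore(changes, user, when) {
  let last = null;
  for (const c of changes) {
    const t = Date.parse(c.at);
    if (c.user.toLowerCase() !== user || t > when) continue;
    if (last === null || t >= last.t) last = { t, action: c.action };
  }
  return last;
}

// Flag views made while the viewer was not a group member at view time.
function findStaleViews(changes, views, direct = new Set()) {
  const findings = [];
  for (const v of views) {
    const user = v.user.toLowerCase(); // UPNs compare case-insensitively
    if (direct.has(user)) continue;
    const when = Date.parse(v.at);
    const last = lastChangeBefore(changes, user, when);
    if (last !== null && last.action === "add") continue; // member when viewing
    const minutes = last ? Math.round((when - last.t) / 60000) : null;
    const verdict = last === null ? "never_in_group"
      : minutes <= TOKEN_LIFETIME_MIN ? "within_token_lifetime"
      : "stale_authorization";
    findings.push({ user, report: v.report, at: v.at, minutesSinceRemoval: minutes, verdict });
  }
  return findings;
}
```

Calling `findStaleViews(groupChanges, reportViews, directGrants)` returns one finding per suspicious view; the `stale_authorization` entries are the ones that match the cached-membership behaviour reported here.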


Hi @v-tsaipranay 


May I ask for your help?

I have a very similar setup and problem: an embedded Power BI report (not using the Power BI app) and users in a group; the group is given permissions to the entire Power BI workspace.

 

The difference is that users were added to the group weeks ago, but they never logged into the Power BI workspace and never tried to access this embedded report.

Now they are trying to do so and get an Unauthorised error.

I tried to manually remove and re-add the group to the workspace, but this changed nothing.

However, when the user logs into the Power BI workspace, they become able to see the embedded report.
If I give direct permission to a specific user from my group to the whole Power BI workspace, and immediately remove it, the user also becomes able to see the embedded report, and they still can see it after local cache cleanup and after a few hours.

 

Would you be able to suggest any idea on how to make all my current users in the group able to see the report? And also all future group members.

 

Thank you!

Hi @devJC ,

I wanted to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions. If my response has addressed your query, please accept it as a solution and give a 'Kudos' so other members can easily find it.


Thank you.

Hello @devJC ,

 

I wanted to follow up on our previous suggestions regarding the issue. We would love to hear back from you to ensure we can assist you further.

If my response has addressed your query, please accept it as a solution and give a ‘Kudos’ so other members can easily find it. Please let us know if there’s anything else we can do to help.

 

Thank you.

GilbertQ
Super User

Hi @devJC 

 

Could I please ask for more clarification in terms of how you are embedding the reports? Are you embedding the reports in SharePoint, or are you using Power BI Embedded?






We are embedding using the powerbi-client-react library in React (typescript).
The embedding works as expected except for new/removed users.
