Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Score big with last-minute savings on the final tickets to FabCon Vienna. Secure your discount

Reply
PoPQ
Frequent Visitor

Conditional Access Policy results in B2B guest user access denial

‎12-03-2024 07:12 AM

We have a GCC Power BI Service tenant with premium capacity (P1) and we are trying and failing to enable B2B guest user access to a Power BI report. We've added the guest user in Entra ID and correctly licenced and permissioned them to access the report Power BI. But when they tried to access the report they received a 53003 error message that said "your sign-in was successful but you don't have permission to access this resource." We tried just about everything and then gave up and exempted the guest user from the standard Conditional Access Policy (CAP), and voila: they were able to access the report. This is not a stable solution because the CAP needs to remain enabled, so we tried allow-listing Power BI Service in the policy and we're back to square one with the same access denial error message. Since we've isolated the problem to the CAP, what other apps or services do we need to allow-list in order for the guest user to be successfully authenticated to access the report?

Labels:
Message 1 of 4
698 Views
1 ACCEPTED SOLUTION
PoPQ
Frequent Visitor

‎12-27-2024 11:58 AM

Turns out the issue is that the Power BI Service app is called something else in Entra ID for GCC. While we were excluding "Power BI Service" in the CAP, that was referring to the commercial cloud version of Power BI. What we needed to exclude was "Microsoft Power BI Government Cloud" instead. The search functionality in the CAP exlusion menu is so bad that when we entered "Power BI", the app we needed to exclude didn't show up in the list of results because it began with "Microsoft". Very frustrating! 

View solution in original post

Message 4 of 4
572 Views
3 REPLIES 3
PoPQ
Frequent Visitor

‎12-27-2024 11:58 AM

Turns out the issue is that the Power BI Service app is called something else in Entra ID for GCC. While we were excluding "Power BI Service" in the CAP, that was referring to the commercial cloud version of Power BI. What we needed to exclude was "Microsoft Power BI Government Cloud" instead. The search functionality in the CAP exlusion menu is so bad that when we entered "Power BI", the app we needed to exclude didn't show up in the list of results because it began with "Microsoft". Very frustrating! 

Message 4 of 4
573 Views
Anonymous
Not applicable

‎12-03-2024 06:49 PM

Hi @PoPQ ,

 

You can try to include the following services and applications in the allowed list: Power BI service, Office 365, SharePoint, Microsoft Teams, Azure Active Directory, and other identity-related services.

In addition, make sure that external users are assigned the correct workspace roles in the Power BI admin portal to allow external guest users to access and share content. Also, review the Conditional Access Policy to ensure there are no other restrictions preventing external users from accessing the Power BI report.

 

Best Regards,
Zhu
Community Support Team

 

If there is any post helps, then please consider Accept it as the solution  to help the other members find it more quickly.

Message 2 of 4
639 Views
0
PoPQ
Frequent Visitor
In response to Anonymous

‎12-09-2024 10:59 AM

Thanks for these suggestions. We tried all of these options to no avail.

Message 3 of 4
606 Views
0

Helpful resources

Announcements
August Power BI Update Carousel

Power BI Monthly Update - August 2025

Check out the August 2025 Power BI update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All
Top Kudoed Authors
View All