Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now! Learn more

Reply
amien
Helper V
Helper V

Cross-tenant sharing semantic model doesn't work - what i'm a missing : AAD Auth failed

‎06-25-2025 10:30 AM

We want to make cross-tenant sharing possible.

 

On the provider side we checked everything:

 

* enabled access for external guest users

* Allow guest users to access PowerBI

* allow guest users to work with shared semantic models in their own tenants

* allow specific users to turn on external data sharing

* share semantic model with both read and build

 

The receiver side is allowed to consume externe semantic models

 

But its still not working. app.powerbi.com and then home and then "from external orgs" we get an error:

AAD Authentication failture .. Unable to authenticate your credentials.

 

PowerBI desktop also doesn't work. i get the 'find data beyond your org" message

 

What i'm a missing? any tips?

Labels:
Message 1 of 12
1,171 Views
0
1 ACCEPTED SOLUTION
v-sshirivolu
Community Support
Community Support
In response to amien

‎06-30-2025 01:07 AM

Hi @amien ,
Thanks for the follow-up !

To ensure Power BI Desktop signs you in with the correct guest context (the provider tenant), start by opening Power BI Desktop and navigating to File - Options and Settings - Options - Global - Security. Under Authentication Browser Settings, enable “Use my default web browser.” Once this is set, restart Power BI Desktop. When you sign in, you'll be redirected to your default browser, where you can confidently select the correct tenant profile look for an option like user@domain.com (Guest). This guarantees you're signing in as a guest under the provider’s tenant.

Also once the “Trust MFA from Entra tenants” setting is enabled in the provider tenant, your guest authentication will be accepted even if MFA was done in your home tenant. That resolves the "AAD Authentication Failure" error.

 

View solution in original post

Message 12 of 12
939 Views
11 REPLIES 11
amien
Helper V
Helper V

‎06-26-2025 04:36 AM

"signed into the app with their guest profile (the one from your tenant)" .. this is basicly the same right? there is only one account, only question into which tenant you try to login. If its the provider side, it will be the guest account on the provider tenant Otherwise its a member on the consumer tenant

Message 11 of 12
1,003 Views
0
v-sshirivolu
Community Support
Community Support
In response to amien

‎06-30-2025 01:07 AM

Hi @amien ,
Thanks for the follow-up !

To ensure Power BI Desktop signs you in with the correct guest context (the provider tenant), start by opening Power BI Desktop and navigating to File - Options and Settings - Options - Global - Security. Under Authentication Browser Settings, enable “Use my default web browser.” Once this is set, restart Power BI Desktop. When you sign in, you'll be redirected to your default browser, where you can confidently select the correct tenant profile look for an option like user@domain.com (Guest). This guarantees you're signing in as a guest under the provider’s tenant.

Also once the “Trust MFA from Entra tenants” setting is enabled in the provider tenant, your guest authentication will be accepted even if MFA was done in your home tenant. That resolves the "AAD Authentication Failure" error.

 

Message 12 of 12
940 Views
amien
Helper V
Helper V

‎06-26-2025 04:19 AM

Hi .. thanks for the answer .. it becomes much clearer now.

 

Question about the heads-up .. how do i make sure that i don't fall back to my home tenant? How can i make this switch?

 

And another question; when i fix the "trust in multi-factor authentication from external tenants" .. it is possible to open a semantic model logged in from another tenant right? and open a semantic model that has been shared with me as a guest user from the provider tenant

Message 10 of 12
1,008 Views
0
v-sshirivolu
Community Support
Community Support

‎06-26-2025 04:00 AM

Hi @amien ,
Thanks for reaching out to the Microsoft fabric community forum.

I’ve run into this exact issue before, and from everything you’ve described, it sounds like you’ve already done most of the heavy lifting. The guest user exists in Entra ID, the semantic model is shared properly, and all the Power BI sharing settings look good. The license setup also sounds correct, as long as the guest user has a Pro license in their own tenant, they don’t need one in yours.

The real catch here is usually a setting in Microsoft Entra that controls trust between tenants. Specifically, in the provider (your) tenant, you need to allow trust in multi-factor authentication from external tenants. Without that, Power BI won’t recognize the guest user's MFA as valid, and you’ll hit the “AAD authentication failure” error, even if everything else is configured perfectly.

 

To fix it, head to the Microsoft Entra admin center, go to External Identities → Cross-tenant access settings → Default settings, and under Inbound trust settings, make sure the option “Trust multi-factor authentication from Microsoft Entra tenants” is turned on. That’s the key piece that’s often missed.

 

Also, just a heads-up for Power BI Desktop, if the user sees a message like “find data beyond your org,” make sure they’re signed into the app with their guest profile (the one from your tenant). Sometimes Power BI Desktop defaults back to the user’s home tenant, which can block access to the shared model.

Hope this helps, that MFA trust setting has been the missing piece in almost every case I’ve seen like this. Let me know how it goes.

If the response has addressed your query, please Accept it as a solution and give a 'Kudos' so other members can easily find it

Best Regards,
Sreeteja
Community Support Team.

Message 9 of 12
1,016 Views
0
amien
Helper V
Helper V

‎06-26-2025 01:59 AM

getting this enabled is not very easy in a larger organisation 🙂 .. this is quite a big ask to get this PowerBI capacility, but i will try 😉

Message 8 of 12
1,046 Views
0
amien
Helper V
Helper V

‎06-25-2025 12:13 PM

can this be the problem? 

 

"Additionally, the provider tenant needs to turn on the Trust multi-factor authentication from Microsoft Entra tenants option"

 

https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-dataset-external-org-share-abou...

Message 6 of 12
1,104 Views
0
collinq
Super User
Super User
In response to amien

‎06-25-2025 12:39 PM

Hey @amien ,

The multi-tenant MFA option might be teh trick.... please test it out!

The other answer I had about licenses is that I do not believe that they have to have license on BOTH sides.  If you are using the same userid and the license




Did I answer your question? Mark my post as a solution!

Proud to be a Datanaut!
Private message me for consulting or training needs.




Message 7 of 12
1,094 Views
0
amien
Helper V
Helper V

‎06-25-2025 11:22 AM

Hej .. Thanks for your reply 

What do you mean? license .. pro license right? Both the provider has a pro license on the provider side and the receiver has a pro license on the receiver side. the receiver (guest account) doesn't have a pro license on the privider side.

 

the receiver account has a guest account on the provider side .. and the other way around. When i loggin with my guest account on the provider side, i can even see the semantic model and open it. So 'm sure the guest account does exists and works

Message 3 of 12
1,150 Views
0
collinq
Super User
Super User
In response to amien

‎06-25-2025 11:30 AM

Hi @amien ,

To help clarify, the userid that is logging into your system has a license AND that is the userid that is being used in your AD?  The license assigned to the user and the user that is signing in have to be the same.  Is that the case?

 




Did I answer your question? Mark my post as a solution!

Proud to be a Datanaut!
Private message me for consulting or training needs.




Message 4 of 12
1,149 Views
0
amien
Helper V
Helper V
In response to collinq

‎06-25-2025 12:00 PM

the userid (guest user) that is logging into my system does NOT have a pro license on my system, but does have a pro license on his own system. And that is indeed the userid (guest user) that is being used in my AD. The userid on both sides are the same (on my system a guest users), on his own system a member. 

 

Do i need to give the guess user a pro license on my system to make this work?

Message 5 of 12
1,115 Views
0
collinq
Super User
Super User

‎06-25-2025 11:04 AM

Hi @amien ,

I am assuming that you also have a license assigned to the user?  If so, the next thing I would confirm is that the userid that the user is using to sign into your tenant is in your Entra as well.  They must be in your tenant with the userid that they are trying to sign in with.  And, based on the message, that is not the case since it states that there is an error authenticating.




Did I answer your question? Mark my post as a solution!

Proud to be a Datanaut!
Private message me for consulting or training needs.




Message 2 of 12
1,154 Views
0

Helpful resources

Announcements
Power BI DataViz World Championships

Power BI Dataviz World Championships

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now!

December 2025 Power BI Update Carousel

Power BI Monthly Update - December 2025

Check out the December 2025 Power BI Holiday Recap!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All