kristofferrye
Regular Visitor

Embed For Customer - DirectQuery

I have a React Web App that embeds multiple Power BI reports using the "Embed for your customers" scenario (App owns data).

  • The web app communicates with a backend API (ASP.NET Core Web API), which in turn calls the Power BI API (via GetReportInGroupAsync from the Microsoft.PowerBI.Api NuGet package) to generate embed tokens.
  • Users authenticate with OAuth 2.0 Authorization Code Flow with PKCE using MSAL, obtaining an access token, which is passed as a bearer token to the Web API.
  • The Web API is responsible for generating Power BI embed tokens.

What Works:

Import Mode Reports (with RLS applied in Power BI workspace)

I use an Effective Identity object in the embed token request, specifying Username, Roles, and Dataset, and everything works as expected.

What Doesn't Work:

DirectQuery Reports (data from an Azure SQL Database where RLS is applied)

  • According to the Power BI Embed API documentation I should use an IdentityBlob when embedding a DirectQuery report that connects to an Azure SQL database.
  • The IdentityBlob must contain an OAuth 2.0 access token for Azure SQL, which I generate in my Web API using the On-Behalf-Of (OBO) flow.

The Problem:

  • The Azure SQL access token (generated via OBO) includes a "groups" claim listing all of the user's Azure AD group memberships, making the token very large.
  • When I pass this token as the identityBlob value, I receive this error from the Power BI API endpoint (POST https://api.powerbi.com/v1.0/myorg/groups/<WORKSPACE_ID>/reports/<REPORT_ID>/GenerateToken):

BadRequest{"error":{"code":"InvalidRequest","message":"Identity blob value size exceeds size limit of 10240 bytes"}

Questions:

  1. Is there a way to exclude the "groups" claim when requesting an Azure SQL access token? Or is this required in the embedded report in order to give the user the right access to the data in the report?
  2. Is there a way to increase the identityBlob size limit (10,240 bytes)?
  3. When generating an embed token for a Power BI report that uses DirectQuery with Azure SQL, is specifying identityBlob and datasets in the identities object sufficient, or do I also need to explicitly provide the server and database details? If so, how should they be included in the request body?
  4. What is the recommended approach for embedding DirectQuery reports with Azure SQL RLS using the App Owns Data model?

Any guidance or best practices would be greatly appreciated. Thanks!

1 ACCEPTED SOLUTION

Hi @v-nmadadi-msft ,

I can't configure group claims or app roles in the token for Azure SQL. Only Microsoft can do that, since they own the resource "https://database.windows.net" and determine which claims are included when a token is requested.

The only way this currently works is if the user has fewer than 160 AD groups or more than 200 AD groups. In the latter case, Azure AD replaces the group IDs in the "groups" claim with a Graph API URL, significantly reducing the token size.

I’ve received confirmation from Microsoft that there’s no workaround for this. I’ve submitted a Design Change Request to increase the identityBlob size limit from 10,240 bytes to at least 12,500 bytes, ensuring that tokens for users with around 160-200 AD groups can be accepted by the Power BI API /GenerateToken endpoint. Now, we’ll just have to wait for Microsoft to implement this fix.

5 REPLIES
v-nmadadi-msft
Community Support

Hi @kristofferrye,
Thanks for reaching out to the Microsoft Fabric community forum.
Please make sure all the parameter values, like workspace ID, report ID, etc., are correct while passing the token.
Since you are encountering the issue while using DirectQuery reports from an Azure SQL Database where RLS is applied, if possible temporarily disable the RLS and check whether embedding is working or not, so as to pinpoint where exactly the problem is arising from.
-> You cannot exclude the "groups" claim when requesting an Azure SQL access token.
-> No, the identityBlob size limit (10,240 bytes) is a hard limit imposed by the Power BI API, and there is currently no way to increase it.
-> It is sufficient to specify identityBlob and datasets when generating an embed token for a Power BI report that uses DirectQuery with Azure SQL.
-> Please check out this reference document: Embed Power BI report in a Power BI embedded analytics application for your customers - Power BI | M...

If you find this post helpful, please mark it as an "Accept as Solution" and consider giving a KUDOS.
Thanks and Regards

Thanks for your response @v-nmadadi-msft !

I checked out the link you sent (Embed Power BI report in a Power BI embedded analytics application for your customers - Power BI | M...) but it doesn't mention any best practice when it comes to DirectQuery reports with this identityBlob.

The issue is occurring with the Power BI API endpoint "GenerateToken" and can be replicated, for example, in Postman by making a POST request to:

https://api.powerbi.com/v1.0/myorg/groups/<WORKSPACE_ID>/reports/<REPORT_ID>/GenerateToken

(replace <WORKSPACE_ID>, <REPORT_ID>, and <DATASET_ID> with real values), and with this body:

{
  "accessLevel": "View",
  "identities": [
    {
      "datasets": [
        "<DATASET_ID>"
      ],
      "identityBlob": {
        "value": "eyJ0eX....AAA="
      }
    }
  ]
}

(just with a real value for the identityBlob). If the identityBlob value exceeds 10,240 bytes, the API returns the following error: "Identity blob value size exceeds size limit of 10240 bytes". This error occurs regardless of whether the report uses a DirectQuery dataset.

Observations

I tested this issue with a colleague who has fewer Azure AD group memberships than me. When using his access token in the identityBlob, the API successfully returned an embed token, since that token was smaller.
(In fact, any string under 10,240 bytes can be passed into identityBlob to get an embed token—but authentication inside the embedded report to the database would fail if it's just a random value). So it seems that this functionality only works for users with very few AD group memberships. Since my Azure SQL token contains a few extra AD groups in the "groups" claim, it becomes too large to use in the identityBlob.

Trying to solve this, I tested different OAuth authentication flows to obtain an Azure SQL access token using scope: "https://database.windows.net//.default" to see if that made any difference regarding the claims in the token.

Results from the different authentication flows:

  • Authorization Code Flow with PKCE → Token includes full "groups" claim (too large).
  • On-Behalf-Of (OBO) Flow → Token includes full "groups" claim (too large).
  • Implicit Flow → Token does NOT include full "groups", but instead has "hasgroups": "true".

When I hardcoded an Azure SQL token obtained via Implicit Flow into my app and used it as the value in the identityBlob, I was finally able to access the Power BI report data using DirectQuery 😀

Problem: Avoiding Double Authentication

  • Users already authenticate using Authorization Code Flow with PKCE, scoped to my backend API’s App Registration.
  • I don’t want to prompt users again to obtain an Azure SQL token using Implicit Flow.
  • Using OBO Flow to obtain an Azure SQL token results in a token that’s too large in most cases.

Questions

  1. Is there a way to obtain an Azure SQL access token for this identityBlob with "hasgroups": "true" instead of the full "groups" claim—without requiring users to authenticate twice using Implicit flow?
  2. Are there any other projects with a similar use case that have solved this issue?
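The size and claim-shape differences this post reports (a full "groups" list from OBO and auth-code flows, "hasgroups" from the implicit flow, and the 10,240-byte identityBlob limit) can be checked in the backend before a GenerateToken call is ever made. The following Python is an added example, not code from this thread or from the Microsoft.PowerBI.Api SDK. It constructs unsigned, JWT-shaped strings with placeholder tenant, user and group IDs (all constructed), measures the serialised size against the limit, and reports which form the group information takes. The function names, the constructed claim values and the Graph endpoint string in the overage case are assumptions; in a real Web API the access token string obtained from MSAL would be passed to inspect_identity_blob in place of the constructed ones.

```python
import base64
import json
from typing import Any

# Size limit reported by the Power BI GenerateToken endpoint for identityBlob.value
IDENTITY_BLOB_LIMIT_BYTES = 10240
# Resource identifier for Azure SQL access tokens, as quoted in the thread
SQL_RESOURCE = "https://database.windows.net"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict[str, Any]) -> str:
    """Constructed, UNSIGNED JWT-shaped string for offline demonstration only.

    Real Azure SQL tokens are signed by Microsoft Entra ID; this helper only
    reproduces the compact serialisation so claim sizes can be measured.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict[str, Any]:
    """Return the payload claims WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def inspect_identity_blob(token: str) -> dict[str, Any]:
    """Pre-flight check for a token destined for identityBlob.value.

    Reports the serialised size against the 10,240-byte limit, the form the
    group information takes, and whether the audience is the Azure SQL resource.
    """
    claims = decode_claims(token)
    size = len(token.encode("utf-8"))
    if isinstance(claims.get("groups"), list):
        group_mode, group_count = "groups", len(claims["groups"])
    elif "hasgroups" in claims:
        group_mode, group_count = "hasgroups", None
    elif "_claim_sources" in claims:
        # Group overage: Entra ID replaces the list with a Graph endpoint reference
        group_mode, group_count = "overage", None
    else:
        group_mode, group_count = "none", 0
    aud = str(claims.get("aud", ""))
    return {
        "size_bytes": size,
        "fits_limit": size <= IDENTITY_BLOB_LIMIT_BYTES,
        "over_by": max(0, size - IDENTITY_BLOB_LIMIT_BYTES),
        "group_mode": group_mode,
        "group_count": group_count,
        "sql_audience": aud.rstrip("/") == SQL_RESOURCE,
    }


def _base_claims() -> dict[str, Any]:
    # Constructed placeholder values; not real tenant, user or token data
    return {
        "aud": SQL_RESOURCE + "/",
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
        "oid": "11111111-1111-1111-1111-111111111111",
        "upn": "user@example.com",
        "scp": "user_impersonation",
    }


def token_with_groups(n: int) -> str:
    """Full 'groups' claim with n constructed GUIDs (the OBO / auth-code case)."""
    claims = _base_claims()
    claims["groups"] = [f"00000000-0000-4000-8000-{i:012d}" for i in range(n)]
    return make_sample_token(claims)


def token_with_hasgroups() -> str:
    """The shape the post reports from the implicit flow: no list, only 'hasgroups'."""
    claims = _base_claims()
    claims["hasgroups"] = "true"
    return make_sample_token(claims)


def token_with_overage() -> str:
    """The >200-group shape: the list is replaced by a Graph endpoint reference (constructed)."""
    claims = _base_claims()
    claims["_claim_names"] = {"groups": "src1"}
    claims["_claim_sources"] = {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/<oid>/getMemberObjects"}}
    return make_sample_token(claims)


if __name__ == "__main__":
    samples = [("250 groups", token_with_groups(250)),
               ("hasgroups", token_with_hasgroups()),
               ("overage", token_with_overage())]
    for label, tok in samples:
        print(label, inspect_identity_blob(tok))
```

The constructed 250-group token comes out well over the limit while the "hasgroups" and overage shapes fit comfortably, which mirrors the observation that only users with few group memberships (or, per the accepted solution, more than 200) get a usable blob. The checker never verifies a signature or the claims' authenticity, so it is a size and shape pre-flight only; the database remains the party that validates the token.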

Hi @kristofferrye,
Thanks for reaching out to the Microsoft Fabric community forum.

Glad that you were able to pinpoint where the issue specifically occurs.
To try to solve the issue related to the full groups claim, please refer to this reference document:
Configure group claims and app roles in tokens | Microsoft Learn

Also, as per this document
Microsoft identity platform and OAuth 2.0 implicit grant flow - Microsoft identity platform | Micros...

Implicit grant flow should be avoided.
I hope these documents help guide you in the right direction toward resolving the issue.

If you find this post helpful, please mark it as an "Accept as Solution" and consider giving a KUDOS.
Thanks and Regards


Hi @kristofferrye,

We really appreciate your efforts and for letting us know the update on the issue.
Happy to know that you got the confirmation on how to work around your error. Please consider accepting your reply as the solution so that it will be helpful to other community members who may face a similar issue in the future and come across this post.

Please continue using the Fabric community forum for your further assistance.
Thanks and Regards
