Microsoft Fabric Community Conference 2025, March 31 - April 2, Las Vegas, Nevada. Use code MSCUST for a $150 discount.
Register nowThe Power BI DataViz World Championships are on! With four chances to enter, you could win a spot in the LIVE Grand Finale in Las Vegas. Show off your skills.
Hi all,
Hope you are doing good!
I have a scenario which is a head scratcher for me. need your inputs 🙂
I am refreshing a Power BI dataset via a flow. UI is Power Apps platform which takes dates as an inputs and through flow it refreshes the Power BI dataset.
I am managing access to power bi app workspace via Security groups.
Now, If I am user in a particualr Security Group and that SG has 'Viewer' access to my app workspace, flow fails saying user doesn't have sufficient permissions (since it is not able to find dataset).
If I change the access level to one higher i.e. 'Contributor' access to that Security group then the cons is - I am providing users of that SG powers to delete content and acces more information than needed because they should only have read access.
What should be the ideal implementation scenrio for me ?
This is the dilemma! would love your inputs. Hope I made it clear to understand, if not just throw your doubts please.
Thanks in advance!
Solved! Go to Solution.
You should be able to solve this conundrum by using a service principal:
https://benediktbergmann.eu/2022/01/04/setup-a-service-principal-in-power-automate/
Hi. Like otravers says you might want to use a service account (like service pricipal). The main thing here is that the user or account used to refresh needs more permissions, so it can't be inside of a security group that can only "View" inside the workspace. The service principal is usually the best option because it doesn't depends on a user, it's an app registered for the organization.
I hope that make sense
Happy to help!
Thanks for your relpies @otravers @ibarrau
Well this is the ideal solution which should be implemented from the start. Thanks for letting me know.
Also, the other solution which worked in my specific case is just run the flow with the account which has higher level of permissions (like @ibarrau mentioned in his answer). The new task (PowerApps V2) inside flow allows to do this.
This way we can restrict user from Power BI workspace perspective but at the same time can allow them to just refresh the dataset.
Thanks for your help guys!!
Thanks for your relpies @otravers @ibarrau
Well this is the ideal solution which should be implemented from the start. Thanks for letting me know.
Also, the other solution which worked in my specific case is just run the flow with the account which has higher level of permissions (like @ibarrau mentioned in his answer). The new task (PowerApps V2) inside flow allows to do this.
This way we can restrict user from Power BI workspace perspective but at the same time can allow them to just refresh the dataset.
Thanks for your help guys!!
How can you use PowerApps V2 trigger to run the flow with a different account?
Hi. Like otravers says you might want to use a service account (like service pricipal). The main thing here is that the user or account used to refresh needs more permissions, so it can't be inside of a security group that can only "View" inside the workspace. The service principal is usually the best option because it doesn't depends on a user, it's an app registered for the organization.
I hope that make sense
Happy to help!
You should be able to solve this conundrum by using a service principal:
https://benediktbergmann.eu/2022/01/04/setup-a-service-principal-in-power-automate/
User | Count |
---|---|
45 | |
26 | |
21 | |
18 | |
18 |
User | Count |
---|---|
52 | |
45 | |
24 | |
24 | |
21 |