Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Score big with last-minute savings on the final tickets to FabCon Vienna. Secure your discount

Reply
djskro
Frequent Visitor

SSO Not Working for Dataverse Datasource

‎08-21-2024 06:14 AM

Hello, I have a sample-report that has two datasources:

  1. Dataverse (new CDS connector, DirectQuery)
  2. SQL Server (via a gateway, DirectQuery)

I have enabled the SSO setting in the Dataverse credential:

djskro_0-1724245904352.png

 

 

However, when users access the report, they are able to see Dataverse data for which they've had their permissions revoked--implying that the SSO isn't working and that my Dataverse credential is being used.

 

Any suggestions? Thanks.

 

Labels:
Message 1 of 8
811 Views
0
1 ACCEPTED SOLUTION
mscottsewell
Microsoft Employee
Microsoft Employee
In response to djskro

‎08-23-2024 01:55 PM

@djskro Adding/removing from the Power Apps interface doesn't have an impact on the security of the table at the dataverse layer. - Dataverse Security Roles (and in some cases, shares or inheritance) are the determining factor as to whether a user can view a row of data in a table.

Look at the security role(s) that the user has been granted - and within those roles, ensure the user has no 'read' permissions for the table. - (The dataverse security roles are additive, so if they have 20 roles and only one gives them organizational 'read' permissions - then they'll have read permission for the data in the table, it doesn't matter what the other roles have.)

Also, be sure to check to see if the user is a member of a team where a security role has granted them permission to read the table.

A really helpful tool for troubleshooting/understanding the security of a specific user on a specific record in Dataverse is the XrmToolBox "Access Checker" -  Also, the "Privileges Discovery" tool in XrmToolBox will be useful.

(I don't think the lack of 'read' pemission on a table will block them from seeing that a table  exists, but it should block the table from returning any data. )

View solution in original post

Message 7 of 8
698 Views
0
7 REPLIES 7
mscottsewell
Microsoft Employee
Microsoft Employee

‎08-23-2024 12:06 PM

For troubleshooting - open a VSCode or SSMS query window while logged in as that user - then query the table. - if the results are filtered as expected, you can move on to the next steps in troubleshooting. - 
The settings in your original screenshot look correct. - be sure each table in the model that you want to filter is set to Direct Query (and not import or dual.)
You can also try using the SQL connector in power query and write your query as a native SQL statement Power Query Dataverse connector - Power Query | Microsoft Learn (The Dataverse connector is effectively a wrapper around the SQL connector - so I wouldn't assume it works any differently.)

Here's an example native query -
[Replaced - see follow up post]

 

 

Message 4 of 8
733 Views
0
mscottsewell
Microsoft Employee
Microsoft Employee
In response to mscottsewell

‎08-23-2024 12:32 PM

@djskro I realized the script I posted above is not my 'default' pattern -
This is what I use as the basis of every query:

 

let
    Dataverse = CommonDataService.Database(TDSEndPoint,[CreateNavigationProperties=false]),
    Source = Value.NativeQuery(Dataverse,"
	
	SELECT [Base].accountid,
		[Base].name [Customer Name]
	FROM [dbo].[account] AS Base

	" ,null ,[EnableFolding=true])
in
    Source

 

 

(BTW, I have a parameter named "TDSEndPoint" with a value of "myEnvironment.crm.dynamics.com" in the report and I reference it for all queries - it just makes it easier to move from one destination to another.)

Message 5 of 8
726 Views
djskro
Frequent Visitor
In response to mscottsewell

‎08-23-2024 01:05 PM

Thank you for this, Scott.

 

Going through these, what should we do if, in SSMS, logged in as a new test-account, we can, indeed, see and query the tables we do not want the test-account to be able to access (perhaps explaining our results in the Power BI report)?

 

How do we reconcile the screenshots below of the Power Apps interface with what is clearly visible to the user in SSMS?

Message 6 of 8
713 Views
0
mscottsewell
Microsoft Employee
Microsoft Employee
In response to djskro

‎08-23-2024 01:55 PM

@djskro Adding/removing from the Power Apps interface doesn't have an impact on the security of the table at the dataverse layer. - Dataverse Security Roles (and in some cases, shares or inheritance) are the determining factor as to whether a user can view a row of data in a table.

Look at the security role(s) that the user has been granted - and within those roles, ensure the user has no 'read' permissions for the table. - (The dataverse security roles are additive, so if they have 20 roles and only one gives them organizational 'read' permissions - then they'll have read permission for the data in the table, it doesn't matter what the other roles have.)

Also, be sure to check to see if the user is a member of a team where a security role has granted them permission to read the table.

A really helpful tool for troubleshooting/understanding the security of a specific user on a specific record in Dataverse is the XrmToolBox "Access Checker" -  Also, the "Privileges Discovery" tool in XrmToolBox will be useful.

(I don't think the lack of 'read' pemission on a table will block them from seeing that a table  exists, but it should block the table from returning any data. )

Message 7 of 8
699 Views
0
djskro
Frequent Visitor
In response to mscottsewell

‎08-23-2024 04:15 PM

Thank you, Scott. This is helpful info.

Message 8 of 8
676 Views
0
Anonymous
Not applicable

‎08-22-2024 02:05 AM

Hi,@djskro I am glad to help you.

Unfortunately due to circumstances I am unable to test SSO and try to reproduce your issue.
Based on your description, you could try clearing your browser's cache and then reconfigure and test the SSO functionality to ensure that the relevant buttons are set correctly and that the user's permissions are set correctly in the Dataverse to ensure that they can only access the data that they are authorized to access.
This is because browser caching can potentially cause SSO (Single Sign-On) issues. The cache may store old authentication information or session data which can affect the proper functioning of SSO, you can try clearing the browser cache or using privacy mode to access power bi reports.

Here is some documentation to help you out.
URL:
Test single sign-on (SSO) configuration - Power BI | Microsoft Learn
Use OAuth authentication with Microsoft Dataverse (Dataverse) - Power Apps | Microsoft Learn

I hope my suggestions give you good ideas, if you have any more questions, please clarify in a follow-up reply.
Best Regards,
Carson Jian,
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 2 of 8
773 Views
0
djskro
Frequent Visitor
In response to Anonymous

‎08-23-2024 11:13 AM

Hello, thank you for your reply. Unfortunately, this is not helpful.

 

We have tested this with a completely new account and are experiencing the same result. Users (test-accounts) with no permissions at all to the Dataverse data are able to see the visuals load fully in DirectQuery mode. This suggests, again, that it is my own (the model owner's) credential that's being used, not the credential of the end-user--i.e., SSO is not working.

 

I think that the ability to test SSO yourself is crucial here. The documentation did not help in this case, unfortunately. I'm concerned about the functionality of this parameter in the connection, as this has obvious data-security ramifications.

 

Here is what our test-users see when trying to view the tables in Power Apps, yet the DirectQuery (SSO switch enabled) report to these tables in Power BI returns data:

djskro_0-1724436440616.png

 

djskro_1-1724436458823.png

 

 

We have further tested this by disabling and then reenabling the SSO switch in the personal connection. I've also tried creating a sharable cloud connection and doing it that way. I get the same incorrect result.

 

Is there some kind of special setting to disable all access to Dataverse tables (for specified users) via the various endpoints, not just the front-end?

 

Is there a way we can verify that this SSO functionality between Dataverse and Power BI (DirectQuery), using the modern Dataverse connector, is operating properly (paging @mscottsewell).

 

 

Thank you.

Message 3 of 8
742 Views
0

Helpful resources

Announcements
August Power BI Update Carousel

Power BI Monthly Update - August 2025

Check out the August 2025 Power BI update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All
Top Kudoed Authors
View All