BalfourBen
Regular Visitor

Setting of Membership in Semantic Models using notebook

Hi All,

 

I am trying to script using a notebook to add memberships to roles in a semantic model; however, when I use the objectID of the cloud security group from Entra it throws the error below. If I use a named user's email address, all works fine.

 

OperationException: Failed to save modifications to the server. Error returned: 'There are invalid rolememberships in roles, please remove invalid rolememberships from roles and try again.

 

From what I have read, Cloud Security groups should work fine, so I am not sure if I am missing something.

 

%pip install semantic-link-labs
from sempy_labs.tom import connect_semantic_model

dataset = 'Model-Name' # Enter the name or ID of your semantic model
workspace = 'Workspace-Name' # Enter the name or ID of the workspace in which the semantic model resides
role_name = 'Testing' # Enter the name of the role to add to the model
security_group = 'ObjectID'

with connect_semantic_model(dataset=dataset, workspace=workspace, readonly=False) as tom:

    # Add the role
    tom.add_role(role_name=role_name, model_permission='Read')

    # Add members to the role
    tom.add_role_member(role_name=role_name, member=security_group)

    # Add row level security to the role
    tom.set_rls(role_name=role_name, table_name='Table_Name', filter_expression="")

 

**Update**

 

After some searching I have found that they are adding the ability to add security groups and define the principal type in the next release.

 

1 ACCEPTED SOLUTION

@BalfourBen 

To pass an Azure AD security group correctly as a role member in your semantic model, you typically need to provide more structured information than just the group’s ObjectID. Many SDKs, including the one you're using (sem-py-labs), are designed to accept simple string inputs like user email addresses, which work fine for individual users but fail for security groups because the system cannot determine the principal type. To add a group, the expected format is often a structured object that explicitly defines both the member’s identity and type. For example, some APIs and tools require the group to be identified using a prefix like aad://<group-object-id> and specify the memberType as "Group". This helps the service recognize that the ObjectID belongs to a group and not a user. However, if your current SDK doesn’t support structured inputs, you may need to switch to a tool that supports the Tabular Object Model (TOM) or XMLA scripting, such as Tabular Editor, PowerShell, or direct XMLA requests. These methods allow more control and let you add role members with detailed metadata, ensuring that Azure AD groups are properly recognized and accepted.

 

Did I answer your question? Mark my post as a solution, this will help others!
If my response(s) assisted you in any way, don't forget to drop me a "Kudos"

Kind Regards,
Poojara - Proud to be a Super User
Data Analyst | MSBI Developer | Power BI Consultant
Consider Subscribing my YouTube for Beginners/Advance Concepts: https://youtube.com/@biconcepts?si=04iw9SYI2HN80HKS
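
A pre-flight check for the failure discussed in this thread, as an added example that is not code from the thread or from semantic-link-labs: every member carries a declared principal type, and an object ID declared as a user is rejected before anything is saved to the model. The output keys follow the TMSL role-member properties (memberName, identityProvider, memberType); the helper names and sample identifiers are constructed, and whether the service accepts a bare object ID in memberName is an assumption the thread does not settle.

```python
import re
import uuid

# Constructed sample values; not real tenant objects.
SAMPLE_GROUP_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_USER = "analyst@example.com"

UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ALLOWED_TYPES = ("User", "Group")


def is_object_id(value):
    """True only for a canonical hyphenated GUID such as an Entra object ID."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def role_member(identifier, member_type):
    """Build one role member with an explicit principal type, or raise."""
    identifier = identifier.strip()
    if member_type not in ALLOWED_TYPES:
        raise ValueError(f"unknown member type: {member_type!r}")
    if member_type == "User" and not UPN_RE.match(identifier):
        # The failure on this page: a group object ID sent down the user path.
        raise ValueError(f"{identifier!r} is not a UPN; declare it as a Group?")
    if member_type == "Group" and not is_object_id(identifier):
        raise ValueError(f"{identifier!r} is not an object ID")
    return {
        "memberName": identifier,
        "identityProvider": "AzureAD",
        "memberType": member_type.lower(),
    }


def role_definition(role_name, members):
    """members: iterable of (identifier, member_type); duplicates are dropped."""
    seen, built = set(), []
    for identifier, member_type in members:
        entry = role_member(identifier, member_type)
        key = (entry["memberName"].lower(), entry["memberType"])
        if key not in seen:
            seen.add(key)
            built.append(entry)
    return {"name": role_name, "modelPermission": "read", "members": built}
```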


6 REPLIES
Poojara_D12
Super User

Hi @BalfourBen 

The error you’re encountering when trying to add an Azure AD security group by its ObjectID to a role in your semantic model typically happens because the API or library you’re using doesn’t recognize the group identifier in the way it expects. While adding individual users using their email or user principal name works smoothly, security groups often require a more specific format or additional metadata—such as specifying the principal type as “Group”—to be correctly processed. The tool or SDK you’re using might be interpreting the ObjectID as an invalid user identifier, resulting in the failure. Additionally, only certain types of groups, like Azure AD security groups (not Microsoft 365 groups or distribution lists), can be added as role members. To fix this, you usually need to pass the group information as a structured object that clearly indicates it is a group, or use the Power BI REST API, which supports specifying groups explicitly when assigning roles. Without this, the server rejects the membership as invalid, causing the error you see.

 


@Poojara_D12  thank you for your reply.

 

Please could you be a little more specific on how I pass the group information as a structured object as currently not seeing anything in the documentation to demonstrate this.


@Poojara_D12  Thanks for that.

 

After some searching I have found that they are adding the ability to add security groups and define the principal type in the next release.

 

Thank you for your help!

v-kpoloju-msft
Community Support

Hi @BalfourBen,
Thank you for reaching out to the Microsoft Fabric Community Forum.

While adding named users (email addresses) works, attempting to add a security group (via Object ID) throws the following error:

OperationException: 'There are invalid rolememberships in roles, please remove invalid rolememberships from roles and try again.'

This means the script is not recognizing the Object ID as a valid role member.

The error occurs because you are passing the Object ID of the Entra security group, but the semantic model requires either a user email or the display name of the group, not the Object ID. Kindly replace the Object ID with the group's actual display name (e.g., 'Finance Team'). You can locate this in Entra (Azure AD) under the "Groups" section. Once replaced, your script should function correctly.

Power BI Semantic Models only accept Entra group names or user email addresses (UPNs) as valid role members. Object IDs are not accepted directly. Although Object IDs represent users or groups in Entra, the Analysis Services engine (used by the semantic model) requires a resolvable user principal name or security group name, not its GUID (Object ID).

Supported: Distribution Groups, Microsoft 365 Groups, Security Groups as long as they are resolvable by name. Not Supported: Object IDs or Service Principals directly. Please ensure the group is mail-enabled or otherwise resolvable in Entra; otherwise, Power BI will fail to validate it.

If this post helps, then please give us ‘Kudos’ and consider accepting it as a solution to help other members find it more quickly.

Thank you for using Microsoft Community Forum.

Hi @v-kpoloju-msft ,

 

Thank you for your reply. I have tried replacing the ObjectID with the group name and receive the same error.
