Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

skowronp123

Issue with REST API and impersonating an user by service principal

Submitted by on ‎08-23-2023 02:56 PM

Hi, 

 

I noted a potential bug with API rest call Datasets - Execute Queries In Group - REST API (Power BI Power BI REST APIs) | Microsoft Learn

 
When using service principal (authorised to use Rest API by tenant admin) to execute query against dataset with RLS by impersonating user beeing added to one of the RLS roles (that do not have access to Rest API) I get 401 - unathorised request. 
 
Same service principal in the same workspace can query successfully any other dataset withouth RLS. 
thx, 
Status: Investigating

Hi  @skowronp123 

Is the error occurring because of the following restriction?

vyetao1msft_0-1692956304850.png

 

Best Regards,
Community Support Team _ Ailsa Tao

 

See more ideas labeled with:
6 Comments (6 New)
Comments
v-yetao1-msft
Community Support
Community Support
‎08-25-2023 02:39 AM
Status changed to: Investigating

Hi  @skowronp123 

Is the error occurring because of the following restriction?

vyetao1msft_0-1692956304850.png

 

Best Regards,
Community Support Team _ Ailsa Tao

 

skowronp123
Frequent Visitor
‎08-25-2023 03:01 AM

Hi my understanding is that this api should work with SP since there is impersonation option I body of the request. 
my understanding is that SP should authenticate to workspace and then based on the impersonated user run query on any dataset with RLS. 

CharlesSaulnier
Regular Visitor
‎02-20-2024 05:45 AM

I may add: since the "impersonation" part of the request body does not work, why then have it as a key we can use? This is a serious limitation to any semantic model that has RLS enabled, which is a relatively common scenario in our organisation, especially with production-use models.

 

If impersonation is not possible, then is there any non-interactive way to authenticate as a selected user to run the API call? the Connect-PowerBIServiceAccount PowerShell cmdlet no longer supports user / password credentials, so we are stuck in a loop with the Service principal limitations on the Execute Query API.

samsonfrb
Frequent Visitor
‎03-20-2024 10:53 AM

I have the same issue & similar requirements.
We want to automate queries that use INFO.XXX DAX functions (ex. list of tables, columns) so the RLS roles are of no consequence. We would like to use something like "invalid.user@myorg.com" in impersonatedUserName while executing executeQueries REST API with a Service Principal. That user would not be part of any RLS role but we are not trying to access any data (only metadata on the model).

Frederick

Parrunis
Regular Visitor
‎04-22-2024 01:03 AM

Hi @samsonfrb@skowronp123  

I am facing the same issue.

I would like to execute INFO.XXX DAX queries to my datasets via executeQueries REST API with a Service Principal, but the ones with RLS are impossible to access.

The ImpersonatedUserName is useless since the Service Principal cannot authenticate to a dataset with RLS.

According to the documentation:

Parrunis_0-1713772959409.png

 

Any solutions? 

samsonfrb
Frequent Visitor
‎04-22-2024 04:46 AM

Unfortunately, for now, I exclude them from my scan.

Frederick

Idea Statuses