Lauger
Regular Visitor

Custom USERPRINCIPALNAME() when consuming API through Service Principal

Hi,

 

I have to embed some Power BI reports in several applications. I use an Azure Service Principal (client id, client secret) to generate an access token and call the Power BI API. All is working fine.

 

However, some reports implement custom rights management through RLS using the user's email (provided by the USERPRINCIPALNAME() DAX function) and Datamart tables (which do the relations between the email and the data the user can access).

As I'm authenticating to the PowerBI API with an Azure app, the DAX function will not return the email of the user that browses the report.

 

To give more context:

- our applications are running on an IIS server; all of them require Windows authentication; the user is authenticated in SSO mode when accessing the web app.

- I get the access token and the report's embed token in JavaScript (front-end approach).

 

I would like to know what is the best solution to face this issue? How can I pass the service principal off as the real authenticated user?

 

Thanks a lot for your help.

Regards,

1 ACCEPTED SOLUTION
Lauger
Regular Visitor

It took me a long time before being able to figure out the best solution.

Using a service principal was not the best approach in order to take the user's rights into account.

So I had to focus on the other way (more complicated for a novice like me) to embed reports, based on the user's scope delegation located in the Azure application.

7 REPLIES
AndrzejRusin
Regular Visitor

Hi @Lauger 

If you are embedding reports that contain RLS in the dataset then you need to generate the embedToken along with EffectiveIdentity element in the request. There you specify the username and roles to be passed for a dataset containing RLS, which in turn can be retrieved in Power BI report either by USERNAME() or USERPRINCIPALNAME() functions. These can be used in the roles setup to construct the proper filtering condition in DAX.

Please refer to the below Power BI REST API documentation to get the details on how to construct the body of token request:

https://learn.microsoft.com/en-us/rest/api/power-bi/embed-token/generate-token

and specifically this part related to EffectiveIdentity should be what you need:

https://learn.microsoft.com/en-us/rest/api/power-bi/embed-token/generate-token#effectiveidentity

 

Hope that helps!

Best regards,

Andrzej
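
The request described in the reply above, as an added example that is not part of the original thread. It builds the body for the linked `GenerateToken` endpoint on the server, so that the service principal's secret stays out of the browser and the `username` in the effective identity comes from the server's own authentication result rather than from anything the client sends. The function names, IDs and role name are assumptions made for this illustration.

```javascript
// Added example: server-side construction of a GenerateToken request with an
// effective identity. All IDs and the role name passed in are placeholders.
const GENERATE_TOKEN_URL = "https://api.powerbi.com/v1.0/myorg/GenerateToken";

// Accept only a UPN-shaped value taken from the server's authentication result
// (for example the Windows-authenticated user), never from the request body.
function effectiveUsername(authenticatedUser) {
  if (typeof authenticatedUser !== "string") {
    throw new Error("no authenticated user");
  }
  const upn = authenticatedUser.trim();
  if (!/^[^\s@\\]+@[^\s@\\]+\.[^\s@\\]+$/.test(upn)) {
    throw new Error("authenticated user is not a UPN: " + authenticatedUser);
  }
  return upn;
}

function buildGenerateTokenRequest({ reportId, datasetId, roles, authenticatedUser, accessToken }) {
  // This example insists on a role, since the reply says to pass username and roles.
  if (!Array.isArray(roles) || roles.length === 0) {
    throw new Error("at least one RLS role is required");
  }
  const body = {
    datasets: [{ id: datasetId }],
    reports: [{ id: reportId }],
    identities: [{
      username: effectiveUsername(authenticatedUser), // seen by USERPRINCIPALNAME()
      roles,
      datasets: [datasetId],
    }],
  };
  return {
    url: GENERATE_TOKEN_URL,
    method: "POST",
    headers: { Authorization: "Bearer " + accessToken, "Content-Type": "application/json" },
    body: JSON.stringify(body),
  };
}

// Sends the request; only the returned embed token is handed to the browser.
async function generateEmbedToken(params) {
  const { url, ...init } = buildGenerateTokenRequest(params);
  const res = await fetch(url, init);
  if (!res.ok) throw new Error("GenerateToken failed: HTTP " + res.status);
  return (await res.json()).token;
}
```

The embed token carries the identity it was generated with, so a user who can choose the `username` can read another user's rows; that is why the value is validated and sourced on the server.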

Gengar
Resolver I

Hi @Lauger ,


This is how it is described in the official documentation.

https://learn.microsoft.com/en-us/dax/username-function-dax 

I'm not particularly sure about how it works exactly.

I sincerely hope these can help you!

 

Gengar

Gengar
Resolver I

Hi @Lauger ,

 

Maybe you can use username() or userobject() instead of userprincipalname().

 

Username() returns the domain name and username from the credentials given to the system at connection time.

Userobject() returns the current user's Object ID or SID.

 

Refer to:

https://learn.microsoft.com/en-us/dax/information-functions-dax 

 

Kind Regards 

Gengar 

Hi @Gengar,

Thanks for your reply.

 

To make sure I understand well, the USERNAME() DAX function will return the name of the authenticated user. However, as I generate an access token using the Azure App client ID and secret, will it not simply return the username of the Azure app? The report's embed token is generated using the access token generated for the Azure app.

 

How can Power BI retrieve the currently authenticated user's information if I never send his own credentials anywhere? And what will the USERNAME() function return if I embed a report into an application which uses Anonymous authentication mode?

 

Thanks a lot.

Regards,

Hi @Lauger ,

 

I mean, normally you use username to return the domain name and username in the credentials, and you could probably use it or some other function, like userobject, instead of userprincipalname, which returns the email.

 

Best Regards

Gengar

 

Hi @Gengar,

Thanks for your reply.

 

I will check what the DAX function USERNAME() does as soon as possible (I'm waiting for feedback from other teams in my company), thanks a lot.

If it works, I will mark your answer as the solution.

 

To understand well, how can Power BI retrieve the name of the user authenticated on the application? As I authenticate to the API using a Bearer token authentication mode referring to the Service Principal access token, I'm wondering how it's possible to retrieve the user's name?
