rbroida
Regular Visitor

PBE with Service Principal: Creating embed token for accessing dataset requires effective identity

We created a PBIX using a live connection to a SSAS database running in an Azure virtual machine. We published the PBIX to a workspace in Power BI Service, where the dataset connects to the SSAS database through an on-premise data gateway on the Azure VM. Reports from the PBIX display correctly in the Power BI Service portal, so we know the data gateway is working.

 

We now want to embed the reports in the "for customers" (app owns the data) sample in .NET Framework that we downloaded from Github. If we configure the web.config to supply MasterUser credentials, then the sample works. But if we use ServicePrincipal credentials, it fails.

 

We set up an AAD application and configured web.config following the instructions here: Embed Power BI content in an embedded analytics application with service principal and an applicatio... The web.config file contains the correct values for authenticationType, applicationId, workspaceId, reportId, applicationSecret, and tenant. But when we run the sample we get this error message:

 

Status: BadRequest (400)
Response: {"error":{"code":"InvalidRequest","message":"Creating embed token for accessing dataset xxx-xxx-xxx-xxx-xxx requires effective identity to be provided"}}
RequestId: xxx-xxx-xxx-xxx-xxx

 

Does Power BI Embedded even support this scenario? That is, when using a service principal, does Power BI embedded work with a dataset that has a live connection to a SSAS database via an on-premise data gateway? If so, why are we not providing an "effective identity"?

 

@Xiaoxin Sheng

1 ACCEPTED SOLUTION
V-lianl-msft
Community Support

Power BI and SSAS both leverage AD, so that means that any user you pass from Power BI to SSAS needs to be known in AD. You must grant the service principal ReadOverrideEffectiveIdentity permission. Otherwise, the service principal can’t delegate the user identity to the gateway.

Please refer to:

https://prologika.com/power-bi-embedded-service-principals-and-ssas/ 

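The two REST calls behind the accepted answer, as an added example that is not code from the thread or from the Microsoft sample: a gateway admin grants the service principal ReadOverrideEffectiveIdentity on the SSAS data source, then the service principal requests an embed token that carries an effective identity. It assumes the Power BI REST API's Add Datasource User and Generate Token (in group) endpoints; every ID, token and username is a constructed placeholder, and the requests are built but not sent.

```python
import json
import urllib.request

API = "https://api.powerbi.com/v1.0/myorg"

def _post(url, body, access_token):
    """Build (not send) an authenticated JSON POST to the Power BI REST API."""
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )

def grant_override_identity(gateway_id, datasource_id, sp_object_id, access_token):
    """Gateway admin call: allow the service principal to pass an effective identity."""
    body = {
        "identifier": sp_object_id,  # object ID of the service principal
        "principalType": "App",
        "datasourceAccessRight": "ReadOverrideEffectiveIdentity",
    }
    url = f"{API}/gateways/{gateway_id}/datasources/{datasource_id}/users"
    return _post(url, body, access_token)

def embed_token_request(workspace_id, report_id, dataset_id, username, access_token):
    """Service principal call: embed token request that includes the effective identity."""
    if not username:
        # Omitting the identity is what produces the 400 quoted in the question.
        raise ValueError("an effective identity (a user known to AD) is required")
    body = {
        "accessLevel": "View",
        "identities": [{"username": username, "datasets": [dataset_id]}],
    }
    url = f"{API}/groups/{workspace_id}/reports/{report_id}/GenerateToken"
    return _post(url, body, access_token)

if __name__ == "__main__":
    # Constructed placeholder values, not taken from the thread.
    req = embed_token_request("WORKSPACE-ID", "REPORT-ID", "DATASET-ID",
                              "viewer@example.com", "ACCESS-TOKEN")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # urllib.request.urlopen(req) would send it; omitted so the example runs offline.
```

With this right granted, the service principal can present any AD user to SSAS, so the username should come from the application's own authenticated session on the server, not from a value the browser supplies.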

3 REPLIES 3

Thank you V-liani. The blog post you linked explains what to do. Please put this information in the Microsoft documentation! We shouldn't need to chase down blogs to find this out.

rbroida
Regular Visitor

UPDATE: We were able to prove that our ServicePrincipal registration works with datasets that connect through the on-premise data gateway to a SQL Server database instead of to SSAS. 

 

So again our question for Microsoft is: does Power BI embedded support ServicePrincipal authentication for a report whose dataset uses a live connection to a SSAS database via an on-premise data gateway?

 

If so, what additional steps are needed to avoid the "effective identity" error?

 

If not, where is this limitation documented?
