Service Principal with Power BI using Data Gateway
Currently the Service principal account cannot leverage the On-Premises Data Gateway since it is not a mail-enabled account. This prevents a Power BI Embedded solution to leverage an on-premises SSAS tabular model using the service principal. Instead we need a full-blown power BI pro license for a service account. Is it on the roadmap to add this capability?
I did get a suggestion to try adding the Service Principal to an Azure AD group, make this group a gateway admin, and add user mapping in the gateway connection. Has anyone had success with this approach?
Was anyone ever able to solve this? I have the same issue. I was able to add the service principal to the data source on the on-premise gateway using the API; but it still doesn't seem to work even though the service principal now shows in the access list.
@Jayendran Thanks for the info! Let us know if you hear anything from the Power BI team on this issue.
Also, I read a Microsoft documents that states: Customers that configure row-level security (RLS) using an SQL Server Analysis Services (SSAS) on-premises live connection data source can enjoy the new service principal capability to manage users and their access to data in SSAS when integrating with Power BI Embedded. (https://docs.microsoft.com/en-us/power-bi/developer/embedded-row-level-security#on-premises-data-gat...). This articles implies, that even though you have to use the API to add it, it should work? Based on what your saying is this documentation wrong (or am I misunderstanding it?)
We still have not been able to get this work. We got the gateway to show the Service Principal using the API call; however we think the issue stems inside of SQL Server and/or SQL Server Analysis Services. When using Azure hosted SQL Analysis Servvices there is an option to add an appid (of the Service Principal); on-premise SQL Analysis Services does not give this option. We think this is why it is not working (and makes sense); as the Service Principal doesn't have access to SQL. We are looking at alternatives on how to translate the authentication from the gateway into SQL Analysis Services. The documenation implies this should work but doesn't give any details on how to make it work.