When we programtically run dax queries on datasets, where the executing user is not defined directly in the access area of the workspace and/or the dataset itself, the dax query will fail due to permissions eventhough a AD group was added with build permissions on the dataset and/or workspace (and the user is part of this AD group).
There are two workarounds:
* The user visits first the workspace on powerbi.com service. That somehow authenticates the user sucessfully and so after which the dax query will run. (Don't even have to visit the dataset, just going to the workspace seems to clear the issue).
* The user account gets added directly to the workspace. Then also the dax query will run without an issue.
To replicate: know that this only fails once. So any user who visits the workspace or who gets authenticated once correctly, it no longer occurs. Of course, in terms of scalability, this is a huge issue. You cannot ask to have all users visit the workspace first or to manually add all the user seperately.
For now, we will start executing the queries using a service principal, but hope someday this bug gets resolved so they can be ran as inidividual user queries as it should in our case.
"any user who visits the workspace or who gets authenticated once correctly," It seems by desgin.
If you would like to suggest feature improvements, you may vote the idea and comment here to improve this feature. It is a place for customers provide feedback about Microsoft Office products . What’s more, if a feedback is high voted there by other customers, it will be promising that Microsoft Product Team will take it into consideration when designing the next version in the future.