Power BI with Service Principal – Identity Requirements

Overview

When using our Power BI widget with Service Principal authentication, you may be asked to provide identity information depending on how your report or dataset is configured in Power BI.

This guide explains:

  • When identities are required
  • What information you need to provide
  • How to interpret the status messages shown in the widget
  • Where to find more information from Microsoft if needed

What Are Identities and Why Are They Needed?

Power BI supports Row-Level Security (RLS) and user impersonation to restrict or personalize data.
When using a service principal to access and display content, Power BI sometimes requires you to specify which “user” you’re acting on behalf of, especially when:

  • RLS is applied to a dataset
  • The report uses live data connections that impersonate users (e.g., DirectQuery, SSAS)
  • The application serves multiple end-users with different data access levels

This is done by passing what Power BI calls an EffectiveIdentity, which includes a username, roles (if any), and optionally dataset IDs.


Color Indicators in the Widget

After you provide a Power BI report or dashboard URL, the widget will display a status color:

Green – No Action Required

Your content is accessible with the service principal as-is.
You do not need to fill in any identity fields.

Yellow – Identity Required

The content is protected by security configurations that require user impersonation.
To display it correctly, you’ll need to fill in identity fields.

Red – Invalid or Inaccessible

The URL is incorrect or your service principal does not have access to the content.
Please verify that:

  • The URL points to a valid Power BI report or dashboard
  • The service principal has access to the workspace and dataset

When Are Identities Required?

| Scenario | Are identities required? | Required fields |
| --- | --- | --- |
| Dataset with Row-Level Security (RLS) | Yes | username, roles, datasets |
| Report using DirectQuery or Live Connection with impersonation | Yes | username, roles (if RLS), datasets |
| Report connected to SQL Server Analysis Services (SSAS) | Yes | username, roles (if RLS), datasets |
| Report for multi-tenant use (serving multiple users) | Yes | username, roles (if RLS), datasets |
| Dataset is import-only, with no RLS or impersonation | No | |
| Service principal has full access and no RLS is defined | No | |

What to Provide

When the system shows a yellow status, you’ll need to fill in the following fields:

  • Username
    The user you’re impersonating. This is typically an email address (UPN), e.g. user@example.com
  • Roles
    If your dataset uses RLS, provide the exact names of the roles defined in Power BI, e.g. ["Manager"]
  • Datasets
    Required only in certain configurations (e.g., when a dataset from another workspace is used). This is the dataset’s GUID and can often be found in the report URL.

Example

Let’s say your dataset has RLS and you want to show the report as user John Doe, who belongs to the “Manager” role.

You would fill in the form like this:

  • Username: john.doe@example.com
  • Roles: Manager
  • Datasets: 8874b05c-115c-44b4-8c08-bcc925f902a2

💡 If your dataset doesn’t use roles, you can leave the “Roles” field empty.
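
The sketch below is an added example, not the widget's own code. It shows how the three form fields above can be checked and assembled into an EffectiveIdentity-shaped object before submission, so that a mistyped dataset ID or a missing username is caught early. The helper names `build_effective_identity` and `_split` are hypothetical, and accepting roles either as a comma-separated string or as a JSON list is an assumption.

```python
import json
import uuid


def build_effective_identity(username, roles="", datasets=""):
    """Turn the three form fields into an EffectiveIdentity-shaped dict.

    Hypothetical helper: the widget's real parsing is not shown in this guide.
    """
    username = username.strip()
    if not username:
        raise ValueError("username is required when the status is yellow")

    identity = {"username": username}

    role_list = _split(roles)
    if role_list:  # an empty Roles field is allowed when no roles are used
        identity["roles"] = role_list

    dataset_ids = []
    for raw in _split(datasets):
        # uuid.UUID raises ValueError on anything that is not a GUID,
        # e.g. a dataset name or a whole report URL pasted by mistake.
        dataset_ids.append(str(uuid.UUID(raw)))
    if dataset_ids:
        identity["datasets"] = dataset_ids
    return identity


def _split(value):
    """Accept 'A, B' or a JSON list such as '["A", "B"]'."""
    value = value.strip()
    if value.startswith("["):
        items = json.loads(value)
        if not isinstance(items, list) or not all(isinstance(i, str) for i in items):
            raise ValueError("expected a JSON list of strings")
    else:
        items = value.split(",")
    return [i.strip() for i in items if i.strip()]


if __name__ == "__main__":
    # Constructed input, taken from the example in this guide.
    print(json.dumps(build_effective_identity(
        "john.doe@example.com", "Manager",
        "8874b05c-115c-44b4-8c08-bcc925f902a2"), indent=2))
```

Role names are passed through unchanged apart from trimming surrounding whitespace, so they must still match the names defined in Power BI exactly.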


How to Check If RLS Is Used

To verify whether a dataset in Power BI uses Row-Level Security:

  1. Go to the Power BI Service
  2. Locate the relevant dataset
  3. Click on Security
  4. If you see roles listed there → RLS is active

You can ask the report owner or your Power BI administrator if you’re unsure.


Common Signs You Need Identities

  • You’ve received a yellow warning in the widget
  • You know the report is using RLS or pulling live data
  • You expect the content to show different data for different users
  • You see access-related errors when previewing the widget

Further Reading (Microsoft Docs)

For more technical details and reference, you can review the following official Microsoft documentation: