Hello,
I am looking for some help getting RLS to work with embedded Power BI and AAS. Here is the scenario:
- Deploying as App-owns-data
- RLS setup with roles in AAS (RLS not configured in PBI)
- Power BI using a live connection to AAS
- Using Javascript to embed a Power BI report into a webpage
I verified that the roles are restricting data as expected by connecting to AAS using the Power BI client and Excel.
Able to successfully retrieve an access token from: https://login.microsoftonline.com/common/oauth2/token
Able to generate an embed token by hitting: https://api.powerbi.com/v1.0/myorg/groups/<groupId>/reports/<reportId>/GenerateToken
With the embed token I am able to successfully embed a report with no RLS applied.
However, when attempting to use identities to apply roles or customData to trigger RLS, the data doesn’t seem to pass through to AAS and the RLS is not applied.
I'm creating the embed token by hitting:
https://api.powerbi.com/v1.0/myorg/groups/<groupId>/reports/<reportId>/GenerateToken
With this data:
// userName, role, customData and datasetId are set elsewhere in the calling code
const formData = {
  "accessLevel": "View",
  "identities": [
    {
      "username": userName,       // effective identity the RLS should be evaluated for
      "roles": [ role ],          // AAS role name(s) to apply
      "customData": customData,   // value expected in CUSTOMDATA() on the model side
      "datasets": [ datasetId ]   // dataset the identity applies to
    }
  ]
};
Using the generated token doesn’t cause RLS to be applied when the report is embedded.
By adding the username and customData fields to a PBI report I can see that the username that AAS sees is the master account that is used for getting the access token, not the effective username passed in the identities payload. The customData value doesn’t show up in the report either.
I also tried the PowerBIEmbedded_AppOwnsData sample project from here: https://github.com/Microsoft/PowerBI-Developer-Samples/tree/master/App%20Owns%20Data/PowerBIEmbedded_AppOwnsData
This sample project successfully embeds the report, but when I select "View as a different user" and add a user and role I get the following error:
{"error":{"code":"InvalidRequest","message":"Creating embed token for accessing dataset <id> requries effective identity username to be identical to the caller's principal name"}}
For additional reference, the dataset has these properties set:
isRefreshable: false,
isEffectiveIdentityRequired: true,
isEffectiveIdentityRolesRequired: false,
isOnPremGatewayRequired: false
Any suggestions on what I am doing wrong? Thanks for any help!
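As an added example (not code from the original post or from the Microsoft sample project), the helper below builds the GenerateToken body from the dataset properties quoted above, leaves out optional fields instead of sending empty ones, and pulls the code/message out of an error response like the one quoted. It validates the request shape only; server-side rules such as the one in that error still apply. Function names and the sample values in the comments are assumptions.

```javascript
// Added example: assemble and send an app-owns-data GenerateToken request.
// Function names are assumed; endpoint and field names are the ones used in the post.

function generateTokenUrl(groupId, reportId) {
  return `https://api.powerbi.com/v1.0/myorg/groups/${encodeURIComponent(groupId)}` +
         `/reports/${encodeURIComponent(reportId)}/GenerateToken`;
}

function buildEmbedTokenRequest(dataset, identity) {
  // dataset:  { id, isEffectiveIdentityRequired, isEffectiveIdentityRolesRequired }
  // identity: { username, roles, customData } for the end user being impersonated
  const body = { accessLevel: "View" };
  if (!dataset.isEffectiveIdentityRequired) {
    return body; // this dataset does not take an effective identity
  }
  if (!identity || !identity.username) {
    throw new Error("dataset requires an effective identity with a username");
  }
  const roles = Array.isArray(identity.roles) ? identity.roles : [];
  if (dataset.isEffectiveIdentityRolesRequired && roles.length === 0) {
    throw new Error("dataset requires at least one role in the effective identity");
  }
  const id = { username: identity.username, datasets: [dataset.id] };
  if (roles.length > 0) id.roles = roles;                 // omit rather than send []
  if (identity.customData !== undefined) id.customData = String(identity.customData);
  body.identities = [id];
  return body;
}

function describeTokenError(responseText) {
  // Extract { code, message } from a body like {"error":{"code":...,"message":...}}
  try {
    const parsed = JSON.parse(responseText);
    if (parsed && parsed.error) {
      return { code: parsed.error.code || "Unknown", message: parsed.error.message || "" };
    }
  } catch (_) { /* not JSON; fall through */ }
  return { code: "Unknown", message: responseText };
}

async function requestEmbedToken(accessToken, groupId, reportId, body, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(generateTokenUrl(groupId, reportId), {
    method: "POST",
    headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json" },
    body: JSON.stringify(body),
  });
  if (!res.ok) {
    const err = describeTokenError(await res.text());
    throw new Error(`GenerateToken failed (${res.status} ${err.code}): ${err.message}`);
  }
  return res.json(); // embed token response: token, tokenId, expiration
}
```

Call `buildEmbedTokenRequest` with the dataset record returned by the REST API so the request shape follows the dataset's own flags instead of a hard-coded payload.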