You’re on the right track; your setup is correct. What you’re hitting is a current limitation with how Fabric handles identity in embedded scenarios.
When you use a Service Principal, the embed token includes an EffectiveIdentity, which works perfectly for report rendering and RLS. However, Fabric Data Agents do not use that embed token. They run using a Microsoft Entra ID identity, so they don’t see the EffectiveIdentity you passed.
Because of that, when RLS is enabled, the agent has no valid user context and returns a permission error.
What you can do
Create a separate dataset for the agent
Pre-filter the data (for example per tenant) so RLS is no longer needed
Use delegated user authentication (if possible)
This allows the real user identity to flow, but usually only works for internal users
Use alternative approaches
Such as Power BI alerts or Power Automate if you’re trying to trigger actions from data
Summary
This isn’t an issue with your implementation. It’s a platform limitation. Data Agents currently cannot use the identity provided through a Service Principal embed token, so RLS cannot be applied in this scenario.
✅ If one of the responses here solved your issue, please mark it as Accepted so others facing the same problem can benefit as well.
👍 If this or any other reply here helped you, feel free to give it a Like. It helps others and is always appreciated.
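The reply above says the EffectiveIdentity travels inside the embed token the Service Principal requests, and that a Data Agent never reads that token. The following is an added example, not part of the original answer or of any Fabric/Power BI code, showing what that token request actually contains: a GenerateToken body with an identities entry naming the user, the RLS roles, and the dataset the roles apply to, plus a pre-flight check for the mistakes that produce "permission" errors at render time. The endpoint, the Entra scope and the JSON field names are the public Power BI REST API ones; the report and dataset IDs, the username and the role names are constructed placeholders.

```python
"""Build and validate a Power BI GenerateToken request that carries an EffectiveIdentity.

Added example; not code from the original post. Placeholders (IDs, username,
role names) are constructed. Endpoint and field names are the public
Power BI REST API ones: POST https://api.powerbi.com/v1.0/myorg/GenerateToken
with a bearer token obtained for scope
https://analysis.windows.net/powerbi/api/.default (service principal flow).
"""
from __future__ import annotations

import json
import urllib.request
from typing import Callable, Optional

GENERATE_TOKEN_URL = "https://api.powerbi.com/v1.0/myorg/GenerateToken"
POWER_BI_SCOPE = "https://analysis.windows.net/powerbi/api/.default"


def build_embed_token_request(
    report_id: str,
    dataset_id: str,
    username: str,
    roles: list[str],
    lifetime_minutes: int = 60,
) -> dict:
    """Return the JSON body for GenerateToken with one EffectiveIdentity.

    A service principal is not a member of any RLS role, so without the
    `identities` entry an RLS-enabled dataset cannot be rendered at all.
    The entry pins the identity to `dataset_id` so the roles are evaluated
    against that dataset's RLS rules when the report renders.
    """
    if not username:
        raise ValueError("EffectiveIdentity requires a username")
    if not roles:
        raise ValueError("EffectiveIdentity for an RLS dataset needs at least one role")
    return {
        "datasets": [{"id": dataset_id}],
        "reports": [{"id": report_id}],
        "identities": [
            {"username": username, "roles": list(roles), "datasets": [dataset_id]}
        ],
        "lifetimeInMinutes": lifetime_minutes,
    }


def validate_identities(body: dict) -> list[str]:
    """Return the problems an operator would want caught before calling the API.

    Each identity must reference only datasets that are in the request, and
    must carry at least one role; an identity with no roles or a dangling
    dataset reference is the usual cause of an opaque render-time error.
    """
    problems: list[str] = []
    dataset_ids = {d["id"] for d in body.get("datasets", [])}
    for ident in body.get("identities", []):
        who = ident.get("username", "<missing username>")
        if not ident.get("username"):
            problems.append("identity without username")
        if not ident.get("roles"):
            problems.append(f"identity {who} has no roles")
        dangling = set(ident.get("datasets", [])) - dataset_ids
        if dangling:
            problems.append(f"identity {who} references datasets not in request: {sorted(dangling)}")
    return problems


def request_embed_token(
    body: dict,
    bearer_token: str,
    opener: Optional[Callable] = None,
) -> dict:
    """POST the body to GenerateToken and return the parsed JSON response.

    `bearer_token` is the service principal's Entra access token for
    POWER_BI_SCOPE. `opener` defaults to urllib.request.urlopen and is
    injectable so the call path can be exercised without network access.
    """
    problems = validate_identities(body)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        GENERATE_TOKEN_URL,
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Authorization": f"Bearer {bearer_token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    open_fn = opener or urllib.request.urlopen
    with open_fn(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed placeholders: a per-tenant RLS role for one embedded user.
    body = build_embed_token_request(
        report_id="00000000-0000-0000-0000-00000000000a",
        dataset_id="00000000-0000-0000-0000-00000000000b",
        username="tenant-a-user@example.com",
        roles=["TenantA"],
    )
    print(json.dumps(body, indent=2))
```

The identities entry is the piece the reply says a Data Agent never sees: it exists only inside this embed token, and the agent runs under its own Entra ID identity rather than under the token, which is why RLS has no user to evaluate for the agent even when the same body renders the report correctly.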