I have a Power BI report that pulls data from an Azure Analysis Services tabular cube. In a C# console app, I am trying to export this report to a PDF, while passing in an effective identity of the user requesting the export. Here is my code:

PowerBIReportExportConfiguration powerBIReportExportConfiguration = new PowerBIReportExportConfiguration
{
    Settings = new ExportReportSettings
    {
        Locale = "en-us",
        IncludeHiddenPages = false
    }
};

EffectiveIdentity effectiveIdentity = new EffectiveIdentity(
        username: myEmail,
        datasets: new List<string> { myDataSetID },
        roles: new List<string> { myRoleName }
        );
powerBIReportExportConfiguration.Identities = new List<EffectiveIdentity> { effectiveIdentity };

ExportReportRequest exportRequest = new ExportReportRequest
{
    Format = FileFormat.PDF,
    PowerBIReportConfiguration = powerBIReportExportConfiguration
};

var client = new PowerBIClient(new Uri(ApiUrl), tokenCredentials);

var export = await client.Reports.ExportToFileAsync(myGroupID, myReportID, exportRequest);

When I pass my email into the effective identity, my code fails on ExportToFileAsync() with error:

Operation returned an invalid status code 'Forbidden'

However, when I use my Power BI Admin account's email in the effective identity, it works successfully.

Both me and the Admin account are set as Admin's in the workspace of the report.

My workspace has a Fabric capacity license, which should support this:

All of my export settings are enabled (notably the PDF document one)

Both my account and the admin account have Power BI Pro licenses:

Here are my developer settings:

My Entra account can access the report and cube just fine, so it shouldn't be an issue with Azure permissions. Any ideas what else could be causing this error?

I have a Power BI report that pulls data from an Azure Analysis Services tabular cube. In a C# console app, I am trying to export this report to a PDF, while passing in an effective identity of the user requesting the export. Here is my code:

PowerBIReportExportConfiguration powerBIReportExportConfiguration = new PowerBIReportExportConfiguration
{
    Settings = new ExportReportSettings
    {
        Locale = "en-us",
        IncludeHiddenPages = false
    }
};

EffectiveIdentity effectiveIdentity = new EffectiveIdentity(
        username: myEmail,
        datasets: new List<string> { myDataSetID },
        roles: new List<string> { myRoleName }
        );
powerBIReportExportConfiguration.Identities = new List<EffectiveIdentity> { effectiveIdentity };

ExportReportRequest exportRequest = new ExportReportRequest
{
    Format = FileFormat.PDF,
    PowerBIReportConfiguration = powerBIReportExportConfiguration
};

var client = new PowerBIClient(new Uri(ApiUrl), tokenCredentials);

var export = await client.Reports.ExportToFileAsync(myGroupID, myReportID, exportRequest);

When I pass my email into the effective identity, my code fails on ExportToFileAsync() with error:

Operation returned an invalid status code 'Forbidden'

However, when I use my Power BI Admin account's email in the effective identity, it works successfully.

Both me and the Admin account are set as Admin's in the workspace of the report.

My workspace has a Fabric capacity license, which should support this:

All of my export settings are enabled (notably the PDF document one)

Both my account and the admin account have Power BI Pro licenses:

Here are my developer settings:

My Entra account can access the report and cube just fine, so it shouldn't be an issue with Azure permissions. Any ideas what else could be causing this error?

• c#
• azure
• powerbi
• azure-active-directory
• azure-analysis-services

• If you're saving locally, try an appropriate (C#) "Environment.SpecialFolder". – Gerry Schmitz Commented Mar 19 at 23:22

2 Answers 2

Please check the principal (user principal or service principal) have the following configured:

1. Can use Fabric API --- (app.powerbi -> admin portal -- tenant settings)
2. Be member of the workspace --- (app.powerbi -> managed access -> add people or groups)

I found the issue. When acquiring the authentication token, I was using a UserPasswordCredential with my admin account, and then passing a different account into the effective identity, which caused the API call to deny the request. I changed this to use the service principals credentials:

string tenantSpecificURL = AuthorityUrl.Replace("common", myPowerBITenantID);
AuthenticationContext authenticationContext = new AuthenticationContext(tenantSpecificURL);

ClientCredential credential = new ClientCredential(myPowerBIApplicationId, myPowerBIApplicationSecret);
authenticationResult = await authenticationContext.AcquireTokenAsync(myPowerBIResourceUrl, credential);

tokenCredentials = new TokenCredentials(authenticationResult.AccessToken, "Bearer");

And updated my effective identity to use the service principal, along with setting the "CustomData" property to my user principle to maintain row level security:

EffectiveIdentity effectiveIdentity = new EffectiveIdentity(
    username: myPowerBIServicePrincipalObjectID,
    datasets: new List<string> { myDataSetID },
    roles: new List<string> { myRoleName }
    );

effectiveIdentity.CustomData = myEmail;

powerBIReportExportConfiguration.Identities = new List<EffectiveIdentity> { effectiveIdentity };