Problem / our requirement:
- Enable a Copilot Studio bot to execute dynamic DAX queries against a Power BI dataset.
- The query must execute under the identity of the end-user interacting with the bot. This is essential to enforce permissions defined directly on the Dataset (Semantic Model), as users do not have access rights to the containing Workspace.
- The bot's authentication configuration is locked to the "Authenticate with Microsoft" (integrated SSO) mode and cannot be changed.
Options:
- Using the Power BI connector in Power Automate:
We cannot use this approach because the Power BI connector's action requires the flow author to specify a Workspace in its parameters. When the action attempts to execute as the end-user, the very first step the Power BI service performs is to verify that the user has permissions to access that specified Workspace. We can only give dataset-level permissions to the user; this won't work for us.
- Using the Power BI APIs: we can have only dataset-level permissions to execute a DAX query; this flow works fine outside Copilot Studio.
But our blocker is with Copilot Studio: since we must use only the "Authenticate with Microsoft" auth option in Copilot Studio, we cannot set up OBO auth and get the user's access token that can be used with the app registration in the Power BI API's HTTP request.
Can anyone suggest how we can set up OBO auth or something similar, so we can call the Power BI API inside a Power Automate flow using the "Authenticate with Microsoft" auth option in Copilot Studio?
Or suggest any other approach where we can execute a DAX query on Power BI datasets using the user's permissions in Copilot Studio?