Share via

Azure Analysis Services not allowing domain users to pass through Gateway connection

Kim Hughes 20 Reputation points
2026-02-18T14:45:34.2866667+00:00

We have several [REDACTED] models on our Azure Analysis Service. We create on-prem data gateway connection to the model using a service account that is an admin on the SSAS service.

We are running into a situation where users can't pass through the gateway to access the model. We have given them access to the on-prem data gateway.

I was under the impression if the gateway connection has permissions to access the model domain users should not be required to be added to a role on the Model itself.

Is that not true or am I missing something on the gateway connection?

Thanks

Kim Hughes

Azure Cloud Services
Azure Cloud Services

An Azure platform as a service offer that is used to deploy web and cloud applications.

0 comments
Answer accepted by question author
  1. Himanshu Shekhar 4,025 Reputation points Microsoft External Staff Moderator
    2026-02-18T17:28:45.5266667+00:00

    Hello @Kim Hughes

    This is expected behavior for Azure Analysis Services.

    Granting users access to the on‑premises data gateway only allows connectivity to on‑premises data sources it does not grant access to the Azure Analysis Services model itself. Authorization is always enforced at the model (database role) level in Azure Analysis Services.

    Even if the gateway connection is configured using a service account that is a Server Administrator on Azure Analysis Services, end users must still be explicitly added to a role (Read / Read & Process / Admin) on the SSAS model.

    When users connect (for example, via Excel or Power BI), their Microsoft Entra ID identity (EffectiveUserName) is evaluated against the model’s roles. If the user is not a member of a model role, access is denied.

    Recommended action is to add the required users (or Entra ID groups) to an appropriate database role on the Azure Analysis Services model using SSMS, TMSL, or PowerShell.

    Microsoft References :

    1. Manage database roles and users: https://learn.microsoft.com/en-us/analysis-services/azure-analysis-services/analysis-services-database-users?view=sql-analysis-services-2025
    2. Authentication and user permissions: https://learn.microsoft.com/en-us/analysis-services/azure-analysis-services/analysis-services-manage-users?view=sql-analysis-services-2025
    3. On‑premises data gateway behavior for Azure Analysis Services : https://learn.microsoft.com/en-us/analysis-services/azure-analysis-services/analysis-services-gateway?view=sql-analysis-services-2025

    Just checking if provided response was helpful! please let me know if you have any queries.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-02-18T14:45:44.03+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    In your scenario, it seems that users are having trouble accessing the Azure Analysis Services (SSAS) models through the on-premises data gateway, even though the service account used for the gateway connection has the necessary permissions. Here are a few points to consider:

    1. Effective User Name: When users connect through the gateway, the effective username that is passed to the SSAS model needs to be valid and have the necessary permissions on the model. If the effective username does not match a local user principal name (UPN) or lacks permissions, users may encounter access issues.
    2. Role Assignment: Even if the gateway connection has permissions, users still need to be assigned to a role within the SSAS model to access the data. The gateway does not automatically grant access to all users; they must be explicitly added to a role that has access to the model.
    3. Gateway Configuration: Ensure that the data source configuration in the gateway matches the SSAS model's server and database names. Any discrepancies can lead to access issues.
    4. Troubleshooting: You can check the effective username being passed to the SSAS server by reviewing the gateway logs. This can help you determine if the correct user is being authenticated and if they have the necessary permissions.
    5. User Permissions: Make sure that the users have been granted access to the on-premises data gateway and that they have the appropriate permissions on the SSAS model itself.

    If you verify these aspects and still face issues, it may be beneficial to consult with your Power BI admin or local Active Directory admin to ensure that all configurations and permissions are correctly set up.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.