Replies: 1 comment 1 reply
See #707 as it shows how to do this.
I'm attempting to use the TOMWrapper class in semPy to programmatically add Microsoft Entra ID cloud security groups as members to RLS roles in a semantic model. However, when the group is not mail-enabled, the operation fails consistently with the following error:
OperationException: Failed to save modifications to the server. Error returned:
'There are invalid rolememberships in roles, please remove invalid rolememberships from roles and try again.'
at Microsoft.AnalysisServices.Tabular.Model.SaveChangesImpl(SaveContext context)
🔍 What I've Found
The member parameter in add_role_member appears to only accept email addresses. I've tested using:
Both fail, even though I can successfully add the same group manually via the Power BI / Fabric service UI.
From the method's docstring:
member : str | List[str]
The email address(es) of the member(s) to add.
This implies:
The method expects email addresses that Azure AD can resolve.
Even for role_member_type='Group', the group must be mail-enabled, since only mail-enabled groups have resolvable email addresses.
The underlying ExternalModelRoleMember.MemberName field is likely validated against Azure AD identities using an email format. If the group isn’t mail-enabled, it lacks an email address, and TOM cannot resolve it — resulting in the SaveChanges() failure.
✅ Suggested Enhancement
Please consider extending add_role_member to support:
This would allow programmatic role assignment for non-mail-enabled security groups, aligning with what’s already possible in the Power BI service UI and enabling full automation of RLS role management.