SSRS Custom Authentication: “The permissions granted to user are insufficient” when using Azure AD token authorization

[satishrabari]

We are implementing custom authentication and authorization extensions in SQL Server Reporting Services (SSRS).
Authentication is handled using Azure AD tokens, which works successfully — users are able to log in with valid Microsoft Entra (Azure AD) credentials.

However, when users attempt to access reports (via SSRS Web Portal or REST API), we receive the following error:

Reporting Services Error
The permissions granted to user 'abc.xyz@domain.com' are insufficient for performing this operation. (rsAccessDenied)
SQL Server Reporting Services

Environment Details

SSRS Version: SQL Server Reporting Services 2019 (or specify your version)

Authentication Extension: Custom (IAuthenticationExtension2)

Authorization Extension: Custom (IAuthorizationExtension2)

Login Flow: Azure AD token validation (Microsoft.Identity.Client + JWT validation)

Database Mode: Native

OS: Windows Server 2019 (or specify)

Deployment Type: On-prem SSRS, not Power BI Report Server

What Works

✅ Azure AD authentication (token validation and login) works correctly.
✅ The custom authentication extension successfully identifies the user principal.
✅ The user record exists in ReportServer.dbo.Users.

What Fails

❌ Authorization check fails with rsAccessDenied.
❌ CheckAccess and GetPermissions methods in IAuthorizationExtension2 are not being triggered when using Azure AD token.
❌ Even after adding correct PolicyUserRole entries for the user and report, SSRS returns the same error.