topic set up RLS for a security group in Power BI in Developer

set up RLS for a security group in Power BI

NorahTran97 — Thu, 16 Oct 2025 01:02:54 GMT

Hi all,

I have the following setup in Power BI:

I created an RLS role called external_access.
Inside the role, I use a DAX filter to control access by email, for example:
- email1 → can only see data for Region1
- email2 → can only see data for Region2
I then created a security group called external_group and added both email1 and email2 to it.
In the Power BI Service, I assigned external_group to the external_access role.

My question:
Will RLS still work dynamically for each user (so email1 only sees Region1 and email2 only sees Region2), or does assigning a security group mean everyone in that group will have the same data access?

Thanks

Re: set up RLS for a security group in Power BI

v-tejrama — Thu, 16 Oct 2025 12:08:19 GMT

Hello @NorahTran97 ,

That’s a great question, and it’s one that often causes confusion when using security groups with Row-Level Security in Power BI. The short answer is yes RLS will still work dynamically for each individual user, even when the role is assigned to a security group, as long as your DAX filter uses a dynamic expression such as USERPRINCIPALNAME() or references a user-to-region mapping table. In that case, each person in the group is evaluated separately when they sign in, so email1 will only see Region1 and email2 will only see Region2, exactly as you’d expect.

However, if your RLS role uses a static filter that’s hardcoded to a specific email address, then assigning that role to a group will apply the same filter to everyone in that group. This usually means only one person matches the filter, and others will either see no data or the wrong results. To avoid that, make sure your model uses a dynamic filter, such as comparing the Email column in your user table to USERPRINCIPALNAME(), or using a lookup to match the current user’s region.

Once you publish your dataset, assign the Azure AD security group to that role in the Power BI Service. Power BI will still apply RLS individually based on the signed-in user, but you’ll be able to manage membership centrally through Azure AD instead of manually updating roles in Power BI.

If you’d like a bit more detail, Microsoft’s documentation explains this really well here:
Row-level security (RLS) with Power BI ,
Row-level security (RLS) with Power BI - Microsoft Fabric | Microsoft Learn and
the Dynamic RLS guidance article. walk through examples showing how USERPRINCIPALNAME() ensures per-user filtering even when roles are assigned to groups.

Thank you,

Tejaswi.

Re: set up RLS for a security group in Power BI

NorahTran97 — Fri, 17 Oct 2025 01:12:53 GMT

Thanks Tejaswi

Just another question, I’ve tested it, and it seems to work only groups with internal users. Is there a different configuration needed for external users? (Please note, the external users are already added to our Azure environment.) When I share with individual external users, it works fine, but it doesn’t seem to work when I share with the group. Do you have any idea why?

Thanks

Re: set up RLS for a security group in Power BI

nandic — Fri, 17 Oct 2025 09:25:45 GMT

Hi @NorahTran97 ,

RLS will always be dynamic.
If you use userprincipalname() dax function in rls logic, it always checks currently logged in user.
So if there are 10 users in same Azure user group and by best practice, we grant dataset/app permissions to user group, each user will see only what is allowed by rls for each user.
By using groups, we just make it easier for us to give all users access.

Note: for external users, regular external users having company mail, in rls table keep their actual mail.
Because this is how Power BI Service will recognize them.
Example: user@company.com

However, if external users use private emails (gmail, yahoo..), then in rls table you need to have prefix which Power BI Service adds.
Example: live#user@company.com

In addtion, Azure user group should be "Security" type so that it can be used on Power BI Service.

Cheers,
Nemanja

Re: set up RLS for a security group in Power BI

v-tejrama — Fri, 17 Oct 2025 11:41:54 GMT

Hi @NorahTran97 ,

Thank you for your follow-up question. It’s great to hear that RLS is working for internal users. Regarding your issue with external users, there are a few considerations to ensure RLS functions correctly when sharing with Azure AD B2B (guest) users. Firstly, confirm that the external users are properly added as guest users in your Azure AD tenant. They should have accepted the invitation and be assigned the appropriate roles within your organization. Additionally, ensure that the external users have the necessary Power BI licensing. If your organization is using Power BI Pro, external users also need a Pro license to access shared content. Alternatively, if your organization has Power BI Premium capacity, external users can access shared content without a Pro license, provided they are assigned to the appropriate workspace roles.

Another important aspect is the workspace settings. For RLS to function correctly, the workspace should be configured such that members have Viewer permissions rather than Member or higher roles. This setting ensures that RLS filters are applied to users accessing the content. You can adjust this by navigating to the workspace settings in the Power BI Service and modifying the permissions accordingly.

If the issue persists, consider testing the RLS configuration by sharing the report directly with an external user and verifying if the data visibility aligns with the RLS rules. This can help identify whether the problem lies with the RLS setup or the group-based sharing configuration.

Please refer these Microsoft Doc links :

Row-level security (RLS) with Power BI

Securely sharing Power BI reports with external users

Thank you.