Srisakthi
Super User

RLS using EntraId groups on Warehouse

Hi Everyone,

Could you please share your insights on how we can apply RLS using AD groups (Entra ID groups) on warehouse tables?

For example, I have a table of sales data in my Fabric warehouse and I want to restrict access to it for certain groups (AD groups) of people.

I had come across an article on restricting access for specific users, but I want to restrict by using AD groups. Below is an article similar to my question; however, the problem with that approach is that I have to maintain groups in my warehouse table.

https://medium.com/@gcp.azure.aws/implementing-row-level-security-in-microsoft-fabric-sql-endpoint-w...

I don't want to maintain AD groups in my warehouse table; any leads would be much appreciated!

Regards,

Srisakthi

9 REPLIES 9
v-sdhruv
Community Support

Hi @Srisakthi,

Just wanted to check if the response has addressed your query?
If any of the responses has addressed your query, kindly accept it as a solution so that other members can also benefit from it.

Thank You!

v-sdhruv
Community Support

Hi @Srisakthi, @Shreya_Barhate,

Sure, I would like to help you on this!
Here is a working example on how to implement RLS using Entra ID groups in Warehouse and SQL Endpoint:

Microsoft Fabric Row-Level Security (RLS) & Column-Level security(CLS) in Warehouse and SQL Endpoint


Hope this helps!
If the response has addressed your query, please accept it as a solution  so that other members can easily find it.
Thank You!

Hi @v-sdhruv,

Thanks for sharing the link! I went through the example, and it looks like it demonstrates Column-Level Security (CLS) using Active Directory (AD) groups, not Row-Level Security (RLS). I'm specifically looking for a sample script that applies RLS using AD groups (via Entra ID) on Microsoft Fabric Warehouse.

If you have any examples or resources that show how to implement RLS with AD groups, I’d really appreciate it!



Thanks & Regards,
Shreya

Hi @Shreya_Barhate ,

I looked across some resources and found a working example for RLS using AD groups which might help you with your query.

https://www.fourmoo.com/2018/02/20/dynamic-row-level-security-is-easy-with-active-directory-security...

Hope this helps!

Hi @v-sdhruv ,

Thanks for sharing the resource! This approach using AD groups for RLS looks great and should work well in Power BI.

However, for our current use case involving Fabric Warehouse, this method won’t be applicable.


Thanks and regards,
Shreya 

Hi @Shreya_Barhate ,

I am sorry if that didn't help.
I would request that you raise a support ticket:
Link - How to create a Support Ticket

Hope this helps!

v-sdhruv
Community Support

Hi @Srisakthi,

You can:

1. Use Entra ID Group Membership in SQL Endpoint RLS Policies

Define RLS policies at the SQL endpoint level using IS_Member('groupname') or similar functions.

This allows you to check if the current user belongs to a specific Entra ID group without needing that group listed in the table.

or use

2. Centralized Role Management via OneLake RBAC

OneLake RBAC (Role-Based Access Control) supports fine-grained access control at folder and file levels.

You can assign read/write permissions to Entra ID groups directly at the workspace or folder level, which cascades to the warehouse.

More about - One Lake Security

Additionally, you might want to check out:
Dynamic RLS with AD Security Groups

Hope this helps!
If the response has addressed your query, please accept it as a solution  so that other members can easily find it.
Thank You!

Hi  @v-sdhruv 

I've been trying to implement RLS using Entra ID groups on my Lakehouse table in SQL endpoint, but I'm running into issues.

Here's what I tried:

 

CREATE FUNCTION Security.fnRLSGroupFilter(@UserPrincipalName AS VARCHAR(100))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS AccessGranted
    WHERE IS_MEMBER('ReaderFabricDemoGroup') = 1;
GO

 

I have also tried using @UserName.

 

However, the policy doesn't seem to work as expected. 

 

Can you share some sample scripts or working examples of RLS using Entra ID groups in Fabric lakehouse SQL Endpoint or Warehouse tables? It would be super helpful to see how others have approached this.

Thanks!
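
The pattern discussed in this thread, written out end to end as an added example (it is not code from any participant, and the thread does not confirm that IS_MEMBER resolves Entra ID groups in Fabric). The table dbo.Sales, its Region column, the policy name and the Sales-EMEA / Sales-APAC group names are assumptions; ReaderFabricDemoGroup is the group name from the post above.

```sql
-- Added example; dbo.Sales, Region and the Sales-* group names are assumptions.

-- 1. Check what the engine reports for the connected user before relying on it.
--    IS_MEMBER returns 1 (member), 0 (not a member) or NULL (group or role
--    name is not valid), so NULL here means the name was not recognized.
SELECT USER_NAME()                        AS CurrentUser,
       IS_MEMBER('ReaderFabricDemoGroup') AS InReaderGroup;
GO

CREATE SCHEMA Security;
GO

-- 2. Predicate function. The parameter receives the Region value of each row,
--    so the group-to-row mapping lives in the function body and no group list
--    has to be maintained in a warehouse table.
CREATE FUNCTION Security.fnRLSGroupFilter(@Region AS VARCHAR(50))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS AccessGranted
    WHERE (@Region = 'EMEA' AND IS_MEMBER('Sales-EMEA') = 1)
       OR (@Region = 'APAC' AND IS_MEMBER('Sales-APAC') = 1)
       OR IS_MEMBER('ReaderFabricDemoGroup') = 1;  -- assumed: sees every row
GO

-- 3. The function filters nothing on its own; a security policy has to bind
--    it to the table and pass the row's column as the argument.
CREATE SECURITY POLICY Security.SalesGroupPolicy
ADD FILTER PREDICATE Security.fnRLSGroupFilter(Region)
ON dbo.Sales
WITH (STATE = ON);
GO

-- 4. Verify while connected as a member of exactly one regional group:
--    only that region should appear in the result.
SELECT Region, COUNT(*) AS VisibleRows
FROM dbo.Sales
GROUP BY Region;
GO
```

Because `NULL = 1` does not evaluate to true, a group name the engine does not recognize hides rows instead of exposing them; the query in step 1 distinguishes that case from a genuine non-member.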

 

Hi @Shreya_Barhate ,

 

Thanks for your detailed exploration.

@v-sdhruv, I have even tried it earlier and it was not working. Shreya also shared her observation. Could you please share some samples on it?

 

Regards,

Srisakthi
