Srisakthi
Super User

RLS using EntraId groups on Warehouse

Hi Everyone,

 

Could you please share your insights on how we can apply RLS using AD groups (Entra ID groups) on warehouse tables?

For example, I have a table of sales data in my Fabric warehouse and I want to restrict access to it for certain groups (AD groups) of people.

I came across an article on restricting access for specific users, but I want to restrict by using AD groups. Below is the article similar to my question; however, the problem with that approach is that I have to maintain groups in my warehouse table.

https://medium.com/@gcp.azure.aws/implementing-row-level-security-in-microsoft-fabric-sql-endpoint-w...

I don't want to maintain AD groups in my warehouse table; any leads would be much appreciated!

Regards,

Srisakthi

9 REPLIES 9
v-sdhruv
Community Support

Hi @Srisakthi ,

Just wanted to check if the response has addressed your query?
If any of the responses has addressed your query, kindly accept it as a solution so that other members can also benefit from it.

Thank You!

v-sdhruv
Community Support

Hi @Srisakthi , @Shreya_Barhate ,

Sure, I would like to help you on this!
Here is a working example of how to implement RLS using Entra ID groups in Warehouse and SQL Endpoint:

Microsoft Fabric Row-Level Security (RLS) & Column-Level security(CLS) in Warehouse and SQL Endpoint


Hope this helps!
If the response has addressed your query, please accept it as a solution  so that other members can easily find it.
Thank You!

Hi @v-sdhruv

Thanks for sharing the link! I went through the example, and it looks like it demonstrates Column-Level Security (CLS) using Active Directory (AD) groups, not Row-Level Security (RLS). I'm specifically looking for a sample script that applies RLS using AD groups (via Entra ID) on Microsoft Fabric Warehouse.

If you have any examples or resources that show how to implement RLS with AD groups, I’d really appreciate it!



Thanks & Regards,
Shreya

Hi @Shreya_Barhate ,

I looked across some resources and found a working example for RLS using AD groups which might help you with your query.

https://www.fourmoo.com/2018/02/20/dynamic-row-level-security-is-easy-with-active-directory-security...

Hope this helps!

Hi @v-sdhruv ,

Thanks for sharing the resource! This approach using AD groups for RLS looks great and should work well in Power BI.

However, for our current use case involving Fabric Warehouse, this method won’t be applicable.


Thanks and regards,
Shreya 

Hi @Shreya_Barhate ,

I am sorry if that didn't help.
I would request that you raise a support ticket:
Link - How to create a Support Ticket

Hope this helps!

v-sdhruv
Community Support

Hi @Srisakthi  ,

You can:

1. Use Entra ID Group Membership in SQL Endpoint RLS Policies

Define RLS policies at the SQL endpoint level using IS_MEMBER('groupname') or similar functions.

This allows you to check if the current user belongs to a specific Entra ID group without needing that group listed in the table.

Or use:

2. Centralized Role Management via OneLake RBAC

OneLake RBAC (Role-Based Access Control) supports fine-grained access control at folder and file levels.

You can assign read/write permissions to Entra ID groups directly at the workspace or folder level, which cascades to the warehouse.

More about - One Lake Security

Additionally, you might want to check out:
Dynamic RLS with AD Security Groups

Hope this helps!
If the response has addressed your query, please accept it as a solution  so that other members can easily find it.
Thank You!

Hi  @v-sdhruv 

I've been trying to implement RLS using Entra ID groups on my Lakehouse table in SQL endpoint, but I'm running into issues.

Here's what I tried:


CREATE FUNCTION Security.fnRLSGroupFilter(@UserPrincipalName AS VARCHAR(100))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS AccessGranted
    WHERE IS_MEMBER('ReaderFabricDemoGroup') = 1;
GO


I have also tried using @UserName

 

However, the policy doesn't seem to work as expected. 

 

Can you share some sample scripts or working examples of RLS using Entra ID groups in Fabric lakehouse SQL Endpoint or Warehouse tables? It would be super helpful to see how others have approached this.

Thanks!
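
An added example, not part of the posts above and not Microsoft's sample: the standard T-SQL RLS pieces around an IS_MEMBER predicate (a membership check to run as the affected user, a predicate keyed on a row column, and the security policy that binds it to the table). The table dbo.Sales, its Region column and the two Sales-*-Readers group names are hypothetical; whether the Fabric SQL endpoint resolves an Entra ID group name through IS_MEMBER is the open question in this thread and is not confirmed here.

```sql
-- Step 1: run as the affected user before creating any policy.
-- IS_MEMBER returns 1 (member), 0 (not a member) or NULL (the name is
-- not resolved as a valid group or role). A predicate written as
-- "IS_MEMBER(...) = 1" returns no rows for both 0 and NULL, so this
-- query separates "not in the group" from "group not recognised".
SELECT USER_NAME()                        AS current_user_name,
       IS_MEMBER('ReaderFabricDemoGroup') AS is_member_result;
GO

CREATE SCHEMA Security;
GO

-- Step 2: predicate function. The parameter receives the row's Region
-- value, so the group check decides per row rather than per table.
-- Group names are hypothetical placeholders.
CREATE FUNCTION Security.fnSalesRegionFilter(@Region AS VARCHAR(50))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS AccessGranted
    WHERE (@Region = 'EMEA' AND IS_MEMBER('Sales-EMEA-Readers') = 1)
       OR (@Region = 'APAC' AND IS_MEMBER('Sales-APAC-Readers') = 1);
GO

-- Step 3: the function filters nothing until a security policy binds
-- it to the table and passes the column in as the argument.
CREATE SECURITY POLICY Security.SalesRegionPolicy
ADD FILTER PREDICATE Security.fnSalesRegionFilter(Region)
ON dbo.Sales
WITH (STATE = ON);
GO

-- Step 4: confirm the policy exists and is enabled (standard SQL Server
-- catalog view; its availability on the Fabric endpoint is assumed).
SELECT name, is_enabled FROM sys.security_policies;
GO
```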

 

Hi @Shreya_Barhate ,

 

Thanks for your detailed exploration.

@v-sdhruv I even tried this earlier; it was not working. Shreya also shared her observation. Could you please share some samples on it?

 

Regards,

Srisakthi
