Hi All,
Good day!
Just want to ask if we have properly set up the following.
This involves the usage of Dynamic RLS, Entra ID Security Groups and Power BI App Audiences. Thank you very much for the help!
The Problem:
(1) To filter reports by Department by leveraging the Entra ID Security Groups (via Dynamic RLS) and;
(2) To manage these Entra ID Security Groups via Power BI App Audience.
The Proposal:
(1) This is the proposed data model for Problem (1). Each security group will be assigned to a different section and thorugh Dynamic RLS, the report will only display data based on the users' security group.
(2) For the RLS piece this is the script we used.
(3) Once the report has been published, we add the security groups in the Security Section of the Report
(4) In the Power BI Apps, we add the security groups in each Audience page then select Update App
In Need of Help:
(1) Have we set it up enough or correctly? If not, could you provide some insights where we could improve the solution.
(2) For the Power BI App - Audience, suppose that a user is a member of 2 security groups, namely SecGrp-A and SecGrp-B. SecGrp-A and SecGrp-B are to be placed separately in 2 Audience Pages. The current result of this is that the user is able to view the data for both Audience Pages.
(2.1) Is there a way in which the user can only view the data for SecGrp-A without removing the SecGrp-B in the other Audience Page?
(2.2) If there are adjustments to be done on RLS, could you help provide the script to be used?
Best regards,
-OP
Hi @Anonymous
(1) Have we set it up enough or correctly? If not, could you provide some insights where we could improve the solution. From the looks of it the relationships look correct.
(2) For the Power BI App - Audience, suppose that a user is a member of 2 security groups, namely SecGrp-A and SecGrp-B. SecGrp-A and SecGrp-B are to be placed separately in 2 Audience Pages. The current result of this is that the user is able to view the data for both Audience Pages.
True the user will see both Audiences, but when they log into the app, they will see tabs "All", "SecGrp-A" & "SecGrp-B". They will see the reports, but the data that they see will be defined by the Row Level Security,
(2.1) Is there a way in which the user can only view the data for SecGrp-A without removing the SecGrp-B in the other Audience Page?
Don't think so. In my expierence, nobody complained
(2.2) If there are adjustments to be done on RLS, could you help provide the script to be used? In what way? How the data is filtered or who is part of the Security Groups. If it about how data and teh relationships are adapted, then this will need to be done in the PBIX file. Regarding groups, this I presume it done in Azure and then the changes will be reflected in the report when it refreshes.
Additionally you can test roles within Desktop and the Service
Desktop: Got to the Modelling Tab and choose test by role, tick the role and the other user fields and enter an email address of a user and press ok. Here you will see what the user will see.
Service: On the dataset go to Security and click on test as Role by clicking on the 3 dots bedie the role name. Then it will take you to the report and just change it to test as user and enter the users name.
Please note that if a user is a Admin, Contributer or Member of a Workspace, the RLS will not work. Best practice is that only developers have access to Workspaces.
Hope this helps
Joe
Proud to be a Super User! |  |
Date tables help! Learn more
Hi @Anonymous
(1) Have we set it up enough or correctly? If not, could you provide some insights where we could improve the solution. From the looks of it the relationships look correct.
(2) For the Power BI App - Audience, suppose that a user is a member of 2 security groups, namely SecGrp-A and SecGrp-B. SecGrp-A and SecGrp-B are to be placed separately in 2 Audience Pages. The current result of this is that the user is able to view the data for both Audience Pages.
True the user will see both Audiences, but when they log into the app, they will see tabs "All", "SecGrp-A" & "SecGrp-B". They will see the reports, but the data that they see will be defined by the Row Level Security,
(2.1) Is there a way in which the user can only view the data for SecGrp-A without removing the SecGrp-B in the other Audience Page?
Don't think so. In my expierence, nobody complained
(2.2) If there are adjustments to be done on RLS, could you help provide the script to be used? In what way? How the data is filtered or who is part of the Security Groups. If it about how data and teh relationships are adapted, then this will need to be done in the PBIX file. Regarding groups, this I presume it done in Azure and then the changes will be reflected in the report when it refreshes.
Additionally you can test roles within Desktop and the Service
Desktop: Got to the Modelling Tab and choose test by role, tick the role and the other user fields and enter an email address of a user and press ok. Here you will see what the user will see.
Service: On the dataset go to Security and click on test as Role by clicking on the 3 dots bedie the role name. Then it will take you to the report and just change it to test as user and enter the users name.
Please note that if a user is a Admin, Contributer or Member of a Workspace, the RLS will not work. Best practice is that only developers have access to Workspaces.
Hope this helps
Joe
Proud to be a Super User! | |
Date tables help! Learn more
Helpful resources
Join our Fabric User Panel
Share feedback directly with Fabric product managers, participate in targeted research studies and influence the Fabric roadmap.
Power BI Monthly Update - February 2026
Check out the February 2026 Power BI update to learn about new features.
FabCon Atlanta 2026
Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.
