Hi all,
our company recently decided to implement row-level security and after a bit of research we wanted to implement dynamic RLS. We have created some Azure AD security groups and assigned users to them, I've manually configured a "users" table (it is a table with emails and membership of AAD groups) in Desktop, set up the RLS based on userprincipalname and set RLS permission on server based on created groups - and it works. I do however have a question/problem with an automatic "users" table - how can I get a list of users and the Azure AD groups that they are members of? I've managed to get AD users and groups, but they are not the same. Can I set it up by group, not by user? Most of the tutorials just have them ready...
And second question - can this action be performed for the whole workspace, not individually for each report?
Thanks for the help!
Anna
Hi, @v-angzheng-msft
Thank you for your answer and confirmation that RLS must be set up report by report on server level as well. However, my problem was with obtaining Azure AD security groups membership - not AD groups which I managed to get and not groups/workspaces from Power BI - after thorough research our admins agreed to simply set us up with this table in our database. I do appreciate the list of links - they would certainly come in handy in monitoring access!
Hi, @aspiewak
You can get users and groups through the Power BI Rest API.
For the second question, I'm afraid not as far as I know. You can set row-level security for each dataset individually.
Edit: RLS set for one shared dataset will take effect for all the related reports
The following are the REST APIs related to users and groups:
Admin - Reports GetReportUsersAsAdmin
Admin - Groups GetGroupsAsAdmin
Admin - Groups GetGroupUsersAsAdmin
Groups - Get Groups
Groups - Get Group Users
Video:
Connecting to the Power BI Admin REST API to bring in data regarding workspaces, reports, datasets, dataflows, and users. Building a Power BI Admin View [Part 1]: Connecting to Data from the REST API
See the links below for more information:
PowerBI to Query AD Group Memberships
Power BI REST API to get list of users
PowerBI REST API - Get Users who had been shared a Report
Get all groups and users in tenant
Hope this helps.
Best Regards,
Community Support Team _ Zeon Zheng
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Hi,
thanks for the reply. My main problem is that I do not have a) users table and b) mapping of users to groups/roles. I can insert that data manually, but maintenance would be a nightmare. Hence my question: can I retrieve such data from Azure AD, similar to users and groups retrieval from AD?
@aspiewak, as of now you have set up RLS for each report. So I doubt you can do it at the workspace level.
The input you get from RLS is userprincipalname, which is an email, and based on that you need to make a decision.
So if your table has a role (with email) and you want to use that for some filtering, you can; you need to create the logic in the role.
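Added example, not from any post in this thread: a Python model of the "users" table that dynamic RLS relies on, flattening group membership (including nested groups) into (email, group) rows and emulating a filter keyed on userprincipalname so the mapping can be checked before publishing. All group names, addresses, rows and function names are constructed assumptions, and it assumes group membership has already been exported from the directory.

```python
# Constructed sample data: group -> direct members. A member is either a user
# (UPN/email) or the name of another group (nested membership). Hypothetical names.
GROUP_MEMBERS = {
    "SG-Sales-EU": ["anna@contoso.example", "SG-Sales-Managers"],
    "SG-Sales-US": ["Bob@Contoso.example"],
    "SG-Sales-Managers": ["carol@contoso.example"],
}

# Constructed fact rows, each tagged with the group allowed to see it.
SALES = [
    {"region": "EU", "amount": 100, "group": "SG-Sales-EU"},
    {"region": "US", "amount": 250, "group": "SG-Sales-US"},
]


def flatten(group_members):
    """Return sorted (upn, group) rows, expanding nested groups transitively."""
    rows = set()

    def expand(group, seen):
        if group in seen:              # guard against cyclic nesting
            return set()
        seen = seen | {group}
        users = set()
        for member in group_members.get(group, []):
            if member in group_members:
                users |= expand(member, seen)
            else:
                users.add(member.strip().lower())   # normalise UPN casing
        return users

    for group in group_members:
        for upn in expand(group, frozenset()):
            rows.add((upn, group))
    return sorted(rows)


def visible_rows(upn, users_table, facts):
    """Emulate the role filter: keep only rows whose group maps to this UPN."""
    key = upn.strip().lower()
    allowed = {g for u, g in users_table if u == key}
    return [r for r in facts if r["group"] in allowed]   # no mapping -> no rows
```

A user who appears in no group gets an empty result rather than the full table, which is the behaviour to confirm for any mapping table before it backs an RLS role.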