Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Earn the coveted Fabric Analytics Engineer certification. 100% off your exam for a limited time only!

Reply
aspiewak
Frequent Visitor

Dynamic RLS with Azure AD security groups

Hi all,


our company recently decided to implement row-level security and after a bit of research we wanted to implement dynamic RLS. We have created some Azure AD security groups and assigned users to them, I've manually configured "users" table (it is table with emails and membership of AAD groups) in Desktop, setup the RLS based on userprincipalname and set RLS permission on server based on created groups - and it works. I do however have question/problem with automatic "users" table - how can I get list of users and Azure AD groups that they are members of? I've managed to get AD users and groups, but they are not the same. Can i set it up by group, not by user? Most of the tutorials just have them ready...

And second question - can this action be performed for the whole workspace, not individually for each report?

Thanks for the help!
Anna

4 REPLIES 4
aspiewak
Frequent Visitor

Hi, @v-angzheng-msft 

Thank you for your answer and confirmation, that RLS must be setup report by report on server level as well. However, my problem was with obtaining Azure AD security groups membership - not AD groups which I managed to get and not groups/workspaces from Power BI - after thorough research our admins agreeded to simply set us up with this table in our database. I do appreciate the list of links - they would certainly come in handy in monitoring access!

v-angzheng-msft
Community Support
Community Support

Hi, @aspiewak 

 

You can get users and groups through the Power BI Rest API.

For the second question, I'm afraid not as far as I know. You can set row-level security for each dataset individually.

Edit:  RLS set for one shared dataset will take effect for all the related reports

 

The following are the REST APIs related to users and groups:

Admin - Reports GetReportUsersAsAdmin

Admin - Groups GetGroupsAsAdmin    

Admin - Groups GetGroupUsersAsAdmin

Groups - Get Groups     Groups - Get Group Users

 

Video:

Connecting to the Power BI Admin REST API to bring in data regarding workspaces, reports, datasets, dataflows, and users.   Building a Power BI Admin View [Part 1]: Connecting to Data from the REST API

 

See the links below for more information:

PowerBI to Query AD Group Memberships

Power BI REST API to get list of users

PowerBI REST API - Get Users who had been shared a Report

Get all groups and users in tenant

USING GET GROUPS AS ADMIN API

 

Hope this helps.

 

Best Regards,
Community Support Team _ Zeon Zheng
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

 

aspiewak
Frequent Visitor

Hi,

thanks for the reply. My main problem is that I do not have a) users table and b) mapping of users to groups/roles. I can insert that data manually, but maintenance would be a nightmare. Hence my question: can I retrieve such data from Azure AD, similar to users and groups retrieval from AD?

amitchandak
Super User
Super User

@aspiewak , As of now you have set up RLS for each report. So doubt you can do it at the workspace level.

 

The input you get from RLS is userprincipalname , which is an email, and based on that you need to take decision.

So if your table has a role(with email) and you want to use that for some filtering you can, need to create a logic in Role.

Helpful resources

Announcements
April AMA free

Microsoft Fabric AMA Livestream

Join us Tuesday, April 09, 9:00 – 10:00 AM PST for a live, expert-led Q&A session on all things Microsoft Fabric!

March Fabric Community Update

Fabric Community Update - March 2024

Find out what's new and trending in the Fabric Community.