aiims
New Member

Dynamic Row level Security for AD groups

Hello All,

I need some help in Dynamic Row Level Security.
We have 1000+ members aligned to different AD groups and we need to set our PBI reports based on their AD Group allocation. We are able to run D-RLS when we use the Email ID of employee but maintain 1000+ email id with their access level is not a correct solution and there will be a lot of bulk additions / removals of users.
Can anyone please suggest how we can get DRLS working where we have users split by Zone Security Group, Area Security Group and Admin Security Group?
Thank you
Regards
Satish
Sample File 

lbendlin
Super User

"maintain 1000+ email id with their access level is not a correct solution "

 

Please explain why you think that way. Larger companies have User Access Management tools that can maintain profiles and AD groups (including bulk load, periodic auditing and auto cleanup). Usually these tools provide datasets or dataflows that can then be consumed by Power BI developers for their dynamic RLS needs.

Hi lbendlin

We already have AD groups in place for each team, which have the employee email IDs. This way we have almost 100+ AD groups which have 1000+ emails.

Any update in the records happens on the AD group and all the tools update the security accordingly.

We want to use the same AD groups for our report RLS but PBI is not recognizing them.

Maintaining / deleting / updating these email IDs will not be an easy task, as the same email ID can be in multiple groups/teams.

We have the below kind of table to be loaded in PBI, where Access will be the key to connect with the PBI base table:

| AD_Group  | Access |
|-----------|--------|
| UKI_Leads | UKI    |
| IND_Leads | IND    |

Appreciate your help and support.

I forgot to mention that all your AD groups must be mail enabled. Use their email address in Power BI.

Thank you lbendlin,

Yes, all the AD groups are email enabled, like UKI_Leads@xyz.com, and when passed in PBI as a table and validated on Manage roles using USERPRINCIPALNAME(), PBI is not able to recognize it as an email ID.
It takes UKI_Leads@xyz.com as a user but does not expand it to the actual users in the group.

Thank you

That's not what I meant, sorry to have been unclear. Your DLs have to be specified in the access control list for the Power BI app. For the RLS itself you need a feed from your AD or PDL management tool of choice with the full list of all PDL members.
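
The user-level feed the last reply asks for can be built by flattening the AD_Group/Access table against a membership export, because USERPRINCIPALNAME() returns the signed-in user and never a group address. This is an added example, not code from any poster in the thread; the feed shape, the user addresses, the nested-group handling (which goes beyond what the thread describes) and the `UserEmail` column name are assumptions.

```python
# Constructed sample data: group names are from the thread, user addresses are made up.
GROUP_ACCESS = {"UKI_Leads@xyz.com": "UKI", "IND_Leads@xyz.com": "IND"}

# Assumed feed shape: group address -> direct members (users or nested groups).
MEMBERSHIP = {
    "UKI_Leads@xyz.com": ["Alice@xyz.com", "bob@xyz.com", "UKI_North@xyz.com"],
    "UKI_North@xyz.com": ["carol@xyz.com", "UKI_Leads@xyz.com"],  # deliberate cycle
    "IND_Leads@xyz.com": ["bob@xyz.com", "dev@xyz.com"],
}


def expand_group(group, feed, seen=None):
    """Return the users in `group`, following nested groups; `feed` keys are lower-case."""
    seen = set() if seen is None else seen
    group = group.lower()
    if group in seen:  # already visited, so a membership cycle cannot loop forever
        return set()
    seen.add(group)
    users = set()
    for member in (m.lower() for m in feed.get(group, [])):
        if member in feed:
            users |= expand_group(member, feed, seen)
        else:
            users.add(member)
    return users


def build_security_table(group_access, membership):
    """Flatten to sorted (UserEmail, Access) rows; a user in two groups gets two rows."""
    feed = {g.lower(): members for g, members in membership.items()}
    rows = set()
    for group, access in group_access.items():
        rows |= {(user, access) for user in expand_group(group, feed)}
    return sorted(rows)


def groups_missing_from_feed(group_access, membership):
    """Mapped groups with no membership in the feed: they would silently grant nothing."""
    known = {g.lower() for g in membership}
    return sorted(g for g in group_access if g.lower() not in known)


if __name__ == "__main__":
    # Load these rows as the security table and filter the role on
    # [UserEmail] = USERPRINCIPALNAME() (column name is an assumption).
    for email, access in build_security_table(GROUP_ACCESS, MEMBERSHIP):
        print(f"{email},{access}")
```

Regenerating the table on each dataset refresh keeps RLS in step with group changes, and a non-empty result from `groups_missing_from_feed` is worth alerting on before publishing.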
