Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

A new Data Days event is coming soon! This time we’re going bigger than ever. Fabric, Power BI, SQL, AI and more. Don't miss out.

Reply
GiudiDavi
New Member

RLS with nested AAD groups

‎04-02-2026 03:06 AM

Hi all!
my situation it that i have this kind of structure:

father AAD group --> (person A, personB, sonAADgroup1, sonAADgroup2)

the two son AAD group had people in it

i have some rule on my semantic model:
ALL
group 1 --> with sonAADgroup1 in it
group 2 --> with sonAADgroup2 in it

where i should add my father grupo to let people A and B to see everythin?

my doubt is that if i do a thing like that: 
ALL --> with fatherAAD in it
group 1 --> with sonAADgroup1 in it
group 2 --> with sonAADgroup2 in it
then sonAADgroup1 and sonAADgroup2 will see everything because they are in the father, and father can see all

Labels:
Message 1 of 4
409 Views
0
1 ACCEPTED SOLUTION
Zanqueta
Super User
Super User

‎04-02-2026 03:26 AM

Hi @GiudiDavi,

 

Power BI does not expand nested Azure AD group membership for RLS evaluation.
Only direct membership is considered.
This means:

Adding the parent AAD group to the ALL role will give full access only to the direct members (Person A and Person B).
Members of the child groups will not inherit access to the ALL role, even though their groups are nested inside the parent group in Azure AD.

Nested group expansion is not supported in Power BI’s RLS resolution process.

 

Recommended RLS Configuration

Role: ALL = Assign the parent AAD group.
Role: Group 1 = Assign sonAADgroup1.
Role: Group 2 =  Assign sonAADgroup2.

 

With this configuration:
  • Person A and Person B (direct members of the parent group) will see all data.
  • Members of sonAADgroup1 will only see Group 1 data.
  • Members of sonAADgroup2 will only see Group 2 data.
  • Child group members will not receive full access through inheritance.
This configuration is correct and safe for your requirement.

 

If this response was helpful in any way, I’d gladly accept a kudo.
Please mark it as the correct solution. It helps other community members find their way faster.
Connect with me on LinkedIn

View solution in original post

Message 2 of 4
377 Views
3 REPLIES 3
Kedar_Pande
Super User
Super User

‎04-02-2026 09:22 AM

@GiudiDavi 

 

Correct structure:

ALL role → father AAD group (A, B, son1, son2)
Group1 role → sonAADgroup1 only 
Group2 role → sonAADgroup2 only

AAD nesting expands members transitively. Sons get ALL + their specific role = unrestricted access. Use separate non-nested groups for A/B if needed.

Message 4 of 4
319 Views
0
Zanqueta
Super User
Super User

‎04-02-2026 03:26 AM

Hi @GiudiDavi,

 

Power BI does not expand nested Azure AD group membership for RLS evaluation.
Only direct membership is considered.
This means:

Adding the parent AAD group to the ALL role will give full access only to the direct members (Person A and Person B).
Members of the child groups will not inherit access to the ALL role, even though their groups are nested inside the parent group in Azure AD.

Nested group expansion is not supported in Power BI’s RLS resolution process.

 

Recommended RLS Configuration

Role: ALL = Assign the parent AAD group.
Role: Group 1 = Assign sonAADgroup1.
Role: Group 2 =  Assign sonAADgroup2.

 

With this configuration:
  • Person A and Person B (direct members of the parent group) will see all data.
  • Members of sonAADgroup1 will only see Group 1 data.
  • Members of sonAADgroup2 will only see Group 2 data.
  • Child group members will not receive full access through inheritance.
This configuration is correct and safe for your requirement.

 

If this response was helpful in any way, I’d gladly accept a kudo.
Please mark it as the correct solution. It helps other community members find their way faster.
Connect with me on LinkedIn

Message 2 of 4
378 Views
GiudiDavi
New Member
In response to Zanqueta

‎04-02-2026 03:30 AM

can you please confirm taht the visibility of objects inside the workspace is inherited?
if i gave my fathergroup viewer role on the workspace then someone inside the songroupA access power bi they will see the workspace

Message 3 of 4
370 Views
0

Helpful resources

Announcements
May Power BI Update Carousel

Power BI Monthly Update - May 2026

Check out the May 2026 Power BI update to learn about new features.

Fabric SQL PBI Data Days

Data Days 2026 coming soon!

Sign up to receive a private message when registration opens and key events begin.

New to Fabric survey Carousel

New to Fabric Survey

If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.

Power BI DataViz World Championships carousel

Power BI DataViz World Championships - June 2026

A new Power BI DataViz World Championship is coming this June! Don't miss out on submitting your entry.

View All