NorahTran97
Frequent Visitor

set up RLS for a security group in Power BI

Hi all,

I have the following setup in Power BI: 

 

  1. I created an RLS role called external_access.

  2. Inside the role, I use a DAX filter to control access by email, for example:

    • email1 → can only see data for Region1

    • email2 → can only see data for Region2

  3. I then created a security group called external_group and added both email1 and email2 to it.

  4. In the Power BI Service, I assigned external_group to the external_access role.

My question:
Will RLS still work dynamically for each user (so email1 only sees Region1 and email2 only sees Region2), or does assigning a security group mean everyone in that group will have the same data access?

Thanks

1 ACCEPTED SOLUTION

Hi @NorahTran97 ,

Thank you for your follow-up question. It’s great to hear that RLS is working for internal users. Regarding your issue with external users, there are a few considerations to ensure RLS functions correctly when sharing with Azure AD B2B (guest) users. Firstly, confirm that the external users are properly added as guest users in your Azure AD tenant. They should have accepted the invitation and be assigned the appropriate roles within your organization. Additionally, ensure that the external users have the necessary Power BI licensing. If your organization is using Power BI Pro, external users also need a Pro license to access shared content. Alternatively, if your organization has Power BI Premium capacity, external users can access shared content without a Pro license, provided they are assigned to the appropriate workspace roles.

Another important aspect is the workspace settings. For RLS to function correctly, the workspace should be configured such that members have Viewer permissions rather than Member or higher roles. This setting ensures that RLS filters are applied to users accessing the content. You can adjust this by navigating to the workspace settings in the Power BI Service and modifying the permissions accordingly.

If the issue persists, consider testing the RLS configuration by sharing the report directly with an external user and verifying if the data visibility aligns with the RLS rules. This can help identify whether the problem lies with the RLS setup or the group-based sharing configuration.

 

Please refer to these Microsoft Doc links:

Row-level security (RLS) with Power BI

Securely sharing Power BI reports with external users


Thank you.
 


4 REPLIES
nandic
Super User

Hi @NorahTran97 ,

RLS will always be dynamic.
If you use the USERPRINCIPALNAME() DAX function in the RLS logic, it always checks the currently logged-in user.
So if there are 10 users in the same Azure user group and, by best practice, we grant dataset/app permissions to the user group, each user will see only what is allowed by RLS for that user.
By using groups, we just make it easier for us to give all users access.

Note: for regular external users who have a company email, keep their actual email in the RLS table,
because this is how Power BI Service will recognize them.
Example: user@company.com

However, if external users use private emails (Gmail, Yahoo, ...), then in the RLS table you need to have the prefix which Power BI Service adds.
Example: live#user@company.com

In addition, the Azure user group should be of the "Security" type so that it can be used on Power BI Service.

Cheers,
Nemanja 

v-tejrama
Community Support

Hello @NorahTran97,

 

That’s a great question, and it’s one that often causes confusion when using security groups with Row-Level Security in Power BI. The short answer is yes: RLS will still work dynamically for each individual user, even when the role is assigned to a security group, as long as your DAX filter uses a dynamic expression such as USERPRINCIPALNAME() or references a user-to-region mapping table. In that case, each person in the group is evaluated separately when they sign in, so email1 will only see Region1 and email2 will only see Region2, exactly as you’d expect.

 

However, if your RLS role uses a static filter that’s hardcoded to a specific email address, then assigning that role to a group will apply the same filter to everyone in that group. This usually means only one person matches the filter, and others will either see no data or the wrong results. To avoid that, make sure your model uses a dynamic filter, such as comparing the Email column in your user table to USERPRINCIPALNAME(), or using a lookup to match the current user’s region.

 

Once you publish your dataset, assign the Azure AD security group to that role in the Power BI Service. Power BI will still apply RLS individually based on the signed-in user, but you’ll be able to manage membership centrally through Azure AD instead of manually updating roles in Power BI.

 

If you’d like a bit more detail, Microsoft’s documentation explains this really well here:
Row-level security (RLS) with Power BI, Row-level security (RLS) with Power BI - Microsoft Fabric | Microsoft Learn and the Dynamic RLS guidance article walk through examples showing how USERPRINCIPALNAME() ensures per-user...

 

Thank you,

Tejaswi.
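
The per-user evaluation described in the reply above, modelled in Python as an added example (not part of the original thread and not Power BI code): the group only decides whether the role applies, while the filter is rebuilt from each signed-in user's UPN. The addresses, table rows and function names are constructed for illustration.

```python
# Added illustration, not Power BI code: a model of a group-assigned RLS role.
# Every address, row and name below is constructed sample data.
GROUPS = {"external_group": {"email1@example.com", "email2@example.com",
                             "email3@example.com"}}
ROLE_GROUPS = {"external_access": {"external_group"}}  # role -> assigned groups
USER_REGION = [("email1@example.com", "Region1"),      # user-to-region mapping
               ("Email2@Example.com", "Region2")]      # casing differs on purpose
SALES = [("Region1", 100), ("Region2", 200), ("Region3", 300)]


def role_members(role):
    """All users who receive the role through an assigned security group."""
    return {u.lower() for g in ROLE_GROUPS[role] for u in GROUPS[g]}


def dynamic_filter(upn):
    """Models a filter that looks the signed-in user up in the mapping table.
    lower() mirrors DAX's case-insensitive string comparison."""
    allowed = {region for email, region in USER_REGION
               if email.lower() == upn.lower()}
    return lambda row: row[0] in allowed


def static_filter(_upn):
    """Models a filter hardcoded to one address: the signed-in user is ignored."""
    return dynamic_filter("email1@example.com")


def visible_rows(upn, role, make_filter):
    """Rows of SALES the user sees; the group only decides if the role applies."""
    if upn.lower() not in role_members(role):
        return []            # simplification: users outside the role see nothing
    keep = make_filter(upn)  # the filter is built per signed-in user
    return [row for row in SALES if keep(row)]


def unmapped_members(role):
    """Group members without a mapping row; a dynamic filter shows them no data."""
    mapped = {email.lower() for email, _ in USER_REGION}
    return sorted(role_members(role) - mapped)


if __name__ == "__main__":
    for user in sorted(role_members("external_access")):
        print(user,
              "dynamic:", visible_rows(user, "external_access", dynamic_filter),
              "static:", visible_rows(user, "external_access", static_filter))
    print("no mapping row:", unmapped_members("external_access"))
```

Comparing group membership against the mapping table, as `unmapped_members` does, finds members who would open an empty report before the role is published.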

 

Thanks Tejaswi

Just another question: I’ve tested it, and it seems to work only for groups with internal users. Is there a different configuration needed for external users? (Please note, the external users are already added to our Azure environment.) When I share with individual external users, it works fine, but it doesn’t seem to work when I share with the group. Do you have any idea why?

 

Thanks

