I have created an Organizational App in Microsoft Fabric and need to grant access to specific users or Active Directory security groups at the app level. However, the system shows a message indicating that this is not possible, and the only option available is to grant read access at the workspace level.

This is not a viable solution for us because it means users will see all content in the workspace, not just the Organizational App we want them to access.

Expected Behavior

Ability to assign permissions at the Organizational App level (by user or AD security group), so that users only see the Org App and its content, without visibility into other apps or items in the same workspace.

Current Behavior

• When trying to set permissions for the Org App, the system only allows granting Viewer role at the workspace level.
• No option to restrict access to a single Org App.

Impact

• Risk of overexposing sensitive content.
• Lack of segmentation and governance.
• Compliance concerns.

What I’ve Tried

• Checked workspace roles and permissions.
• Reviewed tenant settings.
• Verified that the Org App is published correctly.

Questions

• Is this limitation by design for Organizational Apps?
• Are there any workarounds to achieve granular access control for Org Apps?
• Is there a roadmap to support audience-based or user/group-level permissions for Organizational Apps (similar to standard Apps)?