Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

View all the Fabric Data Days sessions on demand. View schedule

Reply
softbrendan
New Member

CustomGPT Fabric integration with RLS

‎07-10-2025 02:24 PM

Hey  has anyone successfully connected a Custom GPT to Microsoft Fabric data using the REST API or any other supported query endpoint?

 

We're using OAuth 2.0 with delegated scopes like Dataset.ReadWrite.All and SemanticModel.Read.All, and our Custom GPT is successfully accessing Fabric data through GraphQL — but GraphQL does not enforce Row-Level Security (RLS).

Our goal is to enforce RLS in the data being accessed by the GPT.

We've tested the executeQueries REST API against Fabric datasets, but hit EntityNotFound errors, likely because the Fabric model is bound to a Direct Lake connection using SSO, and the GPT isn't running with a user identity that SSO can impersonate.

 

  1. Has anyone managed to access Fabric data with enforced RLS from a Custom GPT?

  2. Are there specific endpoint types (DAX, SQL Analytics, GraphQL, etc.) that do support RLS with OAuth app flows or service principals?

  3. Is there a recommended way to configure Fabric so a Custom GPT can query data with RLS enforced, even if it's not via semantic models?

We’re open to any Fabric-supported pattern that allows GPTs to retrieve RLS-secured data.

Labels:
Message 1 of 6
563 Views
0
1 ACCEPTED SOLUTION
softbrendan
New Member
In response to v-nmadadi-msft

‎07-26-2025 08:18 AM

yes we got it working for semantic endpoints.

View solution in original post

Message 5 of 6
374 Views
0
5 REPLIES 5
v-nmadadi-msft
Community Support
Community Support

‎07-25-2025 09:40 PM

Hi @softbrendan 

I wanted to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions.


Thank you.

Message 4 of 6
385 Views
0
softbrendan
New Member
In response to v-nmadadi-msft

‎07-26-2025 08:18 AM

yes we got it working for semantic endpoints.

Message 5 of 6
375 Views
0
v-nmadadi-msft
Community Support
Community Support
In response to softbrendan

‎07-27-2025 09:02 PM

Hi @softbrendan ,

We really appreciate your efforts and for letting us know the update on the issue.
It would be greatly appreciated if you could share your insights on how exactly you got it working with the community. This would be helpful for other members who may encounter similar issues.

Please continue using fabric community forum for your further assistance.
Thank you

 

Message 6 of 6
335 Views
0
v-nmadadi-msft
Community Support
Community Support

‎07-13-2025 10:40 PM

Hi @softbrendan 
Thanks for reaching out to the Microsoft fabric community forum.


As your objective is to use RLS with your Fabric data, you can try to use XMLA endpoint with third party tools with which you will be able to use RLS roles
Semantic model connectivity and management with the XMLA endpoint in Power BI - Power BI | Microsoft...
The following limitations apply when working with roles through the XMLA endpoint:

  • The only permission for a role that can be set for semantic models is Read permission. Other permissions are granted using the Power BI security model.
  • Service Principals do not work with RLS and OLS, and cannot be added as model role members.
  • Build permission for a semantic model is required for read access through the XMLA endpoint, regardless of the existence of semantic model roles.

 

I hope this information helps. Please do let us know if you have any further queries.
Thank you

Message 3 of 6
476 Views
0
rohit1991
Super User
Super User

‎07-11-2025 02:21 AM

Hi @softbrendan 

To enforce Row-Level Security (RLS) when connecting a Custom GPT to Microsoft Fabric data, you must authenticate with a user-delegated OAuth token—not as a service principal or app-only app. RLS is only enforced when queries are made with the actual user’s identity (using OAuth 2.0 Authorization Code flow), typically through DAX or SQL endpoints such as the XMLA endpoint or SQL Analytics endpoint.

 

GraphQL endpoints do not enforce RLS, and app-only or service principal tokens will bypass RLS rules by design. The recommended approach is to have your Custom GPT authenticate as the user and query Fabric using their token; this allows Fabric to apply RLS as intended. For more details, see Enforce RLS for Direct Lake and XMLA endpoint and RLS in Microsoft’s documentation.


Did it work? ✔ Give a Kudo • Mark as Solution – help others too!
Message 2 of 6
527 Views
0

Helpful resources

Announcements
November Fabric Update Carousel

Fabric Monthly Update - November 2025

Check out the November 2025 Fabric update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All