We manage our Power BI roles via TMDL files. Until now, we have added DevOps groups to these roles directly in Power BI Service.

To improve overview and maintainability, we want to define all group assignments within the TMDL files. For mail enabled security groups, adding the email address as a member in TMDL seems to work fine. For example:

 

This works as expected.

However, we found that about 80% of our groups do not have an email address (these are Azure Security Groups rather than Mail enabled security groups).

We tried adding these groups as members by either DevOps group name or by DevOps object ID (a combination of the group GUID and the organization ID), for example:

 

Both methods result in deployment errors when deploying to Power BI Service.

Questions:

• Is it possible to add Azure Security Groups (without email) as a member in TMDL and successfully deploy to Power BI Service? If so, how should the syntax look like?
• Is there a workaround or best practice for this scenario? I am for example familiair with adding object ID's in Tabular Editor. But then again the logic would be spread across multiple places, which makes it difficult to keep an overview.
• Are there developments planned in Fabric/Power BI to support to add Azure Security Groups (without email) as TMDL role members?

Changing all our groups to Mail enabled Security Groups is a major operation—any alternatives would be appreciated.

Thanks in advance for your help and advice!

Kind regards, Chantal van Harten