Solved: Dynamic AD Group-Based Row-Level Security (USERMEM...

psadav · ‎05-21-2026

Hello Microsoft Power BI/Fabric Team and Community,

I am working on a large-scale Power BI solution in a Fabric F64 capacity workspace. My scenario requires dynamic row-level security (RLS) based on Azure AD group membership, as our user base is large and changes frequently. The ideal solution is to use the USERMEMBEROF() DAX function, which would allow us to maintain a simple mapping table of AD groups to data access, without having to manage individual user emails.

Current Situation:

Our workspace is on Fabric F64 (Premium) capacity.
The USERMEMBEROF() DAX function is not available in our tenant, and there is no Enhanced Row-Level Security (RLS) toggle in the Admin Portal.
The only available workaround is to use a user-to-site mapping table with [UserPrincipalName] = USERPRINCIPALNAME(), which is not scalable for our scenario.
Assigning AD groups to roles in the Service does not enable dynamic filtering, as USERNAME() and USERPRINCIPALNAME() return the user’s email, not group membership.

Request:

Is there an ETA for general availability of USERMEMBEROF() or Enhanced RLS for all Premium/Fabric tenants?
Are there any preview programs or tenant settings we can request to enable this feature?
Is there any recommended scalable workaround for dynamic AD group-based RLS until this feature is available?

This feature is critical for organizations with dynamic, group-based access requirements. Any update or guidance would be greatly appreciated!

Thank you,

v-nmadadi-msft · ‎05-25-2026

Hi @psadav ,
If the requested feature is important for your functionality Please consider sharing your suggestion in the Power BI Ideas forum.
Fabric Ideas - Microsoft Fabric Community
where the product team actively monitors user feedback. Ideas with strong community support are more likely to be considered for future implementation. Posting there helps ensure your request reaches the right audience and contributes to shaping the product roadmap.
Regards

View solution in original post

william1234

This is a valid enterprise use case, but currently Power BI RLS evaluates the user identity, not Entra ID group membership directly.

A common scalable workaround is to automate an access mapping table from Entra ID groups (using Graph API, Data Factory, Fabric pipelines, etc.) and keep RLS based on USERPRINCIPALNAME(). This avoids manually maintaining users while still allowing group-driven access changes.

For USERMEMBEROF() / Enhanced RLS availability, Microsoft has not published a general ETA. Your best options are to check with your Microsoft account team for preview availability and submit feedback through the Fabric Ideas portal.

v-nmadadi-msft · ‎05-28-2026

Hi @psadav ,

Could you please confirm if you've submitted this as an idea in the Ideas Forum? If so, sharing the link here would be helpful for other community members who may have similar feedback.

Regards

tayloramy · ‎05-22-2026

Hi @psadav,

Power BI cannot determine AD membership.

You will need to have a table in your model that can map to the user's email.

I believe there is an active directory connector so you can pull in your groups as tables, and then from there you should be able to calculate a security table that can map a user's email to the rows they are supposed to see.

If you found this helpful, consider giving some Kudos.
If I answered your question or solved your problem, mark this post as the solution!
Join the Fabric Discord!

Proud to be a Super User!

v-nmadadi-msft · ‎05-22-2026

Hi @psadav ,
Thanks for reaching out to the Microsoft Fabric Community forum.

As a workaround, you can implement dynamic RLS by maintaining a separate security mapping table in Power BI that contains the Azure AD groups along with the relevant users assigned to those groups. You can then use the USERPRINCIPALNAME() DAX function to dynamically filter data based on the currently logged-in user. In this approach, the user’s email (returned by USERPRINCIPALNAME()) is matched against the mapping table to determine which group they belong to, and the corresponding access rules are applied. While this still requires maintaining user membership information, it provides a practical and scalable alternative until USERMEMBEROF() or Enhanced RLS becomes generally available.

Dynamic Row-Level Security (RLS) Implementation in... - Microsoft Fabric Community

I hope this information helps. Please do let us know if you have any further queries.
Thank you

psadav · ‎05-22-2026

Thank you for your response and suggestion.

Unfortunately, maintaining a user-to-email mapping table is not feasible for our scenario. Our organization manages report access exclusively through Azure AD groups, and the user base is large and dynamic—users are frequently added or removed from groups by our IT team, and we do not have visibility or control over individual memberships.

Because of this, adding each user’s email to a mapping table is not practical or scalable for us. We require a solution where row-level security can be enforced dynamically based on AD group membership, without manual user maintenance.

We look forward to the general availability of USERMEMBEROF() or Enhanced Row-Level Security in Power BI/Fabric, as this would fully address our needs. In the meantime, please let us know if there are any preview programs or alternative solutions for dynamic, group-based RLS.

Thank you for your support and understanding.

Best regards,

Prasen.

v-nmadadi-msft · ‎05-25-2026

Hi @psadav ,
If the requested feature is important for your functionality Please consider sharing your suggestion in the Power BI Ideas forum.
Fabric Ideas - Microsoft Fabric Community
where the product team actively monitors user feedback. Ideas with strong community support are more likely to be considered for future implementation. Posting there helps ensure your request reaches the right audience and contributes to shaping the product roadmap.
Regards