psadav
New Member

Dynamic AD Group-Based Row-Level Security (USERMEMBEROF()) in Power BI/Fabric

Hello Microsoft Power BI/Fabric Team and Community,

 

I am working on a large-scale Power BI solution in a Fabric F64 capacity workspace. My scenario requires dynamic row-level security (RLS) based on Azure AD group membership, as our user base is large and changes frequently. The ideal solution is to use the USERMEMBEROF() DAX function, which would allow us to maintain a simple mapping table of AD groups to data access, without having to manage individual user emails.

 

Current Situation:

  • Our workspace is on Fabric F64 (Premium) capacity.
  • The USERMEMBEROF() DAX function is not available in our tenant, and there is no Enhanced Row-Level Security (RLS) toggle in the Admin Portal.
  • The only available workaround is to use a user-to-site mapping table with [UserPrincipalName] = USERPRINCIPALNAME(), which is not scalable for our scenario.
  • Assigning AD groups to roles in the Service does not enable dynamic filtering, as USERNAME() and USERPRINCIPALNAME() return the user’s email, not group membership.

Request:

  • Is there an ETA for general availability of USERMEMBEROF() or Enhanced RLS for all Premium/Fabric tenants?
  • Are there any preview programs or tenant settings we can request to enable this feature?
  • Is there any recommended scalable workaround for dynamic AD group-based RLS until this feature is available?

This feature is critical for organizations with dynamic, group-based access requirements. Any update or guidance would be greatly appreciated!

Thank you,

4 REPLIES
tayloramy
Super User

Hi @psadav

 

Power BI cannot determine AD membership. 

 

You will need to have a table in your model that can map to the user's email. 

 

I believe there is an Active Directory connector so you can pull in your groups as tables, and then from there you should be able to calculate a security table that can map a user's email to the rows they are supposed to see.










v-nmadadi-msft
Community Support

Hi @psadav   ,
Thanks for reaching out to the Microsoft Fabric Community forum. 

As a workaround, you can implement dynamic RLS by maintaining a separate security mapping table in Power BI that contains the Azure AD groups along with the relevant users assigned to those groups. You can then use the USERPRINCIPALNAME() DAX function to dynamically filter data based on the currently logged-in user. In this approach, the user’s email (returned by USERPRINCIPALNAME()) is matched against the mapping table to determine which group they belong to, and the corresponding access rules are applied. While this still requires maintaining user membership information, it provides a practical and scalable alternative until USERMEMBEROF() or Enhanced RLS becomes generally available.

Dynamic Row-Level Security (RLS) Implementation in... - Microsoft Fabric Community

I hope this information helps. Please do let us know if you have any further queries.
Thank you
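
The mapping-table workaround described in the reply above, written out as role filters (an added example, not part of the thread and not Microsoft's own code). The table and column names UserGroup, GroupSite, Site, UserPrincipalName, GroupName and SiteID are assumptions, and UserGroup is assumed to be refreshed from the directory so that it holds one row per user per group.

```dax
// Assumed model (hypothetical names, not from the thread):
//   UserGroup(UserPrincipalName, GroupName)  one row per user per AD group
//   GroupSite(GroupName, SiteID)             which sites each group may see
//   Site(SiteID, ...)                        dimension that filters the facts
// UserGroup and GroupSite are assumed to have no relationships to Site.

// --- Role filter entered on table 'Site' ---
VAR _upn = USERPRINCIPALNAME()
// Groups the signed-in user belongs to, according to the mapping table
VAR _groups =
    CALCULATETABLE(
        VALUES( UserGroup[GroupName] ),
        UserGroup[UserPrincipalName] = _upn
    )
// Sites granted to any of those groups
VAR _sites =
    CALCULATETABLE(
        VALUES( GroupSite[SiteID] ),
        TREATAS( _groups, GroupSite[GroupName] )
    )
RETURN
    // A user with no rows in UserGroup gets an empty _sites and sees no data
    'Site'[SiteID] IN _sites

// --- Role filter entered separately on table 'UserGroup' (same role) ---
// Keeps a report user from reading other users' group memberships
// out of the security table itself.
UserGroup[UserPrincipalName] = USERPRINCIPALNAME()
```
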

Thank you for your response and suggestion.

 

Unfortunately, maintaining a user-to-email mapping table is not feasible for our scenario. Our organization manages report access exclusively through Azure AD groups, and the user base is large and dynamic—users are frequently added or removed from groups by our IT team, and we do not have visibility or control over individual memberships.

 

Because of this, adding each user’s email to a mapping table is not practical or scalable for us. We require a solution where row-level security can be enforced dynamically based on AD group membership, without manual user maintenance.

 

We look forward to the general availability of USERMEMBEROF() or Enhanced Row-Level Security in Power BI/Fabric, as this would fully address our needs. In the meantime, please let us know if there are any preview programs or alternative solutions for dynamic, group-based RLS.

 

Thank you for your support and understanding.

 

Best regards,

Prasen.

lbendlin
Super User

That is not a DAX function. Are you thinking of PowerShell?
