Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Power BI is turning 10! Let’s celebrate together with dataviz contests, interactive sessions, and giveaways. Register now.

Reply
BozPLR
Frequent Visitor

Configure RLS for multiple external customers?

Thursday

I am requesting some help with a Row Level Security (RLS) situation for Power BI. I briefly searched the forums, but I did not find a question that completely addressed my situation.

 

My company (HomeInc) wants to make a dashboard accessible to each of our external customers (Cust1 and Cust 2). I want to maintain a single Power BI Dashboard and use RLS to filter the data for Cust1 and Cust 2 such that Cust1 cannot see any Cust2 data and vice-versa. I do not currently know if we will share the dashboard link to the specific people for Cust1 or if we are expecting anyone within Cust1's organization to be able to access the dashboard.

 

The solution that makes sense to me is creating a role for Cust1 and adding people to it as I know the email addresses of Cust1 organization. Then, I would repeat this process for Cust2. This is what I have set up currently, but I have not tested it with actual people yet.

 

My concern is that this may not scale well. I do not know how many people will need access for each customer, and I anticipate having hundreds of customers in the future.

 

My question: is the best way to accomplish my goal setting up a role for each customer as I have? If not, could you point me to resources that would instruct me on how to configure the dashboard, semantic model, and workspace to accommodate all of the users for the external customers? 

Message 1 of 8
259 Views
7 REPLIES 7
v-saisrao-msft
Community Support
Community Support

Friday

Hi @BozPLR ,
I wanted to check if you had the opportunity to review the information provided by @ribisht17 @Poojara_D12 . Please feel free to contact us if you have any further questions. If the response has addressed your query, please accept it as a solution so other members can easily find it.
Thank you.

 

Message 6 of 8
177 Views
BozPLR
Frequent Visitor
In response to v-saisrao-msft

Friday

I have had trouble finding the tenant/viewer permissions, so I have not had a chance to fully test it out. Once I figure out how to get them to appear and test, I will accept a response as a solution. In the meantime, I have given both users kudos for their responses. 

Message 7 of 8
144 Views
0
v-saisrao-msft
Community Support
Community Support
In response to BozPLR

Monday

Hi @BozPLR,

Please check the below document for the permission:

Add B2B collaboration users - Microsoft Entra External ID | Microsoft Learn

If this post helps, then please consider Accept it as a solution to help the other members find it more quickly.

 

Thank you.

Message 8 of 8
67 Views
Poojara_D12
Super User
Super User

Thursday

Hi @BozPLR 

Your current approach—creating a separate RLS role for each customer and manually assigning users by email—may work for a small number of customers, but it becomes unsustainable and difficult to manage at scale as the number of customers and users grows. Instead, the best practice for this kind of multi-tenant scenario is to use dynamic RLS with a mapping table that ties each user’s email (User Principal Name) to their respective customer ID or group. This approach allows you to maintain a single role in your Power BI semantic model and apply RLS based on the logged-in user's identity, greatly simplifying management.

 

Here’s how to implement it:

 

Create a security table that includes two columns: one for user email (UPN) and one for the customer ID they belong to. For example, SecurityTable = { UserEmail: "user1@cust1.com", CustomerID: "Cust1" }.

 

Relate this table to your main data table (which should also have a CustomerID field) either directly or via a dimension table.

 

In the Power BI Model > Manage Roles, create a single role (e.g., CustomerAccess) and apply the DAX filter on the SecurityTable:

SecurityTable[UserEmail] = USERPRINCIPALNAME()

This ensures each user only sees data linked to their customer.

 

When you publish to the Power BI Service, you do not need to assign users to roles manually—Power BI automatically evaluates RLS based on who is logged in and what their UPN maps to in the table.

 

To share with external customers, you need to invite guest users into your tenant using Azure AD B2B (Business-to-Business), and assign them viewer permissions in the workspace or via Power BI Apps. Free users cannot view shared content unless the workspace is in Premium capacity.

 

This dynamic RLS setup is scalable, secure, and far easier to maintain than hardcoding roles per customer. It also accommodates future customers simply by updating the mapping table with new user-customer entries, without modifying the model itself.

 

Did I answer your question? Mark my post as a solution, this will help others!
If my response(s) assisted you in any way, don't forget to drop me a "Kudos"

Kind Regards,
Poojara - Proud to be a Super User
Data Analyst | MSBI Developer | Power BI Consultant
Consider Subscribing my YouTube for Beginners/Advance Concepts: https://youtube.com/@biconcepts?si=04iw9SYI2HN80HKS
Message 4 of 8
195 Views
BozPLR
Frequent Visitor
In response to Poojara_D12

Friday

Thank you for your response! I have had trouble finding the tenant/viewer permissions, so I have not had a chance to fully test it out. Once I figure out how to get them to appear and test, I will accept this as a solution. 

Message 5 of 8
144 Views
0
ribisht17
Community Champion
Community Champion

Thursday

hi @BozPLR 

 

Your current approach—creating individual roles for each customer—works but may become difficult to scale as your customer base grows. Instead, a dynamic Row-Level Security (RLS) approach would be more efficient.

Recommended Approach: Dynamic RLS

Instead of manually assigning roles, you can use user-based filtering by leveraging DAX functions like USERPRINCIPALNAME(). Here’s how:

1. Create a Customer Mapping Table

  • This table should contain User Email IDs and their corresponding Customer ID.
  • Example:
    | User Email | Customer ID |
    |------------|------------|
    | user1@cust1.com | Cust1 |
    | user2@cust2.com | Cust2 |

2. Define a DAX Filter for RLS

  • In Power BI Desktop, go to Manage Roles and apply a filter like:
    [Customer ID] = LOOKUPVALUE(CustomerMapping[Customer ID], CustomerMapping[User Email], USERPRINCIPALNAME())
  • This ensures that users only see data relevant to their Customer ID.

3. Publish & Assign Roles in Power BI Service

  • After publishing, assign all external users to a single role.
  • The DAX filter will dynamically restrict access based on their email.

Why This Works Better?

Scalability – No need to manually create roles for each customer.
Flexibility – Works even if new users join a customer’s organization.
Security – Ensures each user sees only their relevant data.

For more details, check out Microsoft’s official RLS guidance here and a practical implementation guide here

 

Regards,

Ritesh

Community Champion

Please mark the answer if helpful so that it can help others

Dance-Sing with Data Projects - YouTube

Message 2 of 8
210 Views
BozPLR
Frequent Visitor
In response to ribisht17

Friday

Thank you for your response! I have not had a chance to test yet, but I have given a kudos in the interim. 

Message 3 of 8
143 Views
0

Helpful resources

Announcements
June 2025 Power BI Update Carousel

Power BI Monthly Update - June 2025

Check out the June 2025 Power BI update to learn about new features.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All