Dynamic RLS using Entra ID Security Groups not wor...

Pravanjan

Hello Team,

We are trying to implement Dynamic Row-Level Security (RLS) in Power BI using Entra ID (Azure AD) Security Groups and are facing a limitation.

Scenario

- We have a semantic model in Power BI Service with Dynamic RLS.

- RLS logic is based on DAX using:

USERPRINCIPALNAME()

which correctly returns the signed-in user's email / UPN.

- Our security table contains only Entra ID (Azure AD) Security Groups

- Users are members of these Entra ID Security Groups.

- The intention is to restrict data visibility based on the security groups a user belongs to.

Expected Behavior

Dynamic RLS should work based on Entra ID Security Group membership so that users see only the data they are authorized to view via group-based access.

Actual Behavior

- Dynamic RLS works only when individual user email IDs (UPN) are stored in the security table.

- When the security table contains only Entra ID (Azure AD) Security Groups, RLS does not work.

- DAX using USERPRINCIPALNAME() cannot be mapped to Entra ID (Azure AD) Security Groups.

Observations

- USERPRINCIPALNAME() only returns the user's email, not group information.

- There is no way in DAX to resolve Entra ID Security Group membership

- This makes it impossible to implement fully dynamic, group-based RLS directly in Power BI.

Questions

1. Is this behavior expected and by design in Power BI?

2. Are Entra ID Security Groups officially supported for Dynamic RLS evaluation?

3. Is there any supported way to evaluate Entra ID Security Group membership inside Power BI RLS?

4. If this is a known limitation, what is the recommended enterprise approach for group-based Dynamic RLS?

5. Is there any roadmap or future enhancement planned to support Dynamic RLS using Entra ID Security Groups directly?

This limitation impacts enterprise scalability and governance, as managing RLS using individual user email IDs is not feasible in large organizations where access is managed via security groups.

Any official clarification or guidance would be greatly appreciated.

Thank you.

tayloramy

Hi @Pravanjan,

I agree with @rohit1991 here. The best way to do this is to create your roles in your model, and then assign specific security groups to those roles in the report security settings once published.

Trying to decode group membership inside the report is asking for trouble.

If you found this helpful, consider giving some Kudos.
If I answered your question or solved your problem, mark this post as the solution!

Proud to be a Super User!

Natarajan_M

Hi @Pravanjan , Yes, this is by design. Power BI's USERPRINCIPALNAME() function returns only the signed-in user's email/UPN — it has no built-in capability to resolve Entra ID (Azure AD) Security Group memberships at query time. DAX has no Graph API access, so group membership cannot be evaluated dynamically inside RLS filters.
Entra ID Security Groups cannot be used directly in RLS role definitions for dynamic filtering.

You can make use of the Azure Ad connector in PBI to hit your domain and extract the ad group details (This will work locally but to make it work in service you need to set up the gateway) you need to get the user -> group mapping data

UserGroupMapping

fact table :

Relationship :

UserGroupMapping mapping to Fact (Many to Many UserGroupMapping table filters fact )

Crate a role :
Dynamie RLS and add the dax to filter

[AccessGroup] IN
CALCULATETABLE(
VALUES(UserGroupMapping[GroupName]),
UserGroupMapping[UserEmail] = USERPRINCIPALNAME()
)

Thanks

Jamuna15

Hi Nataraj,

For me, I created dashboard and published in powerbi workspace. I need to embeded in java application with SSO. How it possible. Do I need to register for token. Kindly provide steps to follow. How to handle single sign on and RLS.

Jamuna15

New

tayloramy

Hi @Jamuna15,

If you have a new question, I'd recommend you create a new post for it so that answer's don't get confusing. Trying to answer two different questions in the same thread will lead to confusion and no one will get answers.

If you found this helpful, consider giving some Kudos.
If I answered your question or solved your problem, mark this post as the solution!

Proud to be a Super User!

Natarajan_M

Is this a new query or in reference with the same query raised by @Pravanjan ?

rohit1991

Hii @Pravanjan

Power BI Dynamic RLS works with user identity (USERPRINCIPALNAME) and does not natively resolve Entra ID Security Group membership in DAX, so group-only tables won’t work directly. Entra groups are supported only for assigning roles in the service, not for dynamic evaluation inside the model. The recommended approach is to expand groups into user-level mappings (via ETL/API) and use that table for RLS; fully dynamic group-based RLS without this step is not currently supported.

Did it work? ✔ Give a Kudo • Mark as Solution – help others too!