archuleta28
Resolver I

Implement Dynamic RLS with Azure Security Group

Hi,

 

Please help me with your valuable knowledge on the issue I am working on: 


Background: 

I have a report for which I have applied page-level security (RLS), as this report was required to be distributed across different locations and a user must only see the pages he/she has been provided access to. So this requires page-level RLS implementation. Now, a user may also be changed from one location to another. 

 

Current Setup:

To implement page-level security, a workaround is implemented where the respective pages are duplicated as per location and set to hidden. All the pages are hidden except the one (landing page) where page navigation will be provided. The user will select a page and hit a button to navigate to the desired page. Now, to implement this RLS, a CSV is being manually maintained where individual entries for users are added as per the access request (the hectic part, as there are many entries). Let's say user A requires page 1 and page 2; then there will be 2 entries in this CSV, and likewise we are maintaining this table. This table contains the columns: report name, pagename, user, location. We have loaded this CSV in the report to set and manage roles. Navigation is also provided on top of this RLS table using the pagename column. In Manage Roles, I have added user = userprincipalname(). And in the Power BI service, I add users to the role.


Issue:

Now, I want to manage RLS using Azure Security groups to avoid/reduce manual work. For this, I have already created the required security groups and added users to the respective groups. In my RLS table, I have Dashboard Name, Pages Name, Group Name, Location. In the Power BI service, I would be adding the group name to the role. So please help me: how can I use these Security groups in RLS to make this work?
I am aware that - 

  • user = userprincipalname() will not work in this approach (I need to find the user in the group, which I don't know how to do)
  • Binding users with the group (can work by maintaining a separate table and providing a relationship, but I don't want to add more manual work here)

So please help me: how can I make this work with the least manual effort, by using an expression in "Manage Roles" that can directly find the user from the group provided, or any other approach if you have successfully implemented one?

 

I thank you in advance if you can help me, as I have spent days trying to make this work but nothing has worked for me so far.

 

1 ACCEPTED SOLUTION
v-karpurapud
Community Support

Hi @archuleta28 

Thank you for reaching out to the Microsoft Fabric Community Forum.
 

Power BI Row-Level Security (RLS) requires a defined relationship in your data model to filter data using Azure Active Directory (AAD) group memberships. Power BI cannot dynamically check group memberships within DAX at runtime.

As @rohit1991  mentioned, you can automate the extraction of user-to-group membership data from Azure AD with Microsoft Graph API or PowerShell scripts. Store this mapping in a refreshable source like a SharePoint List, Azure SQL Database, or a Dataflow in Microsoft Fabric to keep it updated as your organization changes.

The user-group mapping table should include at least UserPrincipalName and GroupName columns. You can join this table with your RLS permissions table on GroupName to build the necessary relationship. In Power BI Desktop, set up RLS by creating a DAX filter in Manage Roles, such as [UserPrincipalName] = USERPRINCIPALNAME(), on the mapping table.

With this setup, when a user accesses the report, RLS will filter the data to show only what is relevant to the security groups the user belongs to, based on the pre-loaded mapping.


I hope this information is helpful. If this does not help, please share more details so we can assist you further.

Regards,
Karpurapu D,
Microsoft Fabric Community Support Team.

5 REPLIES 5
v-karpurapud
Community Support

Hi @archuleta28 

We have not yet heard back from you about whether our response addressed your query. If it did not, please share more details so we can assist you more effectively.

 

Thank You.

 

v-karpurapud
Community Support

Hi @archuleta28 

We haven't received a response to our last message and wanted to follow up to see if you have found a solution. If you still need help, please share more details so we can assist you further.

Thank you.

v-karpurapud
Community Support

Hi @archuleta28 

I wanted to check if you’ve had a chance to review the information provided. If you have any further questions, please let us know. Has your issue been resolved? If not, please share more details so we can assist you further.

 
Thank You.

rohit1991
Super User

Hi @archuleta28 

 

To apply dynamic RLS with Azure Security Groups using minimal manual effort, create a table mapping each user email to their security group name. You can extract this from Azure AD using PowerShell or Graph API. Load the table into your model and connect it to your RLS table using group name. In the Manage Roles section, use USERPRINCIPALNAME without brackets to match the current user email with the mapping table. Since Power BI does not directly detect group membership, this method helps simulate it without hardcoding users or maintaining large CSVs.


Did it work? ✔ Give a Kudo • Mark as Solution – help others too!
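
One way to produce the user-to-group mapping table that both the accepted solution and the reply above describe, as an added example that is not code from either poster. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the read-only scopes shown; the group names and output path are placeholders.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups
# Added example: export UserPrincipalName/GroupName rows for the RLS mapping table.

# Placeholders: use the Group Name values from the RLS table and your own path.
$GroupNames = @('PBI-Report-LocationA', 'PBI-Report-LocationB')
$OutFile    = '.\UserGroupMapping.csv'

# Read-only delegated scopes; nothing here can change group membership.
Connect-MgGraph -Scopes 'GroupMember.Read.All', 'User.Read.All'

$rows = foreach ($name in $GroupNames) {
    $escaped = $name.Replace("'", "''")   # escape quotes for the OData filter
    $groups  = @(Get-MgGroup -Filter "displayName eq '$escaped'" -All |
                 Where-Object SecurityEnabled)

    if ($groups.Count -ne 1) {
        # displayName is not unique in the directory: do not guess which
        # group should grant access to report pages.
        Write-Warning "Expected one security group named '$name', found $($groups.Count); skipped."
        continue
    }

    # Transitive members, so users in nested groups are included.
    Get-MgGroupTransitiveMember -GroupId $groups[0].Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        ForEach-Object {
            [pscustomobject]@{
                UserPrincipalName = [string]$_.AdditionalProperties['userPrincipalName']
                GroupName         = $name
            }
        }
}

# Drop rows without a UPN and remove duplicates from overlapping nesting.
$rows = @($rows | Where-Object UserPrincipalName |
          Sort-Object UserPrincipalName, GroupName -Unique)

if ($rows.Count -eq 0) {
    throw 'No memberships resolved; existing mapping file left untouched.'
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Disconnect-MgGraph | Out-Null
```

Because membership is pre-loaded, a user removed from a group keeps seeing that group's pages until this export runs again and the dataset refreshes, so schedule both.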
