BipinLala26
Frequent Visitor

RLS for External guest users

We have a report with Dynamic RLS implemented, that is viewed by many people within the organization as well as outside. We have many AAD groups set up and the users have been added to the groups, and the report has been shared by giving access to the AAD groups.

We are getting the UPN for the users in the report using the MS Graph API. For External users, UPN is of the form Tim.Scott_domainName.com#EXT#@ourOrganization.onmicrosoft.com

Ques: What is the behavior of USERPRINCIPALNAME() in case of external users? Our investigation found that in case of internal users, it returns the UPN value, but in case of external users, it returns the mail address (without #EXT#@ourOrganization.onmicrosoft.com). Do we have this behavior clearly documented somewhere?

My Investigation: On checking, I found that in case of external users, USERPRINCIPALNAME() is returning the email address of the external user, i.e. Tim.Scott@domainName.com. I want to confirm if this is the case, since this case of external users is very poorly documented and I am unable to find a clear statement on this in Microsoft Docs.

Follow up ques: If my investigation is correct, can we use the Mail attribute of MS Graph API as UPN in case of external users? Has anybody done so?

1 ACCEPTED SOLUTION
v-cazheng-msft
Community Support

Hi @BipinLala26,

According to the official documents, USERPRINCIPALNAME() will return the UPN, which looks similar to an email address, at connection time. But they don’t have a clear statement about its format when accessing with external users.

Row-level security (RLS) with Power BI - Power BI | Microsoft Docs

USERPRINCIPALNAME function (DAX) - DAX | Microsoft Docs

However, with the following, you could notice that Power BI will return the email address of the external users. Distribute Power BI content to external guest users using Azure Active Directory B2B - Power BI | Mi...

For guest user Tim.Scott@domainName.com, only data that belongs to the rows fully matched with this value will be displayed for him. If there is a row whose value is Tim.Scott_domainName.com#EXT#@ourOrganization.onmicrosoft.com, it won’t be displayed for the user Tim.Scott@domainName.com, which is proved by test.

Therefore, if your MS Graph API returns the email address (Tim.Scott@domainName.com but not Tim.Scott_domainName.com#EXT#@ourOrganization.onmicrosoft.com) of the external user, then you could take it as UPN. Conversely, you couldn’t get your expected result.

If any post helps, then please consider accepting it as the solution to help the other members find it more quickly. If I misunderstand your needs or you still have problems with it, please let me know. Thanks a lot!

 

Best Regards,

Community Support Team _ Caiyun


4 REPLIES 4
This was a good conversation but we learned it the hard way:

Steps for External users to see Internal Dashboard:

1. Azure Admin sends the invitation to external users via Azure Active Directory (AAD).
2. Users accepted the invitation. So they are in the system.
3. This step helps them see the dashboard.
4. Now for RLS: Add them in the “Security” section RLS of Power BI Dataset in service as their EXT email, as that’s the only one coming from Active Directory.
5. On the BW side, add their actual email address rather than the EXT email.
6. When User logs in to the service, they log in as their actual email, hence step 5 helps on the RLS side.

Step 5 was crucial in our scenario.

Thanks.

On Step #5, what is BW?

GilbertQ
Super User

Hi @BipinLala26

You are correct that you need to use the email address Tim.Scott@domainName.com; this is how it has always been.

And you can then use the email attribute for external users. The reason that you see the UPN stored differently in AAD is that that is how it is stored for AAD, but under the hood it still resolves back to the mail attribute for the user.

This is not fully documented but that is how it works.





Did I answer your question? Mark my post as a solution!

Proud to be a Super User!
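
The mapping discussed in this thread, as an added example that is not code from any of the posters: it builds the identity column for a dynamic RLS table from Graph user records, using `mail` for guests and flagging guests that would otherwise silently match no rows. The sample records are constructed, the `userPrincipalName` and `mail` keys are the Graph user properties, and the rule for decoding a `#EXT#` UPN is an assumption based on the example UPN in the question.

```python
# Added example; SAMPLE_USERS is constructed data shaped like Graph user objects.
EXT_MARKER = "#EXT#"

def decode_guest_upn(upn):
    """Recover the home address encoded in a guest UPN, or None.

    Assumption taken from the thread's example: the '@' of the home address
    became '_', so the last '_' before '#EXT#' is read back as '@'.
    """
    encoded = upn.split(EXT_MARKER, 1)[0]
    name, sep, domain = encoded.rpartition("_")
    return f"{name}@{domain}" if sep and name and domain else None

def rls_identity(user):
    """Return (value for the RLS mapping table, warning or None)."""
    upn = user.get("userPrincipalName") or ""
    mail = user.get("mail")
    if EXT_MARKER not in upn:
        return upn, None                  # internal user: UPN is the identity
    if not mail:
        # Writing the #EXT# UPN would never match what the guest signs in as.
        return None, "guest has no mail attribute"
    decoded = decode_guest_upn(upn)
    if decoded is None or decoded.lower() != mail.lower():
        return mail, "mail differs from address encoded in UPN"
    return mail, None

def build_rls_table(users):
    """Split users into RLS identities and records needing manual review."""
    identities, review = [], []
    for user in users:
        identity, warning = rls_identity(user)
        if identity:
            identities.append(identity)
        if warning:
            review.append((user.get("userPrincipalName"), warning))
    return identities, review

TENANT = "ourOrganization.onmicrosoft.com"
SAMPLE_USERS = [
    {"userPrincipalName": f"alice@{TENANT}", "mail": "alice@ourorganization.example"},
    {"userPrincipalName": f"Tim.Scott_domainName.com#EXT#@{TENANT}", "mail": "Tim.Scott@domainName.com"},
    {"userPrincipalName": f"sam_lee_example.org#EXT#@{TENANT}", "mail": "sam_lee@example.org"},
    {"userPrincipalName": f"jo_example.org#EXT#@{TENANT}", "mail": None},
    {"userPrincipalName": f"old.name_example.org#EXT#@{TENANT}", "mail": "new.name@example.org"},
]

if __name__ == "__main__":
    print(build_rls_table(SAMPLE_USERS))
```

Records returned in the review list are the ones to check by hand before publishing the mapping table, since an RLS row that does not equal the signed-in identity shows that user no data.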
