Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Power BI is turning 10! Let’s celebrate together with dataviz contests, interactive sessions, and giveaways. Register now.

Reply
Etsu0612
New Member

RLS for external B2C users

‎02-13-2025 06:22 AM

I have Power pages portal in which the power bi report is to be embedded which has RLS applied dynamically using USERPRINCIPALNAME(). Now, this portal will be accessed by 1000s of external users who are setup as B2C in our organisation AD. My current org is ITSolutions.com and the external users are setup in ITSolutions.onmicrosoft.com. Now, how do I apply RLS to those external users?

Labels:
Message 1 of 7
450 Views
0
1 ACCEPTED SOLUTION
v-ssriganesh
Community Support
Community Support

‎02-13-2025 10:36 PM

Hi @Etsu0612,
Thanks for posting your query in Microsoft fabric community forum.

Firstly, I would like to acknowledge @pallavi_r for the helpful response regarding guest users (Azure AD B2B) that is indeed a common approach for external user access in Power BI.

However, as you’ve clarified that your external users will remain in Azure AD B2C and won’t be added as guest users in your organization's directory, your setup requires a slightly different approach to ensure RLS (Row-Level Security) works effectively when embedding Power BI content in your Power Pages portal. Below are some considerations:

  • Since Azure AD B2C users authenticate through a separate identity provider, the behaviour of USERPRINCIPALNAME() may not align with standard Azure AD users.
  • Instead, for Power BI Embedded scenarios, it is common to use an embedding approach with an "App Owns Data" model.
  • You can generate an embed token for each external B2C user and pass their unique identifier (e.g., email, username, or a custom claim) using the Effective Identity property.
  • Your RLS filter logic should then match this identifier against your data model, often using USERNAME() or a custom claim instead of USERPRINCIPALNAME().

For detailed guidance, you can refer to these articles:


If this helps, then please Accept it as a solution and dropping a "Kudos" so other members can find it more easily. 
Thank you.

View solution in original post

Message 4 of 7
395 Views
6 REPLIES 6
v-ssriganesh
Community Support
Community Support

‎02-20-2025 10:02 AM

Hi @Etsu0612,
I wanted to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions. If my response has addressed your query, please accept it as a solution and give a 'Kudos' so other members can easily find it.
Thank you.

Message 7 of 7
313 Views
0
v-ssriganesh
Community Support
Community Support

‎02-16-2025 09:30 PM

Hi @Etsu0612,

May I ask if you have resolved this issue? If so, please mark the helpful reply and accept it as the solution. This will be helpful for other community members who have similar problems to solve it faster.

Thank you.

Message 6 of 7
365 Views
0
v-ssriganesh
Community Support
Community Support

‎02-13-2025 10:36 PM

Hi @Etsu0612,
Thanks for posting your query in Microsoft fabric community forum.

Firstly, I would like to acknowledge @pallavi_r for the helpful response regarding guest users (Azure AD B2B) that is indeed a common approach for external user access in Power BI.

However, as you’ve clarified that your external users will remain in Azure AD B2C and won’t be added as guest users in your organization's directory, your setup requires a slightly different approach to ensure RLS (Row-Level Security) works effectively when embedding Power BI content in your Power Pages portal. Below are some considerations:

  • Since Azure AD B2C users authenticate through a separate identity provider, the behaviour of USERPRINCIPALNAME() may not align with standard Azure AD users.
  • Instead, for Power BI Embedded scenarios, it is common to use an embedding approach with an "App Owns Data" model.
  • You can generate an embed token for each external B2C user and pass their unique identifier (e.g., email, username, or a custom claim) using the Effective Identity property.
  • Your RLS filter logic should then match this identifier against your data model, often using USERNAME() or a custom claim instead of USERPRINCIPALNAME().

For detailed guidance, you can refer to these articles:


If this helps, then please Accept it as a solution and dropping a "Kudos" so other members can find it more easily. 
Thank you.

Message 4 of 7
396 Views
v-ssriganesh
Community Support
Community Support
In response to v-ssriganesh

‎02-23-2025 05:45 AM

Hi @Etsu0612,
I hope this information is helpful. Please let me know if you have any further questions or if you'd like to discuss this further. If this answers your question, please Accept it as a solution and give it a 'Kudos' so others can find it easily.
Thank you.

Message 5 of 7
283 Views
0
pallavi_r
Super User
Super User

‎02-13-2025 10:40 AM

Hi @Etsu0612 

 

Yes, it can be done by adding guest user to azure active directory (MS Entra) and then send them an invite.

Detailed steps are provided in the link below:

https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-azure-ad-b2b

 

Thanks,

Pallavi

Message 2 of 7
425 Views
0
Etsu0612
New Member
In response to pallavi_r

‎02-13-2025 10:57 AM

Hi Pallavi, But the customer doesn't accept to add the external users as guest users in organisation's AD. Instead, they'll continue to be in B2C tenant.

Message 3 of 7
422 Views
0

Helpful resources

Announcements
June 2025 Power BI Update Carousel

Power BI Monthly Update - June 2025

Check out the June 2025 Power BI update to learn about new features.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All