I know there is an option where you have a possibility to make sure only tenant admins can enable sharing of a semantic model with another tenant: "Allow specific users to turn on external data sharing".
But once "External sharing" is enabled by the tenant admin on the semantic model, all admins and members of the workspace are able to add people to the "direct access" part, including external users. Is it possible that admins and members can only add internal users, and only tenant admins can add external users to "direct access"? Any workarounds?
Thanks in advance.
Hi @amien ,
Thanks for reaching out to the Microsoft fabric community forum.
Power BI doesn’t currently offer a way to limit Direct Access sharing with external users to only tenant admins. However, you can work around this using Azure AD and governance tools. In Azure AD, set “Who can invite guests” to “Only admins and guest inviters” under External Collaboration Settings. This helps prevent unauthorized external users from being added. You can also use Microsoft Purview or Defender for Cloud Apps to monitor and alert on external sharing, e.g., flag if someone other than a tenant admin shares a semantic model externally. To protect data, use Row-Level Security (RLS) with internal AAD groups so external users can't see data even if added. Finally, use naming conventions and Power BI Admin APIs for workspace governance and visibility. These combined steps offer a practical way to control and audit cross-tenant sharing.
If the response has addressed your query, please Accept it as a solution and give a 'Kudos' so other members can easily find it
Best Regards,
Sreeteja.
Community Support Team
Thanks for your answer. Problem is that every internal user can invite anybody on our EntraID.
I will look into Purview indeed. Regardless of the approach, you need to have something to audit.
Hi @amien ,
Thanks for reaching out to the Microsoft fabric community forum.
You're right, if your Entra ID setup allows all internal users to invite guests, then the Azure AD/Entra controls won't be effective unless tightened. In that case, auditing becomes essential.
Definitely look into Purview or Defender for Cloud Apps. With those, you can at least track who shared what with whom, and set up alerts or reports when external access is granted, even if you can't block it upfront. It won’t stop the sharing by itself, but it gives you the visibility and oversight needed to act quickly and tighten governance as needed. Let me know if you'd like help setting up those audit rules or alerts.
If the response has addressed your query, please Accept it as a solution and give a 'Kudos' so other members can easily find it
Best Regards,
Sreeteja.
Community Support Team
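The audit rule described in the replies above (flag a semantic model shared externally by anyone other than a tenant admin), as an added example that is not part of the original thread or any Microsoft tooling. The event shape and field names are modelled on Power BI activity-log exports and are assumptions, and the domains, admin list and sample events are constructed placeholders.

```python
import json

# Constructed sample events. Field names are modelled on Power BI activity-log
# exports and are assumptions; verify them against your own export.
EVENTS = json.loads("""[
 {"Activity": "ShareDataset", "UserId": "member1@contoso.example",
  "DatasetName": "Sales Model",
  "SharingInformation": [{"RecipientEmail": "partner@fabrikam.example"}]},
 {"Activity": "ShareDataset", "UserId": "admin@contoso.example",
  "DatasetName": "Sales Model",
  "SharingInformation": [{"RecipientEmail": "vendor@fabrikam.example"}]},
 {"Activity": "ShareDataset", "UserId": "member2@contoso.example",
  "DatasetName": "HR Model",
  "SharingInformation": [{"RecipientEmail": "colleague@contoso.example"},
   {"RecipientEmail": "guest_fabrikam.example#EXT#@contoso.onmicrosoft.com"}]},
 {"Activity": "ViewReport", "UserId": "member1@contoso.example"}
]""")

INTERNAL_DOMAINS = {"contoso.example", "contoso.onmicrosoft.com"}  # placeholder
TENANT_ADMINS = {"admin@contoso.example"}                          # placeholder
SHARE_ACTIVITIES = {"ShareDataset"}  # assumed activity name for model sharing


def is_external(address, internal_domains):
    """True for guest UPNs (#EXT#) and for any domain not on the allowlist."""
    addr = address.strip().lower()
    if "#ext#" in addr:          # Entra ID guest UPN lives in the home domain
        return True
    # No "@" leaves the whole string as the domain, so it fails closed.
    return addr.rpartition("@")[2] not in internal_domains


def unapproved_external_shares(events, internal_domains, tenant_admins):
    """Return shares to external recipients made by anyone but a tenant admin."""
    admins = {a.lower() for a in tenant_admins}
    findings = []
    for ev in events:
        actor = (ev.get("UserId") or "").lower()
        if ev.get("Activity") not in SHARE_ACTIVITIES or actor in admins:
            continue
        for info in ev.get("SharingInformation") or []:
            rcpt = info.get("RecipientEmail") or ""
            if rcpt and is_external(rcpt, internal_domains):
                findings.append((actor, ev.get("DatasetName"), rcpt))
    return findings


if __name__ == "__main__":
    for actor, model, rcpt in unapproved_external_shares(
            EVENTS, INTERNAL_DOMAINS, TENANT_ADMINS):
        print(f"ALERT: {actor} shared '{model}' with external {rcpt}")
```

The guest-UPN check matters because an invited guest's sign-in name sits under the home tenant's own domain, so a domain allowlist alone would treat that recipient as internal.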
Hi @amien Power BI does not allow restricting Direct Access to internal users while tenant admins manage external access. You can apply sensitivity labels to restrict sharing, enforce organizational policies, or monitor access with audits and scripts. Temporarily enable external sharing for admins to add users, then disable it to prevent further changes.
Is that possible?
1. Temp enable external sharing on the semantic model (done by the tenant admin)
2. Add an EntraID group (which contains external users) OR external user individually to Direct Access
3. Disable external sharing on the semantic model again. And after disabling it, external people that have already direct access are still able to use it
That would be great .. gonna test this right now 🙂
Tested .. that doesn't work. As soon as I disable external sharing, while direct access of the external account is still Read and Build, I don't see the semantic model in PowerBI Desktop/External data.
When I enable the External sharing again in the semantic model, it works again.