Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Don't miss out! 2025 Microsoft Fabric Community Conference, March 31 - April 2, Las Vegas, Nevada. Use code MSCUST for a $150 discount. Prices go up February 11th. Register now.

0
Seanan

Inconsistency between RLS 'Test Role' and logged in guest user's UPN

Submitted by Solution Supplier on ‎09-19-2024 06:03 AM

I have a Power BI report that uses Dynamic RLS to filter down the data based on a users UPN. This works perfectly fine for most users, however I noticed that when using the 'Test Role' functionality in the Power BI service under the security tab for the semantic model I was not able to see any data for guest users in the tenant.

After adding a card visual to the report with a measure containing USERPRINICPALNAME(), I noticed that when using the Test Role functionality it was displaying the guest users entire UPN (including the #EXT#OrgName.onmicrosoft.com but when I logged in as a guest user it was trimming the #EXT#OrgName.onmicrosoft.com from the UPN.

 

Could the Test Role functionality for guest users be updated to be consistent with what happens when you login as a guest user and view a report?

 

UPN when viewing with the Test Role functionality for a guest user

zXQCdQwT0w.png

 

 

 

 

 

 

 

 

 

UPN when viewing the report logged in as a guest user:

ALUrbCIvRC.png

Status: Delivered
See more ideas labeled with:
2 Comments (2 New)
Comments
Anonymous
Not applicable
‎09-20-2024 12:14 AM

Hi @Seanan 

You should notice that when you add a user to the RLS, if the added user does not belong to an organization, you need to add the account to the organization's AAD before you can add the account to the RLS. and when you add it, it's in the format of the email XX#EXT#OrgName.onmicrosoft. Then when you use the view as function , it shows XX#EXT#OrgName.onmicrosoft.
And when you use an external account to access the report, you will find that there is no way to open the report using the XX#EXT#OrgName.onmicrosoft account. You can only log in to PBI Service with an external account, not with your XX#EXT#OrgName.onmicrosoft to directly log in to PBI Service to access your report . Within the Power BI service, userprincipalname() will return the user's User Principal Name (UPN). 

So that's why using userprincipalname() shows different results in different places .

 

Best Regards,
Community Support Team _ Ailsa Tao

Seanan
Solution Supplier
Solution Supplier
‎09-20-2024 02:37 AM

Hi @Anonymous,

 

Thanks for the explanation, however what you mentioned is what I discovered when testing. Apologies if I'm maybe misunderstanding your response, but is there no way to make the view as functionality act the same as when you login with the external account?

 

My problem was that I am using a SQL table that has a list of IDs, Emails and User Roles to then filter down my main set of data with the RLS being [Email] = USERPRINCIPALNAME(). When testing the RLS with the 'Test Role' functionality in the Power BI Service it would return the guest user UPN as #EXT#OrgName.onmicrosoft.com which obviously would fail my RLS check because the Database email does not contain the #EXT#OrgName.onmicrosoft.com. Then when I login to my external user account and view the report it works fine because it does not contain #EXT#OrgName.onmicrosoft.com.

 

I hope this helps make clear the issue I was having.

This widget could not be displayed.
Idea Statuses