Power BI: Security and Row-Level Security (RLS)

Authentication, authorization, and fine-grained data control in Power BI within the Microsoft Power Platform ecosystem.

Introduction to Power BI Security

Power BI is one of the core components of Microsoft Power Platform and plays a crucial role in data visualization and analytics. However, like any analytics platform, security is a critical aspect. Data protection, identity management, and access control are essential to ensure that information is displayed only to authorized users.

Power BI security is built across multiple layers: authentication (via Azure Active Directory), authorization (roles and permissions), and fine-grained data control using Row-Level Security (RLS). In enterprise environments, Power BI can also be integrated with Dataverse and Active Directory to achieve a consistent and centralized security model.

  • Authentication: OAuth 2.0 via Azure AD
  • Authorization: role and permission management on datasets and workspaces
  • RLS: user-based data filtering

Authentication and Access

The authentication process in Power BI uses the OAuth 2.0 protocol and relies on Azure Active Directory (AAD). Every user or application accessing datasets or Power BI APIs must be registered in AAD and authorized for service usage. The resource identifier (scope) used when requesting a token for the Power BI REST API is https://analysis.windows.net/powerbi/api.

For external applications, you can register an application in Azure AD and obtain an access token. This approach also supports X.509 certificate-based authentication instead of client secrets, which removes a shared secret from the application's configuration and raises the overall security level.
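The following Python example is added here to show the non-interactive flow just described; it is not code from the page or from Microsoft. It uses the MSAL library's ConfidentialClientApplication with a certificate credential, requests a token for the Power BI scope, and then calls the Power BI REST API. The tenant id, client id, certificate path and thumbprint are assumed inputs taken from your own app registration. One practical check is included: MSAL signals a failed token request by returning a dict containing "error" rather than by raising, so the code tests for "access_token" before using the result.

```python
"""Acquire a Power BI access token for a daemon (non-interactive) application
registered in Azure AD, authenticating with an X.509 certificate."""
import json
import urllib.request
from typing import Any, Mapping

# Resource identifier of the Power BI service. The ".default" suffix asks for
# the application permissions that were granted to the app registration.
POWER_BI_SCOPE = "https://analysis.windows.net/powerbi/api/.default"
POWER_BI_API = "https://api.powerbi.com/v1.0/myorg"


class TokenAcquisitionError(RuntimeError):
    """Raised when Azure AD refuses to issue a token."""


def build_confidential_client(tenant_id: str, client_id: str,
                              cert_pem_path: str, cert_thumbprint: str):
    """Create an MSAL confidential client that proves its identity with a
    certificate instead of a client secret. All four arguments are assumed
    values from your app registration; the PEM file holds the private key."""
    import msal  # imported lazily so the other helpers work without MSAL installed

    with open(cert_pem_path, "r", encoding="utf-8") as f:
        private_key = f.read()
    return msal.ConfidentialClientApplication(
        client_id,
        authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential={"private_key": private_key,
                           "thumbprint": cert_thumbprint},
    )


def acquire_power_bi_token(app: Any) -> str:
    """Run the OAuth 2.0 client-credentials flow for the Power BI scope.

    MSAL returns a dict with "error" / "error_description" on failure instead
    of raising, so a blind result["access_token"] would surface as a KeyError.
    """
    result: Mapping[str, Any] = app.acquire_token_for_client(scopes=[POWER_BI_SCOPE])
    if "access_token" not in result:
        raise TokenAcquisitionError(
            f"{result.get('error')}: {result.get('error_description')}")
    return result["access_token"]


def list_workspaces(token: str) -> list:
    """Call the Power BI REST API (network call) with the bearer token."""
    req = urllib.request.Request(
        f"{POWER_BI_API}/groups",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]


if __name__ == "__main__":
    # Placeholder values: replace with your own registration details.
    client = build_confidential_client("TENANT_ID", "CLIENT_ID",
                                       "/path/to/private-key.pem", "CERT_THUMBPRINT")
    for ws in list_workspaces(acquire_power_bi_token(client)):
        print(ws["id"], ws["name"])
```

Tokens issued this way carry application permissions, so keep the app registration's API permissions to the minimum the job needs and rotate the certificate on a schedule.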

Internal and External Authentication

  • Internal users: authenticated via Azure AD with MFA and Conditional Access.
  • External users: authenticated through Azure AD B2B or B2C, with restrictions defined by the tenant.
  • Service accounts: used for non-interactive access, with dedicated security policies and no MFA.

Learn more on Microsoft Learn - Azure Active Directory.

Authorization and Security Models

Power BI uses a role-based authorization system to control who can view, edit, or publish content. Permissions are managed at the workspace, dataset, report, and dashboard levels.

Types of Authorization

  • No authorization: all users see the same data, suitable for public reports.
  • Static authorization: datasets configured with credentials that restrict data in a pre-defined manner.
  • Row-Level Security (RLS): DAX-based roles and filters that limit data visibility per user.
  • Dataverse authorization: available with DirectQuery datasets, inheriting permissions from the Dataverse environment.

The Dataverse authorization model is particularly powerful because it allows Power BI to display only the data a user can already access in Dataverse, maintaining consistent permissions between Power Apps and Power BI.

Figure: Integration between Azure AD, Power BI, and Dataverse for security (Power BI security model showing Azure Active Directory, Power BI Service, and Dataverse / Dataset).

Row-Level Security (RLS)

Row-Level Security (RLS) is an advanced Power BI feature that allows you to restrict visible data per user based on filters defined using DAX expressions. It is particularly useful for organizations managing multi-region or multi-division data, where each role must see only its relevant records.

RLS Configuration Steps

  1. Open the dataset in Power BI Desktop.
  2. Go to Modeling → Manage Roles.
  3. Create a new role and define the DAX filter on the table to restrict. A static filter hard-codes the value, for example:
    [City] = "Seattle"
    A dynamic filter matches the signed-in user's UPN against an email column of a mapping table (column name [UserEmail] is an assumption):
    [UserEmail] = USERPRINCIPALNAME()
  4. Publish the dataset to the Power BI Service and assign users to the defined roles.

A practical example: the “Seattle” role filters all Account and Contact entities where the city field equals "Seattle".
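The Python below is an added illustration, not code from the page, that models how the Power BI Service evaluates the roles defined in the steps above. It simulates a static "Seattle" role ([City] = "Seattle") and a dynamic role that looks the signed-in user up in a mapping table ([UserEmail] = USERPRINCIPALNAME()); the table, mapping rows and user names are all constructed for the example. It also captures three behaviours a practitioner should keep in mind: a user in several roles sees the union of their filters, a user assigned to no role sees no rows, and workspace Admins, Members and Contributors are not filtered by RLS at all (only Viewers are).

```python
"""Simulate Power BI Row-Level Security role evaluation.
Sample data and user names are constructed for this example."""
from typing import Callable, Dict, List

Row = Dict[str, str]
RoleFilter = Callable[[Row, str], bool]  # (row, user principal name) -> visible?

# Constructed Account table with the City field the roles filter on.
ACCOUNTS: List[Row] = [
    {"Name": "Contoso", "City": "Seattle"},
    {"Name": "Fabrikam", "City": "Portland"},
    {"Name": "Northwind", "City": "Seattle"},
    {"Name": "Tailspin", "City": "Boise"},
]

# Constructed mapping table used by the dynamic role. In the dataset this is a
# table (assumed name: UserCity) related to Account on City.
USER_CITY: List[Row] = [
    {"UserEmail": "ana@example.com", "City": "Portland"},
    {"UserEmail": "bo@example.com", "City": "Boise"},
    {"UserEmail": "cy@example.com", "City": "Boise"},
]


def seattle_role(row: Row, upn: str) -> bool:
    """Static role 'Seattle'; DAX filter on Account:  [City] = "Seattle" """
    return row["City"] == "Seattle"


def my_city_role(row: Row, upn: str) -> bool:
    """Dynamic role 'MyCity'; DAX filter on UserCity:
    [UserEmail] = USERPRINCIPALNAME()  (propagates to Account via the relationship).
    UPN comparison is case-insensitive, as DAX string equality is."""
    allowed = {m["City"] for m in USER_CITY if m["UserEmail"].lower() == upn.lower()}
    return row["City"] in allowed


ROLES: Dict[str, RoleFilter] = {"Seattle": seattle_role, "MyCity": my_city_role}


def visible_rows(table: List[Row], role_members: Dict[str, List[str]],
                 upn: str, bypasses_rls: bool = False) -> List[Row]:
    """Return the rows `upn` can see.

    bypasses_rls=True models a workspace Admin/Member/Contributor, for whom
    RLS is not enforced. Viewers see the union of every role they belong to;
    a Viewer who belongs to no role sees nothing.
    """
    if bypasses_rls:
        return list(table)
    user_roles = [name for name, members in role_members.items()
                  if upn.lower() in (m.lower() for m in members)]
    return [row for row in table if any(ROLES[r](row, upn) for r in user_roles)]


if __name__ == "__main__":
    members = {"Seattle": ["cy@example.com"],
               "MyCity": ["ana@example.com", "cy@example.com"]}
    for user in ("cy@example.com", "ana@example.com", "bo@example.com"):
        print(user, [r["Name"] for r in visible_rows(ACCOUNTS, members, user)])
```

Because membership in the mapping table is not enough on its own (bo@example.com has a mapping row but no role and sees nothing), role assignment in the Service and the content of the mapping table both need to be reviewed when auditing who can see what; use "View as role" in Power BI Desktop to confirm each role before publishing.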

Refer to the official documentation on Power BI Security for more information.

RLS vs DirectQuery Security

  • RLS: defined in Power BI dataset, managed through DAX and user roles.
  • DirectQuery Security: inherits permissions from the underlying system (Dataverse, SQL, etc.).
  • Combination: you can apply additional RLS filters on DirectQuery datasets for custom filtering.

Frequently Asked Questions about Power BI and RLS

Who manages Row-Level Security roles in Power BI?

RLS roles are created by dataset owners in Power BI Desktop and managed within the Power BI Service. Only administrators or dataset owners can edit roles or assign users.

Can RLS be used with DirectQuery?

Yes, with some limitations. When using DirectQuery with Dataverse or SQL Server, you can apply the data source’s security and propagate user credentials for consistent control.

What is the difference between RLS and Dataverse security?

RLS is implemented at the Power BI dataset level using DAX, while Dataverse security is role- and record-level based. When using DirectQuery, Power BI can inherit Dataverse rules, maintaining consistency between systems.

Deepen Your Knowledge of Power Platform Security

Explore how Power BI, Dataverse, and Power Pages implement integrated security models for complex enterprise environments. Learn to combine RLS, DirectQuery, and Azure AD controls to ensure complete data protection.