Power BI User Security

Visit Website View Our Posts

Power BI continues to evolve with new features! As previously mentioned, Power BI can easily be integrated into your Dynamics CRM/365 org with the use of tiles. Recently, they have introduced a feature which allows you to display an entire Power BI Dashboard in your Dynamics 365 org. With these features, you may have concerns about user security. For instance, will my Dynamics 365 security roles limit what data users can see? To put it simply, the answer is “No”. But keep reading to find out how you can apply security!


Power BI User Security overview

Power BI is a tool that allows companies to display visuals of their data from multiple applications. For this reason, it would be difficult for the service to attempt to understand the underlying security structure behind each source. So how do you apply end user security? Like other applications, Power BI offers its own security features which you can easily apply to the entire dashboard and datasets. As previously mentioned, you can select which users to share your Dashboards to. Most noteworthy, it offers a feature called Row Level Security, or “RLS”, which can be applied to each dataset.


Row Level Security

At a high level, RLS involves a two-step process:

1. Your power user or admin can manage roles within the Power BI Desktop app to apply to your tables. Not seeing this feature? Make sure you have downloaded the latest version of the Power BI Desktop.


power bi



In this example, I’ve created two roles and applied a DAX expression to each. The DAX expression is used to filter data for each role. Your power user or admin can then apply each role to your Tables.



The SalesRep role simply filters data based on Record Owner of the source data = the logged in Power BI user:


power bi user security



The SalesManager role filters data based on Record Owner’s Manager = the logged in Power BI user:


power bi user security



2. Once the report is published to the Power BI Service, your power user or admin can apply the roles for each dataset.



Select the dataset -> Security:


power bi user security


Add users to each role:


power bi user security



When sharing a Dashboard that utilizes RLS behind it’s datasets, the end users will see only what their Power BI role allows. This works whether the Power BI user is viewing the Dashboard from within Power BI or within an external application, such as Dynamics 365.


For more information on RLS, check out this blog on Power BI’s site.


Beringer Technology Group, a leading Microsoft Gold Certified Partner specializing in Microsoft Dynamics 365 and CRM for Distribution. We also provide expert Managed IT Services, Backup and Disaster Recovery, Cloud Based Computing and Unified Communication Systems.

4 thoughts on “Power BI User Security”

  1. Hello,
    Thanks for a detailed article. However have query related to this working inside Dynamics 365.
    Ideally Both application sits under same tenant and same O365 boundary hence the RLS should work.
    But, When I do this in a POC, It fails inside CRM
    1. I have a very basic Report which lists all leads and Their Owners
    2. I have a Role Defined with formula as: [internalemailaddress] = USERPRINCIPALNAME() on SystemUsers Table.
    3. Testing this on Desktop works
    4. Publish and Add Users to the Role
    5. Use PowerBI Dashboard Option inside Dynamics 365 to show this dashboard inside Dynamics CRM
    6. Login via One of the Users which has this PowerBI Role
    7. All The Rows are shown and No Filtering Occurs.

    Please Suggest If I am doing something Wrong.

  2. Hi,

    Thank you for this useful post.
    I have 2 questions about it:
    1/ Why don't you just apply it on the "SystemUser" table? (or why you apply it on each table "Lead" , "Opportunities", "SYstemUsers")?
    2/ In the Power BI Service, you add a group of member for each role, is it an AD Group ? (is it the same group of user in Dynamics 365?)


    1. You’re welcome, glad it has helped. To answer your questions:
      1. This seems to be a requirement of the service as of today, where security needs to be applied at each table. However, you can accomplish dynamic security with relational tables by using the following Preview Feature: https://powerbi.microsoft.com/en-us/documentation/powerbi-desktop-bidirectional-filtering/ This preview feature is subject to change.
      2. Yes, the members are part of our AD and each member has a license to Power BI as well as a license to D365.

      1. Hi,

        Thanks for your reply.
        For the security part : I applied the role only on the SystemsUser table (the one that contains "user domaine name" & "parent system user domaine name"). And these 2 filters will propagate to all the tables in your model.

        I have one more question concern the security:
        In our CRM, we have different hierarchy of role ( manager business unit > manager territory > rep ). How can you handle that with the RLS ?

        Thanks again,
        Dung Anh

Comments are closed.

Show Buttons
Hide Buttons