Power BI – Which Groups can be used to set Permissions in Power BI
There are quite a few areas in Power BI where permissions can be assigned. Below is a list of which groups available in Power BI can be used for which permissions.
Explanation of Groups
- Security Group
  - This is also known as an Active Directory Security Group. This group lives within Active Directory and Azure Active Directory. A Security Group can contain users and other Security Groups as members.
  - The Security Group is created in Active Directory, Azure Active Directory or the Office 365 Admin Portal.
- Office 365 Group
  - This group lives inside Office 365 and allows you to add users/people to this group. It is also used to create a shared workspace for people to collaborate.
  - The Office 365 Group is created within the Office 365 Admin Portal or Azure Active Directory.
- Distribution Group
  - This group can also be called a Distribution List. The Distribution Group contains a list of members' email addresses, all of whom receive an email when one is sent to the distribution group's email address.
  - The Distribution Group can be created in Azure Active Directory.
- Mail-Enabled Security Group
  - This group also contains a list of email addresses of members and can also be used to control access to OneDrive and SharePoint.
  - The Mail-Enabled Security Group can be created in the Office 365 Admin Portal.
Below is an example from my tenant, where I had already created the following groups. I then went through all the areas where permissions could be added and tested which groups could be used.
Groups
- Security (AD Security Group):
  - BNE Office
- Office 365:
  - PBI@fourmoo.com
- Distribution:
  - pbidatarefreshfail@fourmoo.com
- Mail-enabled Security:
Settings Matrix
Below are the groups that can be applied to each area in Power BI.
UPDATE (2020-04-03): Added Dataset Refresh Failure Notifications
UPDATE (2020-04-02): Additional App Workspace Permissions
UPDATE (2020-04-01): Gateway Administrators and Power BI Premium
As you can see there are only a few places where the Office 365 Group can be used.
The Security Group and the Mail-Enabled Security Group can be used everywhere.
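An added example, not part of the original post: one way to check existing assignments against the statement above. It assumes a group export carrying the Microsoft Graph group properties `securityEnabled`, `mailEnabled` and `groupTypes`; the group names, the assignment list and the function names are constructed for illustration.

```python
# Added example: classify Microsoft Graph group objects into the four group
# types described in this post. All sample data below is constructed.

# The two types the post says can be used everywhere in Power BI.
USABLE_EVERYWHERE = {"Security Group", "Mail-Enabled Security Group"}

# Constructed sample shaped like a Graph "GET /groups" response, trimmed to the
# three properties that determine the type. Names are made up.
SAMPLE_GROUPS = [
    {"displayName": "sg-finance", "securityEnabled": True, "mailEnabled": False, "groupTypes": []},
    {"displayName": "m365-bi-team", "securityEnabled": False, "mailEnabled": True, "groupTypes": ["Unified"]},
    {"displayName": "dl-refresh-alerts", "securityEnabled": False, "mailEnabled": True, "groupTypes": []},
    {"displayName": "mesg-report-readers", "securityEnabled": True, "mailEnabled": True, "groupTypes": []},
]

# Constructed record of where each group is currently assigned in Power BI.
SAMPLE_ASSIGNMENTS = [
    ("Tenant Settings", "sg-finance"),
    ("Row-level security role", "m365-bi-team"),
    ("Dataset permissions", "dl-refresh-alerts"),
    ("App access", "mesg-report-readers"),
]

def classify(group):
    """Map a Graph group object to one of the post's four group types."""
    types = group.get("groupTypes") or []
    security = bool(group.get("securityEnabled"))
    mail = bool(group.get("mailEnabled"))
    if "Unified" in types:          # Microsoft 365 (Office 365) group
        return "Office 365 Group"
    if security and mail:
        return "Mail-Enabled Security Group"
    if security:
        return "Security Group"
    if mail:
        return "Distribution Group"
    return "Unknown"

def assignments_to_review(groups, assignments):
    """Return (area, group, type) for assignments that use a group type the
    post does not list as usable everywhere, so they can be checked by hand."""
    kinds = {g["displayName"]: classify(g) for g in groups}
    flagged = []
    for area, name in assignments:
        kind = kinds.get(name, "Unknown")   # group missing from the export
        if kind not in USABLE_EVERYWHERE:
            flagged.append((area, name, kind))
    return flagged

if __name__ == "__main__":
    for row in assignments_to_review(SAMPLE_GROUPS, SAMPLE_ASSIGNMENTS):
        print(row)
```

Flagged rows are not necessarily wrong; they are the assignments to verify against the matrix for that specific area.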
Summary
As you can see from above it is good to know which groups can be used to assign permissions in the Power BI Service.
If there is anything I have missed, is wrong or needs updating, please let me know via the comments section below.
Thanks for reading!
Additional Information (If you want to have a look)
In the section below are the actual screenshots from my testing to confirm which groups could be assigned the correct permissions.
Tenant Settings
From my understanding this can only use Security Groups and Mail-Enabled Security Groups
Hi Gilbert,
great post. We use the Mail-Enabled Security Group everywhere in Power BI. At least in the new workspaces.
For the few people amongst us that use Premium, you could maybe add the Capacity Settings in the Admin Portal.
Hi Nicky, thanks for the comment
I have updated the blog post with the Premium settings.
Great collection of info. Appreciate your efforts in pulling this together.
Thanks for the comment and happy to share!
Great blog-post, highly appreciated!
Two more places that could help complement your list:
– Contact of Report
– User to be informed about refresh error
Thanks for the kind words!
And thanks I have added that to the blog post.
[…] Unless you’re in a really small organization, I highly recommend mapping roles to groups rather than individual users, in order to minimize administration overhead as people come and go in your organization. In this context “group” means Active Directory security groups and Active Directory distribution groups (aka distribution lists), not O365 groups (sorry, “Microsoft 365 groups“). The difference between AAD security groups and O/M365 groups is explained by Microsoft here, with more details relevant to Power BI conveniently summarized by Gilbert Quevauvilliers here. […]
[…] Security is always a thing: Gilbert wrote a great summary article about Power BI / Groups and where they can be used to set permissions: https://www.fourmoo.com/2020/04/01/power-bi-which-groups-can-be-used-to-set-permissions-in-power-bi/ […]
Hi!
That’s a great post, thanks!
Do you know if it is also possible to use Security Groups from Azure AD? I cannot find a way to connect to my AAD domain.
Thanks,
M
Thanks for the kind words.
You would need to chat to your network admin to sync your On-Prem AD Security Group with your AAD
Here are more details: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad
As far as I can tell – when sharing a Dataset, only Security Groups work (including mail-enabled Security Groups).
Your matrix shows that Distribution lists can be used to share Dataset access – but that doesn’t seem to work in my experience. I followed the instructions here:
https://support.microsoft.com/en-us/office/distribution-groups-e8ba58a8-fab2-4aaf-8aa1-2a304052d2de#bkmk_create
But when I go to give that group Dataset access, it doesn’t come up as an option?
Hi there
I am not sure how you can share a dataset?
In my matrix the dataset was around the dataset permissions.
Sorry, what I meant was grant dataset permissions.
e.g. say – One is sharing a Report or App in a Workspace, that sources data from dataset(s) in a different workspace. In that scenario, one has to explicitly grant permission for the users to access the dataset.
To grant access to a dataset via groups, one can use Security Groups – or via the matrix, Distribution lists. That said, I’m not sure that the distribution lists created via Outlook, are the kind you were talking about?
I need a little help
e.g. say – One is sharing a Report or App in a Workspace, that sources data from dataset(s) in a different workspace. In that scenario, one has to explicitly grant permission for the users to access the dataset.
How can I give access to a Group (Azure AD security groups) to that dataset in a different Workspace, for the reports in two different workspaces?
Help
Hi Byte,
Thanks for the questions.
If I understand correctly you would need to put it into another app for this to work as expected.
Hi, you have nicely summarized what each group can be used for. However, note that the O365 distribution group (also known as list) cannot be added as Gateway administrator or data source user. I have tested this – please can you check.
You are indeed correct.
And I will update the post, thanks!
Hi, I am unable to grant App access using an AD distribution list, even though the same distribution list works to grant access to the workspace. Can App access only be done using an Azure distribution list? Any help is appreciated. Thank you.
Hi Judy,
It is working for me when I try and add permissions on an App.
Great list. One more item is Gateway connection users.
Doesn’t accept DL or AD Groups that are not email enabled.
Thanks Aaron, that is a great addition, I will add it to the list.
Hi Gilbert,
Could you consider updating to include “Teams” groups? It is sometimes unclear if Teams is creating an Office 365 Group. This is useful if the permission is linked to Team members.
Hi Daryl,
That is a good idea, let me see if I can get those details.
Thanks for the suggestion!
I tried using a dynamic distribution list to no avail. I’m guessing that a dynamic security group is the same. Have you had any luck with these two types of groups?
Hi David,
I am not exactly sure what you mean by dynamic distribution list, is this where it changes each day?
As far as I am aware it would have to be a standard AD Security group.
Great information, Gilbert, thank you. I am wondering which option you would recommend? My organisation’s security (we use Mimecast) blocks Power BI emails so the Distribution List has not worked for us. I am surprised that Power BI does not have a way of managing this within the Service for an admin.
Hi Josh, what happens if you try and use a Security Group with an email address would that work?
Hi Gilbert,
We came across another suggestion for your table. Could you add the Data Source Owner and Data Source User for Gateway Cloud Service? We are looking to use E-mail Enabled Security Groups vs standard Security groups instead of individual users. This allows us to manage access to the Data Source in an approval workflow (e.g. ServiceNow to Azure Active Directory).
Hi Daryl,
I have updated the post, thanks for letting me know.
Hi Gilbert,
I would expect Column-level security to need the same groups as Row-level security. Did you try it as well?
Hi Roman,
Yes you are correct, I guess when I say Row Level Security it is for both types of RLS.
Maybe you can add the subscriptions on a report or app, it’s another reason to use a mail-enabled security group.
I think it is worth adding who can manage the ownership of those groups.
Say, on-prem AD groups and Entra ID mail-enabled security groups can only be managed by the Network team so it would be extra work for them.
However, M365 groups can be managed by the assigned owners.
Hi Evan,
Yeah that is a good point, but in some organizations some users have different permissions so, as often, the answer is “It depends”.
What about sharing a paginated report which is a part of a regular PBI Report in an App? I know I need to grant access from the paginated report level itself but I can’t see the group I granted access to the whole app. Any ideas? So via the app I can grant access to a group called report@xyz but I can’t see this group when I want to grant access directly for a specific report. What type of groups should be created?
Hi Marcin,
What I typically do is to create a security group as this can be used everywhere and simplifies it to not try and have to figure out which group to use where.
According to our testing and Microsoft documentation here https://learn.microsoft.com/en-us/fabric/security/service-admin-row-level-security#add-members Office 365 groups are not supported as Members when assigning roles.
This is really useful. Do you know if you can share a Power BI report with a nested Entra ID group? My group does not appear in the list when I try to share it.
Hi Sarah,
I do not think it is possible.