Brunner_BI

Getting all user and security group access permissions across a Fabric Tenant

With Microsoft Fabric, access rights are getting more and more complex. Power BI itself already offers a wide range of item- and workspace-level access, but Fabric adds a ton of further items on top.


In this blog post, we will show how you can:

- See who has access to most Fabric items in your tenant
- Find out who has access to which workspaces (Fabric/Premium, Pro, PPU and Personal ones)
- Get a list of all access a user or security (Entra) group has


Which options do we have to get this?

For workspaces, in the admin portal, we can get this one workspace at a time. This is a very manual process though.


Finding the user and security group access to each workspace in the admin portal.
User and security group access list for one workspace.

If we want to automate this, we can use the PostWorkspaceInfo API call to get it for one workspace (this does not include Personal workspaces though).

We can also include the getArtifactUsers URI Parameter to include item-level permissions. We still need to do some coding here and loop through all workspaces.
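
The flattening step that follows such a scan, as an added example (not code from the original post): it turns a result obtained with getArtifactUsers into one row per principal and scope, then groups the rows by user or group. The sample JSON is constructed, and the field names (`identifier`, `principalType`, the `...UserAccessRight` fields) are assumptions based on the scanner API's documented response shape.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a scan result; not real tenant data.
# Field names are assumed from the scanner API's documented response.
SAMPLE_SCAN_RESULT = json.loads("""
{"workspaces": [{"id": "ws-1", "name": "Finance", "type": "Workspace",
  "users": [
    {"identifier": "anna@contoso.example", "principalType": "User",
     "groupUserAccessRight": "Admin"},
    {"identifier": "BI-Readers", "principalType": "Group",
     "groupUserAccessRight": "Viewer"}],
  "reports": [{"id": "r-1", "name": "Budget", "users": [
    {"identifier": "ben@contoso.example", "principalType": "User",
     "reportUserAccessRight": "Read"}]}],
  "datasets": [{"id": "d-1", "name": "Budget model", "users": [
    {"identifier": "ben@contoso.example", "principalType": "User",
     "datasetUserAccessRight": "ReadExplore"}]}]}]}
""")

def access_right(user):
    """Value of the '<scope>UserAccessRight' field of a user entry, or None."""
    return next((v for k, v in user.items() if k.endswith("UserAccessRight")), None)

def flatten_access(scan_result):
    """One row per grant: workspace roles, then item-level permissions."""
    rows = []
    for ws in scan_result.get("workspaces", []):
        # Treat the workspace itself as one more scope next to its items.
        scopes = [("workspace", ws)]
        for key, value in ws.items():
            if key != "users" and isinstance(value, list):
                scopes += [(key, i) for i in value if isinstance(i, dict)]
        for item_type, item in scopes:
            for user in item.get("users", []):
                rows.append({
                    "principal": user.get("identifier"),
                    "principalType": user.get("principalType"),
                    "workspace": ws.get("name"),
                    "itemType": item_type,
                    "item": item.get("name") or item.get("displayName"),
                    "right": access_right(user)})
    return rows

def access_by_principal(rows):
    """Group rows so each user or group maps to everything it can reach."""
    grouped = defaultdict(list)
    for r in rows:
        grouped[r["principal"]].append(
            (r["workspace"], r["itemType"], r["item"], r["right"]))
    return dict(grouped)
```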


We can also take advantage of paid tools to get everything done without coding a single line. With Measure Killer, we can get all access rights quickly and in a nicely formatted way. It even reaches into Personal workspaces, which is not possible with the solution mentioned above.


To start, open Measure Killer and select the "Tenant Analysis" mode:


Selecting "Tenant Analysis" mode in Measure Killer's starting window.

After authentication, you can set some filters, which are very useful in larger tenants. Select the ones that fit your needs and click on "next". The Access tab is the relevant one in our case, so make sure it is checked.

Filters selection for "Tenant Analysis".

When MK finishes the analysis, click on "Access":


"Access" tab in the "Tenant Analysis" mode. To get the access information, select one of the views in the dropdown.
Access tab in Measure Killer "Tenant Analysis"

Now we can select different views, each one displaying access from a different perspective.


As a limitation, Measure Killer can't obtain the members of a security group, since this is part of Microsoft Entra and cannot be queried from within Power BI. You can get the full picture by joining the members of a security group with the Measure Killer output (see export options at the bottom of this post).


User/group level access


In the "User level" view, all the Fabric items supported by Measure Killer that a user or security group has access to are shown:

"Users level" view in the "Access" tab in "Tenant Analysis".
User/Group access in Measure Killer "Tenant Analysis"

Workspace-level access

"Workspaces" view in the "Access" tab in "Tenant Analysis".
Workspace-level access in Measure Killer "Tenant Analysis"

Item-level access


All other options relate to different Fabric items, showing us who has direct or indirect (via the workspace) access to an item, including the type of access right.


"Semantic models" view in the "Access" tab in "Tenant Analysis".
Semantic model access in Measure Killer "Tenant Analysis"

Now let us look at something more advanced: I want to see who has been given access to a report in someone's personal workspace.


The tool highlights all users that were granted access to a Power BI report in somebody else's personal workspace.

Sharing from personal workspaces, highlighted as a potential governance issue

This is very interesting information, since this "Shadow BI", or whatever you want to call it, can really get out of hand. Admins have very little knowledge about what is going on in personal workspaces.


We can also do other searches like who was granted "build" (ReadExplore is the technical definition) access to a semantic model.


Exports


Every view provides the option to do a custom search or to export to JSON or Excel. After exporting, the Excel file can be further explored to get more insights.


Power Query exploration of the exported data from the "Users level" tab.
Loading an export from the user-level tab back into Power Query in Excel
Power Query result sheet.
Power Query result table

We can also export all access via a large .json file to do some further analysis or to share it with a colleague.
