Data Education & Training, PL-300, Power BI

Practice Questions: Configure Row-Level Security Group Membership (PL-300 Exam Prep)

 
This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections: 
Manage and secure Power BI (15–20%) 
    --> Secure and govern Power BI items 
        --> Configure row-level security group membership

Below are 10 practice questions (with answers and explanations) for this topic of the exam. 
There are also 2 practice tests for the PL-300 exam with 60 questions each (with answers) available on the hub.

Practice Questions

Question 1

Where are security groups assigned to RLS roles?

A. Power BI Desktop
B. Power BI Service
C. Microsoft Entra ID only
D. Power BI App settings

Correct Answer: B

Explanation:
RLS roles and filters are created in Power BI Desktop, but users and security groups are assigned to roles in the Power BI Service after the model is published.

Question 2

Which approach is considered a best practice for managing RLS membership at scale?

A. Assign individual users to each role
B. Create one role per user
C. Assign Microsoft Entra ID security groups to roles
D. Use workspace Admin access

Correct Answer: C

Explanation:
Using Entra ID security groups simplifies administration, supports scalability, and aligns with enterprise security standards.

Question 3

What happens when a user is added to an Entra ID security group that is already assigned to an RLS role?

A. The semantic model must be republished
B. The role must be recreated
C. The user automatically inherits the RLS permissions
D. The user must be manually added in Power BI

Correct Answer: C

Explanation:
Group-based RLS automatically applies to all members of the group without changes to the model or Power BI configuration.

Question 4

Which type of group is recommended for RLS role membership?

A. Distribution list
B. Microsoft 365 group
C. Entra ID security group
D. Power BI workspace group

Correct Answer: C

Explanation:
Entra ID security groups are designed for access control and are the preferred option for RLS scenarios.

Question 5

A user belongs to two security groups, each assigned to a different RLS role. How is access determined?

A. The most restrictive role applies
B. The first role applied alphabetically applies
C. Access is denied
D. The union of both roles applies

Correct Answer: D

Explanation:
Power BI applies the union of all RLS roles a user belongs to, allowing access to any data permitted by either role.

Question 6

Which action requires updating Microsoft Entra ID, not Power BI?

A. Modifying a DAX RLS filter
B. Creating a new RLS role
C. Adding a user to an RLS role via group membership
D. Testing RLS with View as

Correct Answer: C

Explanation:
User membership in security groups is managed in Entra ID, not in Power BI.

Question 7

Which statement about testing group-based RLS is correct?

A. Group membership can be fully tested in Power BI Desktop
B. Group membership is evaluated only in the Power BI Service
C. RLS does not apply to groups
D. Groups bypass dynamic RLS

Correct Answer: B

Explanation:
Power BI Desktop can test role logic, but actual group membership is evaluated only in the Power BI Service.

Question 8

Why is group-based RLS preferred over assigning individual users?

A. It improves report performance
B. It hides tables and columns
C. It reduces the need to update Power BI when users change roles
D. It removes the need for DAX filters

Correct Answer: C

Explanation:
Group-based RLS allows access changes to be managed centrally without modifying Power BI roles or republishing models.

Question 9

Which security concept is often confused with RLS group membership but serves a different purpose?

A. Build permission
B. Workspace roles
C. Object-Level Security
D. All of the above

Correct Answer: D

Explanation:
All listed options are different security mechanisms that control content access or structure, not row-level data visibility.

Question 10

What is the primary role of Power BI in a group-based RLS solution?

A. Managing group membership
B. Authenticating users
C. Enforcing data filters defined in RLS roles
D. Creating security groups

Correct Answer: C

Explanation:
Power BI enforces RLS filters at query time, while identity and group membership are managed externally in Entra ID.

Final PL-300 Exam Reminders

  • Use Entra ID security groups for RLS membership
  • Assign groups in the Power BI Service
  • RLS role logic lives in Power BI Desktop
  • Users see the union of all assigned roles
  • Group membership changes do not require republishing

Go back to the PL-300 Exam Prep Hub main page

Leave a comment