Tag: PL-300 Exam Hub

Analytics, Business Intelligence, Data Education & Training, Microsoft Certification, PL-300, Power BI January 17, 2026January 17, 2026

Exam Prep Hub for PL-300: Microsoft Power BI Data Analyst

Welcome to the one-stop hub with information for preparing for the PL-300: Microsoft Power BI Data Analyst certification exam. Upon successful completion of the exam, you earn the Microsoft Certified: Power BI Data Analyst Associate certification.

This hub provides information directly here (topic-by-topic), links to a number of external resources, tips for preparing for the exam, practice tests, and section questions to help you prepare. Bookmark this page and use it as a guide to ensure that you are fully covering all relevant topics for the PL-300 exam and making use of as many of the resources available as possible.

Skills tested at a glance (as specified in the official study guide)

Prepare the data (25–30%)
Model the data (25–30%)
Visualize and analyze the data (25–30%)
Manage and secure Power BI (15–20%)

Click on each hyperlinked topic below to go to the preparation content and practice questions for that topic. And there are also 2 practice exams provided below.

Prepare the data (25–30%)

Get or connect to data

Profile and clean the data

Transform and load the data

Model the data (25–30%)

Design and implement a data model

Create model calculations by using DAX

Optimize model performance

Visualize and analyze the data (25–30%)

Create reports

Enhance reports for usability and storytelling

Identify patterns and trends

Manage and secure Power BI (15–20%)

Create and manage workspaces and assets

Secure and govern Power BI items

Practice Exams

We have provided 2 practice exams (with answer keys) to help you prepare:

Important PL-300 Resources

Link to the free, comprehensive, self-paced course on Microsoft Learn – Design and manage analytics solutions using Power BI
It contains 5 Learning Paths, each with multiple Modules, and each module has multiple Units. It will take some time to do it, but we recommend that you complete this entire course, including the exercises/labs.
Link to the certification page: Microsoft Certified: Power BI Data Analyst Associate certification page
Link to the study guide: Study guide for Exam PL-300: Microsoft Power BI Data Analyst

YouTube videos you will find useful:

Reddit Power BI Thread
Datacamp’s Data Analyst in Power BI track (this is a paid service)

To Do’s:

Schedule time to learn, study, perform labs, and do practice exams and questions
Schedule the exam based on when you think you will be ready; scheduling the exam gives you a target and drives you to keep working on it; but keep in mind that it can be rescheduled based on the rules of the provider.
Use the various resources above and below to learn
Take the free Microsoft Learn practice test, any other available practice tests, and do the practice questions in each section and the two practice tests available on this hub.

Good luck to you passing the PL-300: Microsoft Power BI Data Analyst certification exam and earning the Microsoft Certified: Power BI Data Analyst Associate certification!

Business Intelligence, Data Governance, Data Security, Microsoft Certification, PL-300, Power BI January 17, 2026

Practice Questions: Apply Sensitivity Labels (PL-300 Exam Prep)

This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections: 
Manage and secure Power BI (15–20%) 
    --> Secure and govern Power BI items 
        --> Apply sensitivity labels

Below are 10 practice questions (with answers and explanations) for this topic of the exam. 
There are also 2 practice tests for the PL-300 exam with 60 questions each (with answers) available on the hub.

Practice Questions

Question 1

What is the primary purpose of sensitivity labels in Power BI?

A. To restrict which rows of data users can see
B. To control workspace access
C. To classify and protect sensitive data
D. To improve report performance

Correct Answer: C

Explanation:
Sensitivity labels are used to classify data based on sensitivity and enable protection and governance—not to control access or filter data.

Question 2

Where are sensitivity labels created and managed?

A. Power BI Desktop
B. Power BI Service
C. Microsoft Purview (Microsoft 365 compliance portal)
D. Microsoft Entra ID

Correct Answer: C

Explanation:
Sensitivity labels are centrally defined and managed in Microsoft Purview. Power BI only consumes and applies them.

Question 3

Which Power BI items can have sensitivity labels applied? (Select all that apply)

A. Semantic models
B. Reports
C. Dashboards
D. Measures

Correct Answer: A, B, C

Explanation:
Labels can be applied to semantic models, reports, and dashboards, but not to individual measures or columns.

Question 4

What happens when a report is created using a labeled semantic model?

A. The report ignores the label
B. The report automatically inherits the label
C. The report applies Row-Level Security
D. The report requires Admin approval

Correct Answer: B

Explanation:
Sensitivity labels inherit and propagate to downstream content such as reports.

Question 5

Which statement about sensitivity labels is true?

A. Sensitivity labels filter data at query time
B. Sensitivity labels replace Row-Level Security
C. Sensitivity labels classify content but do not restrict row visibility
D. Sensitivity labels control workspace membership

Correct Answer: C

Explanation:
Sensitivity labels classify data and support protection but do not filter rows or control access.

Question 6

A user exports data from a labeled Power BI report to Excel. What is the expected behavior?

A. The label is removed
B. The label remains and is applied to the Excel file
C. Export is blocked automatically
D. RLS is disabled

Correct Answer: B

Explanation:
Sensitivity labels propagate to exported files, helping protect data outside Power BI.

Question 7

Which scenario best demonstrates the value of sensitivity labels?

A. Limiting data visibility by region
B. Preventing users from editing reports
C. Ensuring confidential data remains protected when shared or exported
D. Reducing dataset refresh times

Correct Answer: C

Explanation:
Sensitivity labels help protect data beyond Power BI by enforcing classification and downstream protections.

Question 8

Which Power BI security feature should be used instead of sensitivity labels to restrict rows of data?

A. Workspace roles
B. Object-Level Security
C. Row-Level Security
D. Build permission

Correct Answer: C

Explanation:
Row-Level Security (RLS) restricts which rows users can see. Sensitivity labels do not.

Question 9

Where can sensitivity labels be applied by a user?

A. Only in Power BI Desktop
B. Only in the Power BI Service
C. In both Power BI Desktop and Power BI Service
D. Only by Power BI Admins

Correct Answer: C

Explanation:
Sensitivity labels can be applied or updated in both Desktop and the Service, depending on permissions.

Question 10

Which statement best describes how sensitivity labels fit into Power BI security?

A. They replace workspace roles and RLS
B. They are optional and unrelated to governance
C. They complement other security features by supporting data classification
D. They are only used for auditing

Correct Answer: C

Explanation:
Sensitivity labels are part of a layered security and governance approach, complementing permissions, RLS, and workspace roles.

Final PL-300 Exam Reminders

Sensitivity labels are about classification and protection, not access control
Labels are created in Microsoft Purview, applied in Power BI
Labels propagate to reports and exported files
Labels work alongside RLS and permissions—not instead of them

Go back to the PL-300 Exam Prep Hub main page

Business Intelligence, Data Governance, Data Security, Microsoft Certification, PL-300, Power BI January 17, 2026

Apply Sensitivity Labels (PL-300 Exam Prep)

This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections:
Manage and secure Power BI (15–20%)
   --> Secure and govern Power BI items
      --> Apply sensitivity labels

Note that there are 10 practice questions (with answers and explanations) for each topic of the exam.
There are also 2 practice tests for the PL-300 exam with 60 questions each (with answers) available on the hub.

Overview

Applying sensitivity labels is an important governance capability within Power BI and a tested topic in the “Manage and secure Power BI (15–20%)” domain of the PL-300: Microsoft Power BI Data Analyst certification exam. Sensitivity labels help organizations classify, protect, and control the handling of data across Power BI content and the broader Microsoft ecosystem.

For the exam, you should understand what sensitivity labels are, where they come from, how and where they are applied, what they do (and do not) enforce, and how they support data governance and compliance.

What Are Sensitivity Labels?

Sensitivity labels are metadata tags used to classify data based on its level of sensitivity, such as:

Public
Internal
Confidential
Highly Confidential

They are part of Microsoft Purview Information Protection (formerly Microsoft Information Protection) and are used consistently across Microsoft services, including:

Power BI
Microsoft Excel, Word, and PowerPoint
SharePoint and OneDrive

Key Concept: Sensitivity labels are about data classification and protection, not row-level filtering.

Purpose of Sensitivity Labels in Power BI

Sensitivity labels help organizations:

Identify sensitive or regulated data
Apply consistent data classification standards
Enforce downstream protections (e.g., encryption, restrictions)
Improve visibility and compliance reporting
Reduce the risk of data leakage

From an exam perspective, labels support governance, not access control.

Where Sensitivity Labels Come From

Sensitivity labels are:

Defined centrally in Microsoft Purview (via the Microsoft 365 compliance portal)
Created and managed by security or compliance administrators
Made available to Power BI through tenant settings

Power BI does not create labels—it only consumes and applies them.

Power BI Items That Can Be Labeled

Sensitivity labels can be applied to:

Semantic models
Reports
Dashboards
Dataflows
Excel files connected to Power BI datasets

Exam Tip: Labels are applied to items, not to individual columns or rows.

How Sensitivity Labels Are Applied

Manual Application

Users can manually apply sensitivity labels:

In Power BI Desktop
In the Power BI Service

Typically:

A label dropdown is available
Users select the appropriate classification
The label is saved as metadata on the item

Automatic / Default Labeling (Awareness Level)

Organizations may configure:

Default labels for new content
Mandatory labeling, requiring a label before saving or publishing

These configurations are handled outside Power BI but affect user behavior inside it.

Inheritance and Propagation

Sensitivity labels can inherit and propagate across Power BI content.

Examples:

A report inherits the label from its semantic model
Exported data (e.g., to Excel) retains the sensitivity label
Downstream files carry the classification

Exam Focus: Labels help maintain data classification beyond Power BI.

What Sensitivity Labels Do NOT Do

This distinction is frequently tested.

Sensitivity labels:

❌ Do not filter rows (that’s RLS)
❌ Do not control who can open reports
❌ Do not replace workspace roles or permissions

Sensitivity labels:

✅ Classify content
✅ Enable downstream protection
✅ Support compliance and governance

Sensitivity Labels vs Other Security Features

Feature	Purpose
Workspace roles	Control who can access content
RLS	Restrict which rows users can see
Object-Level Security	Hide tables or columns
Sensitivity labels	Classify and protect data

PL-300 Focus: Understand how sensitivity labels complement, not replace, other security features.

Enforcement and Protection (Conceptual Awareness)

Depending on configuration, sensitivity labels may enforce:

Encryption of exported files
Restrictions on sharing
Watermarking or headers in documents
Limited access outside the organization

In Power BI, enforcement is typically indirect, affecting data after it leaves the service.

Applying Labels in Power BI Desktop vs Service

Power BI Desktop

Labels can be applied during report or model development
Labels are published with the content

Power BI Service

Labels can be applied or updated after publishing
Admins may enforce labeling policies

Governance Best Practices

Use sensitivity labels consistently across content
Align labels with organizational data policies
Apply labels at the semantic model level where possible
Educate users on correct label usage
Combine labels with RLS and permissions for layered security

Common Exam Scenarios

You may be asked to determine:

How to classify confidential data in Power BI
What happens when data is exported from a labeled report
Whether labels restrict user access
Which feature supports data classification and compliance

Key Takeaways for the PL-300 Exam

Sensitivity labels classify data by sensitivity level
Labels are created in Microsoft Purview, not Power BI
Power BI supports applying labels to multiple item types
Labels propagate to downstream content
Sensitivity labels support governance, not row-level filtering
Labels complement RLS, permissions, and workspace roles

Practice Questions

Go to the Practice Questions for this topic.

BI Administration, Data Security, Microsoft Certification, PL-300, Power BI January 17, 2026

Configure Row-Level Security Group Membership (PL-300 Exam Prep)

This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections:
Manage and secure Power BI (15–20%)
   --> Secure and govern Power BI items
      --> Configure Row-Level Security Group Membership

Note that there are 10 practice questions (with answers and explanations) at the end of each topic. Also, there are 2 practice tests with 60 questions each available on the hub below all the exam topics.

Overview

Configuring Row-Level Security (RLS) group membership is a key governance and scalability topic within the “Manage and secure Power BI (15–20%)” domain of the PL-300: Microsoft Power BI Data Analyst certification exam. This topic builds on basic RLS concepts and focuses on how users are assigned to RLS roles, with an emphasis on using Microsoft Entra ID (Azure AD) security groups instead of individual users.

For the exam, you should understand where RLS roles are defined, where group membership is configured, how group-based RLS behaves, and why it is considered a best practice.

What Is RLS Group Membership?

RLS group membership refers to assigning security groups (rather than individual users) to Row-Level Security roles in a Power BI semantic model. Any user who is a member of the group automatically inherits the data access defined by the role.

This approach:

Improves scalability
Simplifies administration
Aligns with enterprise security standards
Reduces ongoing maintenance

Exam Focus: The PL-300 exam strongly favors group-based RLS as the recommended approach.

Where RLS Group Membership Is Configured

Understanding where actions occur is frequently tested.

Power BI Desktop

Create RLS roles
Define DAX filter expressions
No users or groups are assigned here

Power BI Service

Assign users or security groups to RLS roles
Manage role membership after publishing

Key Distinction:

Roles and filters → Desktop

Users and groups → Service

Why Use Security Groups for RLS?

Benefits of Group-Based RLS

Centralized identity management
Groups are managed in Microsoft Entra ID, not Power BI.
Automatic access updates
Adding or removing users from a group instantly updates data access.
Reduced administrative effort
No need to modify RLS settings when staff changes.
Auditability and compliance
Easier to review who has access and why.

Exam Tip: If a question asks for the most scalable or best practice approach, choose security groups.

Types of Groups Used in RLS

Supported Group Types

Microsoft Entra ID security groups (recommended)
Mail-enabled security groups

Not Recommended / Not Supported

Distribution lists (not ideal for security)
Microsoft 365 groups (not designed for RLS scenarios)

PL-300 Expectation: Know that security groups are the preferred option for RLS role membership.

Assigning Groups to RLS Roles

Step-by-Step (Power BI Service)

Publish the semantic model from Power BI Desktop
In the Power BI Service, open the semantic model
Select Security
Choose an RLS role
Add one or more security groups
Save changes

Once assigned, all group members inherit the role’s data filters.

Group Membership and Dynamic RLS

Group membership is often combined with dynamic RLS for maximum flexibility.

Common Pattern

RLS role contains a dynamic filter using USERPRINCIPALNAME()
A mapping table links users to business entities (e.g., region, department)
A security group controls who is subject to that role

This pattern:

Minimizes the number of roles
Supports large organizations
Separates identity management from data logic

How Group-Based RLS Is Evaluated

When a user opens a report:

Power BI identifies the user’s Entra ID group memberships
The user is matched to assigned RLS roles
The union of all applicable role filters is applied
Only authorized rows are returned

Important Exam Concept:
Users in multiple roles see the combined (union) of allowed data—not the most restrictive set.

Testing Group-Based RLS

In Power BI Desktop

Use View as
Test role logic only (group membership is not evaluated here)

In Power BI Service

Use View as role
Or test by signing in as a user who belongs to the group

Exam Awareness: Group membership itself cannot be fully tested in Desktop—only in the Service.

Common Pitfalls (Exam-Relevant)

Assigning individual users instead of groups
Expecting RLS to apply before publishing
Forgetting that group membership changes happen outside Power BI
Confusing workspace roles with RLS roles
Assuming admins bypass RLS automatically

RLS Group Membership vs Workspace Roles

Feature	Workspace Roles	RLS Group Membership
Controls content access	✅	❌
Controls data visibility	❌	✅
Uses Entra ID groups	✅	✅
Defined in Desktop	❌	❌
Assigned in Service	✅	✅

PL-300 Focus: These are complementary—not interchangeable—security mechanisms.

Governance and Best Practices

Always prefer security groups over individuals
Use clear, business-aligned group names
Keep RLS logic simple and documented
Coordinate with identity administrators
Review group membership regularly

Common Exam Scenarios

You may be asked to identify:

The best way to manage RLS for hundreds of users
Why a user gained or lost data access without a model change
Where to update access when an employee changes roles
How group membership impacts RLS evaluation

Key Takeaways for the PL-300 Exam

RLS roles are defined in Power BI Desktop
Group membership is configured in the Power BI Service
Microsoft Entra ID security groups are the recommended approach
Group-based RLS improves scalability and governance
Users see the union of all assigned RLS roles
RLS applies to all reports and apps using the semantic model

Practice Questions

Go to the Practice Questions for this topic.

BI Administration, Data Governance, Data Security, Microsoft Certification, PL-300, Power BI January 17, 2026January 17, 2026

Implement Row-Level Security (RLS) Roles (PL-300 Exam Prep)

This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections:
Manage and secure Power BI (15–20%)
   --> Secure and govern Power BI items
      --> Implement Row-Level Security (RLS) Roles

Note that there are 10 practice questions (with answers and explanations) at the end of each topic. Also, there are 2 practice tests with 60 questions each available on the hub below all the exam topics.

Overview

Implementing Row-Level Security (RLS) is a critical skill for Power BI Data Analysts and a key topic within the “Manage and secure Power BI (15–20%)” domain of the PL-300: Microsoft Power BI Data Analyst certification exam. RLS ensures that users only see the data they are authorized to view, even when accessing the same reports or semantic models.

For the exam, you must understand how RLS roles are created, how they are implemented using DAX, how users and groups are assigned, and how RLS behaves in the Power BI Service.

What Is Row-Level Security?

Row-Level Security restricts access to specific rows of data in a semantic model based on the identity of the user viewing the report.

RLS:

Is defined in Power BI Desktop
Uses DAX filter expressions
Is enforced in the Power BI Service
Applies to all reports that use the semantic model

Key Concept: RLS controls data visibility, not report visibility.

RLS Architecture in Power BI

The RLS workflow consists of four main steps:

Define roles in Power BI Desktop
Create DAX filter expressions for tables
Publish the semantic model to the Power BI Service
Assign users or groups to roles in the Service

Each role defines which rows are visible when the user is a member of that role.

Creating RLS Roles in Power BI Desktop

Step 1: Create Roles

In Power BI Desktop:

Go to Model view or Report view
Select Modeling → Manage roles
Create one or more roles (e.g., SalesWest, SalesEast)

Roles are placeholders until users or groups are assigned in the Power BI Service.

Step 2: Define Table Filters (DAX)

RLS is implemented using DAX filter expressions applied to tables.

Example: Static RLS

[Region] = "West"

This filter ensures that users assigned to the role only see rows where Region equals West.

Exam Tip: RLS filters act like WHERE clauses and reduce visible rows—not columns.

Static vs Dynamic RLS

Static RLS

Filters are hardcoded values
Each role represents a specific segment
Easy to understand, but not scalable

Example:

[Department] = "Finance"

Dynamic RLS (Highly Exam-Relevant)

Dynamic RLS uses the logged-in user’s identity to filter data automatically.

Common functions:

USERPRINCIPALNAME()
USERNAME()

Example:

[Email] = USERPRINCIPALNAME()

Dynamic RLS:

Scales well
Reduces number of roles
Is commonly used in enterprise models

Best Practice: Use dynamic RLS with a user-to-dimension mapping table.

Assigning Users to RLS Roles (Power BI Service)

After publishing the semantic model:

Go to the Power BI Service
Navigate to the semantic model
Select Security
Assign users or Microsoft Entra ID (Azure AD) groups to roles

Best Practice: Always assign security groups, not individual users.

Testing RLS

In Power BI Desktop

Use Modeling → View as
Test roles before publishing
Validate DAX logic

In Power BI Service

Use View as role
Confirm correct filtering for assigned users

Exam Tip: “View as” does not bypass RLS—it simulates user access.

RLS Behavior in Common Scenarios

Reports and Dashboards

RLS applies automatically
Users cannot see restricted data
Visual totals reflect filtered data

Power BI Apps

RLS is enforced
No additional configuration required

Analyze in Excel / External Tools

RLS is enforced if the user has Build permission
Users cannot bypass RLS through external connections

Important RLS Limitations (Exam Awareness)

RLS does not hide tables or columns (use Object-Level Security for that)
RLS cannot be applied directly to measures
Workspace Admins are not exempt from RLS unless explicitly configured
RLS does not apply in Power BI Desktop for the model author unless using “View as”

Object-Level Security (OLS) vs RLS

Feature	RLS	OLS
Controls rows	✅	❌
Controls columns/tables	❌	✅
Configured in Desktop	✅	❌ (External tools)
Exam depth	High	Awareness only

PL-300 Focus: RLS concepts are tested far more deeply than OLS.

Governance and Best Practices

Use dynamic RLS wherever possible
Centralize security logic in the semantic model
Use groups, not individuals
Document role logic for maintainability
Test RLS thoroughly before sharing reports

Common Exam Scenarios

You may be asked to determine:

Why different users see different values in the same report
How to reduce the number of RLS roles
How to implement user-based filtering
Where RLS logic is created vs enforced

Key Takeaways for the PL-300 Exam

RLS restricts row-level data visibility
Roles and filters are created in Power BI Desktop
Users and groups are assigned in the Power BI Service
Dynamic RLS uses USERPRINCIPALNAME()
RLS applies to all reports and apps using the semantic model
RLS is enforced at the semantic model level

Practice Questions

Go to the Practice Questions for this topic.

BI Administration, Data Security, Microsoft Certification, PL-300, Power BI January 17, 2026

Configure Access to Semantic Models (PL-300 Exam Prep)

This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections:
Manage and secure Power BI (15–20%)
   --> Secure and govern Power BI items
      --> Configure Access to Semantic Models

Note that there are 10 practice questions (with answers and explanations) at the end of each topic. Also, there are 2 practice tests with 60 questions each available on the hub below all the exam topics.

Overview

Configuring access to semantic models (formerly known as datasets) is a core responsibility of a Power BI Data Analyst and a key topic within the “Manage and secure Power BI (15–20%)” domain of the PL-300 exam. This topic focuses on how access to data models is controlled, shared, governed, and secured so that users can interact with data appropriately—without compromising data integrity or confidentiality.

For the exam, you should understand how semantic models are shared, who can access them, what level of access they have, and how security is enforced at both the model and row level.

What Is a Semantic Model in Power BI?

A semantic model is the business-ready representation of data in Power BI. It includes:

Tables, relationships, and hierarchies
Measures, calculated columns, and KPIs
Data formatting and metadata
Security rules (such as Row-Level Security)

Semantic models are published to the Power BI Service and act as the foundation for reports, dashboards, and analysis.

Access Control Concepts You Must Know

Workspace Roles

Access to semantic models is primarily governed by workspace roles in the Power BI Service:

Role	Capabilities Related to Semantic Models
Viewer	Can view reports and read data (if permitted)
Contributor	Can create and edit content, including reports
Member	Can publish, update, and share semantic models
Admin	Full control, including managing permissions and security

Exam Tip: Viewers cannot create new reports from a semantic model unless Build permission is explicitly granted.

Semantic Model Permissions

Semantic models support item-level permissions, separate from workspace roles.

Key permissions include:

Read – Allows users to view data used in reports
Build – Allows users to create new reports using the semantic model
Reshare – Allows users to share the semantic model with others

These permissions can be assigned to:

Individual users
Security groups
Microsoft Entra ID (Azure AD) groups

Best Practice: Grant access using security groups instead of individual users for scalability and easier management.

Build Permission (Highly Exam-Relevant)

Build permission is one of the most tested concepts in this topic.

With Build permission, users can:

Create new reports using the semantic model
Use the model in Excel (Analyze in Excel)
Use the model via external tools (when allowed)

Without Build permission:

Users can view reports
Users cannot create new reports from the model

Build permission can be granted:

Automatically through workspace role (Member/Admin)
Manually on the semantic model
Via sharing settings

Sharing Semantic Models

Semantic models can be shared in several ways:

Through workspace access
By directly sharing the semantic model
By publishing reports that use the model
Via Power BI Apps

When sharing, you can choose whether recipients:

Can build new content
Can reshare the model
Are restricted by existing security rules

Exam Scenario: A user can view a report but cannot create their own—this often indicates missing Build permission.

Row-Level Security (RLS)

Row-Level Security restricts which rows of data a user can see within a semantic model.

Key RLS concepts:

Roles are defined in Power BI Desktop
DAX filters control row visibility
Users or groups are assigned to roles in the Power BI Service
RLS applies to all reports using the model

Types of RLS:

Static RLS – Fixed filters (e.g., Region = “West”)
Dynamic RLS – Filters based on the logged-in user (e.g., USERPRINCIPALNAME())

Important: RLS is enforced at the semantic model level, not the report level.

Object-Level Security (OLS) (Awareness Level)

While not deeply tested, you should be aware that Object-Level Security can:

Hide tables, columns, or measures from specific users
Be configured using external tools (e.g., Tabular Editor)

OLS complements RLS but is more advanced and typically managed by model developers.

Certified Dataset / Endorsed Semantic Models

To support governance, Power BI allows semantic models to be endorsed:

Promoted – Indicates the model is reliable and ready for reuse
Certified – Officially validated and approved by data owners or admins

Endorsements help users:

Identify trusted data sources
Avoid using unofficial or duplicate models

Exam Tip: Certification requires specific tenant permissions and approval workflows.

Power BI Apps and Semantic Models

When distributing content via a Power BI App:

Access to the semantic model is controlled through the app
Users can be allowed to connect to the underlying semantic model
RLS still applies

Apps provide a controlled, read-only distribution method while maintaining centralized security.

Common Exam Scenarios

You may be asked to determine:

Why a user cannot build a report from an existing model
How to allow self-service reporting without giving full workspace access
How to restrict data visibility for different users
Which permission or role best fits a business requirement

Key Takeaways for the PL-300 Exam

Semantic models are secured through workspace roles and item-level permissions
Build permission is essential for report creation and analysis
Row-Level Security controls data visibility per user
Use groups, not individuals, for scalable access control
Endorsed and certified models support governance and trust
Security is applied at the semantic model level, not per report

Just a FYI … this topic emphasizes balancing self-service analytics with strong data governance, a recurring theme throughout the PL-300 exam.

Practice Questions

Go to the Practice Questions for this topic.

BI Administration, Data Security, Microsoft Certification, PL-300, Power BI January 17, 2026

Configure Item-Level Access in Power BI (PL-300 Exam Prep)

This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections:
Manage and secure Power BI (15–20%)
   --> Secure and govern Power BI items
      --> Configure Item-Level Access

Note that there are 10 practice questions (with answers and explanations) at the end of each topic. Also, there are 2 practice tests with 60 questions each available on the hub below all the exam topics.

Overview

Item-level access in Power BI controls who can access specific Power BI items—such as reports, dashboards, semantic models (datasets), and apps—and what actions they can perform on those items.

This topic is part of the Manage and secure Power BI (15–20%) exam domain and falls specifically under Secure and govern Power BI items, making it a critical governance concept for PL-300 candidates.

Unlike workspace roles (which define broad permissions across an entire workspace), item-level access allows more granular control over individual Power BI assets.

What Is Item-Level Access?

Item-level access refers to permissions assigned directly to individual Power BI items, independent of workspace roles. These permissions determine whether users can:

View an item
Share an item
Build new content using an item
Reshare or export data
Modify or manage the item

Item-level access is commonly configured for:

Reports
Dashboards
Semantic models (datasets)
Apps (indirectly through audience access)

Why Item-Level Access Matters (Exam Perspective)

From a PL-300 standpoint, item-level access is important because it helps:

Enforce principle of least privilege
Enable self-service BI safely
Separate content creation from content consumption
Support enterprise governance without duplicating workspaces

Expect exam questions that test when to use item-level permissions instead of workspace roles, and how item-level access interacts with security features like RLS.

Configuring Item-Level Access by Item Type

1. Report-Level Access

Reports can be shared directly with users or groups.

Key capabilities:

View report
Share report (optional)
Build new content (if underlying model allows it)

How it’s configured:

Use the Share button on a report
Assign access to users, security groups, or distribution lists

Important exam note:
Sharing a report does not automatically grant access to the underlying semantic model unless explicitly allowed.

2. Dashboard-Level Access

Dashboards are typically shared for executive or summary-level consumption.

Key characteristics:

View-only by default
No data modeling or editing
Tiles link back to underlying reports (which require separate access)

Exam tip:
Users must also have access to the source reports behind dashboard tiles to avoid broken visuals.

3. Semantic Model (Dataset) Item-Level Access

Semantic models support some of the most important item-level permissions.

Key permissions:

Read – view reports using the model
Build – create new reports or analyze in Excel
Reshare – share the dataset with others

Common use case:

Grant Build permission to analysts so they can create their own reports without modifying the dataset.

Exam highlight:
The Build permission is essential for self-service BI scenarios and is frequently tested.

4. App Access (Audience-Based)

Apps use audiences to control item-level visibility.

What audiences allow you to do:

Show different content to different user groups
Hide specific reports or dashboards
Control navigation and access without duplicating content

Best practice:

Use Azure AD security groups for app audiences.

Item-Level Access vs Workspace Roles

Feature	Workspace Roles	Item-Level Access
Scope	Entire workspace	Individual items
Granularity	Coarse	Fine-grained
Best for	Content creators/admins	Consumers & self-service
Exam focus	Governance	Security precision

Key exam takeaway:
Workspace roles control what users can do, while item-level access controls what items they can access.

Item-Level Access and Row-Level Security (RLS)

These two are often confused on the exam.

Item-level access controls access to content
RLS controls data visibility within content

They are complementary, not interchangeable.

Example scenario:

Item-level access → Can the user open the report?
RLS → What rows of data does the user see after opening it?

Best Practices for Configuring Item-Level Access

Use Azure AD security groups instead of individuals
Grant Build permission carefully
Avoid oversharing datasets
Combine item-level access with RLS for data security
Prefer apps and audiences for large-scale distribution

Common Exam Traps to Watch For

Assuming report sharing grants dataset access automatically
Confusing workspace roles with item permissions
Forgetting that dashboard tiles require report access
Overlooking Build permission in self-service scenarios

Summary for PL-300 Exam Readiness

To succeed on PL-300 questions about item-level access, you should be able to:

✔ Identify when item-level access is required
✔ Configure permissions for reports, dashboards, and datasets
✔ Understand Build vs Read permissions
✔ Explain how item-level access differs from workspace roles
✔ Combine item-level access with RLS appropriately

Practice Questions

Go to the Practice Questions for this topic.

BI Administration, Data Security, Microsoft Certification, PL-300, Power BI January 17, 2026

Assign Workspace Roles (PL-300 Exam Prep)

This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections:
Manage and secure Power BI (15–20%)
   --> Secure and govern Power BI items
      --> Assign Workspace Roles

Note that there are 10 practice questions (with answers and explanations) at the end of each topic. Also, there are 2 practice tests with 60 questions each available on the hub below all the exam topics.

Overview

In Power BI, workspaces are collaborative containers used to develop, manage, and distribute content such as semantic models (datasets), reports, dashboards, dataflows, and apps.
Assigning workspace roles is a core governance task that ensures users have the appropriate level of access—no more and no less—based on their responsibilities.

For the PL-300 exam, you are expected to understand:

The four workspace roles
What each role can and cannot do
When to assign each role
How workspace roles relate to security, governance, and content lifecycle

Power BI Workspace Roles

Power BI provides four predefined workspace roles:

1. Admin

Highest level of access

Admins have full control over the workspace and its contents.

Key capabilities:

Add or remove users and assign roles
Update workspace settings
Publish, update, and delete all content
Configure semantic model settings (refresh, credentials, endorsements)
Publish and update workspace apps
Delete the workspace

Typical use cases:

Power BI service administrators
BI platform owners
Lead analytics engineers

🔑 Exam tip: Only Admins can manage workspace access and delete a workspace.

2. Member

Content creators and managers

Members can actively create and manage content, but they cannot manage workspace access.

Key capabilities:

Create, edit, and delete reports and dashboards
Publish semantic models
Configure scheduled refresh
Publish and update workspace apps
Share content (depending on tenant settings)

Limitations:

Cannot add or remove workspace users
Cannot delete the workspace

Typical use cases:

Power BI developers
Data analysts responsible for production content

3. Contributor

Content creators without publishing authority

Contributors can build and modify content, but they cannot publish apps or manage access.

Key capabilities:

Create and edit reports and semantic models
Upload PBIX files
Modify existing content they have access to

Limitations:

Cannot publish or update workspace apps
Cannot manage workspace users
Cannot change workspace settings

Typical use cases:

Analysts building reports for review
Developers working in shared or pre-production workspaces

4. Viewer

Read-only access

Viewers can consume content but cannot modify anything.

Key capabilities:

View reports, dashboards, and apps
Interact with visuals (filters, slicers)
Export data (if allowed)

Limitations:

Cannot create or edit content
Cannot publish apps
Cannot configure refresh or settings

Typical use cases:

Business users
Executives and stakeholders
Consumers of certified content

🔑 Exam tip: Viewers require a Power BI Pro license unless the workspace is in Premium capacity.

Assigning Workspace Roles

Workspace roles are assigned in the Power BI service:

Navigate to the workspace
Select Access
Add users or groups
Assign the appropriate role (Admin, Member, Contributor, Viewer)

🔐 Best practice: Assign Azure AD security groups instead of individual users to simplify governance and reduce maintenance.

Governance and Security Considerations

Least Privilege Principle

Always assign the lowest role necessary for a user to perform their job.

Consumers → Viewer
Report authors → Contributor or Member
Platform owners → Admin

Separation of Duties

Use different workspaces for:

Development
Testing
Production

Assign higher roles in dev, more restrictive roles in prod.

Workspace Roles vs Item-Level Security

Workspace roles control what users can do
Row-level security (RLS) controls what data users can see

Both are often used together.

Common Exam Scenarios

You may see questions such as:

Which role allows a user to publish an app but not manage access? → Member
Which role is required to assign users to a workspace? → Admin
Which role should be assigned to report consumers? → Viewer
Why use Contributor instead of Member? → To prevent app publishing or access management

Key Takeaways for PL-300

Know all four workspace roles
Understand capabilities vs limitations
Admin = access + settings
Member = manage content + apps
Contributor = build content only
Viewer = consume content only
Assign roles strategically for security and governance

Practice Questions

Go to the Practice Questions for this topic.

BI Administration, Business Intelligence, Data Governance, Data Strategy, Microsoft Certification, PL-300, Power BI January 17, 2026

Configure a Semantic Model Scheduled Refresh (PL-300 Exam Prep)

This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections:
Manage and secure Power BI (15–20%)
   --> Create and manage workspaces and assets
      --> Configure a Semantic Model Scheduled Refresh

Note that there are 10 practice questions (with answers and explanations) at the end of each topic. Also, there are 2 practice tests with 60 questions each available on the hub below all the exam topics.

Overview

A semantic model scheduled refresh ensures that Power BI reports and dashboards display up-to-date data without requiring manual intervention. For the PL-300 exam, this topic focuses on understanding when scheduled refresh is supported, what prerequisites are required, and how to configure refresh settings correctly in the Power BI service.

This skill sits at the intersection of data connectivity, security, and workspace management.

What Is a Semantic Model Scheduled Refresh?

A scheduled refresh automatically reimports data into a Power BI semantic model (dataset) at defined times using the Power BI service. It applies only to Import mode and composite models with imported tables.

Scheduled refresh does not apply to:

DirectQuery-only models
Live connections to Power BI or Analysis Services

Prerequisites for Scheduled Refresh

Before configuring scheduled refresh, the following conditions must be met:

1. Dataset Must Be Published

Scheduled refresh can only be configured after publishing the semantic model to the Power BI service.

2. Valid Data Source Credentials

You must provide and maintain valid credentials for all data sources used in the dataset.

Supported authentication methods vary by source and may include:

OAuth
Basic authentication
Windows authentication
Organizational account

3. Gateway (If Required)

A gateway is required when the semantic model connects to:

On-premises data sources
Data sources in a private network
On-premises dataflows

Cloud-based sources (such as Azure SQL Database or SharePoint Online) do not require a gateway.

4. Import Mode Tables

At least one table in the semantic model must use Import mode. DirectQuery-only models do not support scheduled refresh.

Configuring Scheduled Refresh

Scheduled refresh is configured in the Power BI service, not in Power BI Desktop.

Key Configuration Steps

Navigate to the workspace
Select the semantic model
Open Settings
Configure:
- Data source credentials
- Gateway connection (if applicable)
- Refresh schedule

Refresh Frequency and Limits

Shared Capacity

Up to 8 refreshes per day
Minimum interval of 30 minutes

Premium Capacity

Up to 48 refreshes per day
Shorter refresh intervals supported

These limits are enforced per dataset.

Refresh Options and Settings

Scheduled Refresh

Allows you to define:

Days of the week
Time slots
Time zone
Enable/disable refresh

Refresh Failure Notifications

You can configure email notifications to alert dataset owners if a refresh fails.

Incremental Refresh

Incremental refresh:

Requires Power BI Desktop configuration
Reduces refresh time by refreshing only new or changed data
Still depends on scheduled refresh to execute

Common Causes of Refresh Failure

Expired credentials
Gateway offline or misconfigured
Data source schema changes
Timeout due to large datasets
Unsupported data source authentication

Scenarios Where Scheduled Refresh Is Not Needed

DirectQuery datasets (data is queried live)
Live connections to Analysis Services
Manual refresh and republish workflows (not recommended for production)

Exam-Focused Decision Rules

For the PL-300 exam, remember:

Import mode = scheduled refresh
DirectQuery = no scheduled refresh
On-premises source = gateway required
Refresh settings live in the Power BI service
Premium capacity allows more frequent refreshes

Common Exam Traps

Confusing scheduled refresh with DirectQuery
Assuming all datasets require a gateway
Forgetting credential configuration
Thinking refresh schedules are set in Desktop

Key Takeaways

Scheduled refresh keeps semantic models current
Configuration happens in the Power BI service
Gateways depend on data source location
Capacity affects refresh frequency
Incremental refresh improves performance but still relies on scheduling

Practice Questions

Go to the Practice Questions for this topic.

BI Administration, Data Integration, Microsoft Certification, PL-300, Power BI January 17, 2026

Identify When a Gateway Is Required (PL-300 Exam Prep)

This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections:
Manage and secure Power BI (15–20%)
   --> Create and manage workspaces and assets
      --> Identify When a Gateway Is Required

Note that there are 10 practice questions (with answers and explanations) at the end of each topic. Also, there are 2 practice tests with 60 questions each available on the hub below all the exam topics.

Overview

In Power BI, a data gateway acts as a secure bridge between on-premises data sources and the Power BI service in the cloud. Understanding when a gateway is required—and when it is not—is a core skill assessed in the Manage and secure Power BI section of the PL-300 exam.

This topic focuses less on installing gateways and more on decision-making: recognizing data source locations, connection modes, and refresh requirements.

What Is a Power BI Gateway?

A Power BI gateway is software installed on a local machine or server within a private network. It enables the Power BI service to:

Refresh data from on-premises sources
Query on-premises data in real time (DirectQuery or Live connection)
Maintain secure communication without opening inbound firewall ports

There are two main gateway types:

On-premises data gateway (standard) – supports multiple users and services
On-premises data gateway (personal) – single-user scenarios (limited use, not recommended for enterprise)

When a Gateway Is Required

You must use a gateway when both of the following are true:

The data source is on-premises or in a private network
The Power BI service needs to access the data after publishing

Common Scenarios That Require a Gateway

1. Scheduled Refresh from On-Premises Data

If a dataset connects to:

SQL Server (on-premises)
Oracle, Teradata, SAP
On-premises file shares
On-premises data warehouses

…and you want scheduled refresh, a gateway is required.

2. DirectQuery or Live Connections to On-Premises Sources

A gateway is required for:

DirectQuery to on-premises SQL Server
Live connections to Analysis Services (SSAS) on-premises

This applies even if no refresh schedule exists, because queries are sent at report view time.

3. On-Premises Dataflows

If a Power BI dataflow connects to on-premises data, a gateway is required to refresh the dataflow.

4. Hybrid Scenarios

If a dataset combines:

Cloud data (e.g., Azure SQL Database)
On-premises data (e.g., local SQL Server)

A gateway is still required for the on-premises portion.

When a Gateway Is NOT Required

A gateway is not needed when Power BI can access the data source directly from the cloud.

Common Scenarios That Do NOT Require a Gateway

1. Cloud Data Sources

No gateway is required for:

Azure SQL Database
Azure Synapse Analytics
Azure Data Lake Storage
SharePoint Online
OneDrive
Power BI semantic models
Dataverse
Public web data

2. Import-Only Reports Viewed in Power BI Desktop

While working only in Power BI Desktop, no gateway is needed—even for on-premises data—because Desktop connects directly.

A gateway becomes relevant only after publishing.

3. Manual Refresh in Power BI Desktop

If data refresh happens manually in Desktop and the dataset is republished, no gateway is required (though this is not scalable).

Gateway and Connection Mode Summary

Connection Mode	On-Premises Source	Gateway Required
Import (Scheduled Refresh)	Yes	Yes
Import (Cloud Source)	No	No
DirectQuery	Yes	Yes
Live Connection (SSAS)	Yes	Yes
Dataflows (On-Prem)	Yes	Yes
Desktop-only	Yes	No

Exam-Focused Decision Rules

For the PL-300 exam, remember these rules:

On-premises + Power BI Service = Gateway
Cloud source = No gateway
DirectQuery always needs a gateway if the source is on-premises
Desktop usage alone does not require a gateway
Hybrid datasets still require a gateway

Common Exam Traps

Assuming a gateway is needed for all refresh scenarios
Forgetting that Azure SQL Database does NOT require a gateway
Confusing publishing with refresh
Overlooking gateway needs for dataflows

Key Takeaways

Gateways are about location, not data size
They enable secure, outbound-only communication
The exam tests recognition, not installation steps
Focus on where the data lives and how Power BI accesses it

Practice Questions

Go to the Practice Questions for this topic.