Welcome to the one-stop hub with information for preparing for the PL-300: Microsoft Power BI Data Analyst certification exam. Upon successful completion of the exam, you earn the Microsoft Certified: Power BI Data Analyst Associate certification.
This hub provides information directly here (topic-by-topic), links to a number of external resources, tips for preparing for the exam, practice tests, and section questions to help you prepare. Bookmark this page and use it as a guide to ensure that you are fully covering all relevant topics for the PL-300 exam and making use of as many of the resources available as possible.
Skills tested at a glance (as specified in the official study guide)
Prepare the data (25–30%)
Model the data (25–30%)
Visualize and analyze the data (25–30%)
Manage and secure Power BI (15–20%)
Click on each hyperlinked topic below to go to the preparation content and practice questions for that topic. And there are also 2 practice exams provided below.
Link to the free, comprehensive, self-paced course on Microsoft Learn – Design and manage analytics solutions using Power BI It contains 5 Learning Paths, each with multiple Modules, and each module has multiple Units. It will take some time to do it, but we recommend that you complete this entire course, including the exercises/labs.
Schedule time to learn, study, perform labs, and do practice exams and questions
Schedule the exam based on when you think you will be ready; scheduling the exam gives you a target and drives you to keep working on it; but keep in mind that it can be rescheduled based on the rules of the provider.
Use the various resources above and below to learn
Take the free Microsoft Learn practice test, any other available practice tests, and do the practice questions in each section and the two practice tests available on this hub.
Good luck to you passing the PL-300: Microsoft Power BI Data Analyst certification exam and earning the Microsoft Certified: Power BI Data Analyst Associate certification!
PL-300: Microsoft Power BI Data Analyst practice exam
Total Questions: 60 Time Recommendation: 120 minutes
Note: We have sectioned the questions to help you prepare, but the real exam will have questions from the sections appearing randomly. The answers are at the end, and we recommend only looking at the answers after you have attempted the questions.
Exam Structure & Weighting (60 Questions)
Domain
%
Questions
Prepare the data
~27%
16
Model the data
~27%
16
Visualize and analyze the data
~27%
16
Manage and secure Power BI
~19%
12
Total
100%
60
SECTION 1: Prepare the Data (Questions 1–16)
1. (Single choice) You connect to a CSV file containing sales data. The file is updated daily with additional rows. What should you do to ensure Power BI always imports only new records?
A. Use Import mode B. Enable Incremental Refresh C. Use DirectQuery D. Create a calculated table
2. (Scenario – Multi-select) You are cleaning customer data in Power Query. You need to:
Remove rows where CustomerID is null
Replace empty strings in Country with “Unknown”
Which two steps should you use? (Select two)
A. Filter rows B. Replace values C. Conditional column D. Remove errors
3. (Fill in the blank) The Power Query feature used to profile data by showing column distribution, quality, and profile is called __________.
4. (Single choice) You want to reduce model size by removing unused columns before loading data. Where should this be done?
A. In DAX B. In Power BI Service C. In Power Query Editor D. In the Data view
5. (Scenario – Single choice) A dataset contains numeric values stored as text. What is the best approach to fix this?
A. Convert data type in the report view B. Create a calculated column C. Change data type in Power Query D. Use FORMAT() in DAX
6. (Multi-select) Which transformations are considered query folding–friendly? (Select two)
A. Filtering rows B. Adding an Index column C. Merging queries D. Custom M function logic
7. (Single choice) What does query folding primarily help with?
A. Improving report aesthetics B. Reducing dataset size C. Pushing transformations to the source system D. Enabling DirectQuery
8. (Scenario – Single choice) You want to append monthly Excel files from a folder automatically. What connector should you use?
A. Excel Workbook B. SharePoint Folder C. Folder D. Web
9. (Matching) Match the Power Query feature to its purpose:
Feature
Purpose
A. Merge Queries
1. Stack tables vertically
B. Append Queries
2. Combine tables horizontally
C. Group By
3. Aggregate rows
10. (Single choice) Which data source supports DirectQuery?
A. Excel B. CSV C. SQL Server D. JSON
11. (Scenario – Multi-select) You want to reduce refresh time. Which actions help? (Select two)
A. Remove unused columns B. Increase report page count C. Apply filters early D. Use calculated columns
12. (Single choice) What does enabling “Enable load” = Off do?
A. Deletes the query B. Prevents data refresh C. Prevents data from loading into the model D. Disables query folding
13. (Single choice) Which transformation breaks query folding most often?
A. Filtering B. Sorting C. Custom column with M code D. Renaming columns
14. (Fill in the blank) The language used by Power Query is called __________.
15. (Scenario – Single choice) You need to standardize country names across multiple sources. What is the best approach?
A. DAX LOOKUPVALUE B. Power Query Replace Values C. Calculated table D. Visual-level filter
16. (Single choice) What is the main benefit of disabling Auto Date/Time?
A. Faster report rendering B. Better compression and simpler models C. Enables time intelligence D. Required for DirectQuery
SECTION 2: Model the Data (Questions 17–32)
17. (Single choice) What is the recommended cardinality between a fact table and a dimension table?
A. Many-to-many B. One-to-one C. One-to-many D. Many-to-one
18. (Scenario – Single choice) You have Sales and Customers tables. Each sale belongs to one customer. How should the relationship be defined?
A. Many-to-many B. One-to-many from Customers to Sales C. One-to-one D. Inactive
19. (Multi-select) Which actions improve model performance? (Select two)
A. Reduce column cardinality B. Use bi-directional filters everywhere C. Star schema design D. Hide fact table columns
20. (Fill in the blank) A __________ table contains descriptive attributes used for slicing and filtering.
21. (Scenario – Single choice) When should you use a calculated column instead of a measure?
A. When performing aggregations B. When results must be stored per row C. When using slicers D. When reducing model size
22. (Single choice) Which DAX function safely handles divide-by-zero errors?
A. DIV B. IFERROR C. DIVIDE D. CALCULATE
23. (Scenario – Single choice) You need a dynamic calculation that responds to filters. What should you use?
A. Calculated column B. Calculated table C. Measure D. Static column
24. (Matching) Match the DAX concept to its description:
Concept
Description
A. Row context
1. Filters applied by visuals
B. Filter context
2. Iteration over rows
C. Context transition
3. Row → filter conversion
25. (Single choice) What does CALCULATE primarily do?
A. Creates relationships B. Changes filter context C. Adds rows to tables D. Improves compression
26. (Multi-select) Which are valid time intelligence functions? (Select two)
A. TOTALYTD B. SAMEPERIODLASTYEAR C. SUMX D. VALUES
27. (Scenario – Single choice) You need Year-over-Year growth. What prerequisite must be met?
A. Auto Date/Time enabled B. Continuous date column C. Marked Date table D. Calculated column
28. (Single choice) What does marking a table as a Date table do?
A. Improves visuals B. Enables time intelligence accuracy C. Reduces refresh time D. Enables RLS
29. (Multi-select) Which DAX functions are iterators? (Select two)
A. SUMX B. AVERAGEX C. SUM D. COUNT
30. (Scenario – Single choice) You need to model a many-to-many relationship. What is the recommended solution?
A. Bi-directional filters B. Bridge table C. Calculated column D. Duplicate keys
31. (Single choice) What is the main drawback of bi-directional relationships?
A. Slower refresh B. Increased ambiguity and performance cost C. Larger dataset size D. Disabled measures
32. (Fill in the blank) The recommended schema design in Power BI is the __________ schema.
SECTION 3: Visualize and Analyze the Data (Questions 33–48)
33. (Single choice) Which visual best shows trends over time?
A. Bar chart B. Table C. Line chart D. Card
34. (Scenario – Single choice) You want users to explore details by clicking on a value in a chart. What feature should you use?
A. Drillthrough B. Tooltip C. Drill-down D. Bookmark
35. (Multi-select) Which visuals support drill-down? (Select two)
A. Matrix B. Card C. Bar chart D. KPI
36. (Fill in the blank) A page that shows detailed information for a selected data point is called a __________ page.
37. (Single choice) Which feature allows navigation between predefined report states?
A. Filters B. Slicers C. Bookmarks D. Tooltips
38. (Scenario – Single choice) You want to highlight values above a threshold. What should you use?
A. Conditional formatting B. Custom visual C. Calculated column D. Page filter
39. (Multi-select) Which elements can be used as slicers? (Select two)
A. Numeric columns B. Measures C. Date columns D. Calculated tables
40. (Single choice) What does a tooltip page provide?
A. Navigation B. Additional context on hover C. Data refresh D. Security
41. (Scenario – Single choice) You want visuals on one page to affect another page. What should you use?
A. Drill-down B. Sync slicers C. RLS D. Visual interactions
42. (Single choice) Which feature allows exporting summarized data only?
A. Export underlying data B. Export summarized data C. Analyze in Excel D. Paginated reports
43. (Multi-select) Which actions improve report performance? (Select two)
A. Limit visuals per page B. Use high-cardinality slicers C. Use measures instead of columns D. Disable interactions
44. (Single choice) What is the purpose of a KPI visual?
A. Show raw data B. Compare actuals to targets C. Display trends D. Filter visuals
45. (Scenario – Single choice) You need a visual that supports hierarchical navigation. What should you choose?
A. Card B. Line chart C. Matrix D. Gauge
46. (Fill in the blank) The feature that allows users to ask natural language questions is called __________.
47. (Single choice) What determines visual interaction behavior?
A. Data model B. Report theme C. Edit interactions settings D. Dataset permissions
48. (Single choice) Which visual is best for comparing proportions?
A. Table B. Pie chart C. Scatter plot D. Line chart
SECTION 4: Manage and Secure Power BI (Questions 49–60)
49. (Single choice) What does Row-Level Security (RLS) control?
A. Visual visibility B. Data access by user C. Dataset refresh D. Workspace roles
50. (Scenario – Single choice) You need different users to see different regions’ data. What should you implement?
A. App audiences B. RLS roles C. Workspace permissions D. Object-level security
51. (Multi-select) Which roles can publish content? (Select two)
A. Viewer B. Contributor C. Member D. Admin
52. (Single choice) Where is RLS created?
A. Power BI Service only B. Power BI Desktop C. Azure Portal D. Excel
53. (Single choice) What is Object-Level Security (OLS) used for?
A. Hiding rows B. Hiding columns or tables C. Encrypting data D. Managing refresh
54. (Scenario – Single choice) You want users to consume reports without editing. Which workspace role is best?
A. Admin B. Member C. Contributor D. Viewer
55. (Fill in the blank) A packaged, read-only distribution of reports is called a Power BI __________.
56. (Single choice) Which feature controls dataset refresh schedules?
A. Gateway B. Dataset settings C. Workspace D. App
57. (Multi-select) Which authentication methods are supported by Power BI gateways? (Select two)
A. Windows B. OAuth C. Basic D. Anonymous
58. (Scenario – Single choice) You want on-premises SQL data to refresh in Power BI Service. What is required?
A. DirectQuery B. On-premises data gateway C. Azure SQL D. Incremental refresh
59. (Single choice) Who can manage workspace users?
A. Viewer B. Contributor C. Member D. Admin
60. (Single choice) What is the primary benefit of Power BI apps?
A. Faster refresh B. Centralized content distribution C. Improved DAX performance D. Reduced dataset size
ANSWER KEY WITH EXPLANATIONS
Below are correct answers and explanations, including why incorrect options are not correct. (Use this section after completing the exam.)
SECTION 1: Prepare the Data (1-16)
B – Incremental Refresh loads only new/changed data
A, B – Filter rows removes nulls; Replace Values handles empty strings
Data profiling
C – Remove columns before loading
C – Best practice is Power Query transformation
A, C – Folding-friendly operations
C – Pushes logic to the source
C – Folder connector handles multiple files
A-2, B-1, C-3
C – SQL Server supports DirectQuery
A, C – Reduce data early
C – Prevents model loading
C – Custom M breaks folding
M
B – Clean once at ingestion
B – Avoids hidden date tables
SECTION 2: Model the Data (17–32)
17. Correct Answer: C — One-to-many
Why correct: In a star schema, dimension tables have unique keys and fact tables contain repeated keys.
Why others are incorrect:
A/B/D create ambiguity or are rarely appropriate in analytical models.
18. Correct Answer: B — One-to-many from Customers to Sales
Why correct: One customer can have many sales, but each sale belongs to one customer.
Why others are incorrect:
Many-to-many and one-to-one do not reflect the business reality.
Inactive relationships are only used when multiple relationships exist.
19. Correct Answers: A, C
Why correct:
Reducing column cardinality improves compression.
Star schemas reduce relationship complexity and improve performance.
Why others are incorrect:
Bi-directional filters add overhead.
Hiding columns improves usability, not performance.
PL-300: Microsoft Power BI Data Analyst practice exam
Total Questions: 60 Time Recommendation: 120 minutes
Note: We have sectioned the questions to help you prepare, but the real exam will have questions from the sections appearing randomly. The answers are at the end, and we recommend only looking at the answers after you have attempted the questions.
SECTION 1: Prepare the Data (Questions 1–16)
1. (Scenario – Single choice) You are importing data from a SQL Server database. You want to ensure transformations are executed at the source whenever possible. What should you prioritize?
A. Using Import mode B. Maintaining query folding C. Creating calculated columns D. Disabling Auto Date/Time
2. (Multi-select) Which Power Query actions typically preserve query folding? (Select two)
A. Filtering rows B. Adding a custom column with complex M logic C. Removing columns D. Changing column order
3. (Fill in the blank) Power BI’s feature that automatically detects column data types during import is called __________.
4. (Scenario – Single choice) You need to combine two tables with the same columns but different rows. What should you use?
A. Merge Queries B. Append Queries C. Relationship D. Lookup column
5. (Single choice) Which data type is most memory-efficient for categorical values?
A. Text B. Whole Number C. Decimal Number D. DateTime
6. (Scenario – Multi-select) You are profiling a dataset and notice unexpected null values. Which tools help identify data quality issues? (Select two)
A. Column quality B. Column distribution C. Conditional columns D. Replace errors
7. (Single choice) Which connector allows ingestion of multiple files stored in a directory?
A. Excel Workbook B. SharePoint List C. Folder D. Web API
8. (Scenario – Single choice) You want to standardize values such as “USA”, “U.S.”, and “United States”. What is the most scalable solution?
A. DAX calculated column B. Replace Values in Power Query C. Visual-level filter D. Manual edits in Data view
9. (Matching) Match the transformation to its outcome:
Transformation
Outcome
A. Group By
1. Reduce row-level detail
B. Remove duplicates
2. Aggregate data
C. Filter rows
3. Exclude unwanted records
10. (Single choice) Which data source does NOT support DirectQuery?
A. Azure SQL Database B. SQL Server C. Excel workbook D. Azure Synapse Analytics
11. (Scenario – Single choice) A column contains numbers and text. You need to fix errors without removing rows. What is the best option?
A. Remove errors B. Replace errors C. Change data type D. Split column
12. (Multi-select) Which actions reduce dataset size? (Select two)
A. Removing unused columns B. Increasing column cardinality C. Disabling Auto Date/Time D. Using calculated tables
13. (Single choice) Which step most commonly breaks query folding?
A. Sorting rows B. Renaming columns C. Adding a custom M function D. Filtering
14. (Fill in the blank) Power Query transformations are written using the __________ language.
15. (Scenario – Single choice) You want to reuse a transformation across multiple queries. What should you create?
A. Calculated table B. Custom column C. Function D. Measure
16. (Single choice) Why is disabling Auto Date/Time considered a best practice?
A. It improves visual formatting B. It reduces hidden tables and model size C. It enables DirectQuery D. It improves gateway performance
SECTION 2: Model the Data (Questions 17–32)
17. (Single choice) Which schema design is recommended for Power BI models?
A. Snowflake B. Relational C. Star D. Hierarchical
18. (Scenario – Single choice) You have multiple fact tables sharing the same Date table. What relationship setup is recommended?
A. Many-to-many B. One-to-one C. One-to-many from Date D. Bi-directional
19. (Multi-select) Which actions improve DAX performance? (Select two)
A. Using variables B. Using volatile functions C. Reducing iterator usage D. Increasing column cardinality
20. (Fill in the blank) A table that stores transactional events is called a __________ table.
21. (Scenario – Single choice) You need a calculation that must be evaluated only once during refresh. What should you use?
A. Measure B. Calculated column C. Visual filter D. Slicer
22. (Single choice) Which function changes filter context?
A. SUM B. FILTER C. CALCULATE D. VALUES
23. (Scenario – Single choice) You need a metric that responds to slicers and cross-highlighting. What should you create?
A. Calculated table B. Calculated column C. Measure D. Static column
24. (Matching) Match the DAX concept to its definition:
Concept
Definition
A. Filter context
1. Row-by-row evaluation
B. Row context
2. Visual and slicer filters
C. Iterator
3. Loops through rows
25. (Single choice) Which DAX function safely handles division when the denominator is zero?
A. IF B. DIV C. DIVIDE D. CALCULATETABLE
26. (Multi-select) Which functions are considered time intelligence? (Select two)
A. DATEADD B. SAMEPERIODLASTYEAR C. SUMX D. FILTER
27. (Scenario – Single choice) Why should you mark a Date table?
A. To enable RLS B. To improve visual formatting C. To ensure correct time intelligence D. To reduce refresh duration
28. (Single choice) What is the purpose of a bridge table?
A. Speed up refresh B. Resolve many-to-many relationships C. Enable DirectQuery D. Create calculated measures
29. (Multi-select) Which are iterator functions? (Select two)
A. COUNT B. SUMX C. AVERAGEX D. DISTINCT
30. (Scenario – Single choice) You have two date relationships between the same tables. One is inactive. How do you use the inactive one?
A. USERELATIONSHIP B. CROSSFILTER C. RELATED D. LOOKUPVALUE
31. (Single choice) What is a key downside of calculated columns?
A. They cannot be filtered B. They increase model size C. They cannot use DAX D. They slow down visuals
32. (Fill in the blank) The recommended relationship direction in most models is __________.
SECTION 3: Visualize and Analyze the Data (Questions 33–48)
33. (Single choice) Which visual best compares values across categories?
A. Line chart B. Bar chart C. Scatter plot D. Area chart
34. (Scenario – Single choice) You want users to navigate to a detail page by right-clicking a visual. What should you configure?
A. Drill-down B. Drillthrough C. Bookmark D. Tooltip
35. (Multi-select) Which visuals support hierarchies? (Select two)
A. Matrix B. Card C. Bar chart D. Gauge
36. (Fill in the blank) A report page designed to show details for a selected value is called a __________ page.
37. (Single choice) Which feature allows toggling between different visual states?
A. Filters B. Bookmarks C. Themes D. Sync slicers
38. (Scenario – Single choice) You want values over target to appear green and under target red. What should you use?
A. KPI visual B. Conditional formatting C. Measure D. Theme
39. (Multi-select) Which fields can be used in a slicer? (Select two)
A. Measures B. Date columns C. Text columns D. Tooltips
40. (Single choice) What is the primary purpose of report tooltips?
A. Navigation B. Additional context on hover C. Filtering D. Security
41. (Scenario – Single choice) You want slicer selections on one page to apply to other pages. What should you use?
A. Drillthrough B. Visual interactions C. Sync slicers D. Bookmarks
42. (Single choice) Which export option respects RLS and aggregation?
A. Export underlying data B. Export summarized data C. Copy visual D. Analyze in Excel
43. (Multi-select) Which actions improve report performance? (Select two)
A. Reduce number of visuals B. Use complex custom visuals everywhere C. Prefer measures over columns D. Increase page interactions
44. (Single choice) What does a KPI visual compare?
A. Actual vs target B. Categories vs totals C. Trends over time D. Part-to-whole
45. (Scenario – Single choice) Which visual supports row and column grouping with totals?
A. Table B. Matrix C. Card D. Gauge
46. (Fill in the blank) The feature that allows users to ask questions using natural language is __________.
47. (Single choice) Where do you configure how visuals affect each other?
A. Model view B. Edit interactions C. Dataset settings D. Themes
48. (Single choice) Which visual is best for showing part-to-whole relationships?
A. Line chart B. Pie chart C. Scatter plot D. Table
SECTION 4: Manage and Secure Power BI (Questions 49–60)
49. (Single choice) Row-Level Security primarily restricts access to:
A. Reports B. Rows of data C. Dashboards D. Workspaces
50. (Scenario – Single choice) Different users must see different departments’ data using the same report. What should you implement?
A. App audiences B. RLS roles C. Workspace permissions D. Bookmarks
51. (Multi-select) Which workspace roles can publish content? (Select two)
A. Viewer B. Contributor C. Member D. Admin
52. (Single choice) Where are RLS roles defined?
A. Power BI Service B. Power BI Desktop C. Azure AD D. SQL Server
53. (Single choice) What does Object-Level Security control?
A. Row visibility B. Column or table visibility C. Dataset refresh D. Report access
54. (Scenario – Single choice) Which role should be assigned to users who only consume content?
A. Admin B. Member C. Contributor D. Viewer
55. (Fill in the blank) A curated, read-only package of Power BI content is called an __________.
56. (Single choice) Which component enables scheduled refresh for on-premises data?
A. DirectQuery B. Dataset C. Gateway D. Workspace
57. (Multi-select) Which authentication types are supported by on-premises data gateways? (Select two)
A. Windows B. OAuth C. Basic D. Anonymous
58. (Scenario – Single choice) You want to minimize refresh time for a very large dataset. What should you configure?
A. RLS B. Incremental refresh C. DirectQuery D. OLS
59. (Single choice) Who can manage users and permissions in a workspace?
A. Viewer B. Contributor C. Member D. Admin
60. (Single choice) What is a primary advantage of Power BI apps?
A. Faster DAX calculations B. Controlled content distribution C. Reduced data volume D. Improved gateway reliability
ANSWER KEY WITH EXPLANATIONS
Prepare the Data (1–16)
B — Query folding pushes transformations to the source
A, C — Filtering and removing columns fold well
Type detection
B — Append stacks rows
B — Whole numbers compress best
A, B — Profiling tools reveal quality issues
C — Folder connector ingests multiple files
B — Clean once at ingestion
A-2, B-1, C-3
C — Excel does not support DirectQuery
B — Replace errors preserves rows
A, C — Less data, fewer hidden tables
C — Custom M breaks folding
M
C — Functions promote reuse
B — Prevents unnecessary date tables
Model the Data (17–32)
C — Star schema is best practice
C — Date is a shared dimension
A, C — Variables and fewer iterators improve performance
Fact
B — Calculated columns are refresh-time only
C — CALCULATE modifies filters
C — Measures are dynamic
A-2, B-1, C-3
C — DIVIDE handles zero safely
A, B — Both are time intelligence
C — Required for correct time calcs
B — Bridge resolves many-to-many
B, C — Iterators loop rows
A — USERELATIONSHIP activates inactive relationships
This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections: Manage and secure Power BI (15–20%) --> Secure and govern Power BI items --> Apply sensitivity labels
Below are 10 practice questions (with answers and explanations) for this topic of the exam. There are also 2 practice tests for the PL-300 exam with 60 questions each (with answers) available on the hub.
Practice Questions
Question 1
What is the primary purpose of sensitivity labels in Power BI?
A. To restrict which rows of data users can see B. To control workspace access C. To classify and protect sensitive data D. To improve report performance
Correct Answer:C
Explanation: Sensitivity labels are used to classify data based on sensitivity and enable protection and governance—not to control access or filter data.
Question 2
Where are sensitivity labels created and managed?
A. Power BI Desktop B. Power BI Service C. Microsoft Purview (Microsoft 365 compliance portal) D. Microsoft Entra ID
Correct Answer:C
Explanation: Sensitivity labels are centrally defined and managed in Microsoft Purview. Power BI only consumes and applies them.
Question 3
Which Power BI items can have sensitivity labels applied? (Select all that apply)
A. Semantic models B. Reports C. Dashboards D. Measures
Correct Answer:A, B, C
Explanation: Labels can be applied to semantic models, reports, and dashboards, but not to individual measures or columns.
Question 4
What happens when a report is created using a labeled semantic model?
A. The report ignores the label B. The report automatically inherits the label C. The report applies Row-Level Security D. The report requires Admin approval
Correct Answer:B
Explanation: Sensitivity labels inherit and propagate to downstream content such as reports.
Question 5
Which statement about sensitivity labels is true?
A. Sensitivity labels filter data at query time B. Sensitivity labels replace Row-Level Security C. Sensitivity labels classify content but do not restrict row visibility D. Sensitivity labels control workspace membership
Correct Answer:C
Explanation: Sensitivity labels classify data and support protection but do not filter rows or control access.
Question 6
A user exports data from a labeled Power BI report to Excel. What is the expected behavior?
A. The label is removed B. The label remains and is applied to the Excel file C. Export is blocked automatically D. RLS is disabled
Correct Answer:B
Explanation: Sensitivity labels propagate to exported files, helping protect data outside Power BI.
Question 7
Which scenario best demonstrates the value of sensitivity labels?
A. Limiting data visibility by region B. Preventing users from editing reports C. Ensuring confidential data remains protected when shared or exported D. Reducing dataset refresh times
Correct Answer:C
Explanation: Sensitivity labels help protect data beyond Power BI by enforcing classification and downstream protections.
Question 8
Which Power BI security feature should be used instead of sensitivity labels to restrict rows of data?
A. Workspace roles B. Object-Level Security C. Row-Level Security D. Build permission
Correct Answer:C
Explanation: Row-Level Security (RLS) restricts which rows users can see. Sensitivity labels do not.
Question 9
Where can sensitivity labels be applied by a user?
A. Only in Power BI Desktop B. Only in the Power BI Service C. In both Power BI Desktop and Power BI Service D. Only by Power BI Admins
Correct Answer:C
Explanation: Sensitivity labels can be applied or updated in both Desktop and the Service, depending on permissions.
Question 10
Which statement best describes how sensitivity labels fit into Power BI security?
A. They replace workspace roles and RLS B. They are optional and unrelated to governance C. They complement other security features by supporting data classification D. They are only used for auditing
Correct Answer:C
Explanation: Sensitivity labels are part of a layered security and governance approach, complementing permissions, RLS, and workspace roles.
Final PL-300 Exam Reminders
Sensitivity labels are about classification and protection, not access control
Labels are created in Microsoft Purview, applied in Power BI
Labels propagate to reports and exported files
Labels work alongside RLS and permissions—not instead of them
This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections: Manage and secure Power BI (15–20%) --> Secure and govern Power BI items --> Apply sensitivity labels
Note that there are 10 practice questions (with answers and explanations) for each topic of the exam. There are also 2 practice tests for the PL-300 exam with 60 questions each (with answers) available on the hub.
Overview
Applying sensitivity labels is an important governance capability within Power BI and a tested topic in the “Manage and secure Power BI (15–20%)” domain of the PL-300: Microsoft Power BI Data Analyst certification exam. Sensitivity labels help organizations classify, protect, and control the handling of data across Power BI content and the broader Microsoft ecosystem.
For the exam, you should understand what sensitivity labels are, where they come from, how and where they are applied, what they do (and do not) enforce, and how they support data governance and compliance.
What Are Sensitivity Labels?
Sensitivity labels are metadata tags used to classify data based on its level of sensitivity, such as:
Public
Internal
Confidential
Highly Confidential
They are part of Microsoft Purview Information Protection (formerly Microsoft Information Protection) and are used consistently across Microsoft services, including:
Power BI
Microsoft Excel, Word, and PowerPoint
SharePoint and OneDrive
Key Concept: Sensitivity labels are about data classification and protection, not row-level filtering.
This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections: Manage and secure Power BI (15–20%) --> Secure and govern Power BI items --> Configure Row-Level Security Group Membership
Note that there are 10 practice questions (with answers and explanations) at the end of each topic. Also, there are 2 practice tests with 60 questions each available on the hub below all the exam topics.
Overview
Configuring Row-Level Security (RLS) group membership is a key governance and scalability topic within the “Manage and secure Power BI (15–20%)” domain of the PL-300: Microsoft Power BI Data Analyst certification exam. This topic builds on basic RLS concepts and focuses on how users are assigned to RLS roles, with an emphasis on using Microsoft Entra ID (Azure AD) security groups instead of individual users.
For the exam, you should understand where RLS roles are defined, where group membership is configured, how group-based RLS behaves, and why it is considered a best practice.
What Is RLS Group Membership?
RLS group membership refers to assigning security groups (rather than individual users) to Row-Level Security roles in a Power BI semantic model. Any user who is a member of the group automatically inherits the data access defined by the role.
This approach:
Improves scalability
Simplifies administration
Aligns with enterprise security standards
Reduces ongoing maintenance
Exam Focus: The PL-300 exam strongly favors group-based RLS as the recommended approach.
Where RLS Group Membership Is Configured
Understanding where actions occur is frequently tested.
Power BI Desktop
Create RLS roles
Define DAX filter expressions
No users or groups are assigned here
Power BI Service
Assign users or security groups to RLS roles
Manage role membership after publishing
Key Distinction:
Roles and filters → Desktop
Users and groups → Service
Why Use Security Groups for RLS?
Benefits of Group-Based RLS
Centralized identity management Groups are managed in Microsoft Entra ID, not Power BI.
Automatic access updates Adding or removing users from a group instantly updates data access.
Reduced administrative effort No need to modify RLS settings when staff changes.
Auditability and compliance Easier to review who has access and why.
Exam Tip: If a question asks for the most scalable or best practice approach, choose security groups.
Types of Groups Used in RLS
Supported Group Types
Microsoft Entra ID security groups (recommended)
Mail-enabled security groups
Not Recommended / Not Supported
Distribution lists (not ideal for security)
Microsoft 365 groups (not designed for RLS scenarios)
PL-300 Expectation: Know that security groups are the preferred option for RLS role membership.
Assigning Groups to RLS Roles
Step-by-Step (Power BI Service)
Publish the semantic model from Power BI Desktop
In the Power BI Service, open the semantic model
Select Security
Choose an RLS role
Add one or more security groups
Save changes
Once assigned, all group members inherit the role’s data filters.
Group Membership and Dynamic RLS
Group membership is often combined with dynamic RLS for maximum flexibility.
Common Pattern
RLS role contains a dynamic filter using USERPRINCIPALNAME()
A mapping table links users to business entities (e.g., region, department)
A security group controls who is subject to that role
This pattern:
Minimizes the number of roles
Supports large organizations
Separates identity management from data logic
How Group-Based RLS Is Evaluated
When a user opens a report:
Power BI identifies the user’s Entra ID group memberships
The user is matched to assigned RLS roles
The union of all applicable role filters is applied
Only authorized rows are returned
Important Exam Concept: Users in multiple roles see the combined (union) of allowed data—not the most restrictive set.
Testing Group-Based RLS
In Power BI Desktop
Use View as
Test role logic only (group membership is not evaluated here)
In Power BI Service
Use View as role
Or test by signing in as a user who belongs to the group
Exam Awareness: Group membership itself cannot be fully tested in Desktop—only in the Service.
Common Pitfalls (Exam-Relevant)
Assigning individual users instead of groups
Expecting RLS to apply before publishing
Forgetting that group membership changes happen outside Power BI
Confusing workspace roles with RLS roles
Assuming admins bypass RLS automatically
RLS Group Membership vs Workspace Roles
Feature
Workspace Roles
RLS Group Membership
Controls content access
✅
❌
Controls data visibility
❌
✅
Uses Entra ID groups
✅
✅
Defined in Desktop
❌
❌
Assigned in Service
✅
✅
PL-300 Focus: These are complementary—not interchangeable—security mechanisms.
Governance and Best Practices
Always prefer security groups over individuals
Use clear, business-aligned group names
Keep RLS logic simple and documented
Coordinate with identity administrators
Review group membership regularly
Common Exam Scenarios
You may be asked to identify:
The best way to manage RLS for hundreds of users
Why a user gained or lost data access without a model change
Where to update access when an employee changes roles
How group membership impacts RLS evaluation
Key Takeaways for the PL-300 Exam
RLS roles are defined in Power BI Desktop
Group membership is configured in the Power BI Service
Microsoft Entra ID security groups are the recommended approach
Group-based RLS improves scalability and governance
Users see the union of all assigned RLS roles
RLS applies to all reports and apps using the semantic model
This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections: Manage and secure Power BI (15–20%) --> Secure and govern Power BI items --> Implement Row-Level Security (RLS) Roles
Note that there are 10 practice questions (with answers and explanations) at the end of each topic. Also, there are 2 practice tests with 60 questions each available on the hub below all the exam topics.
Overview
Implementing Row-Level Security (RLS) is a critical skill for Power BI Data Analysts and a key topic within the “Manage and secure Power BI (15–20%)” domain of the PL-300: Microsoft Power BI Data Analyst certification exam. RLS ensures that users only see the data they are authorized to view, even when accessing the same reports or semantic models.
For the exam, you must understand how RLS roles are created, how they are implemented using DAX, how users and groups are assigned, and how RLS behaves in the Power BI Service.
What Is Row-Level Security?
Row-Level Security restricts access to specific rows of data in a semantic model based on the identity of the user viewing the report.
RLS:
Is defined in Power BI Desktop
Uses DAX filter expressions
Is enforced in the Power BI Service
Applies to all reports that use the semantic model
Key Concept: RLS controls data visibility, not report visibility.
RLS Architecture in Power BI
The RLS workflow consists of four main steps:
Define roles in Power BI Desktop
Create DAX filter expressions for tables
Publish the semantic model to the Power BI Service
Assign users or groups to roles in the Service
Each role defines which rows are visible when the user is a member of that role.
Creating RLS Roles in Power BI Desktop
Step 1: Create Roles
In Power BI Desktop:
Go to Model view or Report view
Select Modeling → Manage roles
Create one or more roles (e.g., SalesWest, SalesEast)
Roles are placeholders until users or groups are assigned in the Power BI Service.
Step 2: Define Table Filters (DAX)
RLS is implemented using DAX filter expressions applied to tables.
Example: Static RLS
[Region] = "West"
This filter ensures that users assigned to the role only see rows where Region equals West.
Exam Tip: RLS filters act like WHERE clauses and reduce visible rows—not columns.
Static vs Dynamic RLS
Static RLS
Filters are hardcoded values
Each role represents a specific segment
Easy to understand, but not scalable
Example:
[Department] = "Finance"
Dynamic RLS (Highly Exam-Relevant)
Dynamic RLS uses the logged-in user’s identity to filter data automatically.
Common functions:
USERPRINCIPALNAME()
USERNAME()
Example:
[Email] = USERPRINCIPALNAME()
Dynamic RLS:
Scales well
Reduces number of roles
Is commonly used in enterprise models
Best Practice: Use dynamic RLS with a user-to-dimension mapping table.
Assigning Users to RLS Roles (Power BI Service)
After publishing the semantic model:
Go to the Power BI Service
Navigate to the semantic model
Select Security
Assign users or Microsoft Entra ID (Azure AD) groups to roles
Best Practice: Always assign security groups, not individual users.
Testing RLS
In Power BI Desktop
Use Modeling → View as
Test roles before publishing
Validate DAX logic
In Power BI Service
Use View as role
Confirm correct filtering for assigned users
Exam Tip: “View as” does not bypass RLS—it simulates user access.
RLS Behavior in Common Scenarios
Reports and Dashboards
RLS applies automatically
Users cannot see restricted data
Visual totals reflect filtered data
Power BI Apps
RLS is enforced
No additional configuration required
Analyze in Excel / External Tools
RLS is enforced if the user has Build permission
Users cannot bypass RLS through external connections
Important RLS Limitations (Exam Awareness)
RLS does not hide tables or columns (use Object-Level Security for that)
RLS cannot be applied directly to measures
Workspace Admins are not exempt from RLS unless explicitly configured
RLS does not apply in Power BI Desktop for the model author unless using “View as”
Object-Level Security (OLS) vs RLS
Feature
RLS
OLS
Controls rows
✅
❌
Controls columns/tables
❌
✅
Configured in Desktop
✅
❌ (External tools)
Exam depth
High
Awareness only
PL-300 Focus: RLS concepts are tested far more deeply than OLS.
Governance and Best Practices
Use dynamic RLS wherever possible
Centralize security logic in the semantic model
Use groups, not individuals
Document role logic for maintainability
Test RLS thoroughly before sharing reports
Common Exam Scenarios
You may be asked to determine:
Why different users see different values in the same report
How to reduce the number of RLS roles
How to implement user-based filtering
Where RLS logic is created vs enforced
Key Takeaways for the PL-300 Exam
RLS restricts row-level data visibility
Roles and filters are created in Power BI Desktop
Users and groups are assigned in the Power BI Service
Dynamic RLS uses USERPRINCIPALNAME()
RLS applies to all reports and apps using the semantic model
This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections: Manage and secure Power BI (15–20%) --> Secure and govern Power BI items --> Configure Access to Semantic Models
Note that there are 10 practice questions (with answers and explanations) at the end of each topic. Also, there are 2 practice tests with 60 questions each available on the hub below all the exam topics.
Overview
Configuring access to semantic models (formerly known as datasets) is a core responsibility of a Power BI Data Analyst and a key topic within the “Manage and secure Power BI (15–20%)” domain of the PL-300 exam. This topic focuses on how access to data models is controlled, shared, governed, and secured so that users can interact with data appropriately—without compromising data integrity or confidentiality.
For the exam, you should understand how semantic models are shared, who can access them, what level of access they have, and how security is enforced at both the model and row level.
What Is a Semantic Model in Power BI?
A semantic model is the business-ready representation of data in Power BI. It includes:
Tables, relationships, and hierarchies
Measures, calculated columns, and KPIs
Data formatting and metadata
Security rules (such as Row-Level Security)
Semantic models are published to the Power BI Service and act as the foundation for reports, dashboards, and analysis.
Access Control Concepts You Must Know
Workspace Roles
Access to semantic models is primarily governed by workspace roles in the Power BI Service:
Role
Capabilities Related to Semantic Models
Viewer
Can view reports and read data (if permitted)
Contributor
Can create and edit content, including reports
Member
Can publish, update, and share semantic models
Admin
Full control, including managing permissions and security
Exam Tip: Viewers cannot create new reports from a semantic model unless Build permission is explicitly granted.
Semantic Model Permissions
Semantic models support item-level permissions, separate from workspace roles.
Key permissions include:
Read – Allows users to view data used in reports
Build – Allows users to create new reports using the semantic model
Reshare – Allows users to share the semantic model with others
These permissions can be assigned to:
Individual users
Security groups
Microsoft Entra ID (Azure AD) groups
Best Practice: Grant access using security groups instead of individual users for scalability and easier management.
Build Permission (Highly Exam-Relevant)
Build permission is one of the most tested concepts in this topic.
With Build permission, users can:
Create new reports using the semantic model
Use the model in Excel (Analyze in Excel)
Use the model via external tools (when allowed)
Without Build permission:
Users can view reports
Users cannot create new reports from the model
Build permission can be granted:
Automatically through workspace role (Member/Admin)
Manually on the semantic model
Via sharing settings
Sharing Semantic Models
Semantic models can be shared in several ways:
Through workspace access
By directly sharing the semantic model
By publishing reports that use the model
Via Power BI Apps
When sharing, you can choose whether recipients:
Can build new content
Can reshare the model
Are restricted by existing security rules
Exam Scenario: A user can view a report but cannot create their own—this often indicates missing Build permission.
Row-Level Security (RLS)
Row-Level Security restricts which rows of data a user can see within a semantic model.
Key RLS concepts:
Roles are defined in Power BI Desktop
DAX filters control row visibility
Users or groups are assigned to roles in the Power BI Service
RLS applies to all reports using the model
Types of RLS:
Static RLS – Fixed filters (e.g., Region = “West”)
Dynamic RLS – Filters based on the logged-in user (e.g., USERPRINCIPALNAME())
Important: RLS is enforced at the semantic model level, not the report level.
Object-Level Security (OLS) (Awareness Level)
While not deeply tested, you should be aware that Object-Level Security can:
Hide tables, columns, or measures from specific users
Be configured using external tools (e.g., Tabular Editor)
OLS complements RLS but is more advanced and typically managed by model developers.
Certified Dataset / Endorsed Semantic Models
To support governance, Power BI allows semantic models to be endorsed:
Promoted – Indicates the model is reliable and ready for reuse
Certified – Officially validated and approved by data owners or admins
Endorsements help users:
Identify trusted data sources
Avoid using unofficial or duplicate models
Exam Tip: Certification requires specific tenant permissions and approval workflows.
Power BI Apps and Semantic Models
When distributing content via a Power BI App:
Access to the semantic model is controlled through the app
Users can be allowed to connect to the underlying semantic model
RLS still applies
Apps provide a controlled, read-only distribution method while maintaining centralized security.
Common Exam Scenarios
You may be asked to determine:
Why a user cannot build a report from an existing model
How to allow self-service reporting without giving full workspace access
How to restrict data visibility for different users
Which permission or role best fits a business requirement
Key Takeaways for the PL-300 Exam
Semantic models are secured through workspace roles and item-level permissions
Build permission is essential for report creation and analysis
Row-Level Security controls data visibility per user
Use groups, not individuals, for scalable access control
Endorsed and certified models support governance and trust
Security is applied at the semantic model level, not per report
Just a FYI … this topic emphasizes balancing self-service analytics with strong data governance, a recurring theme throughout the PL-300 exam.
This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections: Manage and secure Power BI (15–20%) --> Secure and govern Power BI items --> Configure Item-Level Access
Note that there are 10 practice questions (with answers and explanations) at the end of each topic. Also, there are 2 practice tests with 60 questions each available on the hub below all the exam topics.
Overview
Item-level access in Power BI controls who can access specific Power BI items—such as reports, dashboards, semantic models (datasets), and apps—and what actions they can perform on those items.
This topic is part of the Manage and secure Power BI (15–20%) exam domain and falls specifically under Secure and govern Power BI items, making it a critical governance concept for PL-300 candidates.
Unlike workspace roles (which define broad permissions across an entire workspace), item-level access allows more granular control over individual Power BI assets.
What Is Item-Level Access?
Item-level access refers to permissions assigned directly to individual Power BI items, independent of workspace roles. These permissions determine whether users can:
View an item
Share an item
Build new content using an item
Reshare or export data
Modify or manage the item
Item-level access is commonly configured for:
Reports
Dashboards
Semantic models (datasets)
Apps (indirectly through audience access)
Why Item-Level Access Matters (Exam Perspective)
From a PL-300 standpoint, item-level access is important because it helps:
Enforce principle of least privilege
Enable self-service BI safely
Separate content creation from content consumption
Support enterprise governance without duplicating workspaces
Expect exam questions that test when to use item-level permissions instead of workspace roles, and how item-level access interacts with security features like RLS.
Configuring Item-Level Access by Item Type
1. Report-Level Access
Reports can be shared directly with users or groups.
Key capabilities:
View report
Share report (optional)
Build new content (if underlying model allows it)
How it’s configured:
Use the Share button on a report
Assign access to users, security groups, or distribution lists
Important exam note: Sharing a report does not automatically grant access to the underlying semantic model unless explicitly allowed.
2. Dashboard-Level Access
Dashboards are typically shared for executive or summary-level consumption.
Key characteristics:
View-only by default
No data modeling or editing
Tiles link back to underlying reports (which require separate access)
Exam tip: Users must also have access to the source reports behind dashboard tiles to avoid broken visuals.
3. Semantic Model (Dataset) Item-Level Access
Semantic models support some of the most important item-level permissions.
Key permissions:
Read – view reports using the model
Build – create new reports or analyze in Excel
Reshare – share the dataset with others
Common use case:
Grant Build permission to analysts so they can create their own reports without modifying the dataset.
Exam highlight: The Build permission is essential for self-service BI scenarios and is frequently tested.
4. App Access (Audience-Based)
Apps use audiences to control item-level visibility.
What audiences allow you to do:
Show different content to different user groups
Hide specific reports or dashboards
Control navigation and access without duplicating content
Best practice:
Use Azure AD security groups for app audiences.
Item-Level Access vs Workspace Roles
Feature
Workspace Roles
Item-Level Access
Scope
Entire workspace
Individual items
Granularity
Coarse
Fine-grained
Best for
Content creators/admins
Consumers & self-service
Exam focus
Governance
Security precision
Key exam takeaway: Workspace roles control what users can do, while item-level access controls what items they can access.
Item-Level Access and Row-Level Security (RLS)
These two are often confused on the exam.
Item-level access controls access to content
RLS controls data visibility within content
They are complementary, not interchangeable.
Example scenario:
Item-level access → Can the user open the report?
RLS → What rows of data does the user see after opening it?
Best Practices for Configuring Item-Level Access
Use Azure AD security groups instead of individuals
Grant Build permission carefully
Avoid oversharing datasets
Combine item-level access with RLS for data security
Prefer apps and audiences for large-scale distribution
Forgetting that dashboard tiles require report access
Overlooking Build permission in self-service scenarios
Summary for PL-300 Exam Readiness
To succeed on PL-300 questions about item-level access, you should be able to:
✔ Identify when item-level access is required ✔ Configure permissions for reports, dashboards, and datasets ✔ Understand Build vs Read permissions ✔ Explain how item-level access differs from workspace roles ✔ Combine item-level access with RLS appropriately
This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections: Manage and secure Power BI (15–20%) --> Secure and govern Power BI items --> Assign Workspace Roles
Note that there are 10 practice questions (with answers and explanations) at the end of each topic. Also, there are 2 practice tests with 60 questions each available on the hub below all the exam topics.
Overview
In Power BI, workspaces are collaborative containers used to develop, manage, and distribute content such as semantic models (datasets), reports, dashboards, dataflows, and apps. Assigning workspace roles is a core governance task that ensures users have the appropriate level of access—no more and no less—based on their responsibilities.
For the PL-300 exam, you are expected to understand:
The four workspace roles
What each role can and cannot do
When to assign each role
How workspace roles relate to security, governance, and content lifecycle
Power BI Workspace Roles
Power BI provides four predefined workspace roles:
1. Admin
Highest level of access
Admins have full control over the workspace and its contents.
Key capabilities:
Add or remove users and assign roles
Update workspace settings
Publish, update, and delete all content
Configure semantic model settings (refresh, credentials, endorsements)
Publish and update workspace apps
Delete the workspace
Typical use cases:
Power BI service administrators
BI platform owners
Lead analytics engineers
🔑 Exam tip: Only Admins can manage workspace access and delete a workspace.
2. Member
Content creators and managers
Members can actively create and manage content, but they cannot manage workspace access.
Key capabilities:
Create, edit, and delete reports and dashboards
Publish semantic models
Configure scheduled refresh
Publish and update workspace apps
Share content (depending on tenant settings)
Limitations:
Cannot add or remove workspace users
Cannot delete the workspace
Typical use cases:
Power BI developers
Data analysts responsible for production content
3. Contributor
Content creators without publishing authority
Contributors can build and modify content, but they cannot publish apps or manage access.
Key capabilities:
Create and edit reports and semantic models
Upload PBIX files
Modify existing content they have access to
Limitations:
Cannot publish or update workspace apps
Cannot manage workspace users
Cannot change workspace settings
Typical use cases:
Analysts building reports for review
Developers working in shared or pre-production workspaces
4. Viewer
Read-only access
Viewers can consume content but cannot modify anything.
Key capabilities:
View reports, dashboards, and apps
Interact with visuals (filters, slicers)
Export data (if allowed)
Limitations:
Cannot create or edit content
Cannot publish apps
Cannot configure refresh or settings
Typical use cases:
Business users
Executives and stakeholders
Consumers of certified content
🔑 Exam tip: Viewers require a Power BI Pro license unless the workspace is in Premium capacity.
Assigning Workspace Roles
Workspace roles are assigned in the Power BI service:
Navigate to the workspace
Select Access
Add users or groups
Assign the appropriate role (Admin, Member, Contributor, Viewer)
🔐 Best practice: Assign Azure AD security groups instead of individual users to simplify governance and reduce maintenance.
Governance and Security Considerations
Least Privilege Principle
Always assign the lowest role necessary for a user to perform their job.
Consumers → Viewer
Report authors → Contributor or Member
Platform owners → Admin
Separation of Duties
Use different workspaces for:
Development
Testing
Production
Assign higher roles in dev, more restrictive roles in prod.
Workspace Roles vs Item-Level Security
Workspace roles control what users can do
Row-level security (RLS) controls what data users can see
Both are often used together.
Common Exam Scenarios
You may see questions such as:
Which role allows a user to publish an app but not manage access? → Member
Which role is required to assign users to a workspace? → Admin
Which role should be assigned to report consumers? → Viewer
Why use Contributor instead of Member? → To prevent app publishing or access management
Key Takeaways for PL-300
Know all four workspace roles
Understand capabilities vs limitations
Admin = access + settings
Member = manage content + apps
Contributor = build content only
Viewer = consume content only
Assign roles strategically for security and governance
The Data Community 