Tag: PL-300: Microsoft Power BI Data Analyst

Business Intelligence Platform, Data Education & Training, PL-300, Power BI

Practice Questions: Implement Row-Level Security Roles (PL-300 Exam Prep)

 
This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections:
Manage and secure Power BI (15–20%)
   --> Secure and govern Power BI items
      --> Implement row-level security roles

Below are 10 practice questions (with answers and explanations) for this topic of the exam.
There are also 2 practice tests for the PL-300 exam with 60 questions each (with answers) available on the hub.

Practice Questions

Question 1

Where are Row-Level Security roles and filters created?

A. In the Power BI Service
B. In Power BI Desktop
C. In Microsoft Entra ID
D. In Power BI Apps

Correct Answer: B

Explanation:
RLS roles and DAX filters are created in Power BI Desktop. Users and groups are assigned to those roles later in the Power BI Service.

Question 2

Which DAX function is most commonly used to implement dynamic RLS?

A. USERELATIONSHIP()
B. USERNAME()
C. USERPRINCIPALNAME()
D. SELECTEDVALUE()

Correct Answer: C

Explanation:
USERPRINCIPALNAME() returns the logged-in user’s email/UPN and is the most commonly used function for dynamic RLS scenarios.

Question 3

A single semantic model must filter sales data so that users only see rows matching their email address. What is the best approach?

A. Create one role per user
B. Create static RLS roles by region
C. Use dynamic RLS with a user-mapping table
D. Use Object-Level Security

Correct Answer: C

Explanation:
Dynamic RLS with a user-to-dimension mapping table scales efficiently and avoids creating many static roles.

Question 4

What happens if a user belongs to multiple RLS roles?

A. Access is denied
B. Only the most restrictive role is applied
C. The union of all role filters is applied
D. The first role alphabetically is applied

Correct Answer: C

Explanation:
Power BI applies the union of RLS role filters, meaning users see data allowed by any role they belong to.

Question 5

Which statement about Row-Level Security behavior is correct?

A. RLS is applied at the report level
B. RLS applies only to dashboards
C. RLS is enforced at the semantic model level
D. RLS must be reconfigured for each report

Correct Answer: C

Explanation:
RLS is enforced at the semantic model level and automatically applies to all reports and apps using that model.

Question 6

You test RLS using View as role in Power BI Desktop. What does this feature do?

A. Permanently applies RLS to the model
B. Bypasses RLS for the model author
C. Simulates how the report appears for a role
D. Assigns users to roles automatically

Correct Answer: C

Explanation:
View as allows you to simulate role behavior to validate RLS logic before publishing.

Question 7

Which type of RLS is least scalable in enterprise environments?

A. Dynamic RLS
B. RLS using USERPRINCIPALNAME()
C. Static RLS with hard-coded values
D. Group-based RLS

Correct Answer: C

Explanation:
Static RLS requires separate roles for each data segment, making it difficult to maintain at scale.

Question 8

A user accesses a report through a Power BI App. How does RLS behave?

A. RLS is ignored
B. RLS must be redefined in the app
C. RLS is enforced automatically
D. Only static RLS is enforced

Correct Answer: C

Explanation:
RLS is always enforced at the semantic model level, including when content is accessed through apps.

Question 9

Which security feature should be used if you need to hide entire columns or tables from certain users?

A. Row-Level Security
B. Workspace roles
C. Object-Level Security
D. Build permission

Correct Answer: C

Explanation:
RLS controls rows only. Object-Level Security (OLS) is used to hide tables or columns.

Question 10

Which best practice is recommended when assigning users to RLS roles?

A. Assign individual users directly
B. Assign workspace Admins only
C. Assign Microsoft Entra ID security groups
D. Assign report-level permissions

Correct Answer: C

Explanation:
Using security groups improves scalability, governance, and ease of maintenance.

Final PL-300 Exam Reminders

  • RLS controls data visibility, not report access
  • Dynamic RLS is heavily tested
  • RLS applies everywhere the semantic model is used
  • Users see the union of multiple roles
  • RLS is defined in Desktop, enforced in the Service

Go back to the PL-300 Exam Prep Hub main page

Data Education & Training, PL-300, Power BI

Practice Questions: Configure Row-Level Security Group Membership (PL-300 Exam Prep)

 
This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections: 
Manage and secure Power BI (15–20%) 
    --> Secure and govern Power BI items 
        --> Configure row-level security group membership

Below are 10 practice questions (with answers and explanations) for this topic of the exam. 
There are also 2 practice tests for the PL-300 exam with 60 questions each (with answers) available on the hub.

Practice Questions

Question 1

Where are security groups assigned to RLS roles?

A. Power BI Desktop
B. Power BI Service
C. Microsoft Entra ID only
D. Power BI App settings

Correct Answer: B

Explanation:
RLS roles and filters are created in Power BI Desktop, but users and security groups are assigned to roles in the Power BI Service after the model is published.

Question 2

Which approach is considered a best practice for managing RLS membership at scale?

A. Assign individual users to each role
B. Create one role per user
C. Assign Microsoft Entra ID security groups to roles
D. Use workspace Admin access

Correct Answer: C

Explanation:
Using Entra ID security groups simplifies administration, supports scalability, and aligns with enterprise security standards.

Question 3

What happens when a user is added to an Entra ID security group that is already assigned to an RLS role?

A. The semantic model must be republished
B. The role must be recreated
C. The user automatically inherits the RLS permissions
D. The user must be manually added in Power BI

Correct Answer: C

Explanation:
Group-based RLS automatically applies to all members of the group without changes to the model or Power BI configuration.

Question 4

Which type of group is recommended for RLS role membership?

A. Distribution list
B. Microsoft 365 group
C. Entra ID security group
D. Power BI workspace group

Correct Answer: C

Explanation:
Entra ID security groups are designed for access control and are the preferred option for RLS scenarios.

Question 5

A user belongs to two security groups, each assigned to a different RLS role. How is access determined?

A. The most restrictive role applies
B. The first role applied alphabetically applies
C. Access is denied
D. The union of both roles applies

Correct Answer: D

Explanation:
Power BI applies the union of all RLS roles a user belongs to, allowing access to any data permitted by either role.

Question 6

Which action requires updating Microsoft Entra ID, not Power BI?

A. Modifying a DAX RLS filter
B. Creating a new RLS role
C. Adding a user to an RLS role via group membership
D. Testing RLS with View as

Correct Answer: C

Explanation:
User membership in security groups is managed in Entra ID, not in Power BI.

Question 7

Which statement about testing group-based RLS is correct?

A. Group membership can be fully tested in Power BI Desktop
B. Group membership is evaluated only in the Power BI Service
C. RLS does not apply to groups
D. Groups bypass dynamic RLS

Correct Answer: B

Explanation:
Power BI Desktop can test role logic, but actual group membership is evaluated only in the Power BI Service.

Question 8

Why is group-based RLS preferred over assigning individual users?

A. It improves report performance
B. It hides tables and columns
C. It reduces the need to update Power BI when users change roles
D. It removes the need for DAX filters

Correct Answer: C

Explanation:
Group-based RLS allows access changes to be managed centrally without modifying Power BI roles or republishing models.

Question 9

Which security concept is often confused with RLS group membership but serves a different purpose?

A. Build permission
B. Workspace roles
C. Object-Level Security
D. All of the above

Correct Answer: D

Explanation:
All listed options are different security mechanisms that control content access or structure, not row-level data visibility.

Question 10

What is the primary role of Power BI in a group-based RLS solution?

A. Managing group membership
B. Authenticating users
C. Enforcing data filters defined in RLS roles
D. Creating security groups

Correct Answer: C

Explanation:
Power BI enforces RLS filters at query time, while identity and group membership are managed externally in Entra ID.

Final PL-300 Exam Reminders

  • Use Entra ID security groups for RLS membership
  • Assign groups in the Power BI Service
  • RLS role logic lives in Power BI Desktop
  • Users see the union of all assigned roles
  • Group membership changes do not require republishing

Go back to the PL-300 Exam Prep Hub main page