CCNA Manage and secure Power BI Questions

75 of 164 questions · Page 1/3 · Manage and secure Power BI · Answers revealed

1
Multi-Selecteasy

A Power BI administrator wants to allow users to create dashboards and reports, but prevent them from sharing content outside the organization. Which two settings should be configured in the Power BI admin portal? (Choose two.)

Select 2 answers
A.Disable 'Create workspaces' in the tenant settings.
B.Disable 'Export data' in the tenant settings.
C.Disable 'Featured tables' in the tenant settings.
D.Disable 'Share content with external users' in the tenant settings.
E.Disable 'Publish to web' in the tenant settings.
AnswersD, E

This setting prevents users from sharing reports and dashboards with external email addresses.

Why this answer

Option A (control 'Share content with external users') and Option D (disable 'Publish to web') are correct. Option A directly blocks sharing with external users. Option D prevents public sharing via embed codes.

Option B (create workspaces) is irrelevant to sharing. Option C (export data) is about exporting, not sharing. Option E (featured tables) is unrelated.

2
MCQhard

Your organization uses Power BI and has implemented Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security). A user reports that they are unable to export data from a Power BI report. The Power BI tenant settings allow export. What could be the cause?

A.The 'Export to Excel' setting is disabled in the Power BI admin portal.
B.A sensitivity label with high classification is applied to the report, automatically blocking export.
C.The user is an external guest user.
D.A Microsoft Defender for Cloud Apps session policy is blocking the export based on the user's risk level or the report's sensitivity.
AnswerD

Defender for Cloud Apps can enforce real-time session controls that block downloads.

Why this answer

Option D is correct because Defender for Cloud Apps can create session policies that block downloads based on risk or sensitivity. Option A is wrong because the tenant setting allows export. Option B is wrong because the user is not a guest.

Option C is wrong because sensitivity labels alone do not block export; they need DLP policies.

3
MCQhard

A Power BI administrator needs to ensure that reports containing sensitive financial data are only accessible to users who have completed mandatory training and are using compliant devices. The organization uses Microsoft Entra ID and Microsoft Intune. Which feature should the administrator configure?

A.Deploy Microsoft Purview to scan the reports and enforce access policies
B.Use row-level security (RLS) to filter data based on user training status
C.Create a Conditional Access policy that requires device compliance and a specific group membership for training completion
D.Apply sensitivity labels to the reports and require MFA
AnswerC

Conditional Access can enforce device compliance and user attributes like group membership.

Why this answer

Option B is correct because Conditional Access policies in Microsoft Entra ID can enforce access controls based on device compliance (Intune) and training completion (custom attribute or group membership). Option A is wrong because sensitivity labels classify and protect data, but do not enforce device compliance or training. Option C is wrong because RLS restricts data within a report, not access to the report itself.

Option D is wrong because Microsoft Purview is for data governance, not access policies.

4
MCQmedium

Refer to the exhibit. A Power BI administrator reviews a row-level security (RLS) policy for the Sales dataset. The SalesManager role should see all sales above $10,000, and the SalesRep role should see all sales above $0. However, users in the SalesRep role report that they cannot see any data when they open the report. What is the most likely issue?

A.The SalesRep role is not assigned to any users
B.The column name in the filter expression does not match the actual column name in the dataset
C.The filter expression uses a comparison operator that is not supported in RLS
D.The RLS role uses a filter on a measure, not a column
AnswerB

Mismatched column names cause RLS to not apply, resulting in no data.

Why this answer

Option C is correct because the filter expression uses the column name 'SalesAmount' but the actual column may be named differently (e.g., 'Amount'). RLS filters must match the exact column name in the dataset. Option A is wrong because RLS can filter on any numeric column.

Option B is wrong because if the role is assigned, users would see data based on the filter. Option D is wrong because the '>' operator is valid.

5
MCQmedium

A data analyst publishes a Power BI dataset to a Premium workspace and grants 'Build' permission to a group of report creators. One report creator complains that they cannot see certain tables in the dataset when building a new report. What is the most likely cause?

A.The user lacks direct query permissions to the underlying data source.
B.The user does not have 'Build' permission on the dataset.
C.The dataset is configured with service principal authentication, and the user is not using a service principal.
D.Row-level security (RLS) is configured on the dataset, hiding some tables.
AnswerD

RLS can restrict visibility of table rows, but not tables; however, if RLS roles are misconfigured, certain tables may appear empty, but the user still sees the table structure.

Why this answer

Option C is correct. Row-level security (RLS) filters the data a user can see, but it does not hide tables from the data model view. Option A is wrong because 'Build' permission allows users to build reports from the dataset.

Option B is wrong because data source credentials are managed at the dataset level, not per user. Option D is wrong because the dataset is in a Premium workspace; service principal access is not required for report creation.

6
MCQmedium

Refer to the exhibit. You have a Power BI dataset configured with the refresh schedule shown. On Monday at 04:00 UTC, you check the refresh history and see the refresh failed. What is the most likely cause?

A.The on-premises data gateway is not installed.
B.The refresh time is set to 03:00 UTC, but the dataset is in a different time zone.
C.The refresh schedule only runs on weekdays, but Monday is considered a weekend in some regions.
D.The service principal used for authentication has expired or lacks permissions.
AnswerD

Service principal authentication requires valid credentials and permissions.

Why this answer

The connection string uses 'ActiveDirectoryServicePrincipal' which requires a service principal to be registered in Microsoft Entra ID. If the service principal does not have the correct permissions or the secret expired, the refresh will fail. Option B is correct.

Option A is wrong because the gateway is not needed for Azure SQL. Option C is wrong because the refresh time is on the hour. Option D is wrong because the refresh schedule is set only on weekdays, but Monday is a weekday, so that's fine.

7
MCQmedium

You are a Power BI administrator. A user reports that their scheduled data refresh fails with error 'The data source credentials are no longer valid.' The dataset uses a SQL Server database with Windows authentication. What should you do first to resolve the issue?

A.Reinstall the on-premises data gateway on the server.
B.Reassign the dataset to a different Premium capacity.
C.Modify the dataset to use 'Impersonate the authenticated user' for data sources.
D.Ask the user to update the data source credentials in the Power BI service dataset settings.
AnswerD

Windows credentials may expire; updating them in the service resolves the error.

Why this answer

Option C is correct because the most common cause for Windows authentication failures is a password change; the user can update credentials in the dataset settings. Option A is wrong because the on-premises gateway is not necessarily the issue. Option B is wrong because impersonation does not apply to Windows credentials.

Option D is wrong because capacity reassignment does not fix credential issues.

8
MCQeasy

You need to ensure that only the Finance team can access a specific Power BI dashboard. What is the most efficient way to accomplish this?

A.Create a new workspace, add the Finance team as Members, and move the dashboard to that workspace.
B.Share the dashboard directly with the Finance team security group, granting only 'View' permissions.
C.Add the Finance team as Admins of the workspace containing the dashboard.
D.Publish the dashboard as an app and assign the Finance team as the audience.
AnswerB

Direct sharing is quick and allows granular access.

Why this answer

Option A is correct because sharing the dashboard directly with the Finance team security group is the simplest and most efficient method. Option B is wrong because it would require moving the dashboard. Option C is wrong because apps are for distributing multiple items.

Option D is wrong because it would affect all content in the workspace.

9
MCQmedium

You manage a Power BI environment. A user wants to share a dashboard with an external partner. You need to ensure the partner cannot export data or share the dashboard further. What should you do?

A.Create a composite model on top of the dataset and share the report as an app.
B.Create a new workspace and add the partner as a Viewer.
C.Add the partner as a guest user in Microsoft Entra ID and share the dashboard directly, ensuring the 'Allow recipients to share' and 'Allow users to export data' options are unchecked.
D.Publish the dashboard to a public website using 'Publish to web'.
AnswerC

Direct sharing with a guest allows granular permission control.

Why this answer

Option C is correct because sharing with an external user as a guest restricts them based on their guest permissions; you can disable export and resharing in the sharing dialog. Option A is wrong because Publish to web makes it public. Option B is wrong because building a composite model is not a sharing method.

Option D is wrong because the partner would need to be a guest anyway.

10
Multi-Selectmedium

Which TWO actions should a Power BI admin take to ensure compliance with data residency requirements? (Choose two.)

Select 2 answers
A.Configure the default storage location in the Power BI admin portal.
B.Enable 'Data residency' settings in the admin portal.
C.Use Power BI Report Server for on-premises data.
D.Store datasets in Azure Data Lake Storage.
E.Assign workspaces to Premium capacities in specific regions using Multi-Geo.
AnswersA, E

Default storage location can be set at tenant creation.

Why this answer

Options A and D are correct because data residency can be controlled by choosing the region where the tenant is created and by using Multi-Geo capabilities for Premium capacities. Option B is wrong because data is stored in the region of the capacity. Option C is wrong because the admin portal does not allow users to choose residency.

Option E is wrong because Azure Data Lake is not a storage for Power BI data.

11
MCQeasy

A data analyst needs to ensure that a Power BI dataset used in a shared workspace is refreshed daily at 6 AM. The data source is an Azure SQL Database. The analyst's account has database permissions. What should the analyst configure?

A.Enable XMLA endpoints for the workspace.
B.Configure scheduled refresh in the dataset settings.
C.Install an on-premises data gateway.
D.Configure refresh in the report settings.
AnswerB

Scheduled refresh allows setting a daily refresh at a specific time.

Why this answer

Option B is correct because a scheduled refresh in the dataset settings allows configuring refresh frequency and time. Option A is wrong because Gateway is needed only for on-premises sources. Option C is wrong because XMLA endpoints are for advanced management, not scheduling refresh.

Option D is wrong because the refresh is scheduled on the dataset, not the report.

12
MCQhard

Refer to the exhibit. A Power BI administrator runs a PowerShell script to get an access token for the Power BI API. The output shows a token with claims. Based on the token, which authentication method was used?

A.Multi-factor authentication (MFA)
B.Device code flow
C.Password-based authentication
D.Certificate-based authentication
AnswerC

Correct. The 'pwd' claim indicates password.

Why this answer

Option B is correct because the 'amr' claim contains 'pwd', which indicates password-based authentication. Option A is wrong because MFA would show 'mfa' in amr. Option C is wrong because certificate-based authentication would show 'cert'.

Option D is wrong because device code flow would show 'device_authentication'.

13
MCQmedium

Your organization uses Power BI Premium per user. You need to ensure that a specific report is only accessible via a Power BI app and not directly in the workspace. What should you do?

A.In the workspace settings, set 'Allow users to access the workspace content directly' to disabled.
B.Remove the users from the workspace role.
C.Publish the report to a different workspace.
D.Share the report only with the app users.
AnswerA

This forces app-only access.

Why this answer

Option D is correct because hiding the report from users in the workspace forces access via the app only. Option A is wrong because sharing still gives direct access. Option B is wrong because removing access entirely prevents app access too.

Option C is wrong because it doesn't restrict.

14
Multi-Selecteasy

Which TWO are valid methods to secure access to a Power BI dataset? (Select exactly two.)

Select 2 answers
A.Row-level security (RLS)
B.Column-level security (CLS)
C.Object-level security (OLS)
D.App permissions
E.Data encryption at rest
AnswersA, C

Filters rows based on user.

Why this answer

Row-level security (RLS) and object-level security (OLS) are the two primary methods. Option A is correct, Option B is correct. Option C is wrong because column-level security is not a separate feature; it's OLS.

Option D is wrong because app permissions control access to the app, not the dataset directly. Option E is wrong because data encryption is not a dataset-level access control.

15
MCQmedium

A company has Power BI Premium capacity. They want to allow developers to deploy datasets using the XMLA endpoint with a service principal. What must the admin configure?

A.Enable service principal access in the Power BI admin portal under 'Developer settings'.
B.Install an on-premises data gateway.
C.Add the service principal as a member of the workspace.
D.Create an app registration in Microsoft Entra ID.
AnswerA

Service principal access must be explicitly enabled for the tenant.

Why this answer

Option C is correct because service principals need to be enabled in the capacity settings and assigned to the workspace. Option A is wrong because service principals need specific permissions, not just reader. Option B is wrong because the gateway is not required for cloud sources.

Option D is wrong because app registration is needed but enabling in capacity is the key step.

16
MCQhard

You manage a Power BI environment where users frequently create personal workspaces. The finance team requires that all financial reports be placed in a managed workspace to enforce data protection labels from Microsoft Purview. What should you implement to prevent users from saving financial reports to their personal workspaces?

A.Require sensitivity labels on all financial datasets.
B.Disable the 'Allow sharing with external users' tenant setting.
C.Enable the 'Block external data sharing' setting in Microsoft Purview.
D.Disable the 'Create workspaces (My Workspace)' tenant setting in the admin portal.
AnswerD

Disabling this setting prevents users from creating personal workspaces, enforcing the use of managed workspaces.

Why this answer

Option C is correct because the Power BI admin portal allows you to block the creation of personal workspaces, forcing users to use managed workspaces. Option A is wrong because sensitivity labels are applied to content but do not prevent saving to personal workspaces. Option B is wrong because tenant settings for sharing do not restrict workspace creation.

Option D is wrong because the external data sharing setting is unrelated.

17
MCQmedium

You are a Power BI administrator for a large enterprise. The organization uses Microsoft Purview Information Protection sensitivity labels. You have enabled sensitivity labels in the Power BI admin portal and published labels in the Microsoft 365 Compliance Center. Users have been assigned the appropriate licenses. However, when a user tries to apply a sensitivity label to a report in the Power BI service, the label options are grayed out. The user has a Power BI Pro license and is a Member of the workspace where the report resides. The report is stored in a workspace that is backed by a Premium capacity. What is the most likely reason the user cannot apply the label?

A.The user does not have the required Azure Rights Management (Azure RMS) license or permissions to apply labels.
B.The sensitivity labels have not been published to the user's security group.
C.The workspace is not enabled for sensitivity labels; you need to enable labels at the workspace level.
D.The user's role in the workspace is insufficient; they need at least Contributor role to apply labels.
AnswerA

Applying labels requires Azure Information Protection rights.

Why this answer

Option C is correct because to apply sensitivity labels in Power BI, the user must have the 'Azure Information Protection' (AIP) rights (e.g., 'Rights Management' or 'Protection') enabled. Even with a Pro license, if the user does not have the AIP add-on or the rights assigned, they cannot apply labels. Option A is wrong because the workspace is backed by Premium, but labels work in shared capacity too.

Option B is wrong because the user is a Member, which allows editing. Option D is wrong because the labels are published.

18
MCQeasy

You are a Power BI administrator. A user reports that they cannot see a shared dashboard in their Power BI account. You verify that the dashboard has been shared with the user. What is the most likely cause?

A.The user is looking in the wrong workspace or the dashboard is located in a different workspace.
B.The dashboard owner does not have a Power BI Pro license.
C.The user is signed in with the wrong Microsoft Entra ID account.
D.The dashboard has not been shared with the user's security group.
AnswerA

Shared dashboards appear in the 'Shared with me' list or the workspace they are in; the user may be looking in the wrong place.

Why this answer

Option B is correct because the user may be accessing the wrong workspace or the dashboard may be shared in a different workspace context. Option A is wrong because if the user is signed in with the wrong account, they would see a different set of items. Option C is wrong because the dashboard was shared, so sharing is not the issue.

Option D is wrong because the dashboard owner's license does not affect visibility for the user.

19
MCQmedium

Your organization uses Power BI and has a requirement that all reports must be accessible to users with screen readers. You need to configure the Power BI service to enforce accessibility compliance. What should you do?

A.Use Microsoft Entra ID to enforce conditional access for accessibility.
B.Use Microsoft Intune to enforce accessibility policies on user devices.
C.Set accessibility properties on each report individually.
D.In the Power BI admin portal, enable the 'Enforce accessibility requirements' setting.
AnswerD

This setting enforces accessibility checks.

Why this answer

Option A is correct because accessibility settings in Power BI service can enforce requirements like alt text and tab order. Option B is wrong because Microsoft Intune manages devices, not Power BI accessibility. Option C is wrong because Microsoft Entra ID does not have accessibility settings for Power BI.

Option D is wrong because report-level settings are manual, not enforced tenant-wide.

20
MCQmedium

You have a Power BI dataset that uses DirectQuery to a SQL Server data warehouse. You need to ensure that when users view reports, they see only data relevant to their department. The data warehouse contains a 'Department' column. What should you implement?

A.Configure the data source credentials to pass the user's identity.
B.Create separate datasets for each department and grant access accordingly.
C.Implement object-level security (OLS) on the 'Department' column.
D.Define row-level security (RLS) roles in Power BI Desktop and assign users.
AnswerD

RLS filters data at the row level based on user identity.

Why this answer

Option B is correct because row-level security (RLS) in Power BI allows you to filter data based on the user's identity. By defining roles and using DAX filters like 'Department = USERPRINCIPALNAME()', you can restrict data. Option A is wrong because object-level security (OLS) controls access to tables/columns, not rows.

Option C is wrong because data source credentials are used for connection, not for filtering. Option D is wrong because Power BI does not support query passthrough for RLS; RLS is implemented in Power BI.

21
MCQeasy

You are configuring a Power BI data gateway for a scheduled refresh. The data source is an on-premises SQL Server database. Which authentication method should you use for the gateway to connect to the SQL Server?

A.Windows authentication (Kerberos)
B.OAuth 2.0
C.Service Principal
D.Basic authentication with SQL login
AnswerA

Standard for on-prem SQL Server.

Why this answer

The gateway typically uses Windows authentication (Kerberos) for on-premises SQL Server to support single sign-on and pass-through. Option B is correct. Option A is wrong because OAuth is for cloud services.

Option C is wrong because Basic is less secure and not recommended. Option D is wrong because Service Principal is for Azure resources.

22
MCQeasy

You have a Power BI workspace that contains a report connected to an Azure Analysis Services (AAS) model. The data source uses Single Sign-On (SSO) with Microsoft Entra ID. When users access the report, they see an error that the data cannot be refreshed. What is the most likely cause?

A.Row-level security (RLS) is not configured on the AAS model.
B.The data source credentials are stored in the dataset.
C.The service principal used for authentication has expired.
D.The dataset is configured in Import mode.
AnswerD

SSO only works with DirectQuery or Live Connection.

Why this answer

Option B is correct because SSO requires the dataset to use DirectQuery or Live Connection mode; Import mode does not support SSO. Option A is incorrect because the data source credentials are passed via SSO, not stored. Option C is incorrect because row-level security is applied at query time, not during connection.

Option D is incorrect because SSO uses the user's identity, not a service principal.

23
MCQeasy

Refer to the exhibit. User2 wants to add a new user to the Finance workspace. Can User2 perform this action, and why?

A.Yes, because User2 is a Contributor.
B.Yes, because User2 is a Member.
C.No, because the Premium capacity does not allow adding users.
D.No, because only Admins can add users.
AnswerD

Admin role is required to add users.

Why this answer

Option B is correct because only workspace Admins can add users. User2 is a Member, which does not include the permission to manage membership. Option A is wrong because Contributors cannot add users.

Option C is wrong because Member cannot add users. Option D is wrong because the capacity does not affect workspace membership permissions.

24
MCQmedium

Your organization uses Microsoft Intune to manage devices. You need to ensure that Power BI reports can only be viewed on managed devices that are compliant with company policies. What should you configure?

A.Power BI Premium capacity setting 'Restrict access to mobile devices'.
B.Conditional Access policy in Microsoft Entra ID requiring device compliance.
C.Power BI tenant setting 'Require users to sign in with Microsoft Entra ID'.
D.Mobile app management (MAM) policy in Microsoft Intune.
AnswerB

Conditional Access can block access from non-compliant devices.

Why this answer

Option A is correct because conditional access policies in Microsoft Entra ID can require compliant devices. Option B is wrong because it doesn't enforce device compliance. Option C is wrong because it's for mobile app protection, not device compliance.

Option D is wrong because it's for capacity.

25
MCQmedium

Refer to the exhibit. A Power BI administrator is reviewing a dataset configuration exported from a workspace. The dataset connects to an on-premises SQL Server using Windows authentication. The administrator wants to configure a gateway to support scheduled refresh without storing credentials. Which gateway type and configuration should be used?

A.Use the on-premises data gateway (standard mode) and configure Kerberos constrained delegation for single sign-on
B.Use the on-premises data gateway (standard mode) and store the connection string in the gateway
C.Use the on-premises data gateway (personal mode) and store the Windows credentials in the gateway
D.Use the virtual network (VNet) gateway and configure a service principal
AnswerA

Kerberos delegation allows seamless Windows authentication without storing credentials.

Why this answer

Option D is correct because the on-premises data gateway supports Windows authentication via Kerberos constrained delegation, allowing refresh without storing credentials. Option A is wrong because the personal gateway is only for a single user and requires credentials. Option B is wrong because the VNet gateway is for Azure VNets, not on-premises.

Option C is wrong because the on-premises data gateway does not need a connection string stored in the gateway; it uses the dataset's connection string.

26
MCQeasy

Your organization uses Power BI Premium per capacity. You need to ensure that only users from a specific Microsoft Entra ID security group can access the Power BI service. What should you do?

A.Disable the 'Publish to web' setting in the tenant admin portal.
B.Set the capacity to a different SKU.
C.Create a security group in the workspace and add users to that group.
D.Configure the Power BI tenant settings to 'Allow users to access Power BI service' and specify the security group.
AnswerD

This restricts access to the specified group.

Why this answer

Option A is correct because enabling tenant-level integration with Microsoft Entra ID allows restricting access to specific security groups. Option B is wrong because disabling public sharing doesn't restrict access. Option C is wrong because app security groups are for workspace access, not tenant access.

Option D is wrong because capacity settings control resources, not user access.

27
MCQhard

Refer to the exhibit. You are reviewing the configuration of a Power BI dataset with row-level security (RLS). A user named 'user@contoso.com' reports that they can see all data when they should see only data for their region. What is the most likely cause?

A.The 'effectiveIdentity' is set to the user's email, bypassing RLS.
B.The RLS roles are missing the 'SalesRole' mapping to the dataset.
C.The dataset does not have any RLS roles defined.
D.The user is not assigned to any RLS role.
AnswerA

The effective identity setting forces the dataset to use that identity, ignoring RLS for that user.

Why this answer

Option C is correct because the 'effectiveIdentity' property in the exhibit is set to 'user@contoso.com', which overrides RLS and allows that user to see all data. In Power BI, the effective identity is used for testing but in production, it should not be set for a specific user if RLS is intended. Option A is wrong because the roles include users, so RLS is configured.

Option B is wrong because the exhibit does not indicate a missing role mapping. Option D is wrong because the roles are defined; the issue is the effective identity.

28
MCQmedium

Refer to the exhibit. You are a Power BI administrator reviewing a workspace capacity configuration in the Power BI admin portal. Based on the exhibit, which of the following is true?

A.The workspace has data classification set to 'General'.
B.The workspace is on a Premium capacity with ABFSSmall storage format.
C.The workspace uses a customer-managed encryption key.
D.The workspace allows data sources from SharePoint Online.
AnswerB

'ABFSSmall' is a valid Premium capacity storage format.

Why this answer

Option C is correct because 'ABFSSmall' is a valid Premium capacity storage format (Azure Blob File System Small). Option A is wrong because encryption is 'ServiceManaged', not 'CustomerKey'. Option B is wrong because there is no 'SharePoint' in allowedDataSources.

Option D is wrong because the data classification is set to 'Confidential', not 'General'.

29
MCQmedium

You are a Power BI administrator. A user reports they cannot publish a report to a shared workspace because they receive an error 'You need at least a Contributor role to publish to this workspace.' The user is a member of a security group that has been assigned the Viewer role on the workspace. What should you do to allow the user to publish?

A.Grant the user Read permission on the report in the workspace.
B.Add the user as a Contributor directly to the workspace, or change the security group role to Contributor.
C.Change the user's role to Viewer on the workspace and ask them to use the 'Publish to web' option.
D.Create a new workspace and add the user as a Member.
AnswerB

Contributor role allows publishing. Adding the user directly overrides the group role.

Why this answer

Option C is correct because the Viewer role does not allow publishing; the user needs at least a Contributor role. Adding them directly as a Contributor overrides the group assignment. Option A is wrong because Power BI does not allow granting permissions on individual reports in a workspace.

Option B is wrong because Viewer allows viewing only. Option D is wrong because the app workspace already exists.

30
MCQhard

You are managing a Power BI deployment that uses Premium capacity. Users report that reports are loading slowly during peak hours. You need to identify whether the capacity is being overused. Which metric should you monitor?

A.Memory usage percentage.
B.Total dataset size in the workspace.
C.CPU high time percentage.
D.Average query execution time.
AnswerC

Correct. High CPU indicates capacity overload.

Why this answer

Option C is correct because CPU over-utilization is a key indicator of capacity stress in Premium. The 'CPU high' metric directly reflects processing load. Option A is wrong because query execution time is a result, not a direct capacity metric.

Option B is wrong because memory usage is important but CPU is more directly tied to responsiveness. Option D is wrong because dataset size is a design factor, not a real-time capacity metric.

31
Multi-Selectmedium

Which TWO actions should you take to ensure that sensitive columns (e.g., customer names) are not visible to certain users in a Power BI report? (Select exactly two.)

Select 2 answers
A.Use object-level security (OLS) to hide the columns for specific roles.
B.Apply dynamic data masking on the dataset in Power BI service.
C.Use row-level security (RLS) to filter out rows containing sensitive data.
D.Create separate datasets with and without sensitive columns and assign permissions accordingly.
E.Set the report to not allow users with certain roles to view the report.
AnswersA, D

OLS can hide columns or tables.

Why this answer

Object-level security (OLS) can hide entire columns from roles. Row-level security (RLS) filters rows but cannot hide columns. Building separate datasets is one way but not efficient.

Option A and B are correct. Option C is wrong because RLS does not hide columns. Option D is wrong because that controls access to the report, not column visibility.

Option E is wrong because masking is not available in Power BI.

32
MCQhard

A Power BI report uses a composite model combining Import and DirectQuery sources. When a user filters a visual, the report takes a long time to update. The admin wants to diagnose performance issues. Which tool should the admin use?

A.DAX Studio.
B.Performance Analyzer in Power BI Desktop.
C.Power BI activity log.
D.On-premises data gateway log.
AnswerB

Performance Analyzer provides detailed timing for each visual and query.

Why this answer

Option C is correct because Performance Analyzer shows query durations for each visual, helping identify slow queries. Option A is wrong because DAX Studio analyzes DAX queries but not the full report performance. Option B is wrong because the activity log shows events but not query-level details.

Option D is wrong because the gateway log is for gateway activities.

33
Multi-Selectmedium

You need to enforce that only users with a specific sensitivity label can access a Power BI report. Which TWO actions should you take?

Select 2 answers
A.Assign users to the Viewer role in the workspace.
B.Enable sensitivity labels for Power BI in Microsoft Purview.
C.Configure row-level security (RLS) on the dataset.
D.Set the default sensitivity label for the workspace.
E.Create a label-based access control policy in Microsoft Purview.
AnswersB, E

Required to use labels in Power BI.

Why this answer

Options A and C are correct. Sensitivity labels must be enabled for Power BI via Microsoft Purview, and then you can restrict access using label-based policies. Option B is wrong because row-level security controls data, not access to the report.

Option D is wrong because workspace roles do not consider sensitivity labels. Option E is wrong because that setting controls default label, not access restriction.

34
MCQhard

You are configuring row-level security (RLS) for a Power BI dataset. The sales data includes a 'Region' column. You want users in the 'Sales Managers' group to see data only for their assigned region, which is stored in a separate mapping table. You create the following DAX filter: [Region] = LOOKUPVALUE(EmployeeRegion[Region], EmployeeRegion[UserPrincipalName], USERPRINCIPALNAME()). When testing, a user in 'Sales Managers' sees no data. What is the most likely issue?

A.The LOOKUPVALUE function returns multiple values for the user, causing an error.
B.The USERPRINCIPALNAME function is not supported in RLS filters.
C.The DAX filter syntax is incorrect; it should use CALCULATE.
D.RLS requires a Premium capacity license.
AnswerA

Correct. Duplicate entries cause LOOKUPVALUE to fail.

Why this answer

Option C is correct because LOOKUPVALUE returns an error if multiple values are found (e.g., duplicate user entries in the mapping table), causing the filter to fail and return no data. Option A is wrong because RLS does not require Premium. Option B is wrong because the USERPRINCIPALNAME function is correct for Power BI Service.

Option D is wrong because the DAX itself is syntactically correct; the issue is with data.

35
MCQmedium

You are a Power BI administrator. A user reports that they cannot see any data when they open a report that uses row-level security (RLS). The user is a member of the 'Sales' RLS role, which filters data to [Region] = 'North America'. However, the report shows blank visuals. What is the most likely cause?

A.The user does not have permission to view the report.
B.The user is also a member of a workspace role that overrides RLS.
C.The RLS role was defined in the Power BI service after publishing, but the user was not added.
D.The RLS filter uses an exact string match, but the actual region values in the data are different (e.g., 'North America' vs 'North America ' or 'NA').
AnswerD

A mismatch in string values would result in no data being returned.

Why this answer

Option D is correct because if the 'North America' region name in the data does not exactly match the filter (e.g., 'North America' vs 'NA'), the filter will not match any rows. Option A is wrong because the user can see the report, just no data. Option B is wrong because RLS roles are usually defined in Desktop.

Option C is wrong because the user is in the Sales role, so they should see data.

36
MCQhard

Your company uses Microsoft Purview Information Protection sensitivity labels. You publish a Power BI dataset that includes columns containing personally identifiable information (PII). You want to automatically apply sensitivity labels based on column sensitivity. What should you configure?

A.Configure an auto-labeling policy in Microsoft Purview.
B.Use Microsoft Defender for Cloud Apps session controls.
C.Apply a sensitivity label to the dataset manually in Power BI Service.
D.Enable Microsoft Sentinel to label Power BI assets.
AnswerA

Auto-labeling can scan and label based on sensitive data patterns.

Why this answer

Option A is correct because auto-labeling policies in Microsoft Purview can scan and label Power BI datasets. Option B is wrong because Microsoft Defender for Cloud Apps applies labels based on app-level behavior, not column data. Option C is wrong because sensitivity labels in Power BI are manual or inherited from data sources.

Option D is wrong because Microsoft Sentinel is for security information and event management.

37
MCQhard

Refer to the exhibit. A user is a member of both 'HRManager' and 'Executive' RLS roles. The dataset uses DirectQuery. When the user views a report showing all employees, what data will they see?

A.All rows in the Employees table.
B.Only rows where Department is both 'HR' and 'Executive' (intersection).
C.No rows because roles conflict.
D.Rows where Department is 'HR' or 'Executive' (union).
AnswerD

Multiple roles are additive with OR logic.

Why this answer

Option B is correct because in Power BI, when a user belongs to multiple RLS roles, the filters are combined using OR logic, so the user sees rows satisfying either role. Option A is wrong because it would require intersection (AND). Option C is wrong because all rows are not returned.

Option D is wrong because both roles are applied.

38
MCQeasy

Your organization uses Microsoft Purview to catalog Power BI assets. You need to ensure that all published reports and dashboards are automatically scanned and added to the catalog. What should you do?

A.Register the Power BI tenant as a data source in Microsoft Purview.
B.Enable 'Allow Azure Active Directory authentication' in the Power BI admin portal.
C.Apply sensitivity labels to all assets.
D.Create a new workspace in Power BI and assign the catalog admin role.
AnswerA

Registering the tenant enables automatic scanning.

Why this answer

Option B is correct. Registering a Power BI tenant as a data source in Purview enables automatic scanning of all Power BI assets. Option A is wrong because sensitivity labels help with classification but do not automatically add assets to the catalog.

Option C is wrong because enabling 'Allow Azure Active Directory (now Microsoft Entra ID) authentication' is not required for scanning. Option D is wrong because creating a new workspace does not trigger scanning.

39
MCQeasy

You are a Power BI administrator. A user in the Sales department needs to create reports using a shared dataset, but should not be able to modify the dataset or share it with others. What is the minimum permission level you should assign to the user on the dataset?

A.Reshare
B.Build
C.Write
D.Read
AnswerB

Build permission allows users to create reports based on the dataset without modifying or sharing it.

Why this answer

Option C is correct because 'Build' permission allows a user to create reports based on a dataset without being able to modify or share the dataset. Option A is wrong because 'Read' permission only allows viewing reports, not building new ones. Option B is wrong because 'Reshare' is not a standalone permission; sharing is part of the 'Share' permission.

Option D is wrong because 'Write' would allow modifications.

40
MCQeasy

An administrator wants to monitor all Power BI activities, including viewing reports, exporting data, and sharing workspaces. Which tool should they use?

A.Power BI activity log in the admin portal
B.Power BI usage metrics report
C.Power BI capacity metrics app
D.Microsoft 365 audit log
AnswerA

The activity log records detailed user actions.

Why this answer

Option A is correct because the Power BI activity log captures user activities such as viewing, exporting, and sharing. Option B is wrong because the usage metrics report shows aggregate usage, not detailed activities. Option C is wrong because Microsoft 365 audit log is broader but less specific to Power BI; the activity log is the dedicated tool.

Option D is wrong because the admin portal's capacity metrics focus on performance.

41
MCQeasy

You need to ensure that only members of the 'Sales' security group can edit reports in the 'Sales Reports' workspace. The workspace currently has four members: three from Sales and one from Marketing. What should you do?

A.Add the Sales security group as a workspace Admin and remove the Marketing user.
B.Configure the workspace to allow only specific users to edit by using the 'Restrict editing' option.
C.Publish the reports to a Power BI app and grant the Sales group 'Build' permissions.
D.Assign the Sales security group the 'Contributor' role and keep the Marketing user as 'Member'.
AnswerA

Adding the Sales group with Admin role grants edit access, and removing the Marketing user prevents their access.

Why this answer

Option C is correct because by assigning the 'Sales' group as the workspace admin or contributor, you can control access. However, the scenario requires that only Sales members can edit; the Marketing member must be removed or assigned a lower role. Removing the Marketing user from the workspace ensures they cannot edit.

Option A is wrong because adding the Sales group as Admin does not automatically remove the Marketing user. Option B is wrong because workspace roles cannot be assigned per user role; they are workspace-wide. Option D is wrong because app permissions do not control editing access.

42
MCQeasy

You are a Power BI administrator. You need to prevent users from exporting underlying data from reports. Which tenant setting should you disable?

A.'Export data'
B.'Export reports as PowerPoint presentations'
C.'Export reports as PDF files'
D.'Export reports as MHTML files'
AnswerA

This setting controls exporting underlying data.

Why this answer

Option A is correct because 'Export data' controls the ability to export underlying data. Option B is wrong because 'Export reports as PowerPoint' is for exporting the report itself. Option C is wrong because 'Export reports as PDF' is for static exports.

Option D is wrong because 'Export reports as MHTML' is also for report export.

43
MCQmedium

You are a Power BI administrator. A user reports that they cannot see a specific dataset in the Power BI service, even though they have been assigned the 'Contributor' role on the workspace containing that dataset. The dataset was created by another user. What is most likely the cause?

A.The user needs 'Build' permission on the dataset.
B.The user's Power BI license is insufficient.
C.The dataset is published as an app and the user has not installed the app.
D.The user needs to be assigned the 'Viewer' role on the workspace.
AnswerA

Build permission allows users to view and use datasets created by others.

Why this answer

The Contributor role does not include the ability to view datasets created by others unless those datasets are shared or the user has Build permission. Option B is correct because Build permission is required to view datasets that are not owned by the user. Option A is wrong because Viewer role is not needed for viewing datasets; Contributor already has higher access.

Option C is wrong because the dataset was created in the same workspace, not in a separate app. Option D is wrong because the user is already a workspace member; no additional licensing is needed for viewing.

44
MCQhard

Refer to the exhibit. An Azure Policy is applied to your subscription. What is the effect of this policy on Power BI workspaces?

A.It denies creation or update of workspaces assigned to Premium capacity.
B.It denies creation of any new Power BI workspace.
C.It denies creation of workspaces that are not Premium.
D.It allows workspaces with Premium per user (PPU) SKU.
AnswerA

The deny effect prevents actions on Premium workspaces.

Why this answer

Option C is correct because the policy denies creation or update of workspaces with SKU 'Premium'. Option A is wrong because it denies Premium, not non-Premium. Option B is wrong because it denies creation of Premium workspaces, not all.

Option D is wrong because it applies to Premium, not premium per user.

45
MCQeasy

Refer to the exhibit. You are reviewing a DAX expression used in a Power BI measure. You need to ensure that only users in the 'West' region see data for that region. Which approach should you use?

A.Implement row-level security (RLS) in the dataset with a role filter.
B.Use the CALCULATE function with a filter on the report page.
C.Modify the measure to include a conditional statement that checks the user's email.
D.Create a calculated column with the same logic.
AnswerA

Correct. RLS restricts data access at the row level.

Why this answer

Option C is correct because the DAX expression is a measure that calculates the sum for the 'West' region, but it does not restrict data for other users. To enforce security, you need to implement row-level security (RLS) by adding a filter in the dataset roles. Option A is wrong because you cannot restrict the measure to specific users directly.

Option B is wrong because the measure itself calculates for West only, but RLS is needed for security. Option D is wrong because the measure is already specific to West.

46
MCQhard

A Power BI admin receives a support ticket that a user cannot see any data in a report that uses row-level security (RLS). The report is based on a dataset with a single table 'Sales' and RLS roles defined. The user is assigned to the role 'SalesManager' which filters Sales[Region] = 'West'. The dataset uses Import mode. The user can see the report but all visuals show blank. What is the most likely cause?

A.The RLS filter removes all rows for the user's role.
B.The user does not have permission to view the report page.
C.The user is viewing a dashboard tile instead of the report.
D.The dataset was refreshed using an RLS bypass account.
AnswerA

If Sales[Region] = 'West' returns no rows, visuals will be blank.

Why this answer

Option D is correct because RLS in Import mode filters at the dataset level; if the user's role filters out all data (e.g., no rows match 'West'), visuals will appear blank. Option A is wrong because RLS does not affect the report page layout. Option B is wrong because RLS is applied regardless of dashboard tiles.

Option C is wrong because RLS is applied after data refresh, so the data load includes all rows but RLS filters query results.

47
Multi-Selecthard

A Power BI administrator needs to prevent users from creating new workspaces, but allow existing workspaces to continue functioning. Which two settings should be configured? (Choose two.)

Select 2 answers
A.Set the 'Maximum number of workspaces a user can create' to 0 for all security groups.
B.In the Power BI admin portal, under 'Workspace settings', disable 'Create workspaces' for all users.
C.Remove the 'Create workspace' button from the Power BI navigation pane using custom branding.
D.Enable 'Block users from creating workspaces' in the Power BI admin portal.
E.In the Power BI admin portal, disable 'Use workspaces' for all users.
AnswersB, D

This setting prevents users from creating new workspaces.

Why this answer

Option A (disable 'Create workspaces' for all users) and Option D (enable 'Block users from creating workspaces' in the admin portal) are correct. Option A is a tenant setting to disable workspace creation. Option D is the actual admin portal setting.

Option B is wrong because disabling 'Use workspaces' would break existing workspaces. Option C is wrong because setting a group policy is not the correct approach. Option E is wrong because removing workspace creation from the admin portal is not a granular setting.

48
MCQmedium

A company uses Power BI Premium per capacity. A report developer needs to share a report with external users who do not have Power BI licenses. The report uses a live connection to an Azure Analysis Services model. What should the admin configure to allow external access?

A.Enable Publish to web for the report.
B.Configure Bring Your Own Tenant (BYOT) with Azure B2B.
C.Configure Azure B2B guest users in the same tenant.
D.Share the report directly with external email addresses.
AnswerB

BYOT allows external users to access content using their own organization's Power BI licenses.

Why this answer

Option B is correct because Bring Your Own Tenant (BYOT) with Azure B2B allows external users to access content via their own organization's tenant. Option A is wrong because guest users in the same tenant require licenses. Option C is wrong because Publish to web makes data public.

Option D is wrong because sharing requires internal licenses.

49
Multi-Selectmedium

Which TWO of the following are valid ways to enforce row-level security (RLS) on a Power BI dataset? (Choose two.)

Select 2 answers
A.Use Power BI Report Builder to define RLS on paginated reports.
B.Create RLS rules directly in the Power BI service under dataset security.
C.Define roles and role members in Power BI Desktop using DAX filter expressions.
D.Assign users to security groups in Microsoft Entra ID and map those groups to RLS roles in the Power BI service.
E.Configure RLS in the source database when using DirectQuery with single sign-on (SSO).
AnswersC, E

This is the primary method to create RLS in Power BI Desktop.

Why this answer

Options A and C are correct. RLS can be defined in Power BI Desktop using static roles, and in DirectQuery with SSO, RLS can be enforced in the source database. Option B is wrong because RLS is not applied via the Power BI service interface for datasets; it's defined in Desktop.

Option D is wrong because RLS in Power BI is not based on Microsoft Entra ID groups; it's based on roles defined in the model. Option E is wrong because RLS is not configured in Excel.

50
MCQhard

You are a Power BI administrator for a large enterprise. The company has a Power BI tenant with thousands of workspaces. You need to audit all shared links (shareable links) that have been created across the tenant to identify any that are shared with external users. You also need to revoke any links that were created more than 90 days ago. You want to use a PowerShell script to accomplish this efficiently. The script must output a CSV file with columns: LinkId, WorkspaceName, ReportName, CreatedDate, ExternalSharing. What should you do?

A.Enable Power BI activity logs and query Log Analytics for shareable links.
B.Use the Power BI REST API cmdlet Get-PowerBIShareableLink to retrieve and filter links by CreatedDate, then revoke with Remove-PowerBIShareableLink.
C.Use Microsoft Graph API to audit and manage Power BI shareable links.
D.Use the Power BI admin portal to manually export shareable links.
AnswerB

Power BI REST API provides programmatic access to shareable links.

Why this answer

Option B is correct because the Power BI REST API (via PowerShell) can retrieve shareable links and filter by creation date. Option A is wrong because the admin portal lacks automation. Option C is wrong because Microsoft Graph API does not directly manage Power BI shareable links.

Option D is wrong because Log Analytics does not provide shareable link metadata.

51
MCQmedium

Your organization uses Power BI in a shared capacity model. A report developer complains that a new report published to a workspace does not appear in the 'My workspace' area. They have the Contributor role on the workspace. What is the most likely cause?

A.The Contributor role does not have permission to publish reports to the workspace.
B.The report was automatically added to 'My workspace' but was deleted by an administrator.
C.Reports published to a workspace do not appear in 'My workspace' unless the user manually saves a copy there.
D.The user does not have a Power BI Pro license.
AnswerC

Correct. Reports published to a workspace are stored in that workspace, not in 'My workspace'.

Why this answer

Option A is correct because reports published to a workspace are stored in that workspace, not in 'My workspace'. The Contributor role allows publishing to the workspace, but the report will appear in the workspace, not the user's personal workspace. Option B is wrong because the Contributor role can publish content.

Option C is wrong because there is no license issue. Option D is wrong because the report is not automatically added to 'My workspace'.

52
Multi-Selectmedium

You need to audit Power BI activities such as viewing reports, sharing dashboards, and exporting data. Which TWO actions should you take to enable and access audit logs? (Choose two.)

Select 2 answers
A.Configure Microsoft Defender for Cloud Apps to forward logs to Microsoft Sentinel.
B.Access the audit log from the Microsoft 365 compliance portal.
C.Enable the 'Create audit logs for Power BI activities' tenant setting in the admin portal.
D.Use the 'Export' feature in Power BI to export audit logs to a CSV file.
E.Set up a diagnostic setting in Azure Monitor to collect Power BI logs.
AnswersB, C

Audit logs are stored and accessible in the Microsoft 365 compliance portal.

Why this answer

Options A and C are correct. Enabling the audit log in the Power BI admin portal is the first step. Option C is correct because audit logs are stored in the Microsoft 365 compliance portal.

Option B is wrong because Microsoft Defender for Cloud Apps is not the primary storage for audit logs. Option D is wrong because Azure Monitor is not used for Power BI audit logs. Option E is wrong because Power BI itself does not store audit logs; it sends them to the Microsoft 365 audit log.

53
Multi-Selecthard

Your organization uses Power BI Premium with a shared capacity. You need to ensure that a specific workspace's data stays in the European region. Which TWO actions should you take? (Choose two.)

Select 2 answers
A.Configure the default geographic region for the tenant to Europe.
B.Create a Power BI Premium capacity in the European region.
C.Set the data residency option in the dataset settings to Europe.
D.Move the workspace to the Premium capacity created in Europe.
E.Apply a Microsoft Purview sensitivity label with encryption to the datasets.
AnswersB, D

Premium capacities can be created in specific Azure regions to enforce data residency.

Why this answer

Options A and C are correct. Creating a Premium capacity assigned to a European region ensures data residency. Moving the workspace to that capacity ensures the data is stored in Europe.

Option B is wrong because sensitivity labels do not control data residency. Option D is wrong because the default region is set at the tenant level, not per workspace. Option E is wrong because Power BI does not allow per-dataset regional settings.

54
MCQmedium

You are a Power BI administrator. Your organization uses Microsoft Entra ID for identity management. You need to ensure that only users from specific security groups can access the Power BI service. What should you configure?

A.In the Power BI admin portal, configure the 'Allow users to access Power BI' setting to specify the security groups.
B.Create a conditional access policy in Microsoft Entra ID that grants access to Power BI only for members of the allowed security groups.
C.Configure the 'B2B guest user settings' to allow only specific domains.
D.Modify the workspace access permissions to include only the allowed security groups.
AnswerB

Conditional access policies can restrict access to cloud apps like Power BI based on group membership.

Why this answer

Option C is correct because conditional access policies in Microsoft Entra ID can restrict access to the Power BI service based on security group membership. Option A is wrong because the Power BI admin portal does not have a setting to restrict access to specific security groups. Option B is wrong because guest user settings control external access, not internal group restrictions.

Option D is wrong because workspace access settings control access to workspaces, not the service itself.

55
Multi-Selectmedium

Which TWO methods can a Power BI admin use to enforce the use of sensitivity labels on reports? (Choose two.)

Select 2 answers
A.Deploy a Microsoft Intune policy to block unlabeled reports.
B.Configure default labels in Power BI Desktop.
C.Apply labels automatically using Microsoft Purview Information Protection.
D.Require users to apply sensitivity labels when publishing reports.
E.Use row-level security to hide unlabeled reports.
AnswersC, D

Automatic labeling can be configured based on content.

Why this answer

Options A and D are correct because the admin can enable mandatory labeling in the admin portal and use Microsoft Purview Information Protection to apply labels. Option B is wrong because labels are not applied in Power BI Desktop. Option C is wrong because RLS does not enforce labels.

Option E is wrong because there is no such policy in Microsoft Intune.

56
MCQhard

You are managing a Power BI environment that uses Microsoft Purview for data governance. You need to ensure that all new datasets automatically inherit sensitivity labels from their source data. What should you configure?

A.Enable 'Sensitivity labels' in Power BI tenant settings and require labels on datasets.
B.In Microsoft Purview, set up 'Automatic labeling' policies that propagate labels from source to Power BI datasets.
C.Use Microsoft Purview Data Map to scan source data and manually apply labels.
D.Configure a Power Automate flow to apply labels based on dataset metadata.
AnswerB

Automatic labeling policies can propagate labels.

Why this answer

Option D is correct because you need to set Purview to automatically apply labels based on source data labels. Option A is wrong because it only applies manual labels. Option B is wrong because it doesn't automatically inherit.

Option C is wrong because it's for classification, not automatic inheritance.

57
MCQmedium

Your organization uses Power BI with Premium capacity. You need to configure a scheduled refresh for a dataset that connects to an Azure SQL Database. The refresh must complete before 6:00 AM every day. The dataset currently takes 45 minutes to refresh. What is the most important consideration?

A.Use an on-premises data gateway to connect to Azure SQL.
B.Schedule the refresh to start early enough to complete by 6:00 AM, considering any other scheduled refreshes.
C.Configure incremental refresh to reduce the refresh time.
D.Ensure the dataset does not exceed the maximum number of daily refreshes (8 for shared, 48 for Premium).
AnswerB

Must ensure no overlap and enough time.

Why this answer

Scheduled refresh times are limited by the number of daily refreshes and the capacity's concurrency limits. Option D is correct because the refresh time must be within the available window and not conflict with other refreshes. Option A is wrong because Premium allows up to 48 refreshes per day.

Option B is wrong because incremental refresh is optional, not required. Option C is wrong because gateway is not needed for Azure SQL.

58
MCQeasy

You need to prevent users from sharing Power BI reports with people outside your organization. What should you configure in the Power BI admin portal?

A.Disable the 'Share content with external users' setting.
B.Disable the 'Export to Excel' setting.
C.Disable the 'Publish to web' setting.
D.Disable the 'Allow users to create email subscriptions' setting.
AnswerA

This setting directly controls the ability to share with external users.

Why this answer

Option D is correct because the 'Share content with external users' tenant setting controls whether users can share reports and dashboards with external users. Disabling this setting prevents external sharing. Option A is wrong because 'Export to Excel' is a separate setting.

Option B is wrong because 'Publish to web' is for public embedding. Option C is wrong because 'Create email subscriptions' does not control external sharing.

59
MCQeasy

A Power BI admin needs to audit which users have accessed a specific report in the last 30 days. Which log should the admin use?

A.Power BI activity log (audit log) in the Power BI admin portal.
B.Microsoft Defender XDR audit log.
C.Power BI usage metrics report.
D.Microsoft Purview audit log.
AnswerA

The activity log includes 'ViewReport' events with user and timestamp.

Why this answer

Option A is correct because the Power BI activity log captures user access events. Option B is wrong because the audit log in Microsoft 365 Defender may not have detailed Power BI access events. Option C is wrong because usage metrics reports show view counts but not per-user details.

Option D is wrong because the Microsoft Purview audit log is for compliance, not detailed access logs.

60
MCQhard

Your organization uses Power BI Premium and wants to enforce that users can only see data relevant to their department (Sales, Marketing, Finance) using row-level security (RLS). The dataset contains a 'Department' column. You have created three RLS roles, each with a filter like [Department] = "Sales". You publish the dataset and add users to the roles. However, users in the Sales role can see all data. What is the most likely cause?

A.The RLS roles were created in the Power BI service, not in Power BI Desktop.
B.The users are members of multiple RLS roles, so they see all data.
C.The RLS filter uses a string comparison that is case-sensitive and the data contains mixed case.
D.The users are also assigned to workspace roles (e.g., Member) that grant them access to the dataset without RLS restrictions.
AnswerD

Users with edit permissions on the dataset bypass RLS.

Why this answer

Option B is correct because if the users have workspace-level permissions that allow them to see all data (e.g., Admin, Member, Contributor), RLS is bypassed. Option A is wrong because the filter syntax is correct. Option C is wrong because RLS works in Power BI Desktop preview.

Option D is wrong because multiple roles don't cause this issue; they are additive.

61
Multi-Selectmedium

Which THREE of the following are valid methods to secure a Power BI dataset at the row level?

Select 3 answers
A.Row-level security using the USERPRINCIPALNAME() DAX function.
B.Azure role-based access control (Azure RBAC) on the data source.
C.Static row-level security (RLS) using roles defined in Power BI Desktop.
D.Object-level security (OLS) to restrict access to specific columns.
E.Dynamic row-level security using the USERNAME() DAX function.
AnswersA, C, E

USERPRINCIPALNAME() is used in dynamic RLS.

Why this answer

Options A, C, and E are correct. Static RLS uses roles defined in Power BI Desktop. Dynamic RLS uses USERNAME() or USERPRINCIPALNAME() to filter data based on the logged-in user.

Object-level security (OLS) is for table/column security, not row-level. Option D is wrong because Azure RBAC is for managing access to Azure resources, not for Power BI row-level security.

62
MCQmedium

Refer to the exhibit. You are setting up row-level security (RLS) for a Power BI dataset. The JSON snippet shows the role definition. A user reports that they see no data when they view the report. What is the most likely cause?

A.The filter syntax is incorrect; it should use CALCULATE.
B.The role name 'RegionManager' is reserved.
C.The 'SalesPerson' column should be used in the filter.
D.The LOOKUPVALUE function requires a relationship between tables.
AnswerD

Correct. Without a relationship, LOOKUPVALUE may fail or return incorrect results.

Why this answer

Option D is correct because the LOOKUPVALUE function is used without a relationship between the Sales and EmployeeRegion tables. LOOKUPVALUE does not create a relationship; it performs a lookup based on the current row context, which may not work correctly. In RLS, you typically use a filter that references a related table via a relationship.

Option A is wrong because the role name can be any string. Option B is wrong because the syntax is valid. Option C is wrong because the column definitions are fine.

63
MCQhard

You are a Power BI administrator. You need to audit all activities related to sharing reports and dashboards in the Power BI service. Which tool should you use?

A.Microsoft Purview compliance portal audit log
B.Azure diagnostic settings for Power BI
C.Power BI activity log (via admin API or portal)
D.Microsoft Sentinel
AnswerC

Directly logs all user actions.

Why this answer

The Power BI activity log provides auditing of all user activities, including sharing. Option A is correct. Option B is wrong because Microsoft Purview compliance portal has audit log but Power BI activity log is more specific and detailed.

Option C is wrong because diagnostic settings export logs to other destinations, not for direct querying. Option D is wrong because Microsoft Sentinel collects logs but is not the primary auditing tool.

64
MCQhard

Your organization uses Power BI with a shared capacity. You have a dataset that is refreshed daily from an on-premises SQL Server database using an on-premises data gateway. The dataset contains sensitive financial data. The security team requires that all access to the dataset be logged and that any access from outside the corporate network be flagged. You need to implement a monitoring solution. What should you do?

A.Audit the SQL Server database using Azure SQL Auditing.
B.Use Microsoft Defender for Cloud Apps to enforce conditional access policies.
C.Enable logging on the on-premises data gateway and monitor the logs.
D.Enable Power BI activity logging and stream to Azure Log Analytics, then create alerts on access events from external IPs.
AnswerD

Activity logs capture all access events and can be analyzed.

Why this answer

Option B is correct because enabling Power BI activity logging and streaming to Azure Log Analytics allows querying and alerting on access events. Option A is wrong because the data gateway logs do not include access events. Option C is wrong because Microsoft Defender for Cloud Apps can provide conditional access but not logging of all access.

Option D is wrong because Azure SQL Auditing is for database-level, not Power BI.

65
Multi-Selectmedium

Which TWO of the following are valid methods to share a Power BI report with external users (outside your organization)? (Choose two.)

Select 2 answers
A.Export the report to PDF and email it to the external user.
B.Send the external user a direct link to the report via email; they can view it without any additional setup.
C.Invite the external user as a guest in your Microsoft Entra ID (Azure AD) and share the report directly with them.
D.Embed the report in a SharePoint Online page using the Power BI web part.
E.Use the 'Publish to web' option to create an embed code that can be placed on a public website.
AnswersC, E

Azure AD B2B collaboration allows sharing with external guests.

Why this answer

Options A and D are correct. Option A: Using Azure AD B2B, you can invite external users as guest users and share reports directly. Option D: Publish to web (public) makes the report available to anyone.

Option B is wrong because sharing a link via email requires the recipient to have a Power BI license; if they are external, they need to be guest users. Option C is wrong because exporting to PDF is a manual process, not a sharing method. Option E is wrong because embedding in a public website is essentially Publish to web, but requires enabling the feature.

66
MCQeasy

Refer to the exhibit. You have a Power BI dataset with the JSON policy shown. You add a user to the USOnly role. What happens when that user views a report based on this dataset?

A.The user sees all rows in the Sales table.
B.The user sees only rows where Region is 'US' in the Sales table.
C.The user sees all rows but the SalesAmount column is hidden.
D.The user sees all rows in all tables of the dataset.
AnswerB

The role filters by Region='US'.

Why this answer

Option B is correct because row-level security (RLS) restricts data: only rows where Region is 'US' are visible. Option A is wrong because RLS does not hide the entire table. Option C is wrong because RLS does not affect columns.

Option D is wrong because RLS does not affect other tables unless defined.

67
MCQmedium

Refer to the exhibit. You are troubleshooting an RLS configuration. The role 'SalesManager' is intended to restrict the user 'salesmanager@contoso.com' to see only their data. However, the user sees all data. What is the most likely issue?

A.The filter expression should be '= "salesmanager@contoso.com"' without USERPRINCIPALNAME().
B.The filter expression compares the user's UPN to a static string, but there is no column in the table to filter against.
C.The dataset is using DirectQuery, which does not support RLS.
D.The model permission should be 'ReadAndExplore' instead of 'Read'.
AnswerB

RLS filters typically filter a column, not the user identity itself.

Why this answer

Option C is correct because USERPRINCIPALNAME() returns the user's UPN, but the filter expression compares it to a specific email address. For RLS to work, the filter should use a column that contains the user's UPN, or use a different function. Option A is wrong because the permission is correct.

Option B is wrong because the filter expression should evaluate to a Boolean. Option D is wrong because RLS works with imported data.

68
MCQhard

A Power BI dataset uses DirectQuery to a Snowflake data warehouse. Users report that the report takes more than 5 minutes to load. The dataset has complex DAX measures. The admin wants to improve performance without changing the data source. Which action is most effective?

A.Create aggregations in the dataset.
B.Switch the dataset to Import mode and schedule refresh.
C.Reduce the number of visuals and simplify measures.
D.Increase the Power BI Premium capacity size.
AnswerC

Fewer visuals and simpler DAX reduce the number of queries sent to Snowflake.

Why this answer

Option B is correct because reducing the number of visuals and simplifying measures can significantly reduce query time. Option A is wrong because Import mode would change the source architecture. Option C is wrong because aggregations help but building them requires changes.

Option D is wrong because increasing capacity does not optimize query performance.

69
MCQhard

Your organization uses Power BI and has deployed Microsoft Purview Data Loss Prevention (DLP) policies. You want to prevent users from exporting data from Power BI reports that contain credit card numbers. What should you configure?

A.Configure row-level security (RLS) to hide the credit card column from users.
B.Create a DLP policy in Microsoft Purview that detects credit card numbers in Power BI and set the action to block export.
C.Apply a Microsoft Purview sensitivity label 'Highly Confidential' to the dataset and configure the label to prevent export.
D.Disable the 'Export to Excel' and 'Export to CSV' settings in the Power BI admin portal.
AnswerB

DLP policies can block export when sensitive data is detected.

Why this answer

Option D is correct because DLP policies in Power BI can be applied to datasets and reports, and they can block export of data that matches sensitive info types like credit card numbers. Option A is wrong because sensitivity labels alone do not block export. Option B is wrong because RLS restricts data visibility, not export.

Option C is wrong because tenant settings control general export capabilities but not based on content.

70
MCQhard

Refer to the exhibit. A Power BI dataset has the scheduled refresh configuration shown in the JSON. The refresh fails on Monday, March 2, 2026. Who will be notified?

A.All workspace admins.
B.The dataset owner.
C.The Power BI tenant admin.
D.All users with access to the dataset.
AnswerB

MailOnFailure sends an email to the dataset owner.

Why this answer

Option B is correct. The 'notifyOption' is set to 'MailOnFailure', which sends a notification to the dataset owner when a refresh fails. Option A is wrong because the failure is on a scheduled day, but the notification is not sent to workspace admins.

Option C is wrong because the tenant admin is not automatically notified. Option D is wrong because the notification is sent to the owner, not to all users.

71
MCQmedium

You are a Power BI administrator. A user in your organization wants to share a report with an external user who does not have a Power BI license. You want to allow the external user to view the report without requiring them to sign in. What should you do?

A.Create a new user account in your Microsoft Entra ID for the external user and assign a Power BI Pro license.
B.Share the report directly with the external user's email address.
C.Invite the external user as a guest in Microsoft Entra ID, then share the report.
D.Use the 'Publish to web' option to generate an embed code and send the link to the external user.
AnswerD

Publish to web makes the report publicly accessible without sign-in.

Why this answer

Option C is correct because 'Publish to web' creates a public embed code that anyone can view without authentication. Option A is wrong because sharing directly requires the external user to have a Power BI license or be a guest. Option B is wrong because the external user must authenticate as a guest.

Option D is wrong because the external user would need a license to access the Power BI service.

72
Multi-Selecthard

Which THREE settings should you verify in the Power BI tenant admin portal to ensure that external users (guests) can access a published app?

Select 3 answers
A.Invite external users to your organization via Microsoft Entra ID.
B.Allow sharing with external users.
C.Allow Azure Active Directory (Microsoft Entra ID) external identities to access the Power BI service.
D.Show external users in lists of suggested people.
E.Allow external users to edit and manage content in the organization.
AnswersA, C, E

Correct. This must be enabled to add guest users.

Why this answer

Options A, C, and D are correct. 'Invite external users to your organization' must be enabled. 'Allow external users to edit and manage content in the organization' allows guest contributions. 'Allow Azure Active Directory (Microsoft Entra ID) external identities to access the Power BI service' enables guest access. Option B is wrong because sharing with external users is a separate setting, but not specifically for app access. Option E is wrong because that setting controls whether external users can see other external users.

73
MCQhard

You are a Power BI administrator. A Power BI dataset owner reports that the dataset is not refreshing automatically, but manual refreshes work fine. The dataset uses a cloud data source (Azure SQL Database) with OAuth2 credentials. What is the most likely cause?

A.Row-level security (RLS) is misconfigured.
B.The on-premises data gateway is offline.
C.The dataset exceeds the refresh limit for the assigned capacity.
D.The OAuth2 token used for the data source credentials has expired.
AnswerD

Expired OAuth tokens prevent automatic refreshes, but manual refreshes prompt the user to reauthenticate.

Why this answer

Option B is correct because OAuth2 tokens can expire, causing automatic refresh failures while manual refreshes work (since the user reauthenticates). Option A is wrong because gateway issues typically affect both manual and automatic refreshes. Option C is wrong because capacity restrictions would also affect manual refreshes.

Option D is wrong because RLS does not affect refresh functionality.

74
MCQmedium

Refer to the exhibit. You are configuring row-level security (RLS) for a Power BI dataset. The JSON shows a role named 'RegionManager' with a filter expression. Users assigned to this role complain that they see all regions instead of only 'North'. What is the likely cause?

A.The 'Read' permission should be 'ReadAndExplore' to apply filters.
B.The role name 'RegionManager' is case-sensitive and must match the user's group name.
C.The filter expression is written in M language, which is not supported for RLS.
D.The filter expression uses incorrect DAX syntax; it should reference the table name, e.g., 'Sales[Region] = "North"'.
AnswerD

Table-qualified column names are required.

Why this answer

Option B is correct because the DAX filter expression must reference a column in the correct format; '[Region] = "North"' is incorrect DAX syntax. The correct DAX should be 'Sales[Region] = "North"'. Option A is wrong because the role name is not case-sensitive.

Option C is wrong because the filter expression is a DAX expression, not M. Option D is wrong because the 'Read' permission is correct for viewing data.

75
MCQhard

A Power BI administrator deploys a dashboard that uses a real-time dataset from Azure Stream Analytics. The dashboard must refresh every minute. The administrator notices that the dashboard sometimes shows stale data. What is the most likely cause and solution?

A.The dashboard tile cache is set to the default 30 minutes. Reduce the cache duration to 1 minute in the dataset settings
B.The streaming dataset is not supported for dashboards. Use a push dataset instead
C.Enable automatic page refresh on the dashboard and set it to 1 minute
D.The refresh interval in the dataset is set to 30 minutes. Change it to 1 minute
AnswerA

Dashboard tiles cache data; reducing cache ensures fresh data.

Why this answer

Option A is correct because Power BI has a default dashboard tile cache of 30 minutes for streaming datasets; reducing the cache duration solves the issue. Option B is wrong because the data source is streaming, not push. Option C is wrong because automatic page refresh is for report pages, not dashboard tiles.

Option D is wrong because the issue is cache, not the refresh interval.

Page 1 of 3 · 164 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Manage and secure Power BI questions.