CCNA Manage and secure Power BI Questions

75 of 164 questions · Page 2/3 · Manage and secure Power BI · Answers revealed

76
Multi-Selectmedium

Which TWO actions can help enforce data security in Power BI when using Microsoft Entra ID?

Select 2 answers
A.Apply Conditional Access policies to require multi-factor authentication.
B.Implement row-level security (RLS) in the dataset.
C.Configure sensitivity labels to restrict access to reports.
D.Share reports via direct link with specific users.
E.Use Microsoft Intune app protection policies to prevent data leakage.
AnswersA, B

Correct. Conditional Access can enforce MFA for Power BI.

Why this answer

Options A and D are correct. Conditional Access policies can enforce MFA. RLS restricts data access at the row level.

Option B is wrong because app management policies are for app governance, not direct security. Option C is wrong because sensitivity labels classify data but do not enforce access. Option E is wrong because sharing via link is a distribution method, not security.

77
Multi-Selectmedium

You need to restrict access to a Power BI report that contains sensitive financial data. The report is published to a workspace. Which THREE actions can you take to control access? (Choose three.)

Select 3 answers
A.Disable the 'Export to Excel' setting for the report.
B.Apply a sensitivity label that restricts access to the report.
C.Implement row-level security (RLS) to filter data based on user identity.
D.Share the report directly with the users.
E.Assign users to the workspace with Viewer role.
AnswersC, D, E

RLS can restrict which data rows each user sees.

Why this answer

Options A, C, and D are correct. Assigning workspace roles controls who can view content in the workspace. Sharing the report with specific users allows granular access.

Row-level security (RLS) can filter data per user. Option B is wrong because sensitivity labels do not control access; they classify data. Option E is wrong because the 'Export to Excel' setting controls export, not access.

78
MCQeasy

Refer to the exhibit. The Power BI admin settings are shown. A user reports that they cannot share a dashboard with an external partner. What is the most likely reason?

A.The 'exportDataEnabled' setting is disabled.
B.The 'publishToWebEnabled' setting is disabled.
C.The 'workspaceCreationEnabled' setting is disabled.
D.The 'externalSharingEnabled' setting is disabled.
AnswerD

This setting directly controls sharing with external users.

Why this answer

Option B is correct because the setting 'externalSharingEnabled' is set to false, which prevents users from sharing content with external users. Option A is wrong because 'workspaceCreationEnabled' is true, allowing workspace creation. Option C is wrong because 'exportDataEnabled' is true.

Option D is wrong because 'publishToWebEnabled' is true and unrelated to sharing.

79
MCQeasy

You have a Power BI workspace that contains several dashboards and reports. You need to ensure that the workspace is certified and that only certified datasets can be used in reports across the tenant. You also want to display a certification badge on the workspace. What should you do?

A.Apply certification to the datasets in the workspace via the dataset settings.
B.Update the workspace description to include 'Certified'.
C.Mark the workspace as 'Featured' in the admin portal.
D.Enable the 'Endorsement' setting for the workspace.
AnswerA

Certification is per dataset.

Why this answer

Option B is correct because certification is applied to datasets, not workspaces. The certification badge appears on datasets. Option A is wrong because certification is not a workspace-level setting.

Option C is wrong because workspace description does not certify. Option D is wrong because that setting controls endorsement, not certification.

80
MCQeasy

You need to grant a user the ability to manage permissions, add members, and edit content in a Power BI workspace, but not delete the workspace. Which role should you assign?

A.Member
B.Admin
C.Contributor
D.Viewer
AnswerA

Correct. Member can manage members and edit content, but cannot delete.

Why this answer

Option B is correct because the Member role can edit content and manage members, but cannot delete the workspace. Option A is wrong because Admin can delete the workspace. Option C is wrong because Contributor can only edit content, not manage members.

Option D is wrong because Viewer has read-only access.

81
MCQhard

You are a Power BI data analyst at a financial services company. You have created a Power BI dataset that uses a live connection to an Azure Analysis Services (AAS) tabular model. The AAS model contains sensitive financial data. You need to implement row-level security (RLS) such that each user can only see data for their assigned region. The user's region is stored in a SQL Server database table called 'UserRegion' that maps user principal names (UPNs) to region IDs. The AAS model already has a 'Region' dimension table with a 'RegionID' column. You are not allowed to modify the AAS model. What should you do?

A.Use Power Query to filter the 'Region' table based on the current user's region stored in the SQL database.
B.Define RLS roles directly in the AAS model using the USERNAME() function.
C.In Power BI Desktop, import the 'UserRegion' table from SQL Server and define an RLS role that filters the 'Region' table using the USERPRINCIPALNAME() function.
D.Modify the AAS model to include the 'UserRegion' table and define RLS roles in AAS.
AnswerC

You can implement RLS in Power BI without modifying the AAS model by importing the mapping table and defining a role.

Why this answer

Option C is correct. You can implement RLS in Power BI Desktop by defining a role that uses the USERPRINCIPALNAME() function to filter the 'Region' table based on the 'UserRegion' table imported into the Power BI dataset. Option A is wrong because you cannot modify the AAS model.

Option B is wrong because RLS in AAS requires modifying the model. Option D is wrong because the 'Region' table is in AAS, not in the SQL database.

82
MCQhard

Refer to the exhibit. The Power BI admin portal shows capacity usage. The Sales workspace is on Premium capacity and the Marketing workspace is on Shared capacity. The admin notices that the Sales dataset refresh takes 45 minutes, and the Marketing dataset refresh takes 10 minutes. Users complain that during the Sales dataset refresh, the Marketing report becomes slow. What is the most likely cause?

A.The Marketing workspace should be moved to Premium capacity to avoid contention
B.The Sales dataset is too large and consumes Premium capacity resources, leaving no resources for Marketing
C.Both workspaces are on the same shared capacity node, and the Sales dataset refresh consumes node resources, slowing Marketing
D.The Marketing dataset requires a Pro license, which is not assigned
AnswerC

On shared capacity, workspaces share underlying resources; a heavy refresh can impact others.

Why this answer

Option B is correct because on Shared capacity, refreshes can be throttled by system load, and a long-running Premium refresh (Sales) can impact the shared capacity node's performance, affecting Marketing. Option A is wrong because Premium capacity is isolated; it would not directly slow Marketing. Option C is wrong because Marketing is on Shared, not Premium.

Option D is wrong because the issue is not about licenses but about capacity contention.

83
MCQhard

Your organization uses Microsoft Entra ID for identity management. You have a Power BI dataset that uses DirectQuery to an Azure Analysis Services (AAS) model. The AAS model is configured to use service principal authentication. Users report that when they open a report connected to this dataset, they see an error: 'Cannot connect to the data source. The credentials provided are invalid.' What is the most likely cause?

A.The service principal secret or certificate used for authentication has expired.
B.Row-level security (RLS) on the AAS model is not configured correctly.
C.The service principal does not have 'Read' permission on the AAS model.
D.The dataset is in Import mode and requires a scheduled refresh.
AnswerA

Expired credentials cause authentication failures.

Why this answer

Option A is correct. The service principal credentials may have expired or been revoked. Option B is wrong because the dataset uses DirectQuery, not Import mode.

Option C is wrong because RLS is configured on the Power BI dataset, not on AAS. Option D is wrong because the service principal is configured for authentication, but the error indicates invalid credentials, not lack of permissions.

84
MCQhard

You are troubleshooting a Power BI DirectQuery model connected to Azure Synapse Analytics. The report shows stale data even though the underlying database is updated hourly. What should you check first?

A.Whether the dataset is using Import mode instead of DirectQuery.
B.Whether the user has RLS permissions that filter data incorrectly.
C.Whether the report has 'Disable caching' enabled in the dataset settings.
D.Whether the dataset is configured for scheduled refresh.
AnswerC

Correct. DirectQuery still uses some caching; disabling it forces fresh queries.

Why this answer

Option A is correct because DirectQuery does not cache data; each query goes to the source. However, Power BI may cache query results at the report level. The 'Disable caching' option ensures fresh data.

Option B is wrong because scheduled refresh is for import models. Option C is wrong because RLS does not affect data freshness. Option D is wrong because storage mode is import; DirectQuery is a separate mode.

85
MCQeasy

Your Power BI workspace contains a dataset that uses a DirectQuery connection to Azure SQL Database. You need to ensure that only users with the 'Viewer' role in the workspace can query the dataset, but they should not be able to see the underlying SQL credentials. What should you do?

A.Use Windows authentication with the user's own credentials.
B.Use row-level security (RLS) to restrict query access.
C.Configure the dataset to use a service principal with a credential stored in Power BI.
D.Use object-level security (OLS) to hide the credential columns.
AnswerC

Service principal credentials are not exposed to users.

Why this answer

Option A is correct because using a service principal with a credential stored in Power BI ensures users do not see credentials. Option B is wrong because stored credentials are not visible to users. Option C is wrong because RLS does not hide credentials.

Option D is wrong because OLS does not apply to credentials.

86
MCQmedium

You need to ensure that only users with a specific security group in Microsoft Entra ID can access a Power BI dataset. The dataset is used in a shared workspace that also contains other datasets. What should you configure?

A.Move the dataset to a separate workspace and manage access via workspace roles.
B.Configure row-level security (RLS) on the dataset to filter data based on the security group.
C.Use the 'Share' feature on the dataset to grant access to the security group.
D.Configure the app permissions to restrict access to the dataset.
AnswerA

A separate workspace allows granular control via workspace roles, restricting dataset access to the assigned security group.

Why this answer

Option B is correct because in Power BI, workspace-level roles (Admin, Member, Contributor, Viewer) control access to the entire workspace. To restrict access to a specific dataset within a shared workspace, you must use row-level security (RLS) or a separate workspace. Option A is wrong because app permissions control the app, not the dataset directly.

Option C is wrong because sharing a report does not restrict dataset access. Option D is wrong because dataset-level permissions are not granularly configurable in the same way; RLS or separate workspace is required.

87
MCQmedium

You have a Power BI dataset that uses a live connection to an Azure Analysis Services (AAS) model. The AAS model has object-level security (OLS) that hides certain measures. Your Power BI report users need to see those measures. What should you do?

A.Use Power BI Desktop object-level security to override AAS settings.
B.Configure row-level security (RLS) in Power BI to grant access.
C.Change the dataset to import mode and then apply OLS in Power BI.
D.Modify the object-level security roles in Azure Analysis Services to include the measures.
AnswerD

Access is controlled by AAS.

Why this answer

Option C is correct because Power BI live connection respects AAS security; to show hidden measures, you need to modify OLS in AAS. Option A is wrong because RLS is for rows, not measures. Option B is wrong because OLS in Power BI is only for import mode.

Option D is wrong because you cannot override AAS security from Power BI.

88
MCQeasy

Your organization uses Microsoft Defender for Cloud Apps to monitor Power BI activity. You need to receive an alert when a user exports a report with a sensitivity label of 'Highly Confidential' from Power BI service. What should you configure?

A.Set up a Microsoft 365 compliance alert for data export events.
B.Enable audit logging in Power BI and configure alerts in Microsoft Sentinel.
C.Apply a protection policy in Microsoft Purview that blocks export for 'Highly Confidential' labels.
D.Create an activity policy in Microsoft Defender for Cloud Apps.
AnswerD

Defender for Cloud Apps activity policies can detect exports with specific sensitivity labels and trigger alerts.

Why this answer

Option A is correct because Microsoft Defender for Cloud Apps allows you to create an activity policy that triggers alerts based on specific activities, such as exporting reports with specific sensitivity labels. Option B is wrong because Power BI audit logs can be monitored but require custom alerts via Sentinel or other tools; Defender for Cloud Apps provides built-in alerting. Option C is wrong because sensitivity labels themselves do not generate alerts.

Option D is wrong because Microsoft 365 compliance alerts are separate and not focused on Power BI exports.

89
MCQhard

Refer to the exhibit. You are reviewing a Power BI activity log entry. What action should you take to ensure compliance if the user who created the report should not have access to 'Confidential' data?

A.Delete the report immediately.
B.Change the sensitivity label on the report to 'General'.
C.Investigate the user's permissions on the dataset 'SalesDataset' to verify they are authorized to access confidential data.
D.Ignore the event because the report creation is logged but not necessarily a violation.
AnswerC

The user created a report labeled 'Confidential', so their access to the dataset should be reviewed.

Why this answer

Option B is correct because the activity log shows the user created a report with a 'Confidential' sensitivity label. The best action is to investigate the user's access permissions to the underlying dataset to ensure they are authorized. Option A is wrong because the report was already created.

Option C is wrong because removing the label does not address the root cause. Option D is wrong because the event indicates the report was created, not just an attempt.

90
MCQhard

Your Power BI tenant has a capacity-based license (Premium). You want to enforce that only reports with a specific sensitivity label from Microsoft Purview can be exported to PDF. What feature should you use?

A.Microsoft Intune app protection policies
B.Sensitivity labels from Microsoft Purview
C.Data loss prevention (DLP) policies for Power BI
D.Conditional Access policies in Microsoft Entra ID
AnswerB

Sensitivity labels can enforce protection like preventing export.

Why this answer

Sensitivity labels in Power BI can be used to control export actions. Option B is correct because sensitivity labels can restrict exporting based on label. Option A is wrong because data loss prevention (DLP) policies in Power BI are for preventing data exfiltration but not specifically tied to export formats.

Option C is wrong because app protection policies are for mobile devices. Option D is wrong because conditional access policies control access, not export.

91
MCQeasy

You create a Power BI report that uses a live connection to an Azure Analysis Services (AAS) model. You want to enforce row-level security defined in the AAS model. What should you do?

A.Use object-level security (OLS) instead.
B.No additional configuration needed; RLS from AAS is automatically applied.
C.Use Power BI service to create RLS roles on the dataset.
D.Define the same RLS roles in Power BI Desktop and publish.
AnswerB

Live connection passes through the security.

Why this answer

With a live connection, Power BI respects the RLS defined in the source model. Option A is correct. Option B is wrong because you cannot add RLS in Power BI for a live connection.

Option C is wrong because you cannot define RLS in Power BI for live connections. Option D is wrong because you do not need to redefine.

92
Multi-Selecthard

Which THREE components are required for a Power BI deployment pipeline? (Choose three.)

Select 3 answers
A.A workspace assigned to a Premium capacity.
B.An Azure DevOps repository for version control.
C.A service principal for automated deployments.
D.A deployment pipeline created in the Power BI service.
E.At least three stages (Development, Test, Production).
AnswersA, D, E

Deployment pipelines require Premium.

Why this answer

Options A, B, and C are correct. A deployment pipeline requires a workspace assigned to a Premium capacity, at least three stages (dev, test, prod), and the pipeline must be created in the Power BI service. Option D is incorrect because a separate Azure DevOps repository is not required; deployment pipelines are native to Power BI.

Option E is incorrect because a service principal is optional for automation, not required.

93
MCQmedium

You are deploying a Power BI solution for a multinational company. The data contains personally identifiable information (PII) subject to GDPR. You need to ensure that users outside the European Union cannot access the underlying data when viewing reports in the Power BI service. What should you implement?

A.Configure Power BI multi-geo and implement row-level security (RLS) based on user region.
B.Apply data classification labels to the datasets and configure protection policies.
C.Use Microsoft Entra ID Conditional Access policies to block access from non-EU IP addresses.
D.Use Microsoft Purview sensitivity labels to restrict access to EU users only.
AnswerA

Multi-geo ensures data residency, and RLS can filter data based on the user's region, effectively preventing non-EU users from seeing EU PII.

Why this answer

Option D is correct because Power BI allows setting geographic data residency at the tenant level, ensuring data is stored in a specific region. Additionally, row-level security (RLS) can restrict data access based on user location, but the question specifically mentions preventing access from outside the EU, which is best achieved by combining multi-geo with RLS. Option A is wrong because Microsoft Entra ID Conditional Access can block access to the service, but not to the data within reports.

Option B is wrong because data classification restricts actions but not access. Option C is wrong because sensitivity labels do not block access.

94
MCQhard

A Power BI administrator needs to allow an external partner organization to access a specific report without requiring them to have Power BI Pro licenses. The report is stored in a workspace assigned to a Premium capacity. What is the correct configuration?

A.Add the external users as members of the workspace and assign them a Viewer role
B.Publish the report to the web and share the public link
C.Invite the external users as guest users in Microsoft Entra ID, add them to the workspace with Viewer role, and share the report or app
D.Embed the report in a secure portal using the 'embed for your organization' option
AnswerC

B2B guest users can access Premium workspace content without Pro licenses.

Why this answer

Option D is correct because in a Premium capacity workspace, you can share reports with external users (B2B collaboration) and grant access via app or direct sharing; the external user's Microsoft Entra ID tenant is trusted, and they can access without a Pro license if the workspace is on Premium. Option A is wrong because publish to web makes the report public, not secure. Option B is wrong because embedding requires a license or capacity.

Option C is wrong because external users need to be invited as guests.

95
MCQmedium

You are a Power BI administrator. A user reports that their scheduled data refresh fails every day with the error 'The credentials provided for the data source are invalid.' The user has verified the credentials are correct. What is the most likely cause?

A.The user changed their password after configuring the refresh.
B.The data source requires OAuth authentication, and the refresh token has expired.
C.The on-premises data gateway is offline.
D.The dataset uses incremental refresh, which requires Premium capacity.
AnswerB

OAuth tokens expire; the user needs to re-authenticate the data source credentials in Power BI.

Why this answer

Option D is correct because if the data source uses OAuth, the refresh token may expire and need to be refreshed. Option A is wrong because the gateway status would show a different error. Option B is wrong because the user already verified credentials.

Option C is wrong because incremental refresh does not affect credential validity.

96
MCQmedium

A Power BI administrator needs to audit which users have exported data from a specific report in the last 30 days. What is the most efficient way to retrieve this information?

A.Use the Microsoft Purview compliance portal to search for 'Export' events.
B.Check the report's usage metrics report for export counts.
C.Query the Power BI activity log using the audit log search in the Microsoft 365 Defender portal.
D.Review the 'Export to Excel' metrics in the Azure Monitor for Power BI Premium.
AnswerC

The Power BI activity log captures export events and can be queried via the Microsoft 365 Defender portal.

Why this answer

Option A is correct because the Power BI activity log contains export events (e.g., 'ExportToCSV', 'ExportToExcel') that can be filtered by report and date. Option B is wrong because Azure Monitor for Power BI Premium provides metrics but not detailed user-level export logs. Option C is wrong because Microsoft Purview audit logs may not include Power BI export events.

Option D is wrong because the usage metrics report only shows aggregate usage, not individual export actions.

97
MCQhard

Your organization uses Power BI Premium capacity. You notice that reports are slow during peak hours. You need to identify which workspaces are consuming the most CPU resources on the capacity. What should you use?

A.Open the dataset in Power BI Desktop and view the performance analyzer.
B.Install and review the Power BI Premium Capacity Metrics app.
C.Enable diagnostic logging in Azure Monitor for the capacity.
D.Check the 'Capacity settings' in the Power BI admin portal.
AnswerB

This app provides per-workspace CPU metrics and other performance insights.

Why this answer

Option C is correct because the Power BI Premium Capacity Metrics app provides detailed metrics on CPU consumption per workspace, helping identify resource-intensive workspaces. Option A is wrong because the Admin portal shows overall capacity usage but not per workspace. Option B is wrong because Azure Monitor works only for Azure resources, not Power BI Premium capacities.

Option D is wrong because Power BI Desktop cannot monitor capacity usage.

98
MCQhard

You are a Power BI administrator. Your organization uses Microsoft Purview to manage sensitivity labels. You need to ensure that when a report is exported to PDF, the sensitivity label is automatically applied to the PDF file. What should you configure?

A.Enable the tenant setting 'Apply sensitivity labels to exported data' in the Power BI admin portal.
B.Enable 'Microsoft Purview Information Protection' file encryption settings.
C.Set the default sensitivity label for the workspace to 'Confidential'.
D.Configure a Microsoft Purview auto-labeling policy for Power BI reports.
AnswerA

This setting ensures that when a report with a sensitivity label is exported, the label is embedded in the exported file.

Why this answer

Option D is correct because Power BI can enforce sensitivity labels on exported files when the tenant setting 'Apply sensitivity labels to exported data' is enabled. Option A is wrong because the labeling policy applies at the report level, not during export. Option B is wrong because file encryption settings in Purview do not control Power BI export behavior.

Option C is wrong because the sensitivity label in the report does not automatically carry over to exports unless the tenant setting is enabled.

99
MCQmedium

You have a Power BI workspace named Sales. You need to ensure that only users in the Finance security group can view reports in this workspace, while members of the Sales team can edit and share content. What should you do?

A.Add Finance as Viewer, Sales as Member.
B.Add Finance as Contributor, Sales as Member.
C.Add Finance as Viewer, Sales as Admin.
D.Use row-level security to restrict Finance data, add both as Member.
AnswerA

Viewer can only view; Member can edit and share.

Why this answer

Option B is correct because workspace roles allow granular permissions: Viewer for Finance, Member for Sales. Option A is wrong because Contributor cannot share content. Option C is wrong because Admin gives full control.

Option D is wrong because row-level security does not control workspace access.

100
MCQmedium

You are a Power BI administrator. The company has a premium capacity that many users publish reports to. Recently, users have reported that some reports are slow to load. You suspect that the capacity is being overused by certain large datasets. You need to identify which workspaces and datasets are consuming the most memory and CPU resources on the capacity. You want to use a tool that provides historical metrics and can be queried. What should you do?

A.Install the Power BI Premium Capacity Metrics app from AppSource.
B.Use Performance Analyzer in Power BI Desktop for each report.
C.Use the Power BI admin portal to view capacity metrics in real-time.
D.Enable Power BI activity logs and query Log Analytics for capacity metrics.
AnswerA

The app provides historical metrics and can be queried.

Why this answer

Option D is correct because the Power BI Premium Capacity Metrics app provides detailed historical metrics on memory, CPU, and query activity. Option A is wrong because the admin portal only shows current status. Option B is wrong because Log Analytics requires configuration and may not have historical data.

Option C is wrong because Performance Analyzer is for individual reports, not capacity-wide.

101
MCQhard

Your organization uses Microsoft Purview Information Protection to label sensitive data in Power BI datasets. You need to ensure that when a report is exported to Excel, the sensitivity label is automatically applied. What should you configure?

A.Ensure the dataset has a sensitivity label and that the export inherits the label.
B.Use data loss prevention (DLP) policies in Microsoft Purview.
C.Set a default sensitivity label on the report.
D.Enable 'Apply sensitivity labels to exported data' in the Power BI admin portal.
AnswerA

Power BI automatically applies the dataset's sensitivity label to exported data when inheritance is configured.

Why this answer

Option D is correct because sensitivity labels are inherited from the dataset to downstream exports when the data source inherits the label. Option A is incorrect because labels are not applied via Power BI admin settings directly. Option B is incorrect because labels are not applied at export time; they are part of the data protection.

Option C is incorrect because labels are automatically applied based on the dataset's label, not configured individually on each report.

102
MCQhard

Your organization is implementing a data security strategy for Power BI. You need to ensure that sensitive data in datasets is protected at rest using customer-managed keys (CMK). What prerequisite must be met?

A.The workspace must be assigned to a Premium capacity (P or EM SKU).
B.Azure Purview must be configured for the tenant.
C.The Power BI tenant must be in a shared capacity.
D.The organization must use Bring Your Own Key (BYOK) for SQL Server.
AnswerA

CMK is only available in Premium capacities.

Why this answer

Option B is correct because Power BI Premium capacity with reserved capacity is required for CMK. Option A is wrong because CMK is not available in shared capacity. Option C is wrong because Azure Key Vault is needed but not sufficient alone.

Option D is wrong because Bring Your Own Key (BYOK) is for encryption keys, not CMK.

103
MCQhard

Your organization uses Power BI with a shared capacity (no Premium capacity). You need to implement row-level security (RLS) on a dataset that is used by multiple reports. Which of the following is a limitation you must consider?

A.RLS is not supported in shared capacity; you need a Premium license.
B.RLS roles must be created in the Power BI service after publishing; they cannot be created in Power BI Desktop.
C.RLS cannot be applied when the dataset uses DirectQuery to a data source that requires single sign-on (SSO) because the user's identity is passed through, and the source must enforce RLS.
D.RLS can only be applied to tables that are imported, not to tables using DirectQuery.
AnswerC

In DirectQuery with SSO, RLS in Power BI is bypassed; the source must enforce security.

Why this answer

Option B is correct because in shared capacity, RLS cannot be applied to datasets that use DirectQuery to Azure Analysis Services or other sources that require single sign-on (SSO) – RLS must be defined in the source. Option A is wrong because RLS works in shared capacity. Option C is wrong because RLS is defined in Power BI Desktop and works with import mode.

Option D is wrong because RLS can be defined in Power BI Desktop using DAX.

104
Multi-Selecthard

Which THREE conditions are required to use a service principal with Power BI? (Choose three.)

Select 3 answers
A.The service principal must have a Power BI Pro or Premium Per User license.
B.The service principal must be added as a member or admin of the workspace.
C.An on-premises data gateway must be installed.
D.Service principal access must be enabled in the Power BI admin portal.
E.The service principal must use XMLA endpoints.
AnswersA, B, D

Service principals need a license to access Power BI.

Why this answer

Options A, C, and E are correct. A: Service principal must have a Power BI license (Pro or Premium Per User). C: The service principal must be enabled in the admin portal.

E: Service principal must be a member of the workspace. Option B is wrong because a gateway is not required. Option D is wrong because XMLA endpoints are not required for all operations.

105
MCQeasy

You have a Power BI dataset that connects to an Azure SQL Database. You need to use single sign-on (SSO) so that users' identities are passed to the database. What authentication method should you configure?

A.Windows authentication
B.Key authentication
C.OAuth2 with Microsoft Entra ID
D.Basic authentication with a service account
AnswerC

OAuth2 enables SSO.

Why this answer

Option A is correct because SSO with Azure AD (now Microsoft Entra ID) passes the user identity. Option B is wrong because it uses a fixed identity. Option C is wrong because it's for on-premises data.

Option D is wrong because it's for web services.

106
MCQhard

A Power BI administrator receives a support ticket that users can see reports in the Power BI service but cannot access them, receiving a 'not found' error. The reports are stored in a shared workspace. What should the administrator check first?

A.Verify that the users have Power BI Pro or Premium Per User licenses assigned
B.Confirm that the report is published to the correct workspace
C.Ensure the workspace is assigned to an active capacity (Pro or Premium) and that the capacity is not paused
D.Check if row-level security (RLS) is blocking access to the underlying data
AnswerC

A paused or deleted capacity can cause 'not found' errors despite listing.

Why this answer

Option D is correct because if users are in a workspace with a different capacity, they may see reports due to caching but get 'not found' when trying to open them if the capacity is paused or deleted. Option A is wrong because license assignment is usually global. Option B is wrong because RLS would show data, not 'not found'.

Option C is wrong because the reports exist.

107
MCQmedium

A company deploys Power BI for internal reporting. The security team requires that all report data be encrypted at rest and in transit, and that access be granted only to users with verified identities. Which combination of features should the Power BI administrator use?

A.Apply row-level security (RLS) and use Microsoft Intune for conditional access
B.Leverage Azure SQL Database Transparent Data Encryption (TDE), TLS, and Microsoft Entra ID
C.Use Microsoft Purview for encryption and Microsoft Intune for identity
D.Enable Power BI encryption settings and configure SharePoint permissions
AnswerB

TDE encrypts data at rest, TLS encrypts in transit, and Entra ID provides verified identity.

Why this answer

Option C is correct because Power BI uses Azure SQL Database encryption at rest, TLS for data in transit, and integrates with Microsoft Entra ID for authentication. Option A is wrong because Microsoft Purview is for data governance, not encryption. Option B is wrong because SharePoint is not a core encryption or identity service for Power BI.

Option D is wrong because Microsoft Intune is for mobile management, not encryption.

108
MCQhard

Your organization is deploying Power BI content to multiple stages (dev, test, prod) using deployment pipelines. You need to ensure that test data is not visible to production users. What is the best approach?

A.Manually replace the dataset in the production workspace after deployment.
B.Apply row-level security to filter test data in production.
C.Create separate Power BI tenants for each stage.
D.Use deployment pipelines with separate datasets per stage and configure data source parameters to point to different databases.
AnswerD

This automates environment separation.

Why this answer

Option B is correct because deployment pipelines allow assigning different datasets to different stages. Option A is wrong because it's manual. Option C is wrong because RLS is for within a dataset, not between stages.

Option D is wrong because it's inefficient.

109
Multi-Selecthard

Which TWO of the following actions can be performed by a user who has the 'Contributor' role on a Power BI workspace?

Select 2 answers
A.Update the workspace description.
B.Create new reports and dashboards in the workspace.
C.Share a report with other users.
D.Delete the workspace.
E.Add new members to the workspace.
AnswersB, C

Contributors can create content.

Why this answer

Options B and C are correct. Contributors can create and edit content in the workspace, and they can share items (like reports) with others if sharing is enabled by the admin. Option A is wrong because only admins can update the workspace description.

Option D is wrong because only admins can add members to the workspace. Option E is wrong because only admins can delete the workspace.

110
MCQmedium

An organization uses Power BI with Microsoft Purview Information Protection. A report contains sensitive customer data. The administrator wants to ensure that when the report is exported to Excel, the sensitivity label is automatically applied. What must be configured?

A.Configure the Excel workbook to inherit the label from Power BI
B.Enable auto-labeling in the Power BI admin settings and configure the sensitivity label policy
C.Use row-level security to restrict access to sensitive data
D.Require users to manually apply a sensitivity label before exporting
AnswerB

Auto-labeling automatically applies labels based on policy.

Why this answer

Option B is correct because Power BI supports automatic sensitivity labeling based on data classification, which can propagate to exports. Option A is wrong because manual labeling is not automatic. Option C is wrong because RLS does not affect labeling.

Option D is wrong because the label is applied by Power BI, not Excel.

111
Multi-Selectmedium

Which TWO actions are required to enable Microsoft Copilot for Power BI in your tenant? (Choose two.)

Select 2 answers
A.Deploy a custom Azure OpenAI model.
B.Enable the 'Allow Copilot for Power BI' tenant setting.
C.Configure Azure OpenAI Service in your tenant.
D.Ensure your Power BI capacity is in a supported region.
E.Assign a Microsoft Copilot for Microsoft 365 license to each user.
AnswersB, D

This setting is required to activate Copilot.

Why this answer

Options A and D are correct. Copilot for Power BI requires enabling the tenant setting 'Allow Copilot for Power BI' and ensuring that the capacity is in a supported region. Option B is incorrect because a separate Copilot license is not required; it is included with premium.

Option C is incorrect because Microsoft 365 Copilot is not required. Option E is incorrect because Copilot uses Azure OpenAI, but you do not need to deploy it yourself.

112
MCQeasy

Your organization uses Microsoft Teams to collaborate on Power BI reports. You need to ensure that only members of a specific team can view a report embedded in a Teams tab. What should you do?

A.Share the report directly with the team in Microsoft Entra ID.
B.Assign the team owner as the report owner.
C.Set the report to 'Public' in the tenant settings.
D.Add the team to the workspace as a 'Member' role.
AnswerA

Direct sharing with the team group grants access.

Why this answer

Option C is correct because sharing the report with the team grants access. Option A is wrong because the report link is publicly accessible. Option B is wrong because app permissions are for workspace access.

Option D is wrong because team owners don't automatically get access.

113
MCQmedium

Refer to the exhibit. You run a PowerShell script to list workspaces and their users. You need to ensure that only members of the sales security group can access the Sales workspace. What should you do?

A.Restore the Marketing workspace and move the reports there.
B.Add the sales security group as a Contributor to the Sales workspace.
C.Change the sales security group's role to Viewer.
D.Remove the individual users (user1 and user2) from the Sales workspace.
AnswerD

Removing individual users leaves only the security group, ensuring access through group membership.

Why this answer

Option B is correct because the exhibit shows that the sales security group is already an Admin in the workspace. However, user1 and user2 are individual users with Member and Contributor roles. To restrict access to only the security group, you must remove these individual users.

Option A is wrong because the security group is already added as Admin, which is sufficient for access. Option C is wrong because the Marketing workspace is deleted and irrelevant. Option D is wrong because changing the security group role to Viewer would reduce permissions, but the core issue is the individual users.

114
MCQeasy

A Power BI report in a shared workspace needs to be embedded in a SharePoint Online page. Users accessing the page must see the report without signing in again. Which capability is required?

A.Use the 'Embed for SharePoint' option in Power BI.
B.Use the 'Embed for your organization' option.
C.Share the report directly with each user via email.
D.Publish the report to the web and embed the iframe.
AnswerA

Correct. This provides seamless authentication.

Why this answer

Option A is correct because 'Embed for SharePoint' allows seamless integration with SharePoint Online, leveraging the user's existing authentication. Option B is wrong because 'Publish to web' makes the report public. Option C is wrong because that method is for custom apps.

Option D is wrong because direct sharing requires sign-in.

115
MCQhard

You have a Power BI dataset that uses a DirectQuery connection to Azure Synapse Analytics. Users report that the report is slow. You need to improve query performance without changing the data source. What should you do?

A.Reduce the cardinality of calculated measures.
B.Disable row-level security (RLS) on the dataset.
C.Increase the scheduled refresh frequency.
D.Reduce the number of visuals on each report page.
AnswerD

Fewer visuals mean fewer queries to the source.

Why this answer

Option C is correct because reducing the number of visuals on a page reduces the number of queries sent to the data source. Option A is incorrect because increasing scheduled refresh does not affect DirectQuery. Option B is incorrect because disabling RLS would not improve performance significantly.

Option D is incorrect because reducing the cardinality of measures does not reduce the number of queries.

116
MCQeasy

A Power BI workspace contains a report that uses a shared dataset. The dataset owner leaves the company. The report still works, but the dataset cannot be refreshed. What should the administrator do to restore refresh capability?

A.Reassign the dataset ownership to another user in the workspace settings
B.Create a new dataset and link the report to it
C.Reconfigure the gateway to use a service principal
D.Take over the dataset as an administrator and update the data source credentials
AnswerD

Administrators can take over ownership and update credentials.

Why this answer

Option C is correct because taking over the dataset allows the administrator to configure credentials and refresh. Option A is wrong because reassigning ownership is not a direct feature; take over is. Option B is wrong because creating a new dataset would break the report linkage.

Option D is wrong because the data source credentials are stored in the dataset, not the gateway.

117
MCQmedium

Your organization uses Microsoft Entra ID for identity management. You have created a Power BI app workspace and assigned users to the Viewer role. However, some viewers report that they cannot export report data to Excel. What is the most likely reason?

A.Viewers do not have a Power BI Pro license.
B.The 'Allow viewers to export data' setting is disabled in the workspace.
C.The Viewer role does not have permission to view reports.
D.Microsoft Entra ID conditional access policies block data export.
AnswerB

Correct. This setting must be enabled.

Why this answer

Option B is correct because the 'Export data' permission is controlled by the app workspace setting 'Allow viewers to export data', which is disabled by default. Option A is wrong because Viewer role can generally view reports. Option C is wrong because licensing affects creation, not basic export.

Option D is wrong because Entra ID settings do not block export at the workspace level.

118
Multi-Selectmedium

You are a Power BI administrator. Your organization wants to use Microsoft Defender XDR to monitor Power BI activity for suspicious behavior. Which two components are essential for this integration? (Choose two.)

Select 2 answers
A.Microsoft Purview data classification policies.
B.Power BI activity logs streamed to Microsoft Sentinel.
C.Microsoft Defender XDR advanced hunting.
D.Microsoft Foundry AI models.
E.Microsoft Intune device compliance policies.
AnswersB, C

Sentinel can ingest Power BI activity logs for security monitoring.

Why this answer

Option A (Power BI activity logs streamed to Microsoft Sentinel) and Option D (Microsoft Defender XDR advanced hunting) are correct. Option A provides the data source. Option D allows querying the data for anomalies.

Option B is wrong because Microsoft Intune manages devices, not Power BI. Option C is wrong because Microsoft Purview is for compliance, not threat detection. Option E is wrong because Microsoft Foundry is for AI workloads.

119
MCQeasy

You need to ensure that a Power BI report containing sensitive financial data is not accessible to users outside your organization. The report is published to a workspace in the Power BI service. What should you do?

A.Remove the report from the Power BI service and distribute it via email.
B.Apply a sensitivity label of 'Highly Confidential' to the report.
C.Disable 'Allow external sharing' in the Power BI admin portal.
D.Disable 'Publish to web' in the tenant settings.
AnswerC

This prevents any external user from accessing content.

Why this answer

Option C is correct. Disabling 'Allow external sharing' at the tenant level prevents sharing with external users. Option A is wrong because sensitivity labels classify data but do not block external access by default.

Option B is wrong because the report is already in the service. Option D is wrong because disabling 'Publish to web' prevents embedding, but external users could still be explicitly shared to.

120
MCQeasy

Refer to the exhibit. You define an RLS role in Power BI Desktop as shown. You publish the dataset and assign the user 'user@contoso.com' to the role. When the user views a report that uses this dataset, they see no data. What is the most likely cause?

A.The role name is invalid; it must not contain spaces.
B.RLS is not applied in Power BI service for tables with less than 100 rows.
C.The user is not assigned to the role correctly.
D.The Region values in the data have leading spaces or are not exactly 'North' (e.g., 'North ').
AnswerD

Exact match fails if data differs.

Why this answer

The filter expression uses a string comparison that might not match due to case sensitivity or leading/trailing spaces. Option A is correct. Option B is wrong because the role name is valid.

Option C is wrong because the user is assigned to the role. Option D is wrong because RLS works in the service.

121
MCQeasy

You are a Power BI administrator for a small business. The company uses Power BI Pro licenses for all users. You need to ensure that all data sources used in Power BI reports are documented and that sensitive data is classified. You have been asked to set up a process that automatically scans Power BI datasets for sensitive data and adds classification labels. You have the following options: A. Use Microsoft Purview to scan Power BI datasets and apply sensitivity labels. B. Use Power BI's built-in data classification feature to manually label datasets. C. Use Microsoft Sentinel to monitor data access and apply labels. D. Use Azure Policy to enforce labeling on Power BI datasets. Which option should you choose?

A.Use Microsoft Purview to scan Power BI datasets and apply sensitivity labels.
B.Use Power BI's built-in data classification feature to manually label datasets.
C.Use Azure Policy to enforce labeling on Power BI datasets.
D.Use Microsoft Sentinel to monitor data access and apply labels.
AnswerA

Purview provides automated scanning and labeling.

Why this answer

Option A is correct. Microsoft Purview can automatically scan Power BI datasets for sensitive data and apply sensitivity labels based on classification rules. Option B is wrong because manual labeling is not automatic.

Option C is wrong because Microsoft Sentinel is a SIEM, not a data classification tool. Option D is wrong because Azure Policy does not directly integrate with Power BI for labeling.

122
MCQhard

A Power BI report uses a DirectQuery dataset connected to an Azure SQL Database. Users report that the report takes over 30 seconds to load. You need to improve performance without changing the data model. What should you recommend?

A.Increase the 'Maximum connections per user' setting in the Premium capacity.
B.Enable 'Reduce cardinality by using aggregation' in the dataset settings.
C.Convert the dataset to Import mode.
D.Disable 'Cross-report data binding' in the report settings.
AnswerB

Aggregations can improve DirectQuery performance.

Why this answer

Option B is correct. Enabling 'Reduce cardinality by using aggregation' can improve DirectQuery performance by pre-aggregating data. Option A is wrong because Import mode changes the data model approach.

Option C is wrong because disabling 'Cross-report data binding' affects report interactivity but not query performance. Option D is wrong because increasing the max connections per user might help concurrency but not single query latency.

123
MCQeasy

A user reports that they cannot publish a Power BI Desktop file to the Power BI service. The error message indicates insufficient permissions. The user is a member of a workspace and has the Viewer role. What is the most likely cause?

A.The user has the Viewer role in the workspace
B.Row-level security (RLS) is preventing the user from seeing the data
C.The user does not have a Power BI Pro license
D.The .pbix file is stored on a network share that restricts write access
AnswerA

Viewers cannot publish; they need at least Contributor role.

Why this answer

Option B is correct because the Viewer role in a Power BI workspace does not allow publishing or editing. Option A is wrong because the Power BI license is required but the user has a license as a workspace member. Option C is wrong because the report may not be in a shared drive, but the core issue is role permissions.

Option D is wrong because RLS does not affect publishing permissions.

124
MCQmedium

You have a Power BI report that uses a DirectQuery dataset. You need to ensure that users see only the data relevant to their department. What should you implement?

A.Q&A features to restrict natural language queries.
B.Row-level security (RLS) with DAX filter expressions.
C.Object-level security (OLS) to hide tables.
D.Data lineage view to control access.
AnswerB

RLS filters rows based on user identity.

Why this answer

Row-level security (RLS) is the correct approach because it filters data at the query level based on the user's identity. In a DirectQuery model, RLS translates DAX filter expressions into source queries, ensuring that each user only sees rows relevant to their department without duplicating reports or datasets.

Exam trap

The trap here is that candidates confuse row-level security (RLS) with object-level security (OLS), thinking OLS can filter rows when it only hides entire objects like tables or columns.

How to eliminate wrong answers

Option A is wrong because Q&A features allow natural language queries but do not restrict data visibility; they only control how users can phrase questions. Option C is wrong because object-level security (OLS) hides entire tables or columns, not rows, so it cannot filter data by department. Option D is wrong because data lineage view is a metadata visualization tool for impact analysis, not a security mechanism to control user access to data.

125
Multi-Selecthard

A Power BI administrator needs to enforce that all datasets published to the service use certified data sources only. Which two settings should be configured? (Choose two.)

Select 2 answers
A.Use Microsoft Sentinel to audit Power BI activity logs and flag non-certified data sources.
B.Enable 'Certification' for dataflows in the Power BI tenant settings.
C.Enable 'Certification' for data sources in the Power BI tenant settings.
D.Configure row-level security (RLS) on all datasets.
E.Set up B2B guest user permissions to restrict external data sources.
AnswersA, C

Sentinel can ingest audit logs to detect and alert on use of uncertified data sources.

Why this answer

Option A (tenant setting for 'Certification' of data sources) and Option C (admin monitoring with Microsoft Sentinel) are correct. Option A directly enforces certification. Option C allows detection of non-compliant datasets via logs.

Option B (Row-level security) does not enforce data source certification. Option D (B2B guest settings) is irrelevant. Option E (dataflow certification) certifies dataflows, not datasets.

126
MCQeasy

You are a Power BI administrator. A user reports that they receive an error 'You cannot view this report because it is not shared with you' when trying to open a report in a workspace where they are a Member. What is the most likely cause?

A.The report has restricted access set at the report level, and the user is not in the allowed list.
B.The report is stored in a different workspace.
C.The user's role is Viewer, not Member.
D.The user's Power BI license is expired.
AnswerA

Report owners can restrict access to specific users even within a workspace.

Why this answer

Option A is correct because report-level permissions are separate from workspace roles; the report owner may have restricted access to specific users. Option B is wrong because Member role allows viewing all content unless restricted. Option C is wrong because the report is in the workspace.

Option D is wrong because if the user is a Member, they should be able to view unless explicitly denied.

127
MCQmedium

A company uses Power BI Premium with a capacity-based license. The capacity is frequently reaching its memory limit, causing reports to be evicted. You need to reduce memory pressure on the capacity. What should you do?

A.Enable the 'Large dataset storage format' for all datasets.
B.Move all datasets to a shared capacity.
C.Increase the scheduled refresh frequency to every hour.
D.Implement row-level security (RLS) to limit data loaded per user.
AnswerD

RLS can reduce memory footprint by loading only relevant data.

Why this answer

Option D is correct. Implementing RLS can reduce the amount of data loaded into memory for each user, thus reducing memory pressure. Option A is wrong because increasing the refresh frequency can increase memory usage.

Option B is wrong because enabling 'Large dataset storage format' increases memory usage. Option C is wrong because moving datasets to a shared capacity does not help if the problem is capacity overload.

128
Multi-Selecteasy

Which TWO Power BI components can be used to restrict access to specific rows of data for different users? (Select exactly two.)

Select 2 answers
A.Column-level security (CLS)
B.Bookmark-based filtering
C.Object-level security (OLS)
D.Row-level security (RLS)
E.Dashboard-level permissions
AnswersC, D

OLS can restrict access to entire tables or columns, limiting row access.

Why this answer

Options A and B are correct. Row-level security (RLS) is the primary method to filter data rows by user. Object-level security (OLS) can also restrict access to specific tables or columns, which indirectly restricts rows if applied to tables.

Option C is wrong because column-level security is not a Power BI feature; it's a database concept. Option D is wrong because bookmark-based filtering is not a security feature. Option E is wrong because dashboard-level security controls access to the dashboard, not rows.

129
MCQmedium

Your organization has a Power BI Premium capacity. You need to ensure that data refresh operations for a specific dataset are not interrupted during peak hours. What should you configure?

A.Disable scheduled refresh for the dataset.
B.Set the dataset to 'Refresh now' manually during off-peak hours.
C.Increase the capacity size to a higher SKU.
D.Configure a 'priority' rule in the capacity workload settings for data refresh.
AnswerD

Priority rules allocate resources to high-priority datasets.

Why this answer

Option C is correct because configuring a priority rule for the dataset ensures it gets resources over others. Option A is wrong because it doesn't guarantee resources. Option B is wrong because it prevents refresh entirely.

Option D is wrong because capacity settings affect overall performance, not prioritization.

130
MCQeasy

You need to audit which users have accessed a specific Power BI dashboard in the last 30 days. What should you use?

A.Microsoft Sentinel.
B.Power BI Activity Log (audit log) in the Microsoft 365 admin center.
C.Microsoft Purview compliance portal.
D.Power BI REST API 'Get Datasets' endpoint.
AnswerB

Activity logs track user access to dashboards.

Why this answer

Option A is correct. The Power BI Activity Log (available via the admin portal or PowerShell) records user access events. Option B is wrong because the Power BI REST API can retrieve activity logs but is not the primary tool.

Option C is wrong because Microsoft Purview compliance portal provides broader auditing but requires integration. Option D is wrong because Microsoft Sentinel is a SIEM tool that can ingest logs but is not the direct source.

131
MCQeasy

You are a Power BI administrator. A user reports that they are unable to share a dashboard with an external user from a partner organization. The external user has a Microsoft Entra ID account in their own tenant. What is the most likely reason?

A.External users cannot view Power BI content; they need a Power BI license.
B.The 'Share content with external users' tenant setting is disabled.
C.The dashboard is based on a dataset that uses RLS and the external user is not in the role.
D.External users must be added as members in the same tenant.
AnswerB

This setting must be enabled to share with external users.

Why this answer

Sharing with external users requires enabling B2B collaboration in Microsoft Entra ID and configuring Power BI tenant settings to allow sharing with external users. Option A is correct. Option B is wrong because guest user accounts are exactly for this.

Option C is wrong because Power BI guest users can view reports. Option D is wrong because licensing via viral trial is possible.

132
MCQeasy

You need to grant a user the ability to manage permissions on a Power BI workspace but not to view or edit the content. What minimum role should you assign?

A.Contributor
B.Viewer
C.Member
D.Admin
AnswerD

Admin can manage permissions without necessarily viewing content.

Why this answer

Option D is correct because the Admin role allows managing permissions and membership but does not require viewing content. Option A is incorrect because Member can edit content. Option B is incorrect because Contributor can edit content.

Option C is incorrect because Viewer can view content but cannot manage permissions.

133
Multi-Selecthard

Which THREE of the following are required to configure Microsoft Purview Information Protection sensitivity labels for Power BI? (Choose three.)

Select 3 answers
A.Each user must have a Power BI Pro license.
B.Have a Power BI Premium capacity assigned to the workspace.
C.Users must have appropriate permissions (e.g., Azure Information Protection rights) to apply labels.
D.Sensitivity labels must be published in the Microsoft 365 Compliance Center.
E.Enable sensitivity labels in the Power BI admin tenant settings.
AnswersC, D, E

Users need permissions to apply labels, usually via Azure Information Protection.

Why this answer

Options A, C, and D are correct. Sensitivity labels in Power BI require enabling in the tenant settings, having the labels published in Microsoft 365 Compliance Center, and the user must have the appropriate permissions to apply the labels. Option B is wrong because Power BI Premium is not a requirement; labels work in shared capacity too.

Option E is wrong because a Power BI Pro license is required for the user to apply labels, but it's not a configuration step.

134
MCQhard

Refer to the exhibit. You are implementing a sensitivity label policy in Microsoft Purview for Power BI. The policy shown is intended to block users in the SalesTeam group from exporting reports with the 'Confidential' label to PDF. However, users in SalesTeam can still export PDF. What is the most likely issue?

A.The sensitivity label 'Confidential' has not been applied to the reports.
B.The 'ExportReportToPDF' activity name is incorrect; it should be 'ExportToPDF'.
C.The SalesTeam group does not contain the users.
D.The 'Action' should be 'Deny' instead of 'Block'.
AnswerA

If label not applied, policy does not trigger.

Why this answer

The policy syntax is incorrect; the 'Action' should be 'Block' but the condition needs to be structured correctly. However, the likely issue is that the sensitivity label 'Confidential' is not applied to the reports, or the policy is not published. Option D is correct.

Option A is wrong because the condition is valid. Option B is wrong because 'ExportReportToPDF' is a valid activity. Option C is wrong because the group membership is not necessarily the issue.

135
Multi-Selecteasy

Which TWO methods can you use to share a Power BI report with external users who do not have a Power BI Pro license? (Choose two.)

Select 2 answers
A.Embed the report in a secure portal using 'Embed for your customers'.
B.Publish to a public website (Publish to web).
C.Export the report to PDF and share the file.
D.Share directly via Power BI using the user's email address.
E.Export the report to Excel and attach it to an email.
AnswersA, B

Allows users to view without a Pro license.

Why this answer

Options A and D are correct. You can share a report by publishing to a public website (if allowed) or by embedding it in a secure portal using the 'Embed for your customers' option (requires Premium). Option B is incorrect because sharing via email requires the recipient to have a Pro license.

Option C is incorrect because exporting to PDF does not provide interactive sharing. Option E is incorrect because exporting to Excel is not a sharing method.

136
MCQeasy

A data analyst creates a Power BI report using a dataset that contains sensitive salary information. The analyst needs to ensure that only HR managers can see salary columns. What should the analyst use?

A.Row-level security (RLS).
B.Microsoft Purview sensitivity labels.
C.Object-level security (OLS).
D.Set the dataset security to 'Restrict access'.
AnswerC

OLS hides entire columns from roles.

Why this answer

Option B is correct because object-level security (OLS) hides columns from specific roles. Option A is wrong because RLS filters rows, not columns. Option C is wrong because sensitivity labels are for classification, not access control.

Option D is wrong because the dataset's security settings do not support column-level security natively.

137
MCQeasy

You need to share a Power BI dashboard with a large group of users in your organization. The users should not be able to edit the dashboard or share it with others. What is the most efficient method?

A.Add all users as Members of the workspace.
B.Share the dashboard directly with each user's email address.
C.Publish the dashboard to the web.
D.Create a workspace app and grant the group Viewer access.
AnswerD

Correct. Scalable and read-only.

Why this answer

Option D is correct because creating a workspace app and granting Viewer access to the group is the most scalable and manageable approach. Option A is wrong because sharing via email is not scalable. Option B is wrong because publish to web is public.

Option C is wrong because granting Member role allows editing and sharing.

138
MCQhard

A Power BI administrator needs to ensure that all reports in a workspace are labeled with a sensitivity label automatically when created. The workspace is used by multiple departments. What should the administrator configure?

A.Set a default sensitivity label for the workspace in the workspace settings.
B.Configure a Microsoft Purview auto-labeling policy for the workspace.
C.Set the default sensitivity label for the entire Power BI tenant.
D.Instruct all users to manually apply the sensitivity label when creating reports.
AnswerA

Workspace-level default labels automatically apply to all new items in that workspace.

Why this answer

Option D is correct because Power BI supports automatic labeling via default labels at the workspace level, which can be set by administrators or workspace owners. Option A is wrong because manual labeling is not automatic. Option B is wrong because Microsoft Purview auto-labeling policies apply to the service as a whole, not per workspace.

Option C is wrong because the tenant default label applies to all workspaces, not a specific one.

139
MCQmedium

You need to ensure that only members of a specific security group can view a Power BI dashboard. The dashboard is in a shared workspace. What should you do?

A.Publish the dashboard as an app and set the security group as the audience.
B.Assign the security group the Viewer role on the workspace.
C.Configure row-level security on the underlying dataset to filter by user.
D.Share the dashboard directly with the security group.
AnswerA

App audiences allow restricting access to specific security groups.

Why this answer

Option C is correct because Power BI allows restricting access to a dashboard by using App permissions and audience targeting. Option A is incorrect because workspace roles grant access to all content in the workspace, not specific items. Option B is incorrect because sharing gives access to the dashboard but does not restrict to a security group automatically.

Option D is incorrect because row-level security filters data, not the dashboard visibility.

140
Multi-Selecthard

Which THREE components must be in place to enable Power BI data sensitivity labels from Microsoft Purview? (Select exactly three.)

Select 3 answers
A.Power BI admin setting to enable sensitivity labels enabled
B.Sensitivity labels published to users or groups in Microsoft Purview compliance portal
C.Power BI Premium capacity assigned to the workspace
D.Microsoft Purview Information Protection subscription (including Azure Information Protection P1/P2)
E.Power BI Pro license for all users
AnswersA, B, D

The admin must turn on the feature.

Why this answer

Options B, C, and D are correct. A Purview Information Protection subscription is required; sensitivity labels must be published to users or groups; and Power BI admin settings must enable sensitivity labels. Option A is wrong because the Power BI license is not a prerequisite; any license can use labels if the admin enables them.

Option E is wrong because a Premium capacity is not required; labels work with Pro and Premium.

141
Multi-Selectmedium

Which TWO actions are required to enable Bring Your Own Key (BYOK) encryption for Power BI datasets? (Select exactly two.)

Select 2 answers
A.Assign the workspace to a Power BI Premium capacity
B.Store the encryption key in the Power BI service admin settings
C.Upload the customer-managed key to Azure Key Vault
D.Configure the Power BI admin settings to use the key from Azure Key Vault
E.Register the encryption key in Microsoft Purview compliance portal
AnswersC, D

The key must be stored in Azure Key Vault.

Why this answer

Options B and D are correct. BYOK requires uploading the encryption key to Azure Key Vault and configuring the Power BI admin settings to use the key. Option A is wrong because the key is stored in Azure Key Vault, not Power BI.

Option C is wrong because BYOK does not require a Premium capacity; it works with Premium Per User or Premium capacity. Option E is wrong because the key is not stored in Microsoft Purview.

142
Multi-Selecthard

Which THREE features are available in Power BI Premium capacity but not in Power BI shared capacity? (Select exactly three.)

Select 3 answers
A.AI visuals and cognitive services integration.
B.Large dataset storage (up to 100 GB per dataset in Premium Gen2).
C.Incremental refresh.
D.XMLA endpoints for read/write operations.
E.Automatic page refresh.
AnswersA, B, D

Premium only.

Why this answer

Premium capacity offers larger data storage, XMLA endpoints for write operations, and AI features. Option A, B, and C are correct. Option D is wrong because incremental refresh is available in shared capacity (with limitations).

Option E is wrong because automatic page refresh is available in shared capacity for DirectQuery.

143
MCQmedium

A company is deploying Power BI for the entire organization. They need to prevent users from sharing reports with external email addresses. Which configuration should the Power BI admin use?

A.Disable 'Share content with external users' in the Power BI admin portal.
B.Configure a Conditional Access policy in Microsoft Entra ID.
C.Apply a Microsoft Purview sensitivity label.
D.Set the workspace sharing settings to 'Only existing users'.
AnswerA

This setting prevents sharing with external email addresses.

Why this answer

Option D is correct because the admin portal has a setting to control sharing with external users. Option A is wrong because tenant-level sharing settings are in the admin portal, not Microsoft Entra ID. Option B is wrong because sensitivity labels classify data but do not block sharing.

Option C is wrong because sharing settings are not in workspace settings.

144
MCQhard

You have a Power BI workspace that contains a dataset with a live connection to Azure Analysis Services. You need to configure the dataset so that when a user views a report in the Power BI service, the underlying data is queried from the Azure Analysis Services model using the user's identity. What should you configure in the Power BI dataset settings?

A.Enable single sign-on (SSO) for the dataset.
B.Set the authentication method to 'Use current user's credentials'.
C.Define row-level security (RLS) roles in Power BI Desktop.
D.Configure the 'Effective identity' settings on the dataset.
AnswerD

Effective identity passes the viewing user's identity to Azure Analysis Services for RLS.

Why this answer

Option B is correct because when using a live connection to Azure Analysis Services, the 'Effective identity' setting in Power BI allows you to pass the viewing user's identity to the source, enabling row-level security defined in Azure Analysis Services. Option A is wrong because single sign-on (SSO) is for data sources like SQL Server, not for Analysis Services live connections. Option C is wrong because the 'Use current user's credentials' is not available for live connections; it's for direct query mode.

Option D is wrong because RLS in Power BI is separate from Analysis Services RLS; for live connections, RLS is defined in Analysis Services.

145
MCQhard

Your organization uses row-level security (RLS) in Power BI. You have a table 'Sales' with a column 'Region'. You define a role 'RegionManagers' with the filter: [Region] = "North". A user named Alice is a member of this role. However, when Alice views a report that uses this dataset, she sees all regions. What is the most likely reason?

A.The dataset uses DirectQuery mode, which does not support RLS.
B.Alice is the dataset owner.
C.The filter must use USERNAME() or USERPRINCIPALNAME() function.
D.RLS is only applied in Power BI Desktop, not in the service.
AnswerB

Dataset owners bypass RLS.

Why this answer

RLS is applied only when the user accesses the dataset through a report or dashboard in the service, but if the user has the 'Build' permission or is an owner of the dataset, they can bypass RLS. Option D is correct because dataset owners see all data regardless of RLS. Option A is wrong because RLS works in both DirectQuery and Import.

Option B is wrong because RLS works in the service. Option C is wrong because you must use 'username()' or 'userprincipalname()' in DAX, but the filter as written is static and valid.

146
MCQhard

You are a Power BI administrator. Your company has a Power BI tenant with a large number of workspaces. A new regulation requires that all shared dashboards must have a data retention policy that deletes data older than 6 months. You need to implement this for all existing and future dashboards. The solution must be automated and not require manual intervention. What should you do?

A.Configure a tenant-level data retention policy in the Power BI admin portal.
B.Set a retention period on each dashboard manually in the dashboard settings.
C.Use Microsoft Purview data lifecycle management to apply retention labels.
D.Develop a PowerShell script using the Power BI REST API to regularly delete dashboards older than 6 months.
AnswerD

Automated script can enforce retention.

Why this answer

Option C is correct because Power BI does not have built-in data retention for dashboards; you must use the REST API to programmatically manage content. Option A is wrong because there is no tenant-level retention setting. Option B is wrong because Microsoft Purview does not manage Power BI data retention.

Option D is wrong because there is no dashboard-level setting.

147
MCQmedium

You have a Power BI report that uses a dataset with row-level security (RLS) roles defined. Users report that they see no data when viewing the report. Which two checks should you perform first? (Assume all other configurations are correct.)

A.Confirm that the workspace is assigned to a Premium capacity.
B.Check that the report is published to a Power BI app.
C.Verify that the dataset has the RLS roles applied and published.
D.Ensure the users are members of the appropriate RLS role.
E.Verify that the RLS role name matches exactly with the username.
AnswerC, D

RLS roles must be applied to the dataset in the service.

Why this answer

Option A is correct because RLS roles must be applied to the dataset. Option D is correct because users must be members of the RLS role. Option B is wrong because app permissions are for sharing, not RLS.

Option C is wrong because capacity is unrelated. Option E is wrong because the RLS role name is case-insensitive.

148
MCQmedium

Your organization uses Microsoft Power BI with Microsoft Purview for data governance. You have a dataset that contains customer data classified as 'Highly Confidential' under a sensitivity label. The compliance team requires that when this dataset is shared with external users, a Microsoft Purview data loss prevention (DLP) policy must block the sharing and notify the compliance team. You need to configure this. What should you do?

A.Use Microsoft Defender for Cloud Apps to create a session policy that blocks sharing.
B.Configure Microsoft Sentinel to monitor and block sharing events.
C.In the Power BI admin portal, disable sharing for workspaces containing 'Highly Confidential' content.
D.Create a DLP policy in Microsoft Purview that applies to Power BI and blocks sharing of content with the 'Highly Confidential' label.
AnswerD

DLP policies can block sharing based on sensitivity labels.

Why this answer

Option A is correct because DLP policies in Microsoft Purview can block sharing based on sensitivity labels. Option B is wrong because Microsoft Defender for Cloud Apps is for app governance, not DLP. Option C is wrong because Power BI admin settings do not provide DLP.

Option D is wrong because Microsoft Sentinel is for security monitoring, not DLP.

149
Multi-Selecthard

You manage a Power BI tenant. You need to prevent users from sharing reports with external users. Which THREE actions should you take?

Select 3 answers
A.Create a Microsoft Entra ID conditional access policy to block external users.
B.Disable 'Publish to web' in the admin portal.
C.In the Power BI admin portal, disable 'Share content with external users'.
D.Disable 'Create app workspaces' for non-admins.
E.Disable 'Export to Excel' for all reports.
AnswersA, B, C

Blocks access from external accounts.

Why this answer

Options A, B, and D are correct. Disable sharing with external users in the tenant settings, disable embed codes to prevent public sharing, and use Microsoft Entra ID conditional access to block external access. Option C is wrong because that setting controls publish to web, not sharing.

Option E is wrong because that setting controls export, not sharing.

150
MCQeasy

You have a Power BI capacity that is frequently hitting its memory limits, causing refreshes to fail. You need to reduce memory usage without increasing capacity size. What should you do?

A.Increase the eviction time for unused data.
B.Reduce the number of parallel data refresh operations.
C.Remove row-level security (RLS) from the dataset.
D.Increase the frequency of scheduled refreshes.
AnswerB

Fewer concurrent refreshes lower memory consumption.

Why this answer

Option A is correct because reducing the number of parallel data refreshes reduces memory pressure. Option B is incorrect because increasing scheduled refresh frequency increases memory usage. Option C is incorrect because removing RLS does not reduce memory usage significantly.

Option D is incorrect because increasing the eviction time keeps more data in memory, worsening the issue.

← PreviousPage 2 of 3 · 164 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Manage and secure Power BI questions.