Power BI Data Analyst · 20% of the exam

Manage and secure Power BI: free practice questions

5 sample questions from our 50-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real Microsoft exam.

1. An enterprise at Relecloud has configured RLS in a Power BI semantic model. The security team wants to validate that a specific user ('ana@relecloud.com') sees only data for the 'West' region as intended. Ana has a Viewer role in the workspace. Which THREE steps correctly describe the process to test Ana's RLS experience in the Power BI service? (Select THREE.)

  • A. Navigate to the semantic model in the workspace, select 'More options (…)' > 'Security', then use the 'Test as role' feature and enter ana@relecloud.com.✓ Correct
  • B. Open the report, go to the View ribbon in Power BI Desktop, and select 'View as' to simulate Ana's role.
  • C. In the semantic model Security settings, select the RLS role assigned to Ana (e.g., 'West Region'), then enter Ana's email in the 'Test as role' input box.
  • D. Verify that the filtered data shown in the 'Test as role' view matches only West region records.✓ Correct
  • E. Assign Ana the Contributor role temporarily to allow the test to run, then revert back to Viewer.
  • F. Confirm that Ana's email is listed as a member of the appropriate RLS role in the semantic model Security settings.✓ Correct
Explanation

The correct three-step process is: (1) Access the semantic model's Security settings via 'More options > Security' in the workspace — this is the correct service-side entry point for RLS testing. (2) In the RLS test interface, enter Ana's UPN to simulate her view and verify the data returned matches only West region records. (3) Confirm that Ana's UPN is actually a member of the correct RLS role, since the test will only work correctly if her membership is properly configured. Option B describes Power BI Desktop's 'View as' feature, which is for design-time testing and cannot test with a specific user's UPN in the service. Option C conflates two steps inaccurately — you select the role AND enter the user; entering only the user (via 'Test as role') in the service will impersonate them and automatically apply their assigned roles. Option E is incorrect and unnecessary; you do not need to change Ana's workspace role to test RLS — in fact, testing RLS is done by the semantic model owner/admin, not by Ana herself.

2. A senior BI developer at Fabrikam is setting up a deployment pipeline for a critical financial report. After deploying from the Development stage to the Test stage, the developer notices that the data source connection string in the semantic model still points to the development database instead of the test database. What is the correct way to handle this without manually editing the connection after every deployment?

  • A. Create a deployment rule in the pipeline that maps the development data source to the test data source✓ Correct
  • B. Use a Power BI parameter in the semantic model and update the parameter value directly in the pipeline settings after each deployment
  • C. Publish a separate, duplicate semantic model for each stage with hard-coded connection strings
  • D. Enable the 'Automatic deployment' option in the pipeline, which automatically resolves data source differences between stages
Explanation

Deployment rules in Power BI deployment pipelines allow administrators to define stage-specific overrides for data source connection strings and parameters, so that when content is deployed to a different stage, the correct data source is automatically applied. This is the designed solution for this exact problem. Using a Power BI parameter and updating it manually after each deployment would work but is a manual step that defeats the automation purpose, and the question asks how to do it 'without manually editing after every deployment.' Maintaining duplicate semantic models per stage creates management overhead and is an anti-pattern. There is no 'Automatic deployment' option that resolves data source differences — that is not a real Power BI feature.

3. A Power BI developer at Alpine Ski House publishes a new app from a workspace containing five reports. After the app is published, end users report they can see all five reports in the app, but the developer only wants the Sales team to see the 'Revenue Summary' report and the 'Pipeline Forecast' report, while all other users should only see the 'Company Overview' report. What should the developer do to achieve this?

  • A. Create two separate apps from the workspace — one for the Sales team and one for all other users — each containing only the relevant reports.
  • B. Configure multiple audiences in the app: create a 'Sales' audience with the Revenue Summary and Pipeline Forecast reports, and a default audience with only the Company Overview report.✓ Correct
  • C. Assign workspace roles so that the Sales team members have the Member role and all other users have the Viewer role, then republish the app.
  • D. Apply row-level security (RLS) on each report so that the Sales team can only see the relevant data, and restrict the other reports using report-level permissions.
Explanation

Power BI apps support multiple audiences, which allows a single app to present different sets of content to different groups of users. The developer should create a 'Sales' audience that includes the Revenue Summary and Pipeline Forecast reports, and a default audience that contains only the Company Overview report — this is the correct and most efficient approach. Option A is incorrect because you cannot publish two separate apps from the same workspace; each workspace can only publish one app at a time. Option C is incorrect because workspace roles control access to the workspace itself, not what content appears in the published app; all app users would still see all reports included in the app. Option D is incorrect because RLS restricts data rows, not which reports are visible in the app; it does not hide report tabs or control app navigation.

4. Woodgrove Bank uses row-level security (RLS) in a Power BI semantic model to restrict branch managers to data for their own branch. A Power BI developer needs to verify that the 'Branch Manager' RLS role is working correctly for a specific user, Maria Garcia, before publishing to production. How should the developer test Maria's RLS experience in the Power BI service?

  • A. Share the report directly with Maria and ask her to confirm the data is correct.
  • B. Use the 'Test as role' feature in Power BI Desktop, entering Maria's email address in the 'Other user' field.
  • C. In the Power BI service, navigate to the semantic model's Security settings, select the 'Branch Manager' role, and use 'Test as role' with Maria's UPN to preview her view.✓ Correct
  • D. Create a duplicate semantic model with only Maria's branch data and compare report outputs.
Explanation

The Power BI service provides a 'Test as role' capability in the semantic model Security settings, where an admin or model owner can select a role and optionally specify a user's UPN to simulate exactly what that user would see—including dynamic RLS based on USERNAME() or USERPRINCIPALNAME(). Option C is correct. Option A (sharing with Maria) is not a testing mechanism—it exposes production data and doesn't isolate the RLS validation. Option B partially correct in concept (Power BI Desktop does have 'View as' with a specific user option), but the Power BI service method is the appropriate place to test published RLS, and the question specifies 'before publishing to production' already implies the model is in the service. Actually, re-evaluating: the question says 'before publishing to production' but also says 'in the Power BI service'—Option C is the service-side validation method which is still valid in a pre-production workspace. Options B and C both reference valid tools but C is the complete, service-side answer that includes specifying Maria's UPN. Option D wastes significant effort and doesn't test RLS logic.

5. A Power BI developer at Tailwind Traders has configured static row-level security (RLS) in a semantic model published to a Premium workspace. The developer is assigned the Admin role in the workspace. After publishing, the developer wants to verify that a specific RLS role named 'RegionEast' correctly limits data to the Eastern region records only. What is the correct way to test this RLS role directly in the Power BI service?

  • A. Open the report in the Power BI service, then select 'View as' from the report toolbar and choose the 'RegionEast' role.
  • B. Navigate to the semantic model in the workspace, select 'Security' from the ellipsis menu, and use the 'Test as role' feature by entering the 'RegionEast' role name.✓ Correct
  • C. Add a test user who is a member of the 'RegionEast' RLS role to the workspace as a Viewer, then sign in as that user to verify the data.
  • D. In Power BI Desktop, select Modeling > View as Roles, choose 'RegionEast', and verify the filtered data before republishing.
  • E. Use the semantic model's REST API endpoint with an effective identity payload specifying the 'RegionEast' role to query the data.
Explanation

In the Power BI service, workspace admins and semantic model owners can test RLS roles directly by navigating to the semantic model, clicking the ellipsis (…) menu, selecting 'Security', and then using the 'Test as role' feature. This allows them to preview the data as seen by any defined RLS role (e.g., 'RegionEast') without needing to sign in as a different user. Option A is incorrect because the 'View as' option on the report toolbar in the Power BI service is not a standard built-in RLS testing feature; the RLS testing interface is accessed through the semantic model security settings, not the report toolbar. Option C is incorrect because adding a test user and signing in as them is a valid workaround but is not the purpose-built, efficient method for testing RLS roles — it also requires additional licensing and account management overhead. Option D is incorrect because 'View as Roles' in Power BI Desktop is valid for testing during development, but the question asks specifically about testing in the Power BI service after publishing. Option E is incorrect because using the REST API with effective identity is a developer/programmatic approach and is not the recommended straightforward method for an admin to validate RLS in the service.

45 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free