Measure Killer Measure Killer

Access & permissions tracking

Audit who has access to every workspace and item across your Power BI / Fabric tenant — and find the leaks.

What you get

For every workspace and item across your tenant, the Access view lists who has what permission — Admins, Members, Contributors, Viewers, and any service principals with workspace or item-level grants. You can filter to a single user to see every workspace and item they can reach, or filter to a single item to see everyone who can reach it.

The view is the answer to the questions most governance teams cannot answer out of the box:

  • Which workspaces does this person have access to?
  • Who can see this particular report?
  • Are there service principals with workspace permissions we don’t recognise?
  • Which workspaces have personal accounts as Admins?

Why it requires Fabric Admin

Most Measure Killer features work in Limited tenant analysis mode, which needs only Power BI workspace membership. The Access view is the exception: it has to enumerate workspace role assignments and per-item permission scopes across the entire tenant, which is information only a Fabric Administrator (formerly Power BI Service Administrator) can see.

If your current account is not a Fabric Admin, the Access tab will load empty and Measure Killer will show a permission warning at the top of the pane. Have a Fabric Admin run the tool, or request the role for the account that runs Measure Killer.

A known blind spot — group membership

Measure Killer can see which security groups, Azure AD groups, or Entra groups have access to a workspace or item — but it cannot resolve who is inside those groups. Group membership lives in Entra ID and is not exposed through the Power BI / Fabric admin APIs that the Access view reads.

In practice this means: if a workspace is shared with BI-Analysts-Global, you will see that group on the access list, but you will not see the individual people inside it. To get effective per-user access, combine the MK Access export with a group-membership export from Entra ID.

Run the analysis

  1. Open Measure Killer desktop and sign in with a Fabric Admin account (or trigger the run via your MK Automation Notebook).
  2. Open Tenant analysis and start any tenant operation — a full scan, a workspace-level scan, or just browsing the tenant inventory all populate the Access view.
  3. Switch to the Access tab.
  4. Use the filter row at the top to narrow by user, group, workspace, or item.

Common workflows

Audit a leaving employee. Filter the Access view to the person’s email. You get a single screen listing every workspace and item they can reach, with the permission level for each. Hand that to IT for offboarding.

Find over-shared reports. Sort items by the number of distinct users with access. Anything in the top of the list that is meant to be internal-only is a candidate for a permission review.

Spot unexpected service principals. Filter the Access view to Service principal as the principal type. Anything that you don’t have a provisioning record for is worth investigating.

What to do with the findings

Inside the app, you can sort, filter, and visually inspect the Access view for free. To take the data to another tool — Excel, a SIEM, an access-review workflow — you need to export, which requires a paid licence (see the trial note above).

  • TODO: link to “Run a tenant scan” once that doc is fleshed out.
  • TODO: link to “Apps & audiences — who has access” once written.