These docs are still being polished — a few sections and screenshots are on the way. Spotted something off? Let us know.

Security & access — audit who can reach what

Find out who has access to which workspaces, reports, apps, and data — across your entire Power BI tenant. Spot uncertified custom visuals, review Row Level Security, and track app audiences.

What Measure Killer covers

Measure Killer gives you four layers of security and access visibility across your Power BI tenant — each one answering a different question.

Who can access which workspaces and items?

The Access tab shows every principal (user, security group, service principal) with their role on each workspace and on individual items. AD / Entra groups are expanded so you see the actual humans behind a group assignment — not just “Finance Team has Contributor access.”

Available in full Tenant Analysis mode only (requires Fabric Admin). Two views:

User-level — start from a person, see everything they can reach
Report-level — start from an item, see everyone who can reach it

Access & permissions tracking

Who can access which apps — and what’s inside them?

Power BI apps package content for consumers. The Apps tab shows every app in the tenant (including organizational apps), with:

The audiences defined inside each app
Which users and groups belong to each audience
28-day consumption data (opens)
Contact information

This answers “which users can see which content through which app” — critical for license-compliance audits and for finding organizational apps that expose content to the entire company.

Apps & audiences

Who is governed by Row Level Security — and what are the rules?

The Row Level Security tab inventories every RLS role across every scanned semantic model: the role name, the DAX filter expression, and the users and groups assigned to each role.

Use this to verify that RLS is applied where it should be, that the filter expressions are correct, and that the right people are in the right roles. Also catches models that should have RLS but don’t.

Row Level Security

Which custom visuals could send data externally?

Custom visuals run JavaScript inside the Power BI rendering engine. Uncertified visuals have not been reviewed by Microsoft and may send data to external endpoints — a potential data exfiltration vector.

Measure Killer lists every custom visual across the tenant with its certification status, which reports use it, and how many users consume reports containing it. Use this for security audits (find uncertified visuals), license compliance (per-user counts vs. entitlements), and standardization (approved-visual policies).

Custom visual consumption

Common security workflows

Quarterly access review. Export the Access tab and compare against HR records. Flag principals who have left the organization or changed teams but still have workspace access.
App audience audit. Review organizational apps — they’re visible to the entire organization by default. Check whether the content they expose is still appropriate.
RLS completeness check. Cross-reference the RLS tab with the Access tab. Models with sensitive data that lack RLS roles are gaps. Models with RLS roles but no assigned members are wasted effort.
Custom visual risk assessment. Filter for uncertified visuals. For each one, check which reports use it and how many users are exposed. Decide whether to replace with a certified alternative or accept the risk.

Run a tenant-wide scan — the scan that populates all security and access views
Tenant summary — the high-level inventory that puts the security data in context
Exports overview — export access, RLS, apps, and custom visuals as JSON