Feature Request: Expose Effective Workspace Users (Expand Entra ID Groups in Access Results)

[AnalyticsInAction]

Feature Request: Expand Group Membership for Workspace Access Reporting

Current Behavior

Semantic Link Labs currently provides the ability to see which individual users, Entra ID groups, and service principals have access to a workspace using the list_workspace_access_details function:

import sempy_labs as labs
from sempy_labs import admin

admin.list_workspace_access_details(workspace="a_REDACTED_3")

This returns a pandas DataFrame (screenshot below) showing each principal that has access to the workspace, including:

• principalType (e.g. User, Group, ServicePrincipal)
• their role / access level in the workspace

Example output (truncated):

principalDisplayName	principalType	role	...
BI Platform Admins	Group	Admin	...
svc-refresh-prod	ServicePrincipal	Admin	...
Alice Smith	User	Member	...
Bob Jones	User	Viewer	...

Limitation

If access is granted via an Entra ID group, the DataFrame only shows the group object (e.g. principalType == "Group"). It does not list the individual users who are members of that group, or members of nested groups.

From a governance / audit / least-privilege perspective, the key question we need to answer is:

“Which human identities can actually access this workspace?”

Right now, we cannot answer that directly from Semantic Link Labs.

Current Workaround

Today, the only way (as I understand it) is to:

1. Take the group's Entra ID object ID from the DataFrame.

2. Call Microsoft Graph separately to expand that group and get all effective users:

   GET https://graph.microsoft.com/v1.0/groups/{group_id}/transitiveMembers
   

   This returns all members of the group, including indirect membership via nested groups.

3. Union:

   • all direct users from list_workspace_access_details
   • all users returned by transitiveMembers for each group

4. Dedupe by user object ID

That gives you the effective user list for the workspace, but it requires stitching Fabric admin APIs with Microsoft Graph manually.

Why This Matters

For governance, security reviews, and compliance sign-off, we typically need to report:

• “Who (which named people) can access Workspace X?”
• “How many people effectively have Admin / Member / Viewer?”

Right now, we can see groups, but groups can easily hide large numbers of people — so the true blast radius of a workspace is unclear.

Feature Request

It would be extremely useful if Semantic Link Labs could optionally return the effective user list for a workspace.

Concretely:

• Return all users who can access the workspace:
  • directly assigned as a user, or
  • indirectly via an Entra ID group
• Optionally include which group(s) granted that access, and which workspace role that path gives them

Example (conceptually):

userPrincipalName	effectiveRole	source
[email protected]	Admin	BI Platform Admins (Group)
[email protected]	Viewer	Direct Assignment
[email protected]	Admin	Direct (ServicePrincipal)

This would let us answer “Who can access this workspace?” without having to manually call Graph for each group and merge results ourselves.

Question

Is this in scope for Semantic Link Labs, or is the intention that consumers should always join Fabric access data with Graph themselves?

[m-kovalsky]

See #932. Also, the function sempy_labs.graph._group.list_group_members already exists. This should give you all the components to merge the 2 dataframes together to get the desired list.

[AnalyticsInAction]

@m-kovalsky Thanks - yes "sempy_labs.graph.list_group_members" looks like it is exactly what I wanted. Thanks for all of good work- and answering my question so quicly.

[m-kovalsky]

sempy_labs.graph.list_group_transitive_members is available in 0.12.5.

[AnalyticsInAction]

@m-kovalsky Thanks - Really appreciate this !