Power BI reports Embedding - security

How can we control access to the reports and dashboards by setting up authentication and authorization through Azure Active Directory (AD) and Azure AD B2B? Can you please explain in detail how to embed Power BI reports through Azure for customers with mail IDs from multiple domains?
I am finding answers on different web pages, explained in different ways, but I have not clearly understood them. I am expecting a step-by-step explanation with screenshots, if possible.

You can authenticate your Azure AD users to access Power BI reports like below:
Add all the users with different domains, guests, and members to a security group, or use individual users, and give that security group or those individual users access to your Power BI content like below:
I created one security group and added users and one service principal to the Azure AD group like below. You can add your guest users with different domains to this group too:
In your Power BI portal, visit Settings > Admin Portal > Tenant Settings > Use Data Set across workspaces > add your security group or individual users in the tab like below:
Now you can share your Power BI reports with Azure AD users in 2 ways:
Sharing the report directly like below:
Giving the users or security group access to the Power BI dataset with different permissions, refer below:
Go to workspaces > dataset > … three dots > Manage permissions > assign users or a group with the required permissions like below:
You can send the dataset link for users to access, or provide direct access to the dataset like below:
Direct access with permissions like below:
As you have added the service principal to the security group, even your Azure AD application can access these reports programmatically.
If your Azure AD is integrated with Office 365, you can directly connect your Power BI account to the Office 365 admin center and manage users and groups. Azure AD users and groups can be managed by the Office 365 admin center too. Thus, integrating the Office 365 admin center will integrate your Azure AD users and groups with your Power BI account.
Distribute Power BI content to external guest users using Azure Active Directory B2B - Power BI | Microsoft Learn
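An added example, not part of the original answer: a membership review for the security group that carries the Power BI access described above, separating internal members, guests grouped by home domain, and service principals. The sample data, the allowlists and the function names are assumptions made for illustration, and it assumes the members were fetched from Microsoft Graph with `userType` selected.

```python
import json

# Constructed sample shaped like a Microsoft Graph GET /groups/{id}/members
# response (fetched with userType selected); every value here is made up.
SAMPLE_MEMBERS = json.loads("""{"value": [
 {"@odata.type": "#microsoft.graph.user", "displayName": "Internal Analyst",
  "userType": "Member", "mail": "analyst@contoso.example"},
 {"@odata.type": "#microsoft.graph.user", "displayName": "Customer A",
  "userType": "Guest", "mail": "a.user@customer-a.example",
  "userPrincipalName": "a.user_customer-a.example#EXT#@contoso.onmicrosoft.com"},
 {"@odata.type": "#microsoft.graph.user", "displayName": "Unknown Guest",
  "userType": "Guest", "mail": null,
  "userPrincipalName": "x_freemail.example#EXT#@contoso.onmicrosoft.com"},
 {"@odata.type": "#microsoft.graph.servicePrincipal",
  "displayName": "pbi-embed-app", "appId": "00000000-0000-0000-0000-000000000001"}
]}""")

APPROVED_GUEST_DOMAINS = {"customer-a.example"}  # hypothetical customer allowlist
APPROVED_APP_IDS = {"00000000-0000-0000-0000-000000000001"}  # hypothetical app allowlist


def home_domain(member):
    """Return a guest's home domain from mail, else from the #EXT# UPN."""
    mail = member.get("mail")
    if mail and "@" in mail:
        return mail.rsplit("@", 1)[1].lower()
    # Guest UPNs encode user@domain as user_domain before the #EXT# marker.
    local = member.get("userPrincipalName", "").split("#EXT#", 1)[0]
    return local.rsplit("_", 1)[1].lower() if "_" in local else ""


def audit_group(members):
    """Classify group members and list the ones that need review."""
    report = {"members": [], "guests_by_domain": {}, "service_principals": [], "review": []}
    for m in members["value"]:
        name = m.get("displayName", "?")
        if m.get("@odata.type", "").endswith("servicePrincipal"):
            report["service_principals"].append(name)
            if m.get("appId") not in APPROVED_APP_IDS:
                report["review"].append(f"{name}: service principal not approved")
        elif m.get("userType") == "Guest":
            domain = home_domain(m)
            report["guests_by_domain"].setdefault(domain, []).append(name)
            if domain not in APPROVED_GUEST_DOMAINS:
                report["review"].append(f"{name}: guest domain '{domain}' not approved")
        else:
            report["members"].append(name)
    return report
```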

Related

Does Microsoft PowerBI Supports Azure AD authentication?

The requirement is to create a managed identity where Azure Purview will scan the metadata of PowerBI. I am thinking of using the managed identity to grant access to the target resource (here PowerBI). However, that target resource must support Azure AD authentication. Hence I wanted to know if Microsoft PowerBI supports Azure AD authentication.
If yes, how to create a managed identity where Azure Purview will scan the metadata of PowerBI? If no, what is the other way to achieve the above-said requirement?
Note, I was referring to this but was unable to figure out the right way forward.
Thanks.
Yes, Power BI uses Azure AD to authenticate users who sign in to the Power BI service.
The managed identity is created when your Microsoft Purview resource is created. In order for Purview to be able to scan Power BI, you need to set up authentication by creating a security group, adding the Purview managed identity to the security group, and enabling the "Allow service principals to use the read-only Power BI admin APIs" feature switch. That permission gets inherited from the security group to the managed identity.
To run a new scan you need to have the Power BI Administrator role and need a Power BI license.
The article you linked has all of the guidelines to achieve what you described. You need to enable metadata scanning for the organization and follow the prerequisites.
Then you need to register the Power BI tenant in Microsoft Purview, and create a security group in your Azure AD tenant. If you are using Managed Identity as the authentication method, add your Microsoft Purview managed identity to the security group by selecting "Add members". Then you can associate the security group with the Power BI tenant.
See also:
Purview and Power BI

Retrieve guest user company name from Azure AD

I have a Power Platform portal, and I am using Azure AD for registering.
Only guest users in Azure AD may register on the portal.
I have two problems/questions:
When I create a guest user in Azure AD, I fill in his company name. But when this guest registers on the portal, his company name isn't mentioned on his portal profile.
So, as a workaround, I created an automated flow to get the user data from Azure AD, but the connector did not return the company name. In other words, the company name is not in the returned attributes list.
Ideas?
Thank you for your help
The Power Apps per app plan and per user plan can retrieve the company name, as premium connectors (a connector may provide tables of data or actions) are added. If it is included only with Office, it cannot retrieve it.
You must assign your guest the same license that's required for non-guests to run the app. For instance, if the app uses premium connectors, a Power Apps per app plan or a Power Apps per user plan must be assigned to the guest.
Reference Docs:
https://learn.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app-guests
https://learn.microsoft.com/en-us/powerapps/maker/canvas-apps/connections-list

Personal account appears in Azure AD

I have used the free month trial offered by Azure with a personal Microsoft account in parallel with a professional account from my company. In this professional account I have limited access to certain resources (mostly VMs, storage and that), so I manage neither subscriptions nor Azure AD.
After several unsuccessful login attempts in which I was asked to provide a 6 digit code when the Microsoft Authenticator gave me an 8 digit code, I've discovered that if I do the following:
Try to sign in at azure.portal.com with my personal account (fails)
Sign in with my company account.
Then, in the upper right I see my personal account as a directory, like usenamehotmail.onmicrosoft.com. However, when trying to access Azure AD to manage that directory I am shown a message that says I have no access.
My question is, why does this happen? Can I use the same credit card and create a pay as you go subscription with another personal Microsoft account?
If you are using an external account to access Azure AD, like outlook.com, hotmail.com or an account from another Azure AD tenant, it will cause the Access Denied (you don't have access) message.
There are two ways to resolve this issue:
1. Log in to Azure Portal by using the account with Global Administrator Role for Azure AD. Navigate to the User settings tab, toggle the setting "Guest users permissions are limited" to No.
2. Log in to Azure Portal by using the account with Global Administrator Role and navigate to the Users and Groups tab, search for the external account, and change the Directory Role to Global Administrator.

Could not grant admin consent. Your organization does not have a subscription (or service principal) for the following API(s): Power BI Service

I have activated Power BI Pro License in my tenant.
I have Azure AD with Same Account.
I have added the following permissions.
In the screenshot, I have added these Power BI Service Permissions which need admin access
My account has full admin privileges on Azure and Power BI.
Now, when I try to grant permission to the Power BI API, I am getting the following error.
"Could not grant admin consent. Your organization does not have a subscription (or service principal) for the following API(s): Power BI Service"
Please suggest what changes I need to make. How can I check whether my tenant has an active Power BI subscription or not?
Please try linking your O365 subscription with your Azure subscription. It's possible that you're trying to access certain objects from an account that is unable to gain access to them. https://learn.microsoft.com/en-ca/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
Sign in using an account that:
Has an Owner role assignment for the subscription. For information about how to assign the Owner role, see Manage access to Azure resources using RBAC and the Azure portal.
Exists in both the current directory that's associated with the subscription and in the new directory that's where you want to associate the subscription going forward.
Just want to add my 2 cents.
I faced this exact same issue when I was trying to register a web API and a client app in my Azure AD B2C tenant. This error was thrown when I was trying to grant admin consent to the client app for the permissions exposed by the web API.
In my case, the issue was that my user was not the global administrator. Hence, the organization was somehow not having full access to my web API. To resolve this, I asked the global administrator to create the web API registration, and then this error went away.
Hope this will help someone. Thanks.

How to associate Office 365 subscription to Azure AD directory

Given situation
I have two Azure AD directories in one Azure portal tenant.
AD_1 - A directory that got automatically created when signed up for Azure cloud the first time
AD_2 - A directory that I have manually created for managing a different set of users.
I also have an Office 365 account that got created using the same Azure account. In it, I first purchased a subscription.
SUBSCRIPTION_1 - only office apps. The licenses are attached to users in AD_1
Later I purchased another subscription purely for non-office products for different set of users.
SUBSCRIPTION_2 - exchange, yammer etc apps - A new subscription.
Questions
Is it possible to associate SUBSCRIPTION_2 to only users in directory AD_2?
If above is YES, how to do?
Disclaimer: I am a noob to whole Azure AD, Office 365, for that matter Microsoft products. Please forgive my naivety.
No matter the originating subscription, access to services or apps only depends on licenses. So just navigate to Office 365 Portal > Administration > Users > Active, select a user there and assign the appropriate license, no matter which AD the user comes from. In fact, it is also possible to assign licenses to users created in a local AD that is synchronized to Azure AD (administration privileges are needed for this procedure).
