The requirement is to create a managed identity where Azure Purview will scan the metadata of PowerBI.I think, using the managed identity to grant access to the target resource (here PowerBI) However, that target resource must Support Azure AD authentication. Hence wanted to know if Microsoft PowerBI supports Azure AD authentication.
If yes, how to create a managed identity where Azure Purview will scan the metadata of PowerBI? If no, what is the other way to achieve the above-said requirement?
Note, I was referring this but was unable to figure out the right way forward.
Thanks.
Yes, Power BI uses Azure AD to authenticate users who sign in to the Power BI service.
The managed identity is created when your Microsoft Purview resource is created. In order for Purview to be able to scan Power BI, you need to set up authentication by creating a security group, adding the Purview Managed identity to the security group, and enabling the Allow service principals to use the read-only Power BI admin APIs feature switch. That permission gets inherited from the security group to the managed identity.
To run a new scan you need to have the Power BI Administrator role and need a Power BI license.
The article you linked has all of the guidelines to achieve what you described. You need to enable metadata scanning in for the organization and follow the prerequisites.
Then you need to register the Power BI tenant in Microsoft Purview, and create a security group in your Azure AD tenant. If you are using Managed Identity as authentication method, add your Microsoft Purview managed identity to the security group by selecting "Add members". Then you can associate the security group with the Power BI tenant.
See also:
Purview and Power BI
Related
how can we control access to the reports and dashboards by setting up authentication and authorization through Azure Active Directory (AD) and Azure AD B2B? can you please explain me in detail that how to embed power bi reports through azure for multiple domain mail id customers?
I am getting the answers in different web pages in different ways but not clearly understood. I am expecting step wise with images screenshots actually if possible.
You can authenticate your Azure AD users to access Power BI reports like the below:-
Adding all the users with different domains, guests, and members in a security group or using individual users and giving that security group or individual users access to your Powe BI content like below:-
Created one security group and added users and one service principal in the Azure Ad group like below, You can add your guest users in this group with different domains too:-
In your Power BI portal > visit > Settings > Admin Portal > Tenant Settings > Use Data Set across workspaces> Add your Security group or individual users in the tab like below:-
Now you can share your Power BI reports to Azure AD users in 2 ways:-
Sharing the report directly like below:-
Giving the users or security group access to Power BI dataset on with different permissions refer below:-
Go to workspaces > dataset > … three dots > Manage permissions > Assign users or group with the required permissions like below:-
You can send the dataset link for users to access or provide direct access to the dataset like below:-
Direct access with permissions like the below:-
As you have added the service principal to the security group, Even your Azure AD application can access these reports programmatically.
If your Azure AD is integrated with office 365 you can directly connect your Power BI account to the Office 365 admin center and manage users and groups. Azure AD users and groups can be managed by the office 365 admin center too. Thus, Integrating the office 365 admin center will integrate your Azure AD users and groups with your Power Bi account.
Distribute Power BI content to external guest users using Azure Active Directory B2B - Power BI | Microsoft Learn
The requirement is that Purview scans the PowerBI to fetch a few details from Power BI. Can this is something achieved by managed identity or service principle?
Note, as per Microsoft Azure service account is an old way of doing things. So the recommendation is to use managed identity or service principle. But, didn't get any documentation to achieve this.
This is the official documentation:
Connect to and manage a Power BI tenant in Microsoft Purview (Same Tenant)
Connect to and manage a Power BI tenant in Microsoft Purview (cross-tenant)
Troubleshoot Power BI tenant scans in Microsoft Purview
Hope this help.
Consider the following case, for my application:
I have a website
The website sits on top of an azure api and gets data from cosmos DB
The data from cosmos DB is specific for different organizations
Different organizations should be able to have an "admin" appointed by me
The organization "admin" should be able to add his colleagues under the same organization
The users within a particular organization should only be able to view the data specific to their organization
Considering the above use-case, I have thought about using Azure B2C because:
Everything is already inside azure
I don't want to do security myself
However, I am unsure, if it is actually possible to achieve this with azure B2C? I can't seem to find any similar use-cases in the AD documentation. Hence why I start to think, that I'm going in a wrong direction...?
Therefore, can Azure AD B2C offer, what I want to achieve? (do I need a tenant for each Organization)
In case, Azure AD does not offer support for my use-case, what would you then recommend me to do?
As a white-label service, Azure AD B2C cannot be used as a built-in security provider for other Azure services without writing custom code to translate whatever authorization model you maintain in Azure AD B2C into access patterns for CosmosDB or other Azure services.
CosmosDB does have it's own in-built notion of users and permissions which you might map in some way (using custom code) to Azure AD B2C users. https://learn.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data#users
You could also use CosmosDB's integration with Azure AD (not B2C) for RBAC controls: https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control
Finally, Azure AD B2C does not provide any out-of-the-box administrative tooling for the kind of delegated user administration model you described. Again this would need to be a custom coded admin UI or you'd need to use a third-party solution such as Saviynt for delegated administration: https://learn.microsoft.com/en-us/azure/active-directory-b2c/partner-saviynt
Azure AD have B2B collaboration for inviting external users.
But what if i wan't to invite an external Azure service that have a MSI.
Is it possible to create an Azure AD group and add a external(another subscription/tenant in Azure) MSI which i can then use to grant access to resources?
Say I wan't to allow a B2B partners Data Factory access to SQL database of ours and I do not wan't to give them a SQL Login.
MSIs are service principals which cannot be invited to other tenants. They are always tenant-specific.
The scenario sounds like you need to give access to something connected to your tenant.
I would suggest creating an App registration (Application),
adding a key, and giving those credentials to the other service.
You can then give the application access to your Azure subscription etc.
I currently have an Office 365 tenant with around 1,400 users all licensed. We have enabled the Azure AD tenant with the same account and are now using Azure AD Dirsync to have same sign-on to Office 365.
We are now having an external Sharepoint site developed and have been offered either ADFS or Azure AD ACS as an authentication method. As we've already got an Azure AD subscription (through Office 365) I thought this would be the easiest method. However, when in my tenant on https://manage.windowsazure.com, I have access to Active Directory, can add a new directory but cannot add a new Access Control service. It's greyed out and says "not available" underneath.
I've tried talking to Office 365 support, who referred me to Azure support, who then said we don't have support so can't help. I've spoken to Azure sales and they've referred me to Azure support, who then guess what, said we don't have support.
Has anyone else managed to implement an Azure Access Control service from an Office 365 tenancy using the free Azure Active Directory subscription? I get the feeling I just need to buy a cheap Azure subscription and the option would become available, but without knowing for sure I'm a bit hesitant about taking the plunge.
Thanks.
I can imagine that you cannot use the free Azure subscription for this purpose because using the Access Control Service brings costs. The free subscription is not tied to any creditcard. When you have e.g. a pay-as-you-go subscription you should be able to create a ACS namespace. I just tried in one of my pay-as-you-go subscriptions.
You are (still) able to create a namespace but I suggest you to also take a look into the identity possibilities Azure AD itself has. Azure AD has currently only support for SAML 2.0 (and a lot of other protocols but they are not directly relevant for SharePoint). I know SharePoint (on-premises) only talks SAML 1.1 so that's where ACS comes in. You can read more about this topic here. Azure AD itself is going to support SAML 1.1. The only question is when. (see one of the comments from the source mentioned below this answer)
I also would make one remark about Azure AD ACS because this is going to be replaced by Azure AD. The only question left is when.
ACS Capabilities in Azure AD
As we've mentioned previously, we are adding ACS-like capabilities into Azure AD. In the coming months, as part of a feature preview Azure AD administrators will be able to add federation with social identity providers, and later custom identity providers to Azure AD. This will allow app developers to use Azure AD to simplify the identity implementation in their apps, similar to how developers use ACS today. We look forward to getting your feedback on the preview to improve these experiences.
Migrating ACS Customers to Azure AD
Once these new ACS capabilities of Azure AD are out of preview and generally available, we will start migrating ACS namespaces to use the new Azure AD capabilities.
Source: The future of Azure ACS is Azure Active Directory
Quick solution:
Create an Azure paid account. Add the administrator user of the paid account in the Office 365 directory, and set it as global administrator of this later directory (you can add users from other directories).
Then switch back to the paid account. The new global administrator will be able to manage the Office 365 directory and add a namespace.