0

Currently my team and I have a client that is using Power BI Premium.

We need to have Row Level Security enabled for both internal and external users.

We gave a recommendation to have Azure AD groups handle user management, but the client does not want to have all of their internal and external users be shown in their Azure AD. They believe it will be unmanageable for them. They want us to recommend another way to be able to manage internal users in Azure AD and have all external users managed in Azure AD, but completely separated from internal users, or by some other user management service that Azure provides. All the while, remaining in the same tenant since it seems the Power BI Premium license can only be associated to one tenant and being able to have Row Level Security implemented for both internal and external users.

Is this possible? If so, how can we do it?

Thank you all for your time and help.

Scrubster

1 Answer

1

As per Microsoft (https://learn.microsoft.com/en-us/power-bi/admin/service-admin-azure-ad-b2b), as far as I'm aware, the ideal way to share Power BI with external users like that is through Azure B2B, which means you will have them as a guest user in your Azure tenant. The second they are a guest in your tenant, that means they are on the list in your Azure AD Users, which has advantages: their activity is trackable, reportable, etc.

Our organization has tens of thousands of user accounts in our Azure AD tenant; it doesn't make it any less manageable. Just use the search bar or the filters. I'm not sure what the issue would be that makes it unmanageable. If the requirement is secured Power BI sharing, you're better off trying to understand why your client thinks it's unmanageable and help relieve their fears.

The only other option that I can see is, if you don't want to see external users, then you could use Power BI Embedded to embed Power BI reports in a different web app that you create, and allow access to the web app. But then you will have to deal with all the user-level management stuff in code. Here's an article: https://medium.com/bi-helper/power-bi-embedded-report-distribution-to-external-users-1cf46fe1303b

Hope this helps a bit.

alphaz18
  • Thanks! I appreciate the answer. I was thinking that was going to be the case. I dunno why they believe it to be unmanageable. I am not a part of the client engagement at the moment. Can't use embedded either, it is out of our scope. However, I thought of a workaround. They have an on premises AD and synced up using AD connect. I think our next recommendation will be to handle internal users with their on premises and external in Azure AD. Thanks again for the help! – Scrubster Jun 02 '20 at 04:54
  • 1
    That makes sense. If the domain is AAD Connect from on-prem, they are most likely managing their users from on-prem anyway. There won't be much writing to the Azure AD for internal users, as users and attributes and groups are most likely synced from on-prem anyway, and they will all be in Azure AD portal/Graph API etc. Another reason why it's a non-issue. So unless they can come up with some really compelling reason, I don't really agree with "unmanageable". – alphaz18 Jun 02 '20 at 05:05