Post on 03-Dec-2021
transcript
Power BI behind the scenes: security and users management
Andrea Martorana Tusa
BI Specialist
Speaker info
• First name: Andrea. Last name: Martorana Tusa.
• Italian, working at Widex, a Danish company which manufactures hearing aids, as a BI Specialist. Previously worked for 15 years as a BI developer in an Italian bank. Focused on database development, data warehousing, cube development, reporting, data analysis, etc.
• Speaker at SQL Saturdays and other community-driven events in Europe (MS Cloud Summit, SQL Konferenz, SQL Nexus, SQL Days, …). Speaker in webinars for PASS Italian VC and DW/BI VC.
• Author for sqlservercentral.com, sqlshack.com, UGISS (User Group Italiano SQL Server).
Why this session?
Imagine you work in a large corporate and you want to distribute reports and analytics made in Power BI to your users.
What do you need to know to accomplish your task? You could simply rely on the collaborative features of Power BI, but usually some questions arise:
• Which is the best distribution model?
• What kind of licenses do I need?
• How can I manage users?
• How can I limit access and data visibility for users according to their organizational role?
• How can I limit access to resources and features?
• How can I be compliant with internal and external policies, regulations, etc.?
In this session I’ll try to answer these questions, discovering how Power BI works «behind the scenes» and what you need to know to take full control of Power BI releases in your organization.
Agenda
• Licensing model
• Power BI Premium
• Power BI Administration
  • Core concept: tenant
  • Power BI admin portal
  • Office 365 admin center
• Security
  • Access control
  • AAD Conditional Access Policy
  • Apps & Content Packs
  • Row Level Security
  • Securing Data Sources
• Managing users and licenses
Power BI licensing model
Power BI Free
• Personal use
• Licensed by user
• Self-service analysis, report authoring, etc.
Power BI Pro
• Collaborative use
• Licensed by user
• The same as Free plus collaboration and sharing
Power BI Premium
• Corporate use
• Licensed by capacity
• Large-scale distribution and performance; content delivery without per-user licensing
Power BI administration
The core concept: Tenant
A tenant is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure, Microsoft Intune, Power BI, or Office 365.
A tenant consists of a directory within AAD which hosts the users of a company and the information about them: their passwords, user profile data, permissions, and so on. Basically a tenant is a container that stores all the identity and security data of the users for an app or an organization.
A Power BI tenant is created when the Power BI service is provisioned for the first time, and it is owned by the domain administrator. The first user to sign up creates a new, auto-generated Power BI tenant for the organization based on the e-mail domain that was used.
Power BI admin portal
Power BI’s tenant management for a company’s domain is done through the Power BI admin portal.
To get access to the admin portal, your account must have the Global Admin role within Office 365 or Azure Active Directory, or have been assigned the Power BI administrator role.
Office 365 admin center
The Office 365 admin center is the global management console for your domain. You can manage users, groups, domains, licenses, subscriptions, etc.
Roles and users for Power BI are managed inside the Office 365 admin center. For example, the Office 365 Global Admin can assign other users the Power BI Service Administrator role, which grants administrative rights for Power BI features only.
Three actors in play for administration
• Power BI admin portal: manage the tenant’s settings for the Power BI Service
• Office 365 admin center: manage users, groups, licenses, etc. for Power BI
• Azure Active Directory: directory holding the organization’s data for the Power BI cloud service (tenant)
Office 365 admin center
To be acknowledged as Global Admin, your account needs to be marked as the “owner” of the domain.
You must have been granted access to the DNS management portal for your domain.
Office 365 admin center
Power BI admin role
Nominate Power BI admins
Once you are nominated Global Admin within the Office 365 Admin Center, you can assign users to many roles, including the Power BI Administrator role.
Alternatively, you can do it by running PowerShell commands. In this case you must have the Azure Active Directory PowerShell module installed on your machine.
Power BI admin portal
The admin portal presents five features:
• Usage metrics
• Users
• Audit logs
• Tenant settings
• Premium settings
Power BI admin portal
Usage Metrics
Monitor the usage of Power BI within your organization. It summarizes the most significant figures to give you an overview of what’s going on. There is one section for users and one for groups.
Power BI admin portal
Users
Users management is carried out on the Office 365 admin center.
More about it later in the session.
Power BI admin portal
Audit logs
Audit logs are managed in the Office 365 Security & Compliance center.
With the audit log you have evidence of who took what action on which item, in order to fulfil regulatory compliance for your organization.
Audit logs give a full and detailed history of what has happened on the Power BI Service and «who did what».
Audit is a Pro feature.
Power BI admin portal
Audit logs
Once enabled, you can examine the logs in the Office 365 Security & Compliance center.
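Added example, not from the original deck: the audit search the slides do by hand in the Security & Compliance center, done from PowerShell so the export and the review are repeatable. It assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline, run by an account with audit-log read rights); $Days and the output path are placeholders.

```powershell
# Added example (not from the deck): pull Power BI entries from the Office 365
# unified audit log and summarise who did what.
# Assumptions: Connect-ExchangeOnline has already been run by an account that
# may read the audit log; $Days and the CSV path are placeholders.
$Days  = 7
$Start = (Get-Date).AddDays(-$Days)
$End   = Get-Date

# One call returns at most 5000 entries, so page with a session id until
# the cmdlet returns nothing.
$sessionId = 'PBI-audit-' + [guid]::NewGuid().ToString()
$entries = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -RecordType PowerBI -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $entries += $page }
} while ($page)

# AuditData is a JSON string; keep the fields a reviewer needs.
$events = $entries | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        User      = $d.UserId
        Operation = $d.Operation
        Item      = $d.ItemName
        ClientIP  = $d.ClientIP
    }
}

# The operation mix over the window (what is "normal" for this tenant).
$events | Group-Object Operation | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Data leaving the service: every operation whose name starts with Export.
$events | Where-Object { $_.Operation -like 'Export*' } |
    Sort-Object Time | Format-Table -AutoSize

# Keep a copy for the compliance record.
$events | Export-Csv -Path ".\powerbi-audit-$($Start.ToString('yyyyMMdd')).csv" -NoTypeInformation
```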
Power BI admin portal
Tenant settings
«Tenant settings» is the section where you set up the features available to the organization. There are several settings that can be turned on or off according to the company’s policy and management rules.
Power BI admin portal
Premium settings
Manage Power BI Premium capacity (if any).
By clicking «Purchase» you are redirected to the O365 admin center, where the purchase takes place.
Only an O365 Global Admin or a Billing Admin can purchase Power BI Premium capacity.
Power BI administration
Demo
• Try to take over domain bancopopolare.it
• Nominate Power BI admins in Office 365: Office 365 > Customized administrator > Power BI service administrator for the user account pbiservice@amtproweb.it; disable and enable
• Azure Active Directory admin center
• Power BI admin portal:
  • Usage metrics
  • Audit logs > O365 Security & Compliance > Audit log search > Activities > Power BI Activities
  • Export the audit log
  • Tenant settings: Disable / Enable / Enable for a subset
  • Premium settings
Security
Power BI security
In Power BI we can recognize basically two security frameworks:
External security («house rules»), i.e. your security configuration:
• Access control
• Profiling policies (access to apps and content packs)
• Roles
• Row-level security
• Securing data sources
Internal security (Power BI architecture):
• Azure infrastructure
• Data storage
• Data at rest
• User authentication
• Data Gateway (encryption)
We focus only on external security (one could say «logical security»).
Access control
Power BI uses Azure Active Directory (AAD) for account authentication and management. Restrictions and limitations can be set through Azure AD Conditional Access policies. A Conditional Access policy defines Conditions (when the policy should apply) and Controls (the requirement enforced by the policy).
Some examples of what a conditional access policy can do:
• Limit access to your tenant; the policy can apply to either all users or specific groups
• Restrict group creation to Outlook and all group applications
• Limit access to a specific IP range
• Force mobile app users to enter a PIN code before opening the app (enforced through Microsoft Intune)
• Handle multiple domains and create groups in a specific domain
Azure Conditional Access Policy
Applies to (Conditions):
• Users/Groups
• Cloud apps
• Client app
• Device platform
• Location (IP address)
• Sign-in risk
Controls (the action or requirement invoked):
• Block access
• Multi-factor authentication
• Compliant device: you can set conditional access policies at the device level. For example, a policy can allow only compliant computers, or mobile devices enrolled in a mobile device management application, to access your organization's resources.
• Domain-joined device: you can require the device used to connect to Azure Active Directory to be domain joined. This policy applies to Windows desktops, laptops, and enterprise tablets.
Conditional access works when you connect to the Power BI Service or via the mobile app.
Access control
Demo – Azure AD conditional access policy
• Menu: Azure Active Directory > Conditional access > New Policy
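Added example, not from the original deck: the policy the demo builds in the portal, expressed with the AzureAD module so the Conditions (users, cloud app, location, client app) and Controls (MFA) are visible side by side. It assumes Connect-AzureAD has been run as a Global Admin, that trusted named locations already exist, that $PowerBiAppId is the well-known app id of the Power BI Service (verify it in your tenant's cloud apps list), and the break-glass group id is a placeholder.

```powershell
# Added example (not from the deck): require MFA for Power BI when the user is
# outside the tenant's trusted locations, via New-AzureADMSConditionalAccessPolicy.
# Assumptions: Connect-AzureAD already run as Global Admin; trusted named
# locations defined; app id below is the assumed id of the Power BI Service.
$PowerBiAppId = '00000009-0000-0000-c000-000000000000'   # verify in your tenant

# Conditions: WHEN the policy applies.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet

$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = $PowerBiAppId

$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = 'All'
# Exclude a break-glass group so a bad policy cannot lock every admin out (placeholder id).
$conditions.Users.ExcludeGroups = '<break-glass-group-object-id>'

$conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
$conditions.Locations.IncludeLocations = 'All'
$conditions.Locations.ExcludeLocations = 'AllTrusted'

# Cover both the browser and the mobile/desktop clients, as the slides note.
$conditions.ClientAppTypes = @('browser', 'mobileAppsAndDesktopClients')

# Controls: WHAT is required once the conditions match.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = @('mfa')

# Start in report-only mode: the sign-in logs show who would be affected
# before the state is switched to 'Enabled'.
$policy = New-AzureADMSConditionalAccessPolicy `
    -DisplayName 'Power BI: require MFA outside trusted locations' `
    -State 'EnabledForReportingButNotEnforced' `
    -Conditions $conditions `
    -GrantControls $controls

# Read back what was created.
Get-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id |
    Select-Object DisplayName, State
```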
Giving access to Apps and Content Packs
App and App Workspace
An App Workspace is a place where you and your colleagues can create and share datasets, reports and dashboards. It has replaced Groups as the collaborative feature in the Power BI Service.
Once development is finished, the whole set can be published into an App. Users log into the app and view and consume the reports and dashboards with read-only permission.
In the previous model, Groups were a Pro feature. Now, if you subscribe to Power BI Premium, you can distribute your App to users inside your organization. End users don’t need access to the App Workspace, only to the published App.
Giving access to Apps and Content Packs
Permissions for an App
• Grant access to the entire organization
• Grant access to individual users
• Grant access to Office 365 mail distribution list
Giving access to Apps and Content Packs
Content packs are “containers” that allow developers to keep together and share all the objects inside Power BI. You can create a dashboard with its reports and datasets, and then publish them all as a content pack for your coworkers.
Organizational content packs are packages created and owned by single developers for users inside their company. They have many similarities with Apps. The main difference is that Content Packs allow users to make a personal copy for customization.
Giving access to Apps and Content Packs
Permissions for an Organizational Content Pack
• Grant access to the entire organization
• Grant access to an Office 365 mail distribution list or security group
Giving access to Apps and Content Packs
This table from Prologika’s consultant Teo Lachev summarizes the security features for Power BI in Office 365.
Source: http://prologika.com/power-bi-group-security/
Giving access to Apps and Content Packs
Demo
• App
• Content pack
Row Level Security
Row Level Security filters the data in a table based on the visibility rights granted to the user. For example, sales data for different countries or regions should be viewed by each sales manager only for his/her specific area.
Row-level security can be applied in two ways:
1) By manually creating security roles and assigning users or groups of users to those roles
2) By creating a dynamic security role using DAX expressions to set up visibility for the logged-in user at query time
RLS is a Pro feature.
Row Level Security
(Figure) The same “Sales per company” report seen by two users: the CEO has visibility over the entire corporate (companies A, B, C, D), while the Sales manager of company B sees only the rows for company B.
Row Level Security
Demo
• Manual RLS
  • Mario Rossi is the Sales Manager for Europe
  • Carlo Bianchi is the Sales Manager for North America
• Dynamic RLS
  • Mario Rossi is the Product Manager for Clothes
  • Carlo Bianchi is the Product Manager for Accessories
Securing Data Sources
When you connect to an Analysis Services database by Live Connection, you have the same Row Level Security functionality as with Power BI datasets, so you can centralize the security model by applying restrictions directly on the data source.
Analysis Services Tabular 2017 and Azure Analysis Services can also apply security to entire tables and to single columns within tables. This kind of security cannot be applied directly in Power BI.
The same holds when you connect to SQL Server in DirectQuery mode; in this case you can use the RLS feature of SQL Server (2016) to secure the data source.
Profiling policies
How can you concretely manage security for users inside your organization? By using the right mix of Apps and Row Level Security.
Work out how you can create and deliver Apps targeted at a specific population, and limit visibility per user with RLS.
• Profiling by role: Apps & Content packs for VPs, Executives, Managers, Auditors, Sales force, etc.
• Profiling by department: Apps & Content packs for HR, Retail, Corporate, Finance, Production, Operations, etc.
• Profiling by team: Apps & Content packs specific to transverse workgroups working on a shared project.
Profiling policies
(Figure) Three Apps (Marketing App, Sales App, Production App) combined with security roles:
• Security Role VP: sees everything, every piece of data inside the app
• Security Role Manager 1: sees data for level 1 & 2 BUs inside the app
• Security Role Manager 2: sees data for level 2 BUs inside the app
Users management
Managing Users and Licenses
Users management takes place in the Office 365 admin center.
You can add, delete and edit users. You can also manage roles and licenses per user. For example, you can assign a Power BI Pro license to a specific user, or change his/her role, granting administrator rights for a single service/application.
Or you may want to keep an Office 365 user alive but no longer grant him/her access to Power BI. In such a case you can remove the Power BI license from that user.
Managing Users and Licenses
Remember that we mainly deal with two kinds of users/licenses:
• Power BI Free: suitable for read-only access to free features, or for access to Apps in Power BI Premium
• Power BI Pro: suitable for creating and sharing content in Workspace Apps and for cooperative teamwork. After editing, content is published into Apps.
License assignment and service subscriptions are also managed through the Office 365 admin center.
Managing Users and Licenses
How do users join your Power BI tenant?
• Signing up in self-service mode: every single user connects to www.powerbi.com and signs up with his/her work e-mail. Users are automatically added to your tenant and Office 365 environment (if any)
• Bulk centralized registration by an empowered user (for example with the role of Power BI service administrator). The system generates a one-time password and sends it by e-mail.
In both cases you should start with a tenant and an active Office 365 subscription. Otherwise a cloud read-only directory is created when the first user signs up, and he/she has the chance to take over the domain as admin.
Managing Users and Licenses
Enabling/disabling users
As service administrator you can enable/disable automatic joining of the tenant. When the block is active, new users in your organization cannot sign up for Power BI.
You can also block existing (i.e. already registered) users from using Power BI.
To perform these tasks, you must use the Azure Active Directory Module for Windows PowerShell.
Managing Users and Licenses
If my company owns multiple domains, can users be forced to join the same tenant?
For example, you work in a Corporate with many companies, each with its own e-mail domain, but there is no point in having multiple tenants to administer.
Establish the main target tenant, and in the Office 365 admin center add all the existing domains to that tenant. Then all the users with e-mail addresses in those domains will automatically join the target tenant when they sign up.
(Figure) john.smith@cosmogroup.com, derek.brown@andromeda.com, ross.ford@zodiac.biz and tom.williams@mensa.info all join the cosmogroup.com tenant.
Managing Users and Licenses
Demo
• Office 365 admin center, then select a user:
  • Product licenses > Edit
  • Roles > Edit > Customized administrator
• Office 365 admin center > Billing > Subscriptions > Add subscriptions
  • Purchase services
  • Licenses
Managing Users and Licenses
Demo
Connecting to AD through PowerShell (Azure Active Directory module):
1. Connect-AzureAD -Confirm
2. Get-AzureADDirectoryRole
3. Get-AzureADUser [optional: -SearchString]
4. Add-AzureADDirectoryRoleMember -ObjectId xxxxxxxxx -RefObjectId xxxxxxxxxx
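Added example, not from the original deck: the four cmdlets above put together into one idempotent script that assigns the Power BI administrator role to a user (the PowerShell route described in the Office 365 admin center section). It assumes the AzureAD module is installed, the caller is a Global Admin, and that $UserUpn and the role-name pattern are placeholders to adjust.

```powershell
# Added example (not from the deck): assign the Power BI administrator
# directory role to one user with the AzureAD module.
# Assumptions: AzureAD module installed, caller is Global Admin,
# $UserUpn is a placeholder. The role's display name has varied between
# portal versions ("Power BI Service Administrator" in the deck), hence the pattern.
$UserUpn     = 'pbiservice@example.invalid'
$RolePattern = 'Power BI*Administrator'

Connect-AzureAD | Out-Null

# Directory roles only exist once activated from their template, so a fresh
# tenant may not list the role yet.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -like $RolePattern }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate |
        Where-Object { $_.DisplayName -like $RolePattern }
    if (-not $template) { throw "No directory role template matches '$RolePattern'" }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# -ObjectId accepts a UPN; stop if the user does not exist.
$user = Get-AzureADUser -ObjectId $UserUpn -ErrorAction Stop

# Idempotent: add the member only if not already in the role.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -contains $user.ObjectId) {
    Write-Output "$UserUpn already holds '$($role.DisplayName)'"
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    Write-Output "Added $UserUpn to '$($role.DisplayName)'"
}

# Review who holds the role now; keep this list small and reviewed.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object DisplayName, UserPrincipalName
```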
Managing Users and Licenses
Demo
Verify whether the block on the tenant is active:
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred
Get-MsolCompanyInformation | fl allow*
To prevent existing users from using Power BI, repeat the steps above, then:
Get-MsolCompanyInformation | fl AllowAdHocSubscriptions
Set-MsolCompanySettings -AllowAdHocSubscriptions $true (or $false)
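Added example, not from the original deck: the two controls from this section done together with the MSOnline module, switching off self-service sign-up for the tenant (AllowAdHocSubscriptions governs new self-service sign-ups) and revoking Power BI licenses from existing users so they lose Power BI while their Office 365 account stays alive. It assumes Connect-MsolService has been run as a Global Admin; the user list is a placeholder and the SKU pattern should be checked against Get-MsolAccountSku in your tenant.

```powershell
# Added example (not from the deck): block self-service sign-up and revoke
# Power BI licenses from a list of existing users, with before/after checks.
# Assumptions: Connect-MsolService already run as Global Admin; $Users are
# placeholders; Power BI SKUs are matched with '*:POWER_BI*' (Pro and Free).
$Users = @('alice@example.invalid', 'bob@example.invalid')

# (1) Tenant-wide: new users can no longer create their own Power BI account.
$before = (Get-MsolCompanyInformation).AllowAdHocSubscriptions
if ($before) {
    Set-MsolCompanySettings -AllowAdHocSubscriptions $false
}
Write-Output ("AllowAdHocSubscriptions: {0} -> {1}" -f $before,
    (Get-MsolCompanyInformation).AllowAdHocSubscriptions)

# (2) Per user: remove every Power BI SKU currently assigned.
foreach ($upn in $Users) {
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "$upn not found, skipping"
        continue
    }
    $pbiSkus = $user.Licenses |
        Where-Object { $_.AccountSkuId -like '*:POWER_BI*' } |
        Select-Object -ExpandProperty AccountSkuId
    if (-not $pbiSkus) {
        Write-Output "$upn has no Power BI license"
        continue
    }
    Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $pbiSkus
    Write-Output ("Removed from {0}: {1}" -f $upn, ($pbiSkus -join ', '))
}

# Verify: who in the tenant still holds a Power BI license.
Get-MsolUser -All |
    Where-Object { $_.Licenses.AccountSkuId -like '*:POWER_BI*' } |
    Select-Object UserPrincipalName, @{ n = 'PowerBI'; e = {
        ($_.Licenses.AccountSkuId | Where-Object { $_ -like '*:POWER_BI*' }) -join ', '
    } }
```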
A quick recap – security and policy settings
What … How …
Define roles and assign users for RLS: Power BI Desktop/Service
Define tenant settings: Power BI admin portal
Manage users; create, delete, grant licenses etc.: Office 365 admin center
Control usage of specific PBI features: Power BI admin portal
Audit Power BI activity: Office 365 Security & Compliance
Create policies for conditional access: Azure AD
References
Microsoft accelerates modern BI adoption with Power BI Premium
https://powerbi.microsoft.com/en-us/blog/microsoft-accelerates-modern-bi-adoption-with-power-bi-premium/
Microsoft Whitepaper: Microsoft Power BI Premium
Microsoft Whitepaper: How to plan capacity for embedded analytics with Power BI Premium
Microsoft Whitepaper: Planning a Power BI Enterprise Deployment
Secure and Audit Power BI in Your Organization
https://powerbi.microsoft.com/en-us/blog/secure-and-audit-power-bi-in-your-organization/
Power BI Admin Portal
https://powerbi.microsoft.com/en-us/documentation/powerbi-admin-portal/
Administering Power BI in your organization
https://powerbi.microsoft.com/en-us/documentation/powerbi-admin-administering-power-bi-in-your-organization/
Create an Azure Active Directory tenant
https://powerbi.microsoft.com/en-us/documentation/powerbi-developer-create-an-azure-active-directory-tenant/
Conditional Access now in the new Azure portal
https://blogs.technet.microsoft.com/enterprisemobility/2016/12/15/conditional-access-now-in-the-new-azure-portal/
Different approach to Dynamic Row Level Security
http://community.powerbi.com/t5/Community-Blog/Different-approach-to-Dynamic-Row-Level-Security/ba-p/80108
Power BI Group Security
http://prologika.com/power-bi-group-security/
SSAS 2016 Tabular On Premise with Row-Level Security and Active Directory
http://hectorv.com/ssas-2016-tabular-on-premise-with-row-level-security-and-active-directory