Power Bi Admin

Andrea Martorana Tusa will discuss how to manage security, users, and access controls in Power BI. The presentation will cover Power BI licensing models, administration through the Power BI admin portal and Office 365 admin center, security concepts like conditional access policies and row-level security, and managing users and licenses. Understanding these areas is important for organizations that want to securely distribute Power BI reports and analytics to many internal users.

Uploaded by

Tiffany Holmes
Andrea Martorana Tusa

Power BI behind the scenes: security and users management
BIG Thanks to SQLSat Denmark sponsors
Speaker info
First name: Andrea. Last name: Martorana Tusa.
• Italian, working as BI Specialist at Widex, a Danish company which manufactures
hearing aids. Previously worked for 15 years as BI developer in an Italian
bank. Focused on database development, data warehousing, cube
development, reporting, data analysis, etc.
• Speaker at SQL Saturdays and other community-driven events in Europe (MS
Cloud Summit, SQL Konferenz, SQL Nexus, SQL Days, …). Speaker in webinars
for PASS Italian VC, DW/BI VC.
• Author for sqlservercentral.com, sqlshack.com, UGISS (User Group Italiano SQL
Server).
Why this session?
Imagine you work in a large corporation and you want to distribute reports and analytics
made in Power BI to your users.
What do you need to know to accomplish your task? You could simply rely on the
collaborative features of Power BI, but usually some questions arise:

• Which is the best distribution model?
• What kind of licenses do I need?
• How can I manage users?
• How can I limit access and data visibility to users according to their organizational
role?
• How can I limit access to resources and features?
• How can I be compliant with internal and external policies, regulations, etc.?

In this session I’ll try to answer these questions, discovering how Power BI works «Behind
the scenes» and what you need to know to take full control of Power BI releases in
your organization.
Agenda
• Licensing model
• Power BI Premium
• Power BI Administration
• Core concept: tenant
• Power BI admin portal
• Office 365 admin center
• Security
• Access control
• AAD Conditional Access Policy
• Apps & Content Packs
• Row Level Security
• Securing Data Sources
• Managing users and licenses
Power BI licensing model
Power BI licensing model
• Power BI Free: Personal use. Licensed by user. Self-service analysis, report authoring, etc.
• Power BI Pro: Collaborative use. Licensed by user. The same as Free plus collaboration and sharing contents.
• Power BI Premium: Corporate use. Licensed by capacity. Great scale distribution and performance, delivery without per user licensing.
Power BI administration
The core concept: Tenant
A tenant is a dedicated instance of the Azure AD service that an organization receives
and owns when it signs up for a Microsoft cloud service such as Azure, Microsoft Intune,
Power BI, or Office 365.

A tenant is made of a directory within AAD which hosts the users in a company and the
information about them - their passwords, user profile data, permissions, and so on.
Basically a tenant is a container that stores all the data about user’s identity & security
for an app or an organization.

A Power BI tenant is created when the Power BI service is provisioned for the first time
and it’s owned by the domain administrator. The first user to sign up creates a new
auto-generated Power BI tenant for the organization based on the e-mail address that
was used.

Source: Power BI Security Whitepaper


Power BI admin portal
Power BI’s tenant management for a company’s
domain is done through the Power BI admin portal.

To get access to the admin portal, your account
must have a Global Admin role within Office 365 or
Azure Active Directory, or have been assigned the
Power BI administrator role.
Office 365 admin center
Office 365 admin center is the global management
console for your domain. You can manage users, groups,
domains, licenses, subscriptions, etc.

Roles and users for Power BI are managed inside the Office 365
admin center. For example, the Office 365 Global Admin can
assign other users the Power BI Service
Administrator role, which grants administrative rights for
Power BI features only.
Three actors in play for administration
• Power BI admin portal: Manage tenant’s settings for Power BI Service
• Office 365 admin center: Manage users, groups, licenses, etc. for Power BI
• Azure Active Directory: Directory with organization’s data for the Power BI cloud service (tenant)
Office 365 admin center
To be acknowledged as Global Admin, your account needs to be marked as
the “owner” of the domain.
You must have been granted access to the DNS management portal for your domain.
Office 365 admin center
Power BI admin role
Nominate Power BI admins
Once you are nominated Global Admin within the Office
365 Admin Center you can assign users to many roles,
including the Power BI Administrator role.

Alternatively, you can do it by running PowerShell
commands. In this case you must have the Azure Active
Directory PowerShell Module installed on your machine.
Power BI admin portal
The admin portal presents five features:
• Usage metrics
• Users
• Audit logs
• Tenant settings
• Premium settings
Power BI admin portal
Usage Metrics
Monitor the usage of Power BI within your organization. Summarizes the
most significant numbers to give you an outlook of what’s going on. One
section for users, one for groups.
Power BI admin portal
Users
User management is carried out in the Office 365 admin center.
More about it later in the session.
Power BI admin portal
Audit logs
Audit logs are managed in the Office 365 Security & Compliance center.
With the audit log you have evidence of who took what action on which
item, in order to fulfill regulatory compliance for your organization.

Audit logs give a full and detailed history of what has happened on the Power BI
Service and «who did what».

Audit is a Pro feature
Power BI admin portal
Audit logs
Once you’ve enabled auditing, you can examine the logs in the Office 365 Security
& Compliance center
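The «who did what» review described above can be run over an exported audit log. The following is an added example, not part of the original slides: the sample rows are constructed, and the column names (CreationDate, UserIds, Operations, AuditData), the JSON fields (Workload, ItemName) and the list of operations to review are assumptions about the export layout and about local policy.

```powershell
# Added example. Sample rows are constructed; column and JSON field names are
# assumptions about the layout of the exported audit log CSV.
$sampleCsv = @'
CreationDate,UserIds,Operations,AuditData
2018-01-10T08:01:00,mario.rossi@example.com,ViewReport,"{""Workload"":""PowerBI"",""ItemName"":""Sales per company""}"
2018-01-10T08:05:00,mario.rossi@example.com,ExportReport,"{""Workload"":""PowerBI"",""ItemName"":""Sales per company""}"
2018-01-10T09:12:00,carlo.bianchi@example.com,ShareDashboard,"{""Workload"":""PowerBI"",""ItemName"":""Sales dashboard""}"
2018-01-10T09:30:00,carlo.bianchi@example.com,FileAccessed,"{""Workload"":""SharePoint"",""ItemName"":""budget.xlsx""}"
2018-01-10T10:00:00,mario.rossi@example.com,ViewReport,"{broken json"
'@

function Get-PowerBIAuditEvents {
    param(
        [Parameter(Mandatory)] [string]$CsvText,
        # Operations that move data out of a report or widen access (assumed list).
        [string[]]$ReviewOperations = @('ExportReport', 'ShareDashboard', 'ShareReport', 'DeleteReport')
    )
    foreach ($row in ($CsvText -split "`r?`n" | ConvertFrom-Csv)) {
        # AuditData is a JSON document stored in one CSV cell; a damaged row
        # is reported and skipped instead of stopping the whole review.
        try {
            $data = $row.AuditData | ConvertFrom-Json -ErrorAction Stop
        } catch {
            Write-Warning "Skipping row with unparsable AuditData ($($row.CreationDate))"
            continue
        }
        if ($data.Workload -ne 'PowerBI') { continue }   # keep Power BI activity only
        [pscustomobject]@{
            When      = [datetime]$row.CreationDate
            Who       = $row.UserIds
            Operation = $row.Operations
            Item      = $data.ItemName
            Review    = $ReviewOperations -contains $row.Operations
        }
    }
}

$events = Get-PowerBIAuditEvents -CsvText $sampleCsv

# Who did what, on which item, in time order.
$events | Sort-Object When | Format-Table When, Who, Operation, Item, Review

# Number of review-worthy operations per user.
$events | Where-Object Review | Group-Object Who | Select-Object Name, Count
```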
Power BI admin portal
Tenant settings
«Tenant settings» is the section where you set
up the features available for the organization.

There are several settings that can be turned
on or off according to the company’s policy and
management rules.
Power BI admin portal
Premium settings
Manage Power BI Premium capacity (if any).

By clicking «Purchase» you
are redirected to the O365 admin
center, where the purchase
takes place.
Only an O365 global admin
or a Billing Admin can
purchase Power BI Premium
capacity.
Power BI administration
Demo
• Try to take over domain bancopopolare.it
• Nominate Power BI admins in Office 365:
Office 365 > Customized administrator > Power BI service administrator for the user account
[email protected] disable and enable
• Azure Active Directory admin center
• Power BI admin portal:
• Usage metrics
• Audit logs > O365 Security & Compliance > Audit log search > Activities > Power BI Activities
• Export the audit log
• Tenant settings
• Disable/Enable/Enable for a subset
• Premium settings
Security
Power BI Security
In Power BI we can recognize basically two security frameworks:
• Internal security (Power BI architecture)
  • Azure infrastructure
  • Data storage
  • Data at rest
  • User authentication
  • Data Gateway (encryption)
• External security («house rules»), i.e. your security configuration
  • Access control
  • Profiling policies (access to apps and content packs)
  • Roles
  • Row-level security
  • Securing data sources
We focus only on external security (could say «logic security»).
Access control
Power BI uses Azure Active Directory (AAD) for account authentication and
management. Restrictions and limitations can be set under the Azure AD
Conditional Access policies. A Conditional Access policy defines Conditions
(when the policy should apply) and Controls (the requirement expected for
the policy).

Some examples of a conditional access policy:

• Limit access to your tenant. The policy can apply to either all users or
specific groups.
• Limit access to a specific IP range.
• Force mobile app users to enter a PIN code before opening. Ruled by
Microsoft Intune.
Azure Conditional Access Policy
Conditional access works when you connect to Power BI Service or via mobile
app.

Applies to (Conditions):
• Users/Groups
• Cloud apps
• Client app
• Device platform
• Location (IP-address)
• Sign-in risk

Controls (The action or requirement invoked):
• Block access
• Multi-factor authentication
• Compliant device: You can set conditional access policies at the device
level. You might set up a policy so that only computers that are compliant, or mobile devices that
are enrolled in a mobile device management application, can access your organization's resources.
• Domain join device: You can require the device you have used to
connect to Azure Active Directory to be a domain joined device. This policy applies to Windows
desktops, laptops, and enterprise tablets.
Access control

Demo – Azure AD conditional access policy


• Menu Azure Active Directory > Conditional access > New Policy
Giving access to Apps and Contents Packs
App and App Workspace
App Workspace is a place where you and your colleagues can create and share
datasets, reports, dashboards. It has replaced Groups as the collaborative feature
in Power BI Service.

Once the development is finished, the whole set can be published into an App.
Users log into an app and view and consume the reports and dashboards, with
a read-only permission.

In the previous model, Groups were a Pro feature. Now, if you subscribe to Power
BI Premium, you can distribute your App to users inside your organization.
Final users don’t need to access the App Workspace, only the published App.
Giving access to Apps and Contents Packs
Permissions for an App

• Grant access to the entire organization

• Grant access to individual users

• Grant access to Office 365 mail distribution list


Giving access to Apps and Contents Packs
Content packs are “containers” that allow developers to keep
together and share all the objects inside Power BI.
You can create a dashboard with its reports and datasets, and
then publish them all as a content pack for your coworkers.

Organizational content packs are packages created and
owned by single developers for users inside their company.
They have many similarities with Apps. The main difference is
that Content Packs allow users to make a personal copy
for customization.
Giving access to Apps and Contents Packs

Permissions for an Organizational Content Pack


• Grant access to the entire organization

• Grant access to Office 365 mail distribution list, security list.


Giving access to Apps and Contents Packs
This table from Prologika’s consultant Teo Lachev summarizes security
features for Power BI in Office 365

Source: http://prologika.com/power-bi-group-security/
Giving access to Apps and Contents Packs

Demo
• App
• Content pack
Row Level Security
Row Level Security filters the data in a table based on the visibility rights
granted to the user. For example, sales data for different countries or regions
should be viewed by each sales manager for his/her specific area.

Row-level security can be applied in two ways:

1) By manually creating security roles and assigning users or groups of users
to those roles
2) By creating a dynamic security role using DAX expressions to dynamically
set up visibility for the logged user

RLS is a Pro feature

Row Level Security
[Figure: the same «Sales per company» report as seen by two users]
• CEO – Visibility over the entire corporate: companies A, B, C and D
• Sales manager company B – Visibility only over his data of the same report: company B
Row Level Security

Demo
- Manual RLS
- Mario Rossi is the Sales Manager for Europe
- Carlo Bianchi is the Sales Manager for North America

- Dynamic RLS
- Mario Rossi is the Product Manager for Clothes
- Carlo Bianchi is the Product Manager for Accessories
Securing Data Sources
When you connect to an Analysis Services database by Live Connection, you
have the same Row Level Security functionality as Power BI datasets, so you
can centralize the security model by applying restrictions directly to the data
source.

Analysis Services Tabular 2017 and Azure Analysis Services can also apply
security to entire tables and single columns within tables. This kind of security
cannot be applied directly in Power BI.

The same holds when you connect to SQL Server in Direct Query mode; in this case you
can use the specific RLS feature from SQL Server (2016) to secure the data source.
Profiling policies
How can you concretely manage security for users inside your organization?
By using the right mix of Apps and Row Level Security.
Figure out how you can create and deliver Apps targeted at a specific
population and limit visibility for a single user based on RLS.

• Profiling by role: Apps & Content packs for VP, Executives, Managers,
Auditors, Salesforce, etc.
• Profiling by department: Apps & Content packs for HR, Retail, Corporate,
Finance, Production, Operations, etc.
• Profiling by team: Apps & Content packs specific for transverse workgroups
working on a shared project.
Profiling policies
[Figure: security roles inside the Marketing App, Sales App and Production App]
• He sees everything
• Security Role VP: They see every data inside the app
• Security Role Manager 1: They see data for level 1 & 2 BUs inside the app
• Security Role Manager 2: They see data for level 2 BUs inside the app
User management
Managing Users and Licenses
User management takes place in the Office 365 admin center.
You can add, delete and edit users.

You can even manage roles and licenses per
user. For example you can assign a Power BI
Pro license to a specific user or change
his/her role, granting administrator rights for a
single service/application.

Or you may want to keep an Office 365 user alive
but no longer grant him/her access to Power
BI. In that case you can remove the Power BI
license for this user.
Managing Users and Licenses
Remember that we mainly deal with two kinds of users/licenses:

• Power BI Free: suitable for read-only access to free features or for access to
Apps in Power BI Premium

• Power BI Pro: suitable for creating and sharing contents in Workspace Apps and for
cooperative teamwork. After editing, contents are to be published into Apps.

License assignment and service subscriptions are also managed through
the Office 365 admin center.
Managing Users and Licenses
How do users join your Power BI tenant?

• Signing up in self-service mode: every single user connects to
www.powerbi.com and signs up with his/her work e-mail. Users will be
automatically added to your tenant and Office 365 environment (if any)

• Massive centralized recording by an empowered user (for example with the
role of Power BI service administrator). The system generates a runtime
password and sends it by e-mail.

In both cases you should start with a tenant and an active Office 365
subscription. Otherwise a cloud read-only directory is created when the first user signs
up and he/she has the chance to take over the domain as admin.
Managing Users and Licenses
Enabling/disabling users
As service administrator you can enable/disable automatic join to the tenant.
When the block is activated, new users in your organization cannot sign up for
Power BI.
You can also block existing users (i.e. already registered users) from using Power
BI.

To perform these tasks, you must use the Azure Active Directory Module for
Windows PowerShell.
Managing Users and Licenses
If my company owns multiple domains, can users be forced to join the same
tenant?

For example, you work in a corporation with many companies, each with its own e-mail
domain, but there’s no convenience in having multiple tenants to administer.

Establish the main target tenant, and in the Office 365 admin center add all the existing
domains to that tenant. Then all the users with e-mail addresses in those domains will
automatically join the target tenant when they sign up.

[email protected]
[email protected]
cosmogroup.com
[email protected]
[email protected]
Managing Users and Licenses

Demo
Office 365 admin center
Then select a user
Product licenses > Edit
Roles > Edit > Customized administrator

Office 365 admin center > Billing > Subscriptions > Add subscriptions
Purchase services
Licenses
Managing Users and Licenses

Demo
• Connecting to AD through PowerShell*:
1. Connect-AzureAD -Confirm
2. Get-AzureADDirectoryRole
3. Get-AzureADUser [optional: -SearchString]
4. Add-AzureADDirectoryRoleMember -ObjectId xxxxxxxxx -RefObjectId xxxxxxxxxx

*Prerequisite: install the AzureAD module in PowerShell: Install-Module -Name AzureAD
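The four demo steps chained into one script, as an added example that is not part of the original slides: it looks up the role and the user by name instead of pasting object IDs, lists who already holds the role, and only adds the user if needed. The role display name and the account are assumptions; check the output of Get-AzureADDirectoryRole for the name used in your tenant.

```powershell
# Added example. $RoleName is an assumed display name and $UserUpn is a
# placeholder account; both must be adapted to the tenant.
param(
    [string]$RoleName = 'Power BI Service Administrator',
    [string]$UserUpn  = 'user@example.com'
)

Import-Module AzureAD
Connect-AzureAD | Out-Null

# Get-AzureADDirectoryRole returns only roles already activated in the tenant.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
if (-not $role) {
    throw "Role '$RoleName' not found among the activated directory roles."
}

# -ObjectId accepts either the object ID or the user principal name.
$user = Get-AzureADUser -ObjectId $UserUpn

# Review the current holders of the role before granting it to anyone else.
$members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
$members | Select-Object DisplayName, UserPrincipalName

if ($members.ObjectId -contains $user.ObjectId) {
    Write-Output "$UserUpn already holds '$RoleName'; nothing to do."
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    Write-Output "Granted '$RoleName' to $UserUpn."
}
```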


Managing Users and Licenses

Demo
Verify if the block on the tenant is active

$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred
Get-MsolCompanyInformation | fl allow*

To prevent existing users from using Power BI,
repeat the steps above, then

Get-MsolCompanyInformation | fl AllowAdHocSubscriptions
Set-MsolCompanySettings -AllowAdHocSubscriptions $false   # $true allows it again
A quick recap – security and policy settings
What …: How …
• Define tenant settings: Power BI admin portal
• Manage users; create, delete, grant licenses etc.: Office 365 admin center
• Define roles and assign users for RLS: Power BI Desktop/Service
• Control usage of specific PBI features: Power BI admin portal
• Audit Power BI activity: Office 365 Security & Compliance
• Create policies for conditional access: Azure AD
References
Microsoft accelerates modern BI adoption with Power BI Premium
https://powerbi.microsoft.com/en-us/blog/microsoft-accelerates-modern-bi-adoption-with-power-bi-premium/

Microsoft Whitepaper: Microsoft Power BI Premium

Microsoft Whitepaper: How to plan capacity for embedded analytics with Power BI Premium

Microsoft Whitepaper: Planning a Power BI Enterprise Deployment

Secure and Audit Power BI in Your Organization
https://powerbi.microsoft.com/en-us/blog/secure-and-audit-power-bi-in-your-organization/

Power BI Admin Portal
https://powerbi.microsoft.com/en-us/documentation/powerbi-admin-portal/

Administering Power BI in your organization
https://powerbi.microsoft.com/en-us/documentation/powerbi-admin-administering-power-bi-in-your-organization/

Create an Azure Active Directory tenant
https://powerbi.microsoft.com/en-us/documentation/powerbi-developer-create-an-azure-active-directory-tenant/

Conditional Access now in the new Azure portal
https://blogs.technet.microsoft.com/enterprisemobility/2016/12/15/conditional-access-now-in-the-new-azure-portal/

Different approach to Dynamic Row Level Security
http://community.powerbi.com/t5/Community-Blog/Different-approach-to-Dynamic-Row-Level-Security/ba-p/80108

Power BI Group Security
http://prologika.com/power-bi-group-security/
