Power BI Governance & users management

Andrea Martorana Tusa

Andrea Martorana Tusa
BI Team Leader, Würth Phoenix

• Microsoft MVP Data Platform
• Team Leader for Business Intelligence at Würth Phoenix (Bozen, Italy)
• Previously worked at Widex, a Danish company which manufactures hearing aids, as BI Specialist, and as BI Developer in an Italian bank
• Speaker at SQL Saturdays and other community-driven events in Europe (MS Cloud Summit, SQL Konferenz, SQL Nexus, SQL Days, Dataminds Connect ...). Speaker in webinars for PASS Italian VC, DW/BI VC
• Author for sqlservercentral.com, sqlshack.com, UGISS (User Group Italiano SQL Server)

Why this session?

Imagine you work in a large corporation and you want to distribute reports and analytics made in Power BI to your users.

What do you need to know to accomplish your task? You could simply rely on the collaborative features of Power BI, but usually some questions arise:

• What is the best distribution model?
• What kind of licenses do I need?
• How can I manage users?
• How can I limit access and data visibility to users according to their organizational role?
• How can I limit access to resources and features?
• How can I be compliant with internal and external policies, regulations, etc.?

In one simple word: «Governance».

In this session I'll try to answer these questions, discovering how Power BI works «behind the scenes» and what you need to know to take full control of Power BI releases in your organization.

Agenda

• Licensing model
• Power BI Administration
  • Core concept: tenant
  • Power BI admin portal
  • Office 365 admin center
  • Workspaces management
• Security
  • Access control
  • AAD Conditional Access Policy
  • Apps & Content Packs
  • Row Level Security
  • Securing Data Sources
• Managing users and licenses

Power BI licensing model

Power BI Free
Personal use. Licensed by user. Self-service analysis, report authoring, etc.

Power BI Pro
Collaborative use. Licensed by user. The same as Free plus collaboration and sharing.

Power BI Premium
Corporate use. Licensed by capacity. Large-scale distribution and performance; content delivery without per-user licensing.

Power BI administration

The core concept: Tenant

A tenant is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure, Microsoft Intune, Power BI, or Office 365.

A tenant is made of a directory within AAD which hosts the users of a company and the information about them: their passwords, user profile data, permissions, and so on. Basically a tenant is a container that stores all the data about users' identity and security for an app or an organization.

A Power BI tenant is created when the Power BI service is provisioned for the first time, and it is owned by the domain administrator. The first user to sign up creates a new auto-generated Power BI tenant for the organization, based on the e-mail address that was used.

Power BI admin portal

Power BI's tenant management for a company's domain is done through the Power BI admin portal.

To get access to the admin portal, your account must have the Global Admin role within Office 365 or Azure Active Directory, or have been assigned the Power BI administrator role.

Office 365 admin center

The Office 365 admin center is the global management console for your domain. You can manage users, groups, domains, licenses, subscriptions, etc.

Roles and users for Power BI are managed inside the Office 365 admin center. For example, the Office 365 Global Admin can assign other users the Power BI Service Administrator role, which grants administrative rights for Power BI features only.

Three actors in play for administration

• Power BI admin portal: manage the tenant's settings for the Power BI Service
• Office 365 admin center: manage users, groups, licenses, etc. for Power BI
• Azure Active Directory: directory with the organization's data for the Power BI cloud service (tenant)

Office 365 Admin Center

To be acknowledged as Global Admin, your account needs to be marked as the "owner" of the domain.

You must have been granted access to the DNS management portal for your domain (domain ownership is verified through a DNS record).

Office 365 Admin Center

Power BI Admin Role

Nominate Power BI admins

Once you have been nominated Global Admin within the Office 365 Admin Center, you can assign users to many roles, including the Power BI Administrator role.

Alternatively, you can do it by running PowerShell commands. In this case you must have the Azure Active Directory PowerShell Module installed on your machine.

Power BI Admin Portal

The admin portal presents the following features:

• Usage metrics

• Users

• Audit logs

• Tenant settings

• Capacity settings

• Embed Codes

• Organization visuals

• Dataflow settings

• Workspaces

Power BI admin portal

Usage Metrics

Monitor the usage of Power BI within your organization. Summarizes the most significant figures to give you an outlook of what's going on. One section for users, one for groups.

Power BI admin portal

Users

Users management is carried out in the Office 365 admin center.

More about it later in the session.

Power BI admin portal

Audit logs

Audit logs are managed in the Office 365 Security & Compliance center.

With the audit log you can have evidence of who took what action on which item, in order to fulfill regulatory compliance for your organization.

Audit logs give a full and detailed history of what has happened on the Power BI Service, and «who did what».

Power BI admin portal

Audit logs

Once enabled, you can examine the logs in the Office 365 Security & Compliance center.

Power BI admin portal

Tenant settings

«Tenant settings» is the section where you set up the features available for the organization. There are several settings that can be turned on or off according to the company's policy and management rules.

Power BI admin portal

Workspaces

The page lists all the workspaces in the tenant, along with some of their properties.

Power BI admin portal

Capacity settings

Manage Power BI Premium capacity and/or Power BI Embedded (if any).

By clicking «Purchase» you are redirected to the O365 admin center, where the purchase takes place.

Only an O365 Global Admin or a Billing Admin can purchase Power BI Premium capacity.

Power BI admin portal

Embed codes

Manage your published reports (if any).

Power BI admin portal

Organization visuals

Manage your custom visuals (if any).

Power BI administration

Demo

• Aruba domain control panel > Gestione DNS e Name Server (DNS and Name Server management)
• Nominate Power BI admins in Office 365: Office 365 > Customized administrator > Power BI service administrator for the user account [email protected]; disable and enable
• Azure Active Directory admin center (portal.azure.com > Azure Active Directory)
• Power BI admin portal:
  • Usage metrics
  • Audit logs > O365 Security & Compliance > Audit log search > Activities > Power BI Activities
  • Export the audit log
  • Tenant settings: Disable / Enable / Enable for a subset
  • Premium settings

Security

Power BI security

In Power BI we can recognize basically two security frameworks:

External security («house rules»), i.e. your security configuration:
• Access control
• Profiling policies (access to apps and content packs)
• Roles
• Row-level security
• Securing data sources

Internal security (Power BI architecture):
• Azure infrastructure
• Data storage
• Data at rest
• User authentication
• Data Gateway (encryption)

We focus only on external security (one could say «logical security»).

Access control

Power BI uses Azure Active Directory (AAD) for account authentication and management. Restrictions and limitations can be set through Azure AD Conditional Access policies. A Conditional Access policy defines Conditions (when the policy should apply) and Controls (the requirement expected by the policy).

Some examples for a conditional access policy:

• Limit access to your tenant. The policy can apply to either all users or specific groups
• Group creation can be restricted to Outlook and all group applications only
• Limit access to a specific IP range
• Force mobile app users to enter a PIN code before opening the app; ruled by Microsoft Intune
• Multiple domains and creating groups in a specific domain

Azure Conditional Access Policy

Applies to (Conditions):
• Users/Groups
• Cloud apps
• Client app
• Device platform
• Location (IP address)
• Sign-in risk

Controls (the action or requirement invoked):
• Block access
• Multi-factor authentication
• Compliant device: you can set conditional access policies at the device level. You might set up a policy so that only computers that are compliant, or mobile devices that are enrolled in a mobile device management application, can access your organization's resources.
• Domain-joined device: you can require the device you have used to connect to Azure Active Directory to be a domain-joined device. This policy applies to Windows desktops, laptops, and enterprise tablets.

Conditional access works when you connect to the Power BI Service or via the mobile app.
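As an added example (not from the deck), the same Conditions/Controls split expressed with the AzureAD PowerShell module's New-AzureADMSConditionalAccessPolicy cmdlet: the policy targets the Power BI Service cloud app, applies to all users except an emergency-access group, requires MFA, and is created in report-only state so its impact can be reviewed in the sign-in logs before enforcement. The break-glass group object ID and the Power BI Service application ID are assumptions to verify in your own tenant.

```powershell
# Added example: create an Azure AD Conditional Access policy for Power BI
# with the AzureAD (or AzureADPreview) PowerShell module. Not the deck's code.
Connect-AzureAD

# Assumption: first-party application ID of the Power BI Service; confirm it
# under Conditional access > Cloud apps in the Azure portal before relying on it.
$powerBiAppId = '00000009-0000-0000-c000-000000000000'

# Assumption: object ID of an emergency-access (break-glass) group that must
# never be locked out by this policy. Replace with your own group's ID.
$breakGlassGroupId = '<BREAK-GLASS-GROUP-OBJECT-ID>'

# Conditions: WHEN the policy applies (users/groups + cloud apps on the slide)
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = $powerBiAppId
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = 'All'
$conditions.Users.ExcludeGroups = $breakGlassGroupId

# Controls: WHAT is required (multi-factor authentication on the slide)
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = 'mfa'

# Report-only first: the sign-in logs show which sign-ins WOULD have been
# challenged without affecting users; switch State to 'enabled' after review.
$policy = New-AzureADMSConditionalAccessPolicy `
    -DisplayName 'Power BI: require MFA' `
    -State 'enabledForReportingButNotEnforced' `
    -Conditions $conditions `
    -GrantControls $controls

# Read the policy back to confirm name and state
Get-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id |
    Select-Object DisplayName, State
```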

Access control

Demo – Azure AD conditional access policy

• Menu Azure Active Directory > Conditional access > New Policy


Giving access to workspaces and apps

App and App Workspace

An App Workspace is a place where you and your colleagues can create and share datasets, reports, dashboards.

Once the development is finished, the whole set can be published into an App.

Users log into an app and view and consume the reports and dashboards with read-only permission.

Workspaces are a Pro feature. If you subscribe to Power BI Premium, you can distribute your App to users inside your organization. Final users don't need access to the App Workspace, only to the published App.

Giving access to workspaces and apps

Permissions for a workspace

Giving access to workspaces and apps

Permissions for an App

• Grant access to the entire organization

• Grant access to individual users

• Grant access to Office 365 mail distribution list

Giving access to workspaces and apps

Demo

• App
• Content pack

Row Level Security

Row Level Security filters the data in a table based on the visibility rights granted to the user. For example, sales data for different countries or regions should be viewed by each sales manager only for his/her specific area.

Row-level security can be applied in two ways:

1) By manually creating security roles and assigning users or groups of users to those roles
2) By creating a dynamic security role using DAX expressions to dynamically set up visibility for the logged-in user

RLS is a Pro feature.

Row Level Security

(Diagram: the same «Sales per company» report seen by two users.)
• CEO: visibility over the entire corporate report, with rows for companies A, B, C and D
• Sales manager of company B: visibility only over his own data (the company B rows) in the same report

Row Level Security

Demo

• Manual RLS
  • Mario Rossi is the Sales Manager for Europe
  • Carlo Bianchi is the Sales Manager for North America
• Dynamic RLS
  • Mario Rossi is the Product Manager for Clothes
  • Carlo Bianchi is the Product Manager for Accessories

Securing Data Sources

When you connect to an Analysis Services database by Live Connection, you have the same Row Level Security functionality as with Power BI datasets, so you can centralize the security model by applying restrictions directly to the data source.

Analysis Services Tabular 2017 and Azure Analysis Services can also apply security to entire tables and to single columns within tables. This kind of security cannot be applied directly in Power BI.

The same applies when you connect to SQL Server in DirectQuery mode; in this case you can use the RLS feature of SQL Server (2016) to secure the data source.

Profiling policies

How can you concretely manage security for users inside your organization? By using the right mix of Apps and Row Level Security.

Plan how you can create and deliver Apps targeted at a specific population, and limit visibility for the single user based on RLS.

• Profiling by role: Apps & Content packs for VPs, Executives, Managers, Auditors, Salesforce, etc.
• Profiling by department: Apps & Content packs for HR, Retail, Corporate, Finance, Production, Operations, etc.
• Profiling by team: Apps & Content packs specific to transverse workgroups working on a shared project.

Profiling policies

(Diagram: Marketing App, Sales App and Production App, each with layered security roles.)
• Security Role VP: he sees everything, i.e. every piece of data inside the app
• Security Role Manager 1: they see data for level 1 & 2 BUs inside the app
• Security Role Manager 2: they see data for level 2 BUs inside the app

Users management

Managing Users and Licenses

Users management takes place in the Office 365 admin center. You can add, delete and edit users. You can even manage roles and licenses per user.

For example, you can assign a Power BI Pro license to a specific user, or change his/her role granting administrator rights for a single service/application.

Or you may want to keep an Office 365 user alive but no longer grant him/her access to Power BI. In such a case you can remove the Power BI license for this user.

Managing Users and Licenses

Remember that we mainly deal with two kinds of users/licenses:

• Power BI Free: suitable for read-only access to free features, or for access to Apps in Power BI Premium
• Power BI Pro: suitable for creating and sharing content in Workspace Apps and for cooperative teamwork. After editing, content is published into Apps.

License assignment and service subscriptions are managed through the Office 365 admin center as well.

Managing Users and Licenses

How do users join your Power BI tenant?

• Signing up in self-service mode: every single user connects to www.powerbi.com and signs up with his/her work e-mail. Users will be automatically added to your tenant and Office 365 environment (if any)
• Bulk centralized registration by an empowered user (for example with the role of Power BI service administrator). The system generates a one-time password and sends it by e-mail.

In both cases you should start with a tenant and an active Office 365 subscription. Otherwise a cloud read-only directory is created when the first user signs up, and he/she has the chance to take over the domain as admin.

Managing Users and Licenses

Enabling/disabling users

As service administrator you can enable/disable automatic joining of the tenant. When the block is activated, new users in your organization cannot sign up for Power BI.

You can also block existing users (i.e. already registered users) from using Power BI.

To perform these tasks, you must use the Azure Active Directory Module for Windows PowerShell.

Managing Users and Licenses

If my company owns multiple domains, can users be forced to join the same tenant?

For example, you work in a corporation with many companies, each with its own e-mail domain, but there is no advantage in having multiple tenants to administer.

Establish the main target tenant, and in the Office 365 admin center add all the existing domains to that tenant. Then all the users with e-mail addresses in those domains will automatically join the target tenant when they sign up.

(Diagram: users with e-mail addresses in different company domains all joining the cosmogroup.com tenant.)

Managing Users and Licenses

Demo

• Office 365 admin center, then select a user
  • Product licenses > Edit
  • Roles > Edit > Customized administrator
• Office 365 admin center > Billing > Subscriptions > Add subscriptions
• Purchase services
• Licenses

Managing Users and Licenses

Demo

Connecting to AD through PowerShell*:

1. Connect-AzureAD -Confirm
2. Get-AzureADDirectoryRole
3. Get-AzureADUser [optional: -SearchString]
4. Add-AzureADDirectoryRoleMember -ObjectId xxxxxxxxx -RefObjectId xxxxxxxxxx
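The four demo steps above as one script, added here as an example and not the deck's own code: it resolves the object IDs shown as xxxxxxxxx by looking up the user and the role, activates the role from its template if it has never been used in the tenant, adds the member only if not already present, and lists the resulting role holders. The user principal name is an assumption; the role's display name has varied between "Power BI Service Administrator" and "Power BI Administrator", so it is matched with a wildcard.

```powershell
# Added example (not the deck's script): nominate a Power BI administrator
# with the AzureAD PowerShell module, resolving IDs instead of pasting them.
Connect-AzureAD

# Assumption: UPN of the account to be nominated; replace with your own.
$userUpn = 'user@contoso.onmicrosoft.com'

# Step 3 of the demo: Get-AzureADUser accepts a UPN as -ObjectId
$user = Get-AzureADUser -ObjectId $userUpn
if (-not $user) { throw "User $userUpn not found in the tenant" }

# Step 2 of the demo: a directory role is only listed once it has been
# activated, so fall back to the role template the first time it is used.
$role = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -like 'Power BI*Administrator' }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate |
        Where-Object { $_.DisplayName -like 'Power BI*Administrator' }
    if (-not $template) { throw 'Power BI administrator role template not found' }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Step 4 of the demo, made idempotent: add the member only if missing
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -contains $user.ObjectId) {
    Write-Host "$userUpn already holds the $($role.DisplayName) role"
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    Write-Host "Added $userUpn to $($role.DisplayName)"
}

# Review who holds the role: this list should stay short and be audited
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object DisplayName, UserPrincipalName
```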

Managing Users and Licenses

Demo

Verify if the block on the tenant is active:

$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred
Get-MsolCompanyInformation | fl allow*

To prevent existing users from using Power BI, repeat the steps above, then:

Get-MsolCompanyInformation | fl AllowAdHocSubscriptions
Set-MsolCompanySettings -AllowAdHocSubscriptions $true (or $false)
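An added example (not the deck's script) that turns the check above into a small audit with the MSOnline module: it reads the tenant's self-service sign-up settings, asks before tightening AllowAdHocSubscriptions (the switch that governs whether users can sign themselves up for services such as Power BI), and then lists the users who currently hold a Power BI plan, since blocking sign-up does not touch licenses already assigned.

```powershell
# Added example (not from the deck): audit and tighten self-service sign-up
# for the tenant with the MSOnline module, then review existing Power BI licenses.
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred

# AllowAdHocSubscriptions: can users sign themselves up for ad-hoc
# subscriptions (e.g. Power BI)? AllowEmailVerifiedUsers: can users with a
# verified e-mail address join the tenant on their own?
$info = Get-MsolCompanyInformation |
    Select-Object DisplayName, AllowAdHocSubscriptions, AllowEmailVerifiedUsers
$info | Format-List

if ($info.AllowAdHocSubscriptions) {
    Write-Warning 'Self-service sign-up is open: users can add Power BI on their own.'
    # Governance decision: central enrolment only. Confirm before changing.
    if ((Read-Host 'Block self-service sign-up now? (y/n)') -eq 'y') {
        Set-MsolCompanySettings -AllowAdHocSubscriptions $false
        Get-MsolCompanyInformation | Format-List AllowAdHocSubscriptions
    }
}

# The block only affects new sign-ups; users already licensed keep access.
# List who holds a Power BI plan so licenses can be removed where no longer
# appropriate (AccountSkuId looks like 'tenant:POWER_BI_PRO').
Get-MsolUser -All |
    Where-Object { $_.Licenses.AccountSkuId -like '*POWER_BI*' } |
    Select-Object UserPrincipalName,
        @{ Name = 'PowerBISkus'; Expression = { $_.Licenses.AccountSkuId -join ',' } }
```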

A quick recap – security and policy settings

Task | Tool
Define roles and assign users for RLS | Power BI Desktop/Service
Define tenant settings | Power BI admin portal
Manage users; create, delete, grant licenses etc. | Office 365 admin center
Control usage of specific PBI features | Power BI admin portal
Audit Power BI activity | Office 365 Security & Compliance
Create policies for conditional access | Azure AD


POWAD12 - Power BI Governance and Administration

Friday 29th, 13.00 – 14.00


© 2019 Dynamic Communities. All rights reserved.
