Power BI Security: user identity | Power BI Adoption Framework


– [Manu] Hello, and welcome to this video series on the Power BI Adoption Framework, which is about empowering every decision maker. I’m Manu.

– [Paul] And I’m Paul.

– [Manu] In this video, we’ll talk about user identity in Power BI. The first thing to note is that Power BI is a part of Microsoft cloud offerings, and the Power BI service is hosted in Azure. Power BI uses Azure Active Directory for authentication and login. This means that if you already have an Azure Active Directory setup, which you’re using for Azure services or Office 365, then you can reuse it. If you’re already using SharePoint Online, Exchange Online, or other Office 365 applications, then when you log in to Power BI, your user will already be set up. If you do not already have a user, then when you sign in to Power BI, we will create a user for you in the Azure Active Directory. Any user can sign up to use Power BI, which will assign a free license to that individual unless this has been blocked by your IT team. If no one has yet signed up for Power BI, a new tenant will be created on your behalf. If your IT team wants to take over and manage this tenant later, then they can do an admin request takeover to do so.

Azure Active Directory is used to secure all of your Microsoft resources with a common set of users and groups. So you will use the same login for Dynamics 365, SharePoint Online, Flow, and other Azure services. The benefit of using Azure Active Directory, or AAD, is that we can use all of its components, including how it is set up. Most organizations already have an identity structure. Some may already be using Azure Active Directory or have managed identities or just want to sync the password. If you have federated identities, you can use Active Directory Federation Services or third-party solutions to connect to your Azure Active Directory. The most common scenario we see with our customers is that they already have an on-premises directory or identity management setup, and you can then just set up Azure Active Directory Connect so you only need to manage a user once. This means that whenever you add a user to your on-premises Active Directory, this user will automatically be created in Azure Active Directory. So the users can then sign in to Power BI using the same username and password as they use to log in to Windows.

Now that we have discussed Azure Active Directory and how a user can log in to Power BI, we can establish that we know who is logged in to Power BI. I will now explain the steps that Power BI takes to authenticate a user. Firstly, a user needs to sign in to app.powerbi.com in a browser. In my case, if I were to log in, I would be logged in from the UK, but the Microsoft tenant is held in the US. When I load app.powerbi.com, I will be directed to Azure Traffic Manager, which will figure out where I am located and return this to the browser. This will redirect me to a web front end, which is running ASP.NET. This web front end will be located in the nearest Azure datacenter to my location. So in my case, this will redirect me to UK South. The web front end will then call the Microsoft login page and prompt me to log in. This will redirect the login to Azure Active Directory. Now the web front end knows who I am. Next, the web front end will look in an Azure Table storage to see where my tenant is located. This table has an entry to say that Microsoft’s tenant is in South Central US. This information will be passed to the browser, and the browser will start to load common content like CSS, JavaScript, images, et cetera from Azure Content Delivery Network. These are generic items used by everyone. The last step is when I will be redirected to the back-end service. This is where reports and dashboards are rendered using your data. This back-end service is running in a single region.

– [Paul] Because we are leveraging Azure Active Directory, we can benefit from a number of features built into it to enhance your security. This means that you can use features such as multifactor authentication, forcing users to have two-factor auth in order to log in. You need to have an Office 365 license or have Azure Active Directory Premium to use this. You can have the second factor be a phone call, text, or the Azure Authenticator app. If you have an on-premises identity provider, you can use anything that this IDP supports.

Another thing that Azure Active Directory supports is user access controls. This gives admins the ability to enforce PIN requirements on the mobile application when signing in. This is done through Intune and can be controlled by Power BI Mobile apps on iOS or Android. You can also stop users from downloading any apps from the standard app store by using a company portal, which means only applications registered in there and via Intune can be used.

The last thing you can control with AAD is conditional access. This gives you the ability to have fine-grained control over how users can access the data. You could restrict users so they can only log in to Power BI from inside your organization’s buildings by controlling which IP address can connect. You could also say that you can only connect from specific devices, maybe only allowing connecting from corporate devices. You could also restrict so only certain users or groups of users are allowed to connect to Power BI. You can also use any combination of these settings as well. So for example, in Microsoft, if I log in over VPN, I do not need to do two-factor authentication. But if I’m not on VPN, I need to authorize my login from the Authenticator mobile app. All of these can allow you to lock down Power BI to meet your organization’s specific requirements.

The last set of controls you can put in place are to configure the Power BI admin settings. You can disable user sign-up or disable sharing or exporting for some or all the users. For more information on the different admin controls, please watch part three in the series where we look at these settings in more detail.

Do you want to add controls for Power BI environment access? As we’ve discussed, you can block non-corporate tenants, enable two-factor authentication, or disable self sign-up for Power BI. Please see the description below for links with more information and how to implement these changes. As with all options decided in this workshop, we recommend that you document the decision and make everyone aware.

If you’re looking for guidance on how to implement Azure Active Directory with Power BI or want to see what solutions our partners can create for you, then please check out the marketplace. The link is in the description below. We’ve included a link to the slides used in this presentation in the description below. Thanks for listening, and if you have any feedback or questions, please leave a comment. See you in the next one.
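The conditional access behaviour Paul describes (no second factor over the corporate VPN, Authenticator prompt from anywhere else) maps onto one Azure AD conditional access policy scoped to the Power BI service. The script below is an added example and is not code from the video, the Adoption Framework, or Microsoft; it uses the Microsoft Graph PowerShell SDK (the `Microsoft.Graph.Identity.SignIns` and `Microsoft.Graph.Applications` modules) and assumes that a named location already exists for the VPN/office egress ranges and is marked as trusted, that the Power BI first-party enterprise application is listed in the tenant under the display name "Power BI Service", and that the group and break-glass account IDs (`$pilotGroupId`, `$breakGlassUserId`) are placeholders you replace with your own values.

```powershell
# Added example (not from the video): require MFA for Power BI except from trusted
# network locations, created in report-only mode first so sign-in logs can be
# reviewed before the policy is enforced.

# Scopes needed to read service principals and manage conditional access policies.
Connect-MgGraph -Scopes "Application.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Look up the Power BI service principal instead of hard-coding its app ID.
# Assumption: the first-party application is named "Power BI Service" in this tenant.
$powerBiSp = Get-MgServicePrincipal -Filter "displayName eq 'Power BI Service'"
if (-not $powerBiSp) { throw "Power BI Service principal not found; check the display name." }

# Hypothetical object IDs; replace with values from your tenant.
$pilotGroupId     = "<object-id-of-pilot-group>"        # scope to a pilot group first
$breakGlassUserId = "<object-id-of-break-glass-account>" # never lock out emergency access

$policy = @{
    displayName = "Power BI: require MFA outside trusted network"
    # Report-only: evaluated and logged, but not enforced, until you flip it to "enabled".
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassUserId)
        }
        applications = @{
            includeApplications = @($powerBiSp.AppId)
        }
        locations = @{
            # All locations minus every named location flagged as trusted
            # (the VPN/office ranges), so trusted sign-ins skip the MFA grant.
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only results in the Azure AD sign-in logs look right,
# enforce the policy (and widen the user scope from the pilot group):
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

Two points a practitioner will want to check before enabling: the trusted named location must actually cover the VPN egress addresses, or every VPN user is prompted for MFA; and the break-glass exclusion is what keeps an administrator able to sign in if the MFA method or the named location is misconfigured.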
