With the rapid adoption of Azure Active Directory (Azure AD) and services surrounding Azure AD, we’re seeing more and more customers interested in publishing SaaS apps as well as custom apps to employees, consultants, and business partners. One of the challenges of granting application access to users is provisioning/maintaining infrastructure, user management, and what technologies to utilize long term.
Azure Active Directory has a feature called the Access Panel. The panel is accessible by employees and business partners who have accounts within Azure AD (think of this as a potential extranet replacement). Accounts in Azure AD may live in the cloud, be synced from on-premises identity providers (i.e. using Azure AD Connect), or be created by inviting users via Azure AD B2B (business-to-business).
Azure AD Access Panel
We’re also seeing rapid adoption of Microsoft Power BI. Power BI takes all that data you have and transforms it into dashboard visuals and/or reports and can be shared out via a link. For more information about Power BI please visit: https://powerbi.microsoft.com/en-us/
In this post, I’ll walk through how to publish an app that points to a Power BI report and assign external users to that app using Azure AD B2B.
- Azure Subscription with an Azure AD tenant – Free Tier
- Power BI subscription – Free Tier
- Azure B2B – is available across all tiers of Azure AD
NOTE (update September 2016): Azure AD B2B does not currently support Power BI. Please refer to the licensing information regarding the sharing of Power BI content: https://powerbi.microsoft.com/en-us/documentation/powerbi-service-share-unshare-dashboard/#licensing-requirements-for-sharing
Even though Azure AD B2B doesn’t support Power BI, for this post I take the link that I generated in Power BI using the dashboard sharing feature (alternatively, sharing from Power BI with users accomplishes the same thing) and create an app using the same URL in Azure AD. I then invite users (with whom I’ve already shared the dashboard in Power BI) via Azure AD B2B to access the shared link. Access may vary depending on the Power BI features utilized and user licensing. Please test all scenarios before moving forward with deployment.
The approach also works for internal users who would like to access dashboards from the Azure AD Access Panel, provided their accounts already reside in Azure AD (no B2B is required in that case). Again, please refer to Power BI licensing.
For more information about Azure B2B, please visit: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-collaboration-overview/
Let’s get started
Stage 1 – Invite external users to Azure AD using Azure B2B.
Once the users are added to your domain in Azure AD you’re ready to begin.
Inviting external users to Azure B2B is a quick process. For information on how to accomplish this please visit: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-collaboration-overview/
Stage 2 – Log into Power BI using credentials from the same Azure AD tenant where the B2B users reside. Find the report you’d like to share and select Share at the top.
Begin typing in the name of the external B2B users you’d like to share the report with. You’ll know they’re B2B users by the “#EXT#” in the email. Once the users are added, uncheck “send email notification to recipients” and select “Share”.
You may be asking, why don’t I just share the report and move on? You could; however, what I’m demonstrating is how to publish an app in Azure AD that points to the Power BI report. Instead of relying on users to keep track of external links, they can log in to the Access Panel, select the report(s) published, and access other applications you’ve granted them access to (e.g. SharePoint Online, Salesforce, Concur, Workday, etc.).
Note: Azure AD supports user provisioning with select applications (e.g. Workday, Salesforce, ServiceNow, etc.). When a user is added to Azure AD, groups can be configured to dynamically look for attributes in the user’s account (e.g. department = Finance) and automatically add them to a group. That group can be assigned to an app as well. User provisioning into SaaS apps can occur thereafter if the apps are configured to do inbound provisioning (i.e. create an account in the SaaS app’s identity directory). Dynamic membership for groups cuts back on the management of accounts because account provisioning and de-provisioning happens automatically.
Stage 3 – add the application to Azure AD and assign to users
Log into the classic Azure Portal: http://manage.windowsazure.com and navigate to Active Directory on the left-hand side.
Select the domain where the B2B users reside and select “Applications” at the top. Now select “ADD” at the bottom.
Lastly, select “Add an application my organization is developing”
Provide a name for the application and leave “WEB APPLICATION AND/OR WEB API” selected:
Select the arrow to go to the next screen. Refer back to the Power BI report you added users to and copy the link:
Populate both boxes with the same URL and select the check mark at the bottom to add the app:
Note: For “APP ID URI” place a “/” at the end, no quotes.
The app will now be added to Azure AD Applications:
Grant users access to the new application
Select the application and select “USERS AND GROUPS”. Add users or groups that you want to have access to the application (i.e. Power BI report). For demonstration purposes, I added a B2B user.
Note: For a more automated way of adding users to applications, refer to the dynamic group membership discussed in the note above.
Select “CONFIGURE” at the top and add a logo. I left all the other settings at their defaults; however, you can decide which additional settings you’d like to turn on or off.
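An added example, not part of the original post: a short Python review of who is assigned to the published app, separating B2B guests (recognised by the “#EXT#” marker mentioned in Stage 2) from member accounts and checking each guest's home domain against a partner list. The UPN list, the allow-list and the function names are constructed for illustration, and the parser assumes the usual guest UPN form alias_homedomain#EXT#@tenant.onmicrosoft.com.

```python
import re

# Constructed sample: userPrincipalName values as they might appear in an
# export of the users assigned to the published app (not real accounts).
ASSIGNED_UPNS = [
    "maria@contoso.onmicrosoft.com",
    "j_smith_fabrikam.com#EXT#@contoso.onmicrosoft.com",
    "dev_gmail.com#ext#@contoso.onmicrosoft.com",
    "broken#EXT#@contoso.onmicrosoft.com",
]
APPROVED_PARTNER_DOMAINS = {"fabrikam.com"}  # hypothetical allow-list

def parse_guest_upn(upn):
    """Return the guest's home e-mail address, or None for a member account.

    Raises ValueError when the #EXT# marker is present but the part before
    it cannot be mapped back to an address.
    """
    marker = re.search(r"#EXT#", upn, re.IGNORECASE)
    if marker is None:
        return None
    local = upn[:marker.start()]
    # Assumed format: the '@' of the home address is replaced by '_'.
    # Mailbox names may contain '_' themselves, so split on the last one.
    user, sep, domain = local.rpartition("_")
    if not sep or not user or "." not in domain:
        raise ValueError(f"unrecognised guest UPN: {upn!r}")
    return f"{user}@{domain.lower()}"

def review_assignments(upns, approved_domains):
    """Bucket assigned accounts so unexpected external access stands out."""
    report = {"members": [], "approved_guests": [],
              "unapproved_guests": [], "unparsed": []}
    for upn in upns:
        try:
            email = parse_guest_upn(upn)
        except ValueError:
            report["unparsed"].append(upn)  # review these by hand
            continue
        if email is None:
            report["members"].append(upn)
        elif email.rsplit("@", 1)[1] in approved_domains:
            report["approved_guests"].append(email)
        else:
            report["unapproved_guests"].append(email)
    return report

if __name__ == "__main__":
    result = review_assignments(ASSIGNED_UPNS, APPROVED_PARTNER_DOMAINS)
    for bucket, entries in result.items():
        print(f"{bucket}: {entries}")
```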
Stage 4 – Log in as the B2B user to http://myapps.microsoft.com
Note: The user may need to register with Azure AD if it’s their first time accessing the Access Panel.
Select the Power BI app and we’re taken to the Power BI report via a single sign-on process:
That’s it, we’ve published a Power BI report to an external user using Azure AD B2B in just a few steps.