Power BI behind the scenes: security and users management. Andrea Martorana Tusa BI Specialist


3 Speaker info First name: Andrea. Last name: Martorana Tusa. Italian, working at Widex, a Danish company which manufactures hearing aids, as BI Specialist. Previously worked for 15 years as a BI developer in an Italian bank. Focused on database development, data warehousing, cube development, reporting, data analysis, etc. Speaker at SQL Saturdays and other community-driven events in Europe (MS Cloud Summit, SQL Konferenz, SQL Nexus, SQL Days, etc.). Speaker in webinars for PASS Italian VC, DW/BI VC. Author for sqlservercentral.com, sqlshack.com, UGISS (User Group Italiano SQL Server).

4 Why this session? Imagine you work in a large corporation and you want to distribute reports and analytics made in Power BI to your users. What do you need to know to accomplish your task? You could simply rely on the collaborative features of Power BI, but usually some questions arise: Which is the best distribution model? What kind of licenses do I need? How can I manage users? How can I limit access and data visibility for users according to their organizational role? How can I limit access to resources and features? How can I be compliant with internal and external policies, regulations, etc.? In this session I'll try to answer these questions, discovering how Power BI works «behind the scenes» and what you need to know to take full control of Power BI releases in your organization.

5 Agenda
- Licensing model
- Power BI Premium
- Power BI Administration
  - Core concept: tenant
  - Power BI admin portal
  - Office 365 admin center
- Security
  - Access control
  - AAD Conditional Access Policy
  - Apps & Content Packs
  - Row Level Security
  - Securing Data Sources
- Managing users and licenses

6 Power BI licensing model

7 Power BI licensing model
- Power BI Free: personal use; licensed by user; self-service analysis, report authoring, etc.
- Power BI Pro: collaborative use; licensed by user; the same as Free plus collaboration and sharing.
- Power BI Premium: corporate use; licensed by capacity; large-scale distribution and performance, content delivery without per-user licensing.

8 Power BI administration

9 The core concept: Tenant A tenant is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure, Microsoft Intune, Power BI, or Office 365. A tenant consists of a directory within AAD which hosts the users in a company and the information about them: their passwords, user profile data, permissions, and so on. Basically a tenant is a container that stores all the data about users' identity and security for an app or an organization. A Power BI tenant is created when the Power BI service is provisioned for the first time, and it's owned by the domain administrator. The first user to sign up creates a new auto-generated Power BI tenant for the organization, based on the email address that was used.

10 Power BI admin portal Power BI's tenant management for a company's domain is done through the Power BI admin portal. To get access to the admin portal, your account must have the Global Admin role within Office 365 or Azure Active Directory, or have been assigned the Power BI administrator role.

11 Office 365 admin center The Office 365 admin center is the global management console for your domain. You can manage users, groups, domains, licenses, subscriptions, etc. Roles and users for Power BI are managed inside the Office 365 admin center. For example, it is possible for the Office 365 Global Admin to assign other users the Power BI Service Administrator role, which grants administrative rights for Power BI features only.

12 Three actors in play for administration
- Power BI admin portal: manage the tenant's settings for the Power BI Service.
- Office 365 admin center: manage users, groups, licenses, etc. for Power BI.
- Azure Active Directory: the directory holding the organization's data for the Power BI cloud service (tenant).

13 Office 365 admin center To be acknowledged as Global Admin, your account needs to be marked as the owner of the domain. You must have been granted access to the DNS management portal for your domain (ownership is proven by adding the verification record there).

14 Office 365 admin center

15 Power BI admin role Nominate Power BI admins Once you are nominated Global Admin within the Office 365 Admin Center, you can assign users to many roles, including the Power BI Administrator role. Alternatively, you can do it by running PowerShell commands. In this case you must have the Azure Active Directory PowerShell module installed on your machine.

16 Power BI admin portal The admin portal presents five features:
- Usage metrics
- Users
- Audit logs
- Tenant settings
- Premium settings

17 Power BI admin portal Usage Metrics Monitor the usage of Power BI within your organization. Summarizes the most significant figures to give you an overview of what's going on. One section for users, one for groups.

18 Power BI admin portal Users User management is carried out in the Office 365 admin center. More about it later in the session.

19 Power BI admin portal Audit logs Audit logs are managed in the Office 365 Security & Compliance center. With the audit log you have evidence of who took what action on which item, in order to fulfil regulatory compliance for your organization. Audit logs give a full and detailed history of what has happened on the Power BI Service and «who did what». Audit is a Pro feature.

20 Power BI admin portal Audit logs Once enabled, you can examine the logs in the Office 365 Security & Compliance center.

21 Power BI admin portal Tenant settings «Tenant settings» is the section where you set up the features available for the organization. There are several settings that can be turned on or off according to the company's policy and management rules.

22 Power BI admin portal Premium settings Manage Power BI Premium capacity (if any). By clicking «Purchase» you are redirected to the O365 admin center, where the purchase takes place. Only an O365 Global Admin or a Billing Admin can purchase Power BI Premium capacity.

23 Power BI administration Demo
- Try to take over domain bancopopolare.it
- Nominate Power BI admins in Office 365: Office 365 > Customized administrator > Power BI service administrator for the user account; disable and enable
- Azure Active Directory admin center
- Power BI admin portal:
  - Usage metrics
  - Audit logs > O365 Security & Compliance > Audit log search > Activities > Power BI Activities; export the audit log
  - Tenant settings: Disable / Enable / Enable for a subset
  - Premium settings

24 Security

25 Power BI security In Power BI we can recognize basically two security frameworks:
- Internal security (Power BI architecture): Azure infrastructure; data storage; data at rest; user authentication; Data Gateway (encryption).
- External security («house rules»), i.e. your security configuration: access control; profiling policies (access to apps and content packs); roles; row-level security; securing data sources.
We focus only on external security (one could say «logical security»).

26 Access control Power BI uses Azure Active Directory (AAD) for account authentication and management. Restrictions and limitations can be set with Azure AD Conditional Access policies. A Conditional Access policy defines Conditions (when the policy should apply) and Controls (the requirement enforced by the policy). Some examples of what a conditional access policy can do:
- Limit access to your tenant. You can apply the policy to either all users or specific groups.
- Group creation can be restricted, either only in Outlook or in all group applications.
- Limit access to a specific IP range.
- Force mobile app users to enter a PIN code before opening the app (ruled by Microsoft Intune).
- Handle multiple domains and create groups in a specific domain.

27 Azure Conditional Access Policy Conditional access works when you connect to the Power BI Service or via the mobile app.
Applies to (Conditions): Users/Groups; Cloud apps; Client app; Device platform; Location (IP address); Sign-in risk.
Controls (the action or requirement invoked):
- Block access
- Multi-factor authentication
- Compliant device: you can set conditional access policies at the device level. For example, a policy so that only compliant computers, or mobile devices enrolled in a mobile device management application, can access your organization's resources.
- Domain-joined device: you can require the device used to connect to Azure Active Directory to be a domain-joined device. This policy applies to Windows desktops, laptops, and enterprise tablets.
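The policy described above (cloud app = Power BI Service, condition = location, control = multi-factor authentication), as an added PowerShell example that is not part of the original deck. It assumes the AzureADPreview module is installed, the caller holds a role allowed to manage Conditional Access, and the break-glass object id is a placeholder you replace before running; the policy is created in report-only state so it can be reviewed in the sign-in logs before being enforced.

```powershell
# Added example (not from the original deck): Conditional Access policy that requires
# MFA for the Power BI Service when the sign-in comes from outside the tenant's
# trusted named locations. Assumes the AzureADPreview module is installed.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# Well-known application id of the first-party "Power BI Service" app.
$powerBiAppId = "00000009-0000-0000-c000-000000000000"

# Placeholder: object id of an emergency-access (break-glass) account kept out of
# scope, so a mistaken policy cannot lock every administrator out of the tenant.
$breakGlassObjectId = "<object id of the break-glass account>"

# Conditions: who, which cloud app, and from where.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet

$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = $powerBiAppId

$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "All"
$conditions.Users.ExcludeUsers = $breakGlassObjectId

# "All" locations minus the ones marked as trusted in Azure AD named locations.
$conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
$conditions.Locations.IncludeLocations = "All"
$conditions.Locations.ExcludeLocations = "AllTrusted"

# Controls: require MFA when the conditions match.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "mfa"

# Report-only first: the sign-in logs show which sign-ins would have been
# challenged, without affecting users. Switch -State to "enabled" after review.
$policy = New-AzureADMSConditionalAccessPolicy `
    -DisplayName "Power BI - require MFA outside trusted locations" `
    -State "enabledForReportingButNotEnforced" `
    -Conditions $conditions `
    -GrantControls $controls

# Read the policy back to confirm what was created.
Get-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id |
    Select-Object DisplayName, State
```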

28 Access control Demo Azure AD conditional access policy. Menu: Azure Active Directory > Conditional access > New Policy

29 Access control

30 Access control

31 Giving access to Apps and Content Packs App and App Workspace An App Workspace is a place where you and your colleagues can create and share datasets, reports and dashboards. It has replaced Groups as the collaborative feature in the Power BI Service. Once development is finished, the whole set can be published into an App. Users log into an app and view and consume the reports and dashboards with read-only permission. In the previous model, Groups were a Pro feature. Now, if you subscribe to Power BI Premium, you can distribute your App to users inside your organization. End users don't need to access the App Workspace, only the published App.

32 Giving access to Apps and Content Packs Permissions for an App:
- Grant access to the entire organization
- Grant access to individual users
- Grant access to an Office 365 mail distribution list

33 Giving access to Apps and Content Packs Content packs are containers that allow developers to keep together and share all the objects inside Power BI. You can create a dashboard with its reports and datasets, and then publish them all as a content pack for your coworkers. Organizational content packs are packages created and owned by single developers for users inside their company. They have many similarities with Apps. The main difference is that Content Packs allow users to make a personal copy for customization.

34 Giving access to Apps and Content Packs Permissions for an Organizational Content Pack:
- Grant access to the entire organization
- Grant access to an Office 365 mail distribution list or security group

35 Giving access to Apps and Content Packs This table from Prologika's consultant Teo Lachev summarizes security features for Power BI in Office 365. Source:

36 Giving access to Apps and Content Packs Demo: App; Content pack

37 Row Level Security Row Level Security filters the data in a table based on the visibility rights granted to the user. For example, sales data for different countries or regions should be visible to each sales manager only for his/her own area. Row-level security can be applied in two ways:
1) By manually creating security roles and assigning users or groups of users to those roles
2) By creating a dynamic security role that uses DAX expressions to set up visibility for the logged-in user at query time
RLS is a Pro feature.

38 Row Level Security (figure) Sales per company: the CEO has visibility over the entire corporation (companies A, B, C, D); the sales manager of company B sees only his own data (company B) in the same report, with the other companies masked.

39 Row Level Security Demo
- Manual RLS: Mario Rossi is the Sales Manager for Europe; Carlo Bianchi is the Sales Manager for North America
- Dynamic RLS: Mario Rossi is the Product Manager for Clothes; Carlo Bianchi is the Product Manager for Accessories

40 Securing Data Sources When you connect to an Analysis Services database by Live Connection, you have the same Row Level Security functionality as with Power BI datasets, so you can centralize the security model by applying restrictions directly to the data source. Analysis Services Tabular 2017 and Azure Analysis Services can also apply security to entire tables and to single columns within tables. This kind of security cannot be applied directly in Power BI. The same applies when you connect to SQL Server in DirectQuery mode: in this case you can use the RLS feature of SQL Server (2016 onwards) to secure the data source.

41 Profiling policies How can you concretely manage security for users inside your organization? By using the right mix of Apps and Row Level Security. Figure out how you can create and deliver Apps targeted at a specific population, and limit visibility for the single user based on RLS.
- Profiling by role: Apps & Content packs for VPs, Executives, Managers, Auditors, Sales force, etc.
- Profiling by department: Apps & Content packs for HR, Retail, Corporate, Finance, Production, Operations, etc.
- Profiling by team: Apps & Content packs specific to cross-functional workgroups working on a shared project.

42 Profiling policies (figure) Three Apps (Marketing App, Sales App, Production App) and three security roles: Security Role VP sees everything (every piece of data inside the app); Security Role Manager 1 sees data for level 1 & 2 BUs inside the app; Security Role Manager 2 sees data for level 2 BUs inside the app.

43 Users management

44 Managing Users and Licenses User management takes place in the Office 365 admin center. You can add, delete and edit users. You can also manage roles and licenses per user. For example, you can assign a Power BI Pro license to a specific user, or change his/her role by granting administrator rights for a single service/application. Or you may want to keep an Office 365 user active but no longer grant him/her access to Power BI: in that case you can remove the Power BI license from this user.

45 Managing Users and Licenses Remember that we mainly deal with two kinds of users/licenses:
- Power BI Free: suitable for read-only access to free features, or for access to Apps in Power BI Premium.
- Power BI Pro: suitable for creating and sharing content in App Workspaces and for cooperative teamwork. After editing, content is published into Apps.
License assignment and service subscriptions are also managed through the Office 365 admin center.

46 Managing Users and Licenses How do users join your Power BI tenant?
- Signing up in self-service mode: every single user connects to Power BI and signs up with his/her work email. Users will be automatically added to your tenant and Office 365 environment (if any).
- Bulk centralized registration by an empowered user (for example with the Power BI service administrator role). The system generates a temporary password and sends it by email.
In both cases you should start with a tenant and an active Office 365 subscription. Otherwise a cloud read-only directory is created when the first user signs up, and he/she has the chance to take over the domain as admin.

47 Managing Users and Licenses Enabling/disabling users As service administrator you can enable/disable automatic joining of the tenant. When the block is activated, new users in your organization cannot sign up for Power BI. You can also block existing users (i.e. already registered users) from using Power BI. To perform these tasks, you must use the Azure Active Directory Module for Windows PowerShell.

48 Managing Users and Licenses If my company owns multiple domains, can users be forced to join the same tenant? For example, you work in a corporation with many companies, each with its own domain, but there's no benefit in having multiple tenants to administer. Establish the main target tenant, and in the Office 365 admin center add all the existing domains to that tenant. Then all the users with email addresses in those domains will automatically join the target tenant when they sign up. (Figure: john.smith@cosmogroup.com, derek.brown@andromeda.com, ross.ford@zodiac.biz and tom.williams@mensa.info all join the cosmogroup.com tenant.)

49 Managing Users and Licenses Demo
- Office 365 admin center, then select a user: Product licenses > Edit; Roles > Edit > Customized administrator
- Office 365 admin center > Billing > Subscriptions > Add subscriptions; Purchase services; Licenses

50 Managing Users and Licenses Demo Connecting to AD through PowerShell*:
1. Connect-AzureAD (confirm the sign-in)
2. Get-AzureADDirectoryRole (note the ObjectId of the Power BI Service Administrator role)
3. Get-AzureADUser [optional: -SearchString <name>] (note the ObjectId of the user)
4. Add-AzureADDirectoryRoleMember -ObjectId xxxxxxxxx -RefObjectId xxxxxxxxxx (first the role's ObjectId from step 2, then the user's ObjectId from step 3)

51 Managing Users and Licenses Demo Verify whether the block on the tenant is active:
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred
Get-MsolCompanyInformation | fl Allow*
To prevent existing users from using Power BI, repeat the steps above, then:
Get-MsolCompanyInformation | fl AllowAdHocSubscriptions
Set-MsolCompanySettings -AllowAdHocSubscriptions $true (or $false to block)
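The two demos above (slides 50 and 51) put together as one PowerShell script, added here as an example that is not part of the original deck. It assumes the AzureAD and MSOnline modules are installed, the caller is a Global Admin, and the UPN is a placeholder; it adds the checks a practitioner wants (activating a never-used role from its template, skipping the assignment when the user already holds it, listing current role holders) before touching the self-service sign-up setting.

```powershell
# Added example (not from the original deck): nominate a Power BI Service Administrator
# with the AzureAD module, then review and lock down self-service sign-up with MSOnline.
Import-Module AzureAD
Import-Module MSOnline
Connect-AzureAD | Out-Null
Connect-MsolService -Credential (Get-Credential)

$adminUpn = "<upn of the user to nominate>"        # placeholder, replace before running
$roleName = "Power BI Service Administrator"       # role display name used in the deck
$enforceBlock = $false                             # set to $true to actually block sign-ups

# Get-AzureADDirectoryRole lists only roles already activated in the tenant; a role
# nobody has held yet must first be enabled from its template.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    if (-not $template) { throw "Role template '$roleName' not found in this tenant." }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# -ObjectId accepts a UPN as well as an object id.
$user = Get-AzureADUser -ObjectId $adminUpn

# Idempotent assignment: skip if the user already holds the role.
$alreadyMember = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $user.ObjectId }
if (-not $alreadyMember) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
}

# Review every holder of the role: each one can change tenant settings for Power BI.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object DisplayName, UserPrincipalName

# Self-service sign-up: while AllowAdHocSubscriptions is $true, anyone with an email
# address in one of the tenant's domains can sign up for Power BI and join the tenant.
$company = Get-MsolCompanyInformation
$company | Format-List AllowAdHocSubscriptions, AllowEmailVerifiedUsers

if ($company.AllowAdHocSubscriptions -and $enforceBlock) {
    Set-MsolCompanySettings -AllowAdHocSubscriptions $false
    Get-MsolCompanyInformation | Format-List AllowAdHocSubscriptions   # confirm the change
}
```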

52 A quick recap: security and policy settings (what / how)
- Define tenant settings: Power BI admin portal
- Manage users; create, delete, grant licenses etc.: Office 365 admin center
- Define roles and assign users for RLS: Power BI Desktop/Service
- Control usage of specific PBI features: Power BI admin portal
- Audit Power BI activity: Office 365 Security & Compliance
- Create policies for conditional access: Azure AD
