Security Group for Power BI and Azure Analysis Service cube across domain

0
votes

My Azure Analysis Service cube sits on Azure Domain "DomainA" (for example, my username is [email protected])

My Power BI reports use another Azure Domain "DomainB" (for example, my power bi user is [email protected]).

I want to create a security group on Azure AD on DomainB so that I can add all business powerbi users into it and grant this SG permission on Power BI App.

I also need to grant these users access on Azure Analysis Service to access the cube since power bi passes credential to cube. My question is the domainA cannot recognize my above security group. How can I grant these users permission on the AAS cube?

Thanks.

1
azureazure-active-directorypowerbiazure-analysis-services

1 Answers

0
votes

This should be possible using Azure B2B. Invite your users in domainB via B2B to the domainA. You can add them to a group in domainA if you want or add their UPN manually to an Azure Analysis Services Role. Now that the users are "associated" with domainA in which your AAS authenticates via B2B the report consumers will be able to view content built on AAS.

With your Power BI reports in domainB you can use that group to control access to Power BI apps as you choose.

https://azure.microsoft.com/en-us/blog/invite-guest-users-to-your-azure-analysis-services-by-using-b2b/

Note: Power BI workspaces have an email associated with them in your domainA. I've granted workspace email's privileges to an AAS role before and when consuming reports in Power BI the users in the workspace authenticated without the need to add each individual UPN to an AAS role. I'm curious to know if you can invite the email from the workspace in domainB to domainA using B2B. Feel free to test this out and reply.