trevorgermain
Advocate I

Embedding with Multi-Tenant data warehouse security concerns

We connect our Power BI reports to a multi-tenant data warehouse, and embed it in a SaaS application. The current architecture proposed for the Power BI Service is to:

  • Create a "master" user in the O365 tenant
  • Create an "app workspace" in the "master" user workspace
  • Create an Azure AD app registration
  • Connect to the Power BI Service via the REST interface, as the "master" user

 

A major security concern we have is that if the "master" user's username and password were compromised, a malicious user would have access to all data for all of our customers by simply logging into the Power BI Service and looking at the reports.

  1. Is there a way to enable multi-factor authentication for the "master" application, except from the Azure App Service hosting the application?
  2. Are there any white papers / guidance on handling multi-tenant data warehouse scenarios, or alternative architectures we should look at?
4 REPLIES 4
v-jiascu-msft
Employee

Hi @trevorgermain,

 

1. There is multi-factor authentication indeed. You can activate it for user "master". Could you please tell me if this could work?

Reference: multi-factor-authentication, multi-factor-authentication-how-it-works, multi-factor-authentication-get-started-cloud

2. What data warehouse is it? About the security of Power BI, please reference here and download the white paper: powerbi-admin-power-bi-security/

 

Best Regards!

Dale

Community Support Team _ Dale
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

1. The Multi Factor Authentication may work for me. I was attempting to use the conditional access feature in the Azure Portal, but wasn't having much luck getting it to work. This MFA feature seems to work ok. I can restrict portal log in to the service, but programmatic access via ADAL still works.

 

2. The data warehouse is an On Premise SQL database that we will access via the data gateway.

Hi @trevorgermain,

 

1. Programmatic access restriction might influence the normal access. I think. Maybe this could help: powerbi-admin-auditing

2. About Data Gateway security. Please reference:

powerbi-admin-power-bi-security (The link of the whitebook is in the first paragraph.)

powerbi-gateway-onprem-indepth

 

Best Regards!

Dale

Community Support Team _ Dale

The following links all show that using Resource Owner Password flow is a bad idea. In fact, the latest version of the ADAL library for .Net Core has removed the UsernamePasswordCredential entirely.

 

https://github.com/Microsoft/PowerBI-CSharp/issues/30

https://github.com/Microsoft/PowerBI-CSharp/issues/95

https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/issues/482

http://stackoverflow.com/a/29110987

http://stackoverflow.com/a/28597758

http://stackoverflow.com/a/26795582

http://stackoverflow.com/a/39250380

 

I can only assume that the idea of application permissions will be coming to the Power BI service in the very near future, or the team has completely dropped the ball on the embedding security story.

 

When can developers expect a proper embedding authentication scenario?
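A review of sign-in records for the "master" account along the lines discussed in this thread, as an added example that is not part of any post: it flags uses of the account from outside the application's hosting addresses, including the password-only programmatic sign-ins that MFA on portal login does not stop. The account name, address ranges, record fields and sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumed for this example (none of these values come from the thread).
MASTER_UPN = "pbi-master@contoso.example"
APP_SERVICE_EGRESS = [ipaddress.ip_network(n)
                      for n in ("203.0.113.16/29", "198.51.100.7/32")]

# Constructed sign-in records; the field names are simplified assumptions.
SIGN_INS = [
    {"time": "09:00:02", "upn": MASTER_UPN, "ip": "203.0.113.18",
     "interactive": False, "mfa": False, "ok": True},   # the embedding app
    {"time": "09:14:40", "upn": MASTER_UPN, "ip": "192.0.2.55",
     "interactive": True, "mfa": True, "ok": True},     # portal login with MFA
    {"time": "09:20:11", "upn": MASTER_UPN, "ip": "192.0.2.77",
     "interactive": False, "mfa": False, "ok": True},   # password-only API use
    {"time": "09:21:00", "upn": MASTER_UPN, "ip": "192.0.2.77",
     "interactive": False, "mfa": False, "ok": False},  # failed attempt
    {"time": "10:00:00", "upn": "analyst@contoso.example", "ip": "192.0.2.10",
     "interactive": True, "mfa": True, "ok": True},     # unrelated user
]

def from_app_service(ip):
    """True if the address is inside one of the application's egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APP_SERVICE_EGRESS)

def classify(event):
    """Return a finding for a master-account sign-in, or None if expected."""
    if event["upn"].lower() != MASTER_UPN.lower():
        return None
    if from_app_service(event["ip"]):
        # The application only ever signs in non-interactively.
        return "interactive-from-app-service" if event["interactive"] else None
    if not event["ok"]:
        return "failed-attempt-off-network"
    if not event["mfa"]:
        return "password-only-off-network"   # credentials alone were enough
    return "mfa-login-off-network"           # a person used the shared account

def review(events):
    """Return (time, ip, finding) for every sign-in that needs attention."""
    findings = []
    for event in events:
        finding = classify(event)
        if finding:
            findings.append((event["time"], event["ip"], finding))
    return findings

if __name__ == "__main__":
    for row in review(SIGN_INS):
        print(*row)
```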
