Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
pmdci
Advocate V
Advocate V

Sending external users as effective user ID

‎01-02-2018 11:10 AM

Hello,

 

I have noticed that a while ago, Microsoft has added the ability to add external users (that is, non-Windows accounts) into roles in SSAS tabular models, as per the screenshot below:

 

Image result for ssas roles "external user"

Source: http://byobi.com/2017/02/managing-user-access-to-azure-analysis-services-databases/

 

 

We have an on-prem SQL Server 2016 (latest SP) with a tabular model that we access via the on-prem data gateway. As a test for row-based level security, we are trying to send an external user as the effective user ID, but that does not seem to work. Basiclly I added a user (e.g. joe@blogs.com) and sending that user as the effective user id returns an access denied error. If we pass an existing Windows account (i.e. an Active Directory user) then it works as expected.

 

I wonder if Power BI would ever work with external users specified in an SSAS tabular model?

 

Regards,

P.

Labels:
Message 1 of 7
3,757 Views
0
1 ACCEPTED SOLUTION
pmdci
Advocate V
Advocate V
In response to pmdci

‎01-04-2018 02:22 AM

I got it working!!! But I must I had to create a mapping in PowerBI.com. Here is what I did.

 

  1. Created a john_example.com#EXT#@mydomain.com account in my on-prem Active Directory. This would be the shadow account for user john@example.com
  2. In PowerBI.com I went to the data source in settings, and clicked on map user names in the users settings. I then aded a replacement rule to replace @example.com with the shadow account string.

Boom! it worked 🙂

 

Bottom line is that SSAS -- at least on-prem, does NOT support external user IDs. I had to create a shadow account in my Active Directory to which the user gets mapped into.

View solution in original post

Message 5 of 7
4,170 Views
6 REPLIES 6
v-ljerr-msft
Employee
Employee

‎01-02-2018 11:28 PM

Hi @pmdci,

 

Is the test user(external) a B2B collaboration user in your organization? According to this documentation, the external users can be added with this feature should be B2B collaboration users that have been added to your organization. 

In this sample, a B2B external user and a group are added to the Analyst role with Read permissions for the SalesBI database. Both the external user and group must be in same tenant Azure AD.

Reference:

https://docs.microsoft.com/en-us/azure/analysis-services/analysis-services-database-users

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-what-is-azure-ad-b2b

 

In addition, have you tried the solution in this article to get Power BI RLS(SSAS Live) to work with external users? Smiley Happy

 

Regards

Message 2 of 7
3,737 Views
0
pmdci
Advocate V
Advocate V
In response to v-ljerr-msft

‎01-03-2018 03:43 PM

Here is a tought. Perhaps a little far fetched...

 

I wonder if the Power BI gteway automatically forwards external users in the taxonomy of their correspondent shadow account in the AD -- even if not the AD in Azure (that is, an AD on prem). So for example if I log-in as john@example.com, it effectively forwards john_example.com#EXT#@mydomain.com. So I have created this account in my local AD and I have added it into a role in a test tabular model. I'll revert back on my tests later on.

 

If it does not, then we'll develop a solution around shadow accounts.

Message 4 of 7
3,722 Views
0
pmdci
Advocate V
Advocate V
In response to pmdci

‎01-04-2018 02:22 AM

I got it working!!! But I must I had to create a mapping in PowerBI.com. Here is what I did.

 

  1. Created a john_example.com#EXT#@mydomain.com account in my on-prem Active Directory. This would be the shadow account for user john@example.com
  2. In PowerBI.com I went to the data source in settings, and clicked on map user names in the users settings. I then aded a replacement rule to replace @example.com with the shadow account string.

Boom! it worked 🙂

 

Bottom line is that SSAS -- at least on-prem, does NOT support external user IDs. I had to create a shadow account in my Active Directory to which the user gets mapped into.

Message 5 of 7
4,171 Views
NirH_at_BITeam
Frequent Visitor
In response to pmdci

‎06-24-2019 03:46 AM

Hi,

 

Where is this mapping users reside. Can't seem to find it.

Can you pls. be more specific on where to define this mapping.

 

Thansk!

NH

 

Message 7 of 7
2,644 Views
0
Anonymous
Not applicable
In response to pmdci

‎04-11-2019 08:37 AM

Hi - does this only work for Analysis Services? Or can we map external users to SQL Server on-prem, too?

Message 6 of 7
2,880 Views
0
pmdci
Advocate V
Advocate V
In response to v-ljerr-msft

‎01-03-2018 12:54 PM

Hi!

 

Thank you so much for providing us with this additional documentation.

 

No, the user is not B2B. But I am not sure if that would work either because having an external user in our Azure AD does not mean that that user would exist in our on-prem AD. Bear in mind that, as per my original post, this is an on-prem implementation of SSAS which authenticate users within our on-prem Active Directory.

Message 3 of 7
3,731 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All