Solved: Access to Azure AD B2B guest users is not stable

morozna · ‎06-22-2022

Hi!
At first, I'd describe prerequisites:
We manage user's access through Power BI App, published from premium workspace and RLS model, configured on the level of Dataset. Access on the level of Power BI App/Permissions and on the level of Dataset/Security is configured with AD security groups.
On the level of Power BI Service configured: allow AD guest users to access Power BI.
Users could be found in AD groups with type Guest. (added by Invitation)

And we've faced with the problem of access for external users. If user goes by direct link for an Power BI App, provided by publisher, his logo is grey, but he has access and could operate with App and report.
If he authenticates from scratch to https://app.powerbi.com/home , he don't see shared with him Power BI App and can't find it in list of available. But logo this time uploads the picture from MS 365.

In both cases we see user1@externaldomain.com mail under logo. And in both cases he goes through MS authentication flow.

I've read in topic, that if they use direct link to the tenant, everything works perfectly. But today I've faced that it's not such stable.
Could you please advice, what should I do, for being sure, that in case of configuration by AD security groups user would have an access? What else should be checked and configured?

Thanks!

v-luwang-msft · ‎06-26-2022

Hi @morozna ，

Pls check official articles for restrictions relating to.

Considerations and Limitations

External Azure AD B2B guests can view apps, dashboards, reports, and export data. They can't access workspaces or publish their own content. To remove these restrictions, you can use the Allow external guest users to edit and manage content in the organization feature.
To invite guest users, a Power BI Pro or Premium Per User (PPU) license is needed. Pro Trial users can't invite guest users in Power BI.
Information protection in Power BI doesn't support B2B and multi-tenant scenarios. This means that although external users may be able to see sensitivity labels in Power BI:
- They can't set labels
- Mandatory and default label polices will not be enforced for them
- While they can view a report that has a label with protection settings, if they export data from that report to a file, they may not be able to open the file, as it has the Azure Active Directory permissions of the original organization that it got due to the label on the report.
Some experiences are not available to guest users who can edit and manage content in the organization. To update or publish reports, guest users need to use the Power BI service, including Get Data, to upload Power BI Desktop files. The following experiences aren't supported:
- Direct publishing from Power BI desktop to the Power BI service
- Guest users can't use Power BI desktop to connect to service datasets in the Power BI service
- Classic workspaces tied to Microsoft 365 Groups
  - Guest users can't create or be Admins of these workspaces
  - Guest users can be members
- Sending ad hoc invites isn't supported for workspace access lists
- Power BI Publisher for Excel isn't supported for guest users
- Guest users can't install a Power BI Gateway and connect it to your organization
- Guest users can't install apps publish to the entire organization
- Guest users can't use, create, update, or install organizational content packs
- Guest users can't use Analyze in Excel
- Guest users can't be @mentioned in commenting
- Guest users can't create subscriptions
- Guest users who use this capability should have a work or school account
Guest users using social identities will experience more limitations because of sign-in restrictions.
- They can use consumption experiences in the Power BI service through a web browser
- They can't use the Power BI Mobile apps
- They won't be able to sign in where a work or school account is required
This feature isn't currently available with the Power BI SharePoint Online report web part.
There are Azure Active Directory settings that can limit what external guest users can do within your overall organization. Those settings also apply to your Power BI environment. The following documentation discusses the settings:
You can share content from a government cloud, like GCC, to an external commercial cloud user. However, the guest user can't use their own license. The content has to be in capacity assigned to Premium to enable access. Or, you can assign a Power BI Pro license to the guest account.
Sharing outside your organization isn't supported for national clouds, like the China cloud instance. Instead, create user accounts in your organization that external users can use to access the content.
If you share directly to a guest user, Power BI will send them an email with the link. To avoid sending an email, add the guest user to a security group and share to the security group.

And about Azure B2B and Guest Management Best Practices ,refer:

https://www.youtube.com/watch?v=8MWcd3dihqs

Did I answer your question? Mark my post as a solution!

Best Regards

Lucien

View solution in original post

v-luwang-msft · ‎06-26-2022

Hi @morozna ，

Pls check official articles for restrictions relating to.

Considerations and Limitations

External Azure AD B2B guests can view apps, dashboards, reports, and export data. They can't access workspaces or publish their own content. To remove these restrictions, you can use the Allow external guest users to edit and manage content in the organization feature.
To invite guest users, a Power BI Pro or Premium Per User (PPU) license is needed. Pro Trial users can't invite guest users in Power BI.
Information protection in Power BI doesn't support B2B and multi-tenant scenarios. This means that although external users may be able to see sensitivity labels in Power BI:
- They can't set labels
- Mandatory and default label polices will not be enforced for them
- While they can view a report that has a label with protection settings, if they export data from that report to a file, they may not be able to open the file, as it has the Azure Active Directory permissions of the original organization that it got due to the label on the report.
Some experiences are not available to guest users who can edit and manage content in the organization. To update or publish reports, guest users need to use the Power BI service, including Get Data, to upload Power BI Desktop files. The following experiences aren't supported:
- Direct publishing from Power BI desktop to the Power BI service
- Guest users can't use Power BI desktop to connect to service datasets in the Power BI service
- Classic workspaces tied to Microsoft 365 Groups
  - Guest users can't create or be Admins of these workspaces
  - Guest users can be members
- Sending ad hoc invites isn't supported for workspace access lists
- Power BI Publisher for Excel isn't supported for guest users
- Guest users can't install a Power BI Gateway and connect it to your organization
- Guest users can't install apps publish to the entire organization
- Guest users can't use, create, update, or install organizational content packs
- Guest users can't use Analyze in Excel
- Guest users can't be @mentioned in commenting
- Guest users can't create subscriptions
- Guest users who use this capability should have a work or school account
Guest users using social identities will experience more limitations because of sign-in restrictions.
- They can use consumption experiences in the Power BI service through a web browser
- They can't use the Power BI Mobile apps
- They won't be able to sign in where a work or school account is required
This feature isn't currently available with the Power BI SharePoint Online report web part.
There are Azure Active Directory settings that can limit what external guest users can do within your overall organization. Those settings also apply to your Power BI environment. The following documentation discusses the settings:
You can share content from a government cloud, like GCC, to an external commercial cloud user. However, the guest user can't use their own license. The content has to be in capacity assigned to Premium to enable access. Or, you can assign a Power BI Pro license to the guest account.
Sharing outside your organization isn't supported for national clouds, like the China cloud instance. Instead, create user accounts in your organization that external users can use to access the content.
If you share directly to a guest user, Power BI will send them an email with the link. To avoid sending an email, add the guest user to a security group and share to the security group.