Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
PAPutzback2
Helper II
Helper II

Apps shared to security groups aren't visible to a user unless that app is shared to the user first

‎02-04-2020 01:48 PM

I'll do the best I can to describe my issues since I only have access to the AAD that authenticates users and another person manages the AAD that authorizes users for Power BI. 

So what I gather that we have some sort of B2B setup. We develop a Power BI app from a Premium workspace and then we create a Member type user account in AAD Company.com. This user is also added to AAD ParentCompany.com and added to a security role with other users sec_CompanyC_Finance. 

So now I publish an app and grant access to sec_CompanyC_Finance and then send a link to the user Barney.Five@CompanyC.com. When they log in it says they don't have authorization to see anything. If I go back to the app and grant that user access directly, and remove the security group, then they are able to get into the app.

Now that the user has accesses the app once, if I go back and add the security group again and remove the user, the user can still get to the app. It is like the user has to login to the app once while they are specifically assigned access and it remembers they had access so when the app is published to the security group the system knows to interrogate the group for that user account. 
It is like I have to run some sort of GPUPDATE /force on the app to have it get all the users cached in it for them to have access.

Labels:
Message 1 of 9
2,384 Views
0
1 ACCEPTED SOLUTION
nickyvv
Community Champion
Community Champion
In response to GilbertQ

‎02-06-2020 03:52 PM

Regarding the removal of the user in the App: this doesn't remove the (fairly new) Build permission. 

The documentation says the following: 

You see a message explaining that you need to go to Manage permissions to remove Build permission for users with existing access.

image.png

So when updating the App's permissions after removing the user, they still have build access to the dataset.

Follow the steps on the link above to remove the access rights of the user properly. 

 

Did this help you or did I answer your question?
Then please give kudos or mark my post as a solution!
My blog: nickyvv.com
Twitter: @NickyvV



Did I answer your question? Mark my post as a solution!

Blog: nickyvv.com | @NickyvV


View solution in original post

Message 8 of 9
2,291 Views
8 REPLIES 8
v-alq-msft
Community Support
Community Support

‎02-04-2020 11:04 PM

Hi, @PAPutzback2 

 

It is strange that 'Apps shared to security groups aren't visible to a user unless that app is shared to the user first'. Premium enables widespread distribution of content by Pro users without requiring Pro licenses for recipients who view the content. Pro licenses are required for content creators. Creators connect to data sources, model data, and create reports and dashboards that are packaged as workspace apps. User without a Pro license can still access a workspace that's in Power BI Premium capacity, as long as they have a Viewer role. I'd like to suggest logging a support ticket,too. It may help.

 

Best Regards

Allan

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 3 of 9
2,342 Views
0
PAPutzback2
Helper II
Helper II
In response to v-alq-msft

‎02-05-2020 10:33 AM

I wonder if it has to do with the fact that we don't grant anyone access to the workspace other than the admins. Access to the App is granted to the security group when going through the publishing steps. 
What we want to do is send a user an Invite from our AD, they login with the temporary password and get the prompt to change their password. After they do that, they should go directly to the app. But they get an error that they don't have access to anything unless we give them access via their email address directly. If this is a support ticket and not a well known issue I'll have to pass this info along to our AD admin.

Message 4 of 9
2,330 Views
0
GilbertQ
Super User
Super User
In response to PAPutzback2

‎02-05-2020 03:13 PM
Hi there

What I will confirm is that the free user DOES NOT have to be in the Viewer Role for the App Workspace.

I think the challenge here is that the user who is in the Security Group does not have access to the App after it is created.

I would suggest not getting them to change their password on the first login in.

It would appear from your message if you are only creating the user, how could that user be in the Security Group if they have never logged in?




Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

Message 5 of 9
2,317 Views
0
PAPutzback2
Helper II
Helper II
In response to GilbertQ

‎02-06-2020 06:09 AM

I can't confirm that the user DOES NOT have to be a viewer in the workspace. We are only assiging access to the pbulished app.

 

You are correct that the user in the security group does not have access. Not until they have been added by their username, logged in once, and then removed. At that point, the app seems to be aware that the user is also in the security group.

 

They have to change their password when they login. The login pages takes them straight to a page that asks for their current password and a new password.

 

When CompanyC says they want to add a user to APPXXXXX, we add the user to AD and also to the security group that is assigned access to the APP. Not the workspace, the APP. 


 

Message 6 of 9
2,295 Views
0
GilbertQ
Super User
Super User
In response to PAPutzback2

‎02-06-2020 03:42 PM
That is really interesting I am about to test this out where I am consulting. I will let you know how I go.




Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

Message 7 of 9
2,292 Views
0
nickyvv
Community Champion
Community Champion
In response to GilbertQ

‎02-06-2020 03:52 PM

Regarding the removal of the user in the App: this doesn't remove the (fairly new) Build permission. 

The documentation says the following: 

You see a message explaining that you need to go to Manage permissions to remove Build permission for users with existing access.

image.png

So when updating the App's permissions after removing the user, they still have build access to the dataset.

Follow the steps on the link above to remove the access rights of the user properly. 

 

Did this help you or did I answer your question?
Then please give kudos or mark my post as a solution!
My blog: nickyvv.com
Twitter: @NickyvV



Did I answer your question? Mark my post as a solution!

Blog: nickyvv.com | @NickyvV


Message 8 of 9
2,292 Views
PAPutzback2
Helper II
Helper II
In response to nickyvv

‎02-07-2020 09:19 AM

Thanks nickyvv! This fixed our problem. But I don't recall seeing that message you posted in the screenshot. IT will probably show up today since we discussed it.

 

Thanks Again,

Phil

 

 

Message 9 of 9
2,258 Views
GilbertQ
Super User
Super User

‎02-04-2020 05:25 PM
I would probably suggest logging a support ticket, this is a very specific scenario and easily solved by the support engineers?




Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

Message 2 of 9
2,357 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All