Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
rossnruthie
Resolver I
Resolver I

Dynamic RLS with External User (Azure B2B) help

‎04-09-2019 08:47 AM

I am working on setting up external sharing of a report and running into a problem.

 

Scenario:

  • Create a report that uses dynamic RLS based on external email
  • Share a PBI report with an external user username@yahoo.com
  • verify that RLS filters data specific to username@yahoo.com

 

I've invited and the user username@yahoo.com has accepted the invitation.  I've added them to a role that i've set up:

 

The username@yahoo.com maps to the dealerGroupUser.UserEmail which then filters to a dealer group.

role.pngimage.png

 

I deployed the report, added the external user to the Dealer Group role and shared the report.  When the external user opens the report it's blank.  

 

I created a calculated measure to display the user name and found that USERPRINCIPALNAME() which i would expect to return 'username@yahoo.com' is actually returning 'live.com#username@yahoo.com'.  For some reason it is appending 'live.com#'.  I'm assuming it's because it's an external account and that AAD is creating a microsoft live account behind the scenes as denoted in the guest user properties:

 

image.png

 

I couldn't find anything in the documentation about this.  Does this always append live.com#?  What if I invite someone from another AAD tenant, will it append something else or nothing at all?  This makes it difficult to map the guest email to the userEmail value in my dynamic RLS table.

 

Can someone help me out?

 

Thanks!

Labels:
Message 1 of 6
3,699 Views
0
1 ACCEPTED SOLUTION
rossnruthie
Resolver I
Resolver I
In response to GilbertQ

‎04-15-2019 06:18 AM

I actually found an MSDN post where apparently under the hood AAD appends that value to the user name for external B2B customers and there is no way to prevent it.  So in my case in order to get RLS to map to an external account (with the appended value) to the email address stored in the db table i changed the DAX to remove the "live#" value and everything worked fine after that.

 

I should note that the external users in this case do not map to another tenant.  They were plain email address like gmail.com.  This may explain why the B2B tenant to tenant worked without modification in your case but not with me.

View solution in original post

Message 3 of 6
2,929 Views
0
5 REPLIES 5
GilbertQ
Super User
Super User

‎04-09-2019 06:03 PM
Hi there

What I would suggest first doing, is if you change the email address to match with the "#Live" does it then work?

When I have done it in the past it always worked with simply putting in the User's email address that was external.

When going to another tenant it also makes changes for the UPN, but I still use the actual email address and it works.




Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

Message 2 of 6
3,688 Views
0
rossnruthie
Resolver I
Resolver I
In response to GilbertQ

‎04-15-2019 06:18 AM

I actually found an MSDN post where apparently under the hood AAD appends that value to the user name for external B2B customers and there is no way to prevent it.  So in my case in order to get RLS to map to an external account (with the appended value) to the email address stored in the db table i changed the DAX to remove the "live#" value and everything worked fine after that.

 

I should note that the external users in this case do not map to another tenant.  They were plain email address like gmail.com.  This may explain why the B2B tenant to tenant worked without modification in your case but not with me.

Message 3 of 6
2,930 Views
0
Anonymous
Not applicable
In response to rossnruthie

‎06-24-2019 09:07 AM

@rossnruthie : i have the same case . can you please share the dax formula to remove live.com# .

 

Is  live.com# is constant across all other emails ? or will it change based on domains?

Message 4 of 6
2,862 Views
0
rossnruthie
Resolver I
Resolver I
In response to Anonymous

‎06-24-2019 10:23 AM

Hi @Anonymous 

 

I used the SUBSTITUTE function in the DAX filter in the Role to replace the unwanted text with a blank space "".  

 

Substitute Function - DAX

 

We have two types of external customers; those with generic external emails such as gmail/yahoo, etc and those with their own Azure Active Directory with O365.  I found that only the external customers with generic accounts have the "live.com#" appended and the Azure Active directory accounts remained unchanged.  This makes sense because when sending invites to generic email accounts users create a microsoft guest account the first time they attempt to access power bi via an invite while the AAD accounts don't have to as they already exist in a different tenant.

Message 5 of 6
2,854 Views
0
Anonymous
Not applicable
In response to rossnruthie

‎06-24-2019 10:28 AM

@rossnruthie : Thanks for your reply

TRIM(SUBSTITUTE(USERPRINCIPALNAME(),"live.com#",""))  is the formuala i used and without trim it was not not working intially . After adding trim it was working fine . It's the same with you as well?

Message 6 of 6
2,852 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All
Top Solution Authors
View All