I am trying to share a dashboard with dynamic RLS, via Premium, based on Excel, with bosses from our customers companies.
The external users have their own AD. They should use their usual AAD passwords to enter the dashboard. Thus the dashboard shall not be embedded. We are talking here about only one dashboard, no need for app.
We are facing tremendous problems. I could not find the proper answers until now.
The first version of the dashboard did not had RLS. We could share it quite smoothely with our customers.
Sharing the dashboard with RLS directly does not work!
The solution we found is first invite the user to an easy dashboard without any RLS. After the user accepted the invitation we are able to invite him to the db with RLS, and afterwards set him in the online security. Before that step, the user from the other tenant is not known and rejected by the system.
#1 AAD documentation on triggers
What should be set in our different AD and AAD so that it works?
Is there any documenation somewhere explaining what switch has to be activated in our AD and AAD and customer's AD so that the user gets directly access to the dashboard with RLS? this would skip the need of sending an invitation for an db without RLS, and in case the user was already know by our AAD, the security could be setup directly.
#2 Invitation timeout
We have the case of a test user for which the previous version of the dashboard without RLS worked. Somehow i had to re-invite him with the fake dashboard without RLS so that he could access to the same link, but with RLS...
Can it be that this user was not active for some time in our tenant or PBI and got an invisible timeout? Is there any timeout for the invitations?
#3 Automatic acceptance
We are in the B2B area. Would it be possible that the IT administrator of our external customers automatically accept our invitation for this dashboard? This would avoid for the bosses to first have to accept the invitation, then wait, then get access to the dashboard...
#4 Connection log
There are users i suspect already logged in the db long time ago. Is there a way to see who logged in and when?
#5 How to enter several users at the same time
In the screen to set the row level security, how can i enter at once several email addresses? the semi-colon ; does not work, and i cannot enter a comma. Any idea?
#6 User with multiple email addresses
We have users that have several email addresses. Normally, in the screen "Access" i should be able to see who has already access to the dashboard. But in that case i would only see several time the same name, not knowing which email address is behind
With these addresses Sam.Smith@example.com and Sam-Smith@example2.com i would see in the access area two times Sam Smith. How to distinguish them???
#1. To share a dashboard with RLS applied, we need to add the guest users in AAD ahead of time and assigning them to the security roles before sharing the content. For more information, see this whitepaper: https://aka.ms/powerbi-b2b-whitepaper
#2. This scenario is mentioned in the whitepaper shared in #1. It's recommended to use planned invites.
#3. As I tested, both planned invites and ad-hoc invites, the external users will be prompted to accept the invitation.
#4. Not sure what you mean about "db". Would you please clarify it?
#5. When we type the user in RLS role, it will prompt corresponding highlighted list for us to choose, after click on the specified user, the user is ented in the box. Then you can type another email address without any comma or semi-colon separate.
From the screenshot, I guess the email you want to add is a external email address which can't be recognized. You can add this guest user in AAD as mentioned above and add it as a member again.
#6. Based on my research, it's not supported to do it currently.