Separation of Internal and External users for easy management.

Benjamin Garrard 21 Reputation points
2020-06-01T21:54:24.703+00:00

Currently my team and I have a client that is using Power BI Premium.

We need to have Row Level Security enabled for both internal and external users.

We gave a recommendation to have Azure AD groups handle user management, but the client does not want to have all of there internal and external users be shown in their Azure AD. They want us to recommend another way to be able to manage internal users in Azure AD and have all external users managed in Azure AD, but completely separated from internal users, or by some other user management service that Azure provides. All the while, remaining in the same tenant since it seems the Power Bi Premium license can only be associated to one tenant and being able to have Row Level Security implemented for both internal and external users.

Is this possible? If so, how can we do it?

Thank you all for your time and help.

Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,465 questions
0 comments
Accepted answer
  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-06-03T08:23:04.41+00:00

    Hi @Benjamin Garrard ,

    You can create 2 Administrative Units (AUs), one for internal users and another for external users. You will have to manually assign users to Administrative Units every time a new member or guest is added to the tenant.

    You can use dynamic groups for this purpose as well, for example you can use a query if userType == Guest and userType == member for adding external and internal users to groups respectively. However, the query will be executed everytime you fetch the membership of the dynamic group to populate the list of all group members and can take time to populate the list of users if there are huge number of users.

    Administrative units can contain Users and Groups. So you can combine the usage of AUs and Dynamic groups as well.

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jai Verma 461 Reputation points
    2020-06-03T04:27:03.99+00:00

    I am not sure if the goal is achievable or not, however, groups in Azure AD can be dynamic.
    So you can have a dynamic group where members are only external users and create another dynamic group, where members are only internals. Hope, this may give you some direction.