0 Votes
BenjaminGarrard-6195 asked

Separation of Internal and External users for easy management.


Currently my team and I have a client that is using Power BI Premium.

We need to have Row Level Security enabled for both internal and external users.

We gave a recommendation to have Azure AD groups handle user management, but the client does not want to have all of their internal and external users be shown in their Azure AD. They want us to recommend another way to be able to manage internal users in Azure AD and have all external users managed in Azure AD, but completely separated from internal users, or by some other user management service that Azure provides. All the while, we need to remain in the same tenant, since it seems the Power BI Premium license can only be associated with one tenant, and to be able to have Row Level Security implemented for both internal and external users.

Is this possible? If so, how can we do it?

Thank you all for your time and help.

azure-active-directory azure-ad-domain-services

1 Vote
amanpreetsingh-msft answered

Hi @BenjaminGarrard-6195,

You can create 2 Administrative Units (AUs), one for internal users and another for external users. You will have to manually assign users to Administrative Units every time a new member or guest is added to the tenant.

You can use dynamic groups for this purpose as well; for example, you can use a query if userType == Guest and userType == member for adding external and internal users to groups respectively. However, the query will be executed every time you fetch the membership of the dynamic group to populate the list of all group members, and it can take time to populate the list of users if there is a huge number of users.

Administrative units can contain Users and Groups. So you can combine the usage of AUs and Dynamic groups as well.


Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.




This is good, thanks! I am not very familiar with AUs or Dynamic groups. But with Dynamic groups, can we limit a specific internal user to only be able to manage guest users? Let's say, for example, that an IT department wants to manage internal users, but wants a client support team to handle any client-related issues. Since the clients will be guests in the AAD, can client support be given user management permissions strictly for guest users?

0 Votes 0 · ·

@BenjaminGarrard-6195 In that case, I would suggest you go with Administrative Units, because that way you can define administrative roles with a scope limited to one or more administrative units (AUs) for more granular administrative control. Below are the roles available for this purpose:

  • Authentication Administrator

  • Groups Administrator

  • Helpdesk Administrator

  • License Administrator

  • Password Administrator

  • User Administrator

Refer to https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-admin-units-assign-roles for more details.



0 Votes 0 · ·
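An added example (not part of the answer above and not Microsoft's own sample) of the setup discussed in this answer and its comments, using the Microsoft Graph PowerShell SDK: two dynamic groups split on userType, an administrative unit holding the guest accounts, and the User Administrator role scoped to that unit. The group, unit and account names are hypothetical, and `user.userType -eq "Guest"` is the dynamic-membership rule form of the query the answer describes.

```powershell
# Added example; every display name and the UPN below are hypothetical placeholders.
# Requires the Microsoft.Graph PowerShell module and a licence tier that includes
# dynamic groups and administrative units.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All',
    'AdministrativeUnit.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

# 1. One dynamic security group per user type (e.g. to map to Power BI RLS roles).
function New-UserTypeGroup {
    param([string]$Name, [ValidateSet('Guest', 'Member')][string]$UserType)
    $params = @{
        DisplayName                   = $Name
        MailNickname                  = ($Name -replace '\W', '')
        MailEnabled                   = $false
        SecurityEnabled               = $true
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = ('(user.userType -eq "{0}")' -f $UserType)
        MembershipRuleProcessingState = 'On'
    }
    New-MgGroup @params
}
$externalGroup = New-UserTypeGroup -Name 'RLS-External-Users' -UserType 'Guest'
$internalGroup = New-UserTypeGroup -Name 'RLS-Internal-Users' -UserType 'Member'

# 2. Administrative unit that will contain the guest *user objects*.
#    Adding a group to an AU scopes management of the group object only, not of
#    its members, so the guest accounts themselves are added here.
$au = New-MgDirectoryAdministrativeUnit -DisplayName 'External Users' `
    -Description 'Guest accounts managed by client support'

# 3. Add every current guest to the AU. Re-run after inviting new guests;
#    accounts that are already members are skipped.
$already = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All).Id
Get-MgUser -Filter "userType eq 'Guest'" -All |
    Where-Object { $_.Id -notin $already } |
    ForEach-Object {
        $ref = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($_.Id)" }
        New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter $ref
    }

# 4. Give a client-support account User Administrator rights over that AU only.
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$admin = Get-MgUser -UserId 'support.lead@contoso.example'   # hypothetical UPN
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $admin.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId "/administrativeUnits/$($au.Id)"
```

The scoped assignment grants no rights over internal accounts, because they are never added to the unit.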
0 Votes
JaiVerma-7010 answered

I am not sure if the goal is achievable or not; however, groups in Azure AD can be dynamic.
So you can have a dynamic group where members are only external users and create another dynamic group where members are only internals. Hope this may give you some direction.


This, though, would still create a massive list inside of AAD when viewing the users, right? I believe that might be okay then; however, we need to limit a subset of the internal users to be able to manage guest users and have no permissions to manage the internal users. Is that possible using Dynamic Groups?

0 Votes 0 · ·