Azure Analysis Services Preview -How to add security group

The information posted originally in this blog is now out-of-date due to change in the Azure products. Please open a new support case if you need help with adding security group in Azure Analysis Services. Security group now can be added in format obj:<objid>@<tenanted>  using SSMS or AMO.

Go to the group Properties, page find the object ID.


Go to the Active Directory Properties page, find the directory ID


Then Go to SSMS, connect to the server, right click on the server, choose Properties, choose Security, click the Add button, in the Manual Add area

Type in obj:GroupID@DirectoryID like the one I have below. It should also work.


Problem: You are not able to add a security group as administrator on Azure Analysis Services Preview. The error is below

Failed to save modifications to the server. Error returned: 'The identity 'Domain\Group' has invalid identity provider ''. Only Azure Active Directory users or groups are supported. Use 'AzureAD' as the value of the identity provider.

When you manage the Azure Analysis Services database security role membership, you also get the same error when you try to add a group in the database role membership.

Cause: As of January 2017 there is a limitation on Analysis Services Preview security group management. Below are the rules

  1. Only AAD security groups with an email address can be added
  2. An email distribution list (DL) cannot be used as a security group
  3. You cannot add a security group using the domain\group name format. It needs to be an email address.


You can create a new security group in AAD using the Azure Portal, you can turn on the Enable Office Feature option. This will assign an email address for this group

You need to provide the email address of the group when you want to add this group to Azure Analysis Services server security using SSMS.

The easiest way to find out the email address of a group it to go to the Azure Portal, click on the Azure Analysis Services server, click on Analysis Services Admins, click add, then type in the name of the group. The user interface will find the email of the group for you.

In the screen shot below, the name in the rectangle box is the email for the group.

You can click the Maximize icon to expand the Add Server Administrators panel to show the full email address.

If all you need to do is to add this group as the Analysis Services administrator, then you can select the group and save the change.

Equivalently you can perform the same operation in SSMS in either server administrator or database role membership window