Grant data access to an environment

This article discusses the two types of Azure Time Series Insights access policies.

Warning

Access Policies grant Azure AD Users and/or Groups Data Plane access to your Time Series Insights Environment. An Azure Active Directory is tied to a Tenant. So if you decide to move your Subscription between Tenants, make sure to follow the procedure from the section below.

Sign in to Azure Time Series Insights

  1. Sign in to the Azure portal.
  2. Locate your Azure Time Series Insights environment by entering Time Series Insights environments in the Search box. Select Time Series Insights environments in the search results.
  3. Select your Azure Time Series Insights environment from the list.

Grant data access

Follow these steps to grant data access for a user principal.

  1. Select Data Access Policies, and then select + Add.

    Select and add a Data Access Policy

  2. Choose Select user. Search for the user name or email address to locate the user you want to add. Select Select to confirm the selection.

    Select a user to add

  3. Choose Select role. Choose the appropriate access role for the user:

    • Select Contributor if you want to allow the user to change reference data and share saved queries and perspectives with other users of the environment.

    • Otherwise, select Reader to allow the user to query data in the environment and save personal, not shared, queries in the environment.

    Select OK to confirm the role choice.

    Confirm the selected role

  4. Select OK on the Select User Role page.

    Select OK on the Select User Role page

  5. Confirm that the Data Access Policies page lists the users and the roles for each user.

    Verify the correct users and roles

Provide guest access from another Azure AD tenant

The Guest role isn't a management role. It's a term used for an account that's invited from one tenant to another. After the guest account is invited into the tenant's directory, it can have the same access control applied to it like any other account. You can grant management access to an Azure Time Series Insights Environment by using the Access Control (IAM) blade. Or you can grant access to the data in the environment through the Data Access Policies blade. For more information on Azure Active Directory (Azure AD) tenant guest access, read Add Azure Active Directory B2B collaboration users in the Azure portal.

Follow these steps to grant guest access to an Azure Time Series Insights environment to an Azure AD user from another tenant.

  1. Go to Azure portal, click on Azure Active Directory, scroll down on the Overview tab and then select Guest user.

    Select Data Access Polices, then + Invite

  2. Enter the email address for the user you want to invite. This email address must be associated with Azure AD. You can optionally include a personal message with the invitation.

    Enter the email address to find the selected user

  3. Look for the confirmation bubble that appears on the screen. You can also click on Notifications to confirm that the guest user was added.

    Look for the confirmation bubble to appear

  4. Go back to your Time Series Insights environment to add the newly created guest user. Click on Data Access Policies as described under Grant data access. Select user. Search for the email address of the guest user you invited to locate the user you want to add. Then, Select to confirm the selection.

    Select the user and confirm the selection

  5. Choose Select role. Choose the appropriate access role for the guest user:

    • Select Contributor if you want to allow the user to change reference data and share saved queries and perspectives with other users of the environment.

    • Otherwise, select Reader to allow the user to query data in the environment and save personal, not shared, queries in the environment.

    Select OK to confirm the role choice.

    Confirm the role choice

  6. Select OK on the Select User Role page.

  7. Confirm that the Data Access Policies page lists the guest user and the roles for each guest user.

    Verify that users and roles are correctly assigned

  8. Now, the guest user will receive an invitation email at the email address specified above. The guest user will select Get Started to confirm their acceptance and connect to Azure Cloud.

    Guest selects Get Started to accept

  9. After selecting Get Started, the guest user will be presented with a permissions box associated with the administrator's organization. Upon granting permission by selecting Accept, they will be signed in.

    Guest reviews permissions and accepts

  10. The administrator shares the environment URL with their guest.

  11. After the guest user is signed in to the email address you used to invite them, and they accept the invitation, they will be directed to Azure portal.

  12. The guest can now access the shared environment using the environment URL provided by the administrator. They can enter that URL into their web browser for immediate access.

  13. The administrator's tenant will be displayed to the guest user after selecting their profile icon in the upper-right corner of the Time Series explorer.

    Avatar selection on insights.azure.com

    After the guest user selects the administrator's tenant, they will have the ability to select the shared Azure Time Series Insights environment.

    They now have all the capabilities associated with the role that you provided them with in step 5.

    Guest user selects your Azure tenant from drop-down

Procedure for when the Subscription is moved across Tenants

Time Series Insights Data Access Policies are backed by Azure Active Directory, which are tied to an Azure Tenant where the Subscription lives in.

The Azure AD Objects that you grant Data Access Policies to and the the Time Series Insights Environment itself should live under the same Tenant. If not, these objects will not have access to the Environment.

If you plan to move the Subscription the Environment lives in to a different Tenant, you must ensure that the Data Access Policies are updated to reflect the Azure AD Objects under the new Tenant.

To make this process smooth, follow the steps below.

Before moving a Subscription to another Tenant

  • Make sure you keep a list of the current Data Access Policies assignments from the Environment while it's still in the source Tenant.
  • Make sure the users, groups or apps you still want to have access to the Environment after the Subscription are migrated to the Active Directory in the target Tenant.
  • Make sure you will have - or you're engaged with someone who will have - at least Contributor access to the Subscription after it's moved, so the Data Access Policies can be re-applied in the Environment in the target Tenant.

After moving a Subscription to another Tenant

Having Contributor access to the Subscription in the target Tenant, you can

  • Remove all the Data Access Policies that were migrated with the Environment, since they belong to the source Tenant.
  • Re-grant Access Policies to the Environment using the steps above, now pointing to the Azure AD objects in the target Tenant.

Next steps