Distribute Power BI content to external guest users using Azure Active Directory B2B

Summary: This is a technical whitepaper outlining how to distribute content to users outside the organization using the integration of Azure Active Directory Business-to-business (Azure AD B2B).

Writers: Lukasz Pawlowski, Kasper de Jonge

Technical Reviewers: Adam Wilson, Sheng Liu, Qian Liang, Sergei Gundorov, Jacob Grimm, Adam Saxton, Maya Shenhav, Nimrod Shalit, Elisabeth Olson

Note

You can save or print this whitepaper by selecting Print from your browser, then selecting Save as PDF.

Introduction

Power BI gives organizations a 360-degree view of their business and empowers everyone in these organizations to make intelligent decisions using data. Many of these organizations have strong and trusted relationships with external partners, clients, and contractors. These organizations need to provide secure access to Power BI dashboards and reports to users in these external partners.

Power BI integrates with Azure Active Directory Business-to-business (Azure AD B2B) to allow secure distribution of Power BI content to guest users outside the organization – while still maintaining control and governing access to internal data.

This white paper covers all the details you need to understand Power BI's integration with Azure Active Directory B2B. We cover its most common use cases, setup, licensing, and row level security.

Note

Throughout this white paper, we refer to Azure Active Directory as Azure AD and Azure Active Directory Business to Business as Azure AD B2B.

Scenarios

Contoso is an automotive manufacturer and works with many diverse suppliers who provide it with all the components, materials, and services necessary to run its manufacturing operations. Contoso wants to streamline its supply chain logistics and plans to use Power BI to monitor key performance metrics of its supply chain. Contoso wants to share analytics with external supply chain partners in a secure and manageable way.

Contoso can enable the following experiences for external users using Power BI and Azure AD B2B.

Ad hoc per item sharing

Contoso works with a supplier who builds radiators for Contoso's cars. Often, they need to optimize the reliability of the radiators using data from all of Contoso's cars. An analyst at Contoso uses Power BI to share a radiator reliability report with an Engineer at the supplier. The Engineer receives an email with a link to view the report.

As described above, this ad-hoc sharing is performed by business users on an as-needed basis. The link sent by Power BI to the external user is an Azure AD B2B invite link. When the external user opens the link, they are asked to join Contoso's Azure AD organization as a Guest user. After the invite is accepted, the link opens the specific report or dashboard. The Azure Active Directory admin delegates permission to invite external users to the organization and chooses what those users can do once they accept the invite, as described in the Governance section of this document. The Contoso analyst can invite the Guest user only because the Azure AD administrator allowed that action and the Power BI administrator allowed users to invite guests to view content in Power BI's tenant settings.

Figure: Inviting guests to Power BI using Azure AD

  1. The process starts with a Contoso internal user sharing a dashboard or a report with an external user. If the external user is not already a guest in Contoso's Azure AD, they are invited. An email is sent to their email address that includes an invite to Contoso's Azure AD.
  2. The recipient accepts the invite to Contoso's Azure AD and is added as a Guest user in Contoso's Azure AD.
  3. The recipient is then redirected to the Power BI dashboard, report, or app, which is read-only for the user.

The process is considered ad-hoc since business users in Contoso perform the invite action as needed for their business purposes. Each item shared is a single link the external user can access to view the content.

Once the external user has been invited to access Contoso resources, a shadow account may be created for them in Contoso's Azure AD and they do not need to be invited again. The first time they try to access a Contoso resource like a Power BI dashboard, they go through a consent process, which redeems the invitation. If they do not complete the consent, they cannot access any of Contoso's content. If they have trouble redeeming their invitation via the original link provided, an Azure AD administrator can resend a specific invitation link for them to redeem.

Planned per item sharing

Contoso works with a subcontractor to perform reliability analysis of radiators. The subcontractor has a team of 10 people who need access to data in Contoso's Power BI environment. The Contoso Azure AD administrator is involved to invite all the users and to handle any additions/changes as personnel at the subcontractor change. The Azure AD administrator creates a security group for all the employees at the subcontractor. Using the security group, Contoso's employees can easily manage access to reports and ensure all required subcontractor personnel have access to all the required reports, dashboards, and Power BI apps. The Azure AD administrator can also avoid being involved in the invitation process altogether by choosing to delegate invitation rights to a trusted employee at Contoso or at the subcontractor to ensure timely personnel management.

Some organizations require more control over when external users are added, are inviting many users in an external organization, or are inviting many external organizations. In these cases, planned sharing can be used to manage the scale of sharing, to enforce organizational policies, and even to delegate rights to trusted individuals to invite and manage external users. Azure AD B2B supports planned invites sent directly from the Azure portal by an IT administrator, or through PowerShell using the invitation manager API, where a set of users can be invited in one action. Using the planned invites approach, the organization can control who can invite users and implement approval processes. Advanced Azure AD capabilities like dynamic groups can make it easy to maintain security group membership automatically.

Figure: Controlling which guests can see content

  1. The process starts with an IT administrator inviting the guest user either manually or through the API provided by Azure Active Directory.
  2. The user accepts the invite to the organization.
  3. Once the user has accepted the invitation, a user in Power BI can share a report or dashboard with the external user, or with a security group they are in. Just like with regular sharing in Power BI, the external user receives an email with the link to the item.
  4. When the external user accesses the link, their authentication in their own directory is passed to Contoso's Azure AD and used to gain access to the Power BI content.

Ad hoc or planned sharing of Power BI Apps

Contoso has a set of reports and dashboards they need to share with one or more Suppliers. To ensure all required external users have access to this content, it is packaged as a Power BI app. The external users are either added directly to the app access list or through security groups. Someone at Contoso then sends the app URL to all the external users, for example in an email. When the external users open the link, they see all the content in a single, easy-to-navigate experience.

Using a Power BI app makes it easy for Contoso to build a BI Portal for its suppliers. A single access list controls access to all the required content, reducing wasted time checking and setting item level permissions. Azure AD B2B maintains security access using the Supplier's native identity, so users don't need additional login credentials. If using planned invites with security groups, access management to the app as personnel rotate into or out of the project is simplified. Membership in security groups can be maintained manually or by using dynamic groups, so that all external users from a supplier are automatically added to the appropriate security group.

Figure: Controlling content with Azure AD

  1. The process starts by the user being invited to Contoso's Azure AD organization through the Azure portal or PowerShell.
  2. The user can be added to a user group in Azure AD. A static or dynamic user group can be used, but dynamic groups help reduce manual work.
  3. The external users are given access to the Power BI App through the user group. The app URL should be sent directly to the external user or placed on a site they have access to. Power BI makes a best effort to send an email with the app link to external users, but when using user groups whose membership can change, Power BI is not able to send to all external users managed through user groups.
  4. When the external user accesses the Power BI app URL, they are authenticated by Contoso's Azure AD, the app is installed for the user, and the user can see all the contained reports and dashboards within the app.

Apps also have a unique feature that allows app authors to install the application automatically for the user, so it is available when the user logs in. This feature only installs automatically for external users who are already part of Contoso's organization at the time the application is published or updated. Thus, it is best used with the planned invites approach, and depends on the app being published or updated after the users are added to Contoso's Azure AD. External users can always install the app using the app link.

Commenting and subscribing to content across organizations

As Contoso continues to work with its subcontractors or suppliers, the external Engineers need to work closely with Contoso's analysts. Power BI provides several collaboration features that help users communicate about content they can consume. Dashboard commenting (and soon Report commenting) allows users to discuss data points they see and communicate with report authors to ask questions.

Currently, external guest users can participate in comments by leaving comments and reading the replies. However, unlike internal users, guest users cannot be @mentioned and do not receive notifications that they've received a comment. Guest users cannot use the subscriptions feature within Power BI at the time of writing. In an upcoming release, those restrictions will be lifted and the Guest user will receive an email when a comment @mentions them, or when a subscription is delivered to their email that contains a link to the content in Power BI.

Access content in the Power BI mobile apps

In an upcoming release, when Contoso's users share reports or dashboards with their external Guest counterparts, Power BI will send an email notifying the Guest. When the guest user opens the link to the report or dashboard on their mobile device, the content will open in the native Power BI mobile apps on their device, if they're installed. The guest user will then be able to navigate between content shared with them in the external tenant and back to their own content in their home tenant.

Note

The guest user cannot open the Power BI mobile app and immediately navigate to the external tenant; they must start with a link to an item in the external tenant. Common workarounds are described in the Distributing links to content in the Parent organization's Power BI section later in this document.

Cross-organization editing and management of Power BI content

Contoso and its Suppliers and subcontractors work increasingly closely together. Often an analyst at the subcontractor needs additional metrics or data visualizations to be added to a report Contoso has shared with them. The data should reside in Contoso's Power BI tenant, but external users should be able to edit it, create new content, and even distribute it to appropriate individuals.

Power BI provides an option that enables external guest users to edit and manage content in the organization. By default, external users have a read-only, consumption-oriented experience. However, this new setting allows the Power BI admin to choose which external users can edit and manage content within their own organization. Once allowed, the external user can edit reports and dashboards, publish or update apps, work in workspaces, and connect to data they have permission to use.

This scenario is described in detail in the section Enabling external users to edit and manage content within Power BI later in this document.

Organizational relationships using Power BI and Azure AD B2B

When all the users of Power BI are internal to the organization, there is no need to use Azure AD B2B. However, once two or more organizations want to collaborate on data and insights, Power BI's support for Azure AD B2B makes it easy and cost effective to do so.

Below are typically encountered organizational structures that are well suited for Azure AD B2B style cross-organization collaboration in Power BI. Azure AD B2B works well in most cases, but in some situations the Common alternative approaches covered at the end of this document are worth considering.

Case 1: Direct collaboration between organizations

Contoso's relationship with its radiator supplier is an example of direct collaboration between organizations. Since there are relatively few users at Contoso and its supplier who need access to radiator reliability information, using Azure AD B2B based external sharing is ideal. It is easy to use and simple to administer. This is also a common pattern in consulting services where a consultant may need to build content for an organization.

Figure: Sharing between organizations

Typically, this sharing occurs initially using Ad hoc per item sharing. However, as teams grow or relationships deepen, the Planned per item sharing approach becomes the preferred method to reduce management overhead. Additionally, the Ad hoc or planned sharing of Power BI Apps, Commenting and subscribing to content across organizations, Access to content in the Power BI mobile apps, and Cross-organization editing and management of Power BI content scenarios can come into play as well. Importantly, if both organizations' users have Power BI Pro licenses in their respective organizations, they can use those Pro licenses in each other's Power BI environments. This provides advantageous licensing since the inviting organization may not need to pay for a Power BI Pro license for the external users. This is discussed in more detail in the Licensing section later in this document.

Case 2: Parent and its subsidiaries or affiliates

Some organization structures are more complex, including partially or wholly owned subsidiaries, affiliated companies, or managed service provider relationships. These organizations have a parent organization, such as a holding company, but the underlying organizations operate semi-autonomously, sometimes under different regional requirements. This leads to each organization having its own Azure AD environment and separate Power BI tenants.

Figure: Working with subsidiaries

In this structure, the parent organization typically needs to distribute standardized insights to its subsidiaries. Typically, this sharing occurs using the Ad hoc or planned sharing of Power BI Apps approach, as illustrated in the following image, since it allows distribution of standardized authoritative content to broad audiences. In practice, a combination of all the Scenarios mentioned earlier in this document is used.

Figure: Combined scenarios

This follows the following process:

  1. Users from each Subsidiary are invited to Contoso's Azure AD.
  2. Then the Power BI app is published to give these users access to the required data.
  3. Finally, the users open the app through a link they've been given to see the reports.

Several important challenges are faced by organizations in this structure:

  • How to distribute links to content in the Parent organization's Power BI
  • How to allow subsidiary users to access data sources hosted by the parent organization

Three approaches are commonly used to distribute links to the content. The first and most basic is to send the link to the app to the required users or to place it in a SharePoint Online site from which it can be opened. Users can then bookmark the link in their browsers for faster access to the data they need.

The second approach relies on the cross-organization editing and management of Power BI content capability. The Parent organization allows users from the subsidiaries to access its Power BI and controls what they can access through permissions. This gives access to Power BI Home, where the user from the subsidiary sees a comprehensive list of content shared with them in the Parent organization's tenant. Then the URL to the Parent organization's Power BI environment is given to the users at the subsidiaries.

The final approach uses a Power BI app created within the Power BI tenant of each subsidiary. The Power BI app includes a dashboard with tiles configured with the external link option. When the user presses the tile, they are taken to the appropriate report, dashboard, or app in the parent organization's Power BI. This approach has the added advantage that the app can be installed automatically for all users in the subsidiary and is available to them whenever they sign in to their own Power BI environment. An added advantage of this approach is that it works well with the Power BI mobile apps, which can open the link natively. You can also combine this with the second approach to enable easier switching between Power BI environments.

Allowing subsidiary users to access data sources hosted by the parent organization

Often analysts at a subsidiary need to create their own analytics using data supplied by the parent organization. In this case, cloud data sources are commonly used to address the challenge.

The first approach leverages Azure Analysis Services to build an enterprise grade data warehouse that serves the needs of Analysts across the parent and its subsidiaries, as shown in the following image. Contoso can host the data and use capabilities like row level security to ensure users in each subsidiary can access only their data. Analysts at each organization can access the data warehouse through Power BI Desktop and publish the resulting analytics to their respective Power BI tenants.

Figure: Sharing with Power BI tenants

The second approach leverages Azure SQL Database to build a relational data warehouse to provide access to data. This works similarly to the Azure Analysis Services approach, though some capabilities like row level security may be harder to deploy and maintain across subsidiaries.

More sophisticated approaches are also possible; however, the above are by far the most common.

Case 3: Shared environment across partners

Contoso may enter into a partnership with a competitor to jointly build a car on a shared assembly line, but to distribute the vehicle under different brands or in different regions. This requires extensive collaboration and co-ownership of data, intelligence, and analytics across organizations. This structure is also common in the consulting services industry, where a team of consultants may do project-based analytics for a client.

Figure: Shared environment across partners

In practice, these structures are complex, as shown in the following image, and require staff to maintain. To be effective, this structure relies on the cross-organization editing and management of Power BI content capability, since it allows organizations to reuse Power BI Pro licenses purchased for their respective Power BI tenants.

Figure: Licenses and shared organization content

To establish a shared Power BI tenant, an Azure Active Directory needs to be created and at least one Power BI Pro user account needs to be purchased for a user in that Active Directory. This user invites the required users to the shared organization. Importantly, in this scenario, Contoso's users are treated as external users when they operate within the Shared Organization's Power BI.

The process is as follows:

  1. The Shared Organization is established as a new Azure Active Directory and at least one user account is created in the new organization. That user should have a Power BI Pro license assigned to them.
  2. This user then establishes a Power BI tenant and invites the required users from Contoso and the Partner organization. The user also establishes any shared data assets like Azure Analysis Services. Contoso's and the Partner's users can access the shared organization's Power BI as guest users. If allowed to edit and manage content in Power BI, the external users can use Power BI Home, use workspaces, upload or edit content, and share reports. Typically, all shared assets are stored in and accessed from the shared organization.
  3. Depending on how the parties agree to collaborate, it is possible for each organization to develop their own proprietary data and analytics using the shared data warehouse assets. They can distribute those to their respective internal users using their internal Power BI tenants.

Case 4: Distribution to hundreds or thousands of external partners

While Contoso created a radiator reliability report for one Supplier, now Contoso desires to create a set of standardized reports for hundreds of Suppliers. This allows Contoso to ensure all suppliers have the analytics they need to make improvements or to fix manufacturing defects.

Figure: Distributing to multiple partners

When an organization needs to distribute standardized data and insights to many external users/organizations, they can use the Ad hoc or planned sharing of Power BI Apps scenario to build a BI Portal quickly and without extensive development costs. The process to build such a portal using a Power BI app is covered in the Case Study: Building a BI Portal using Power BI + Azure AD B2B – Step-by-Step instructions section later in this document.

A common variant of this case is when an organization is attempting to share insights with consumers, especially when looking to use Azure B2C with Power BI. Power BI does not natively support Azure B2C. If you're evaluating options for this case, consider using Alternative Option 2 in the Common alternative approaches section later in this document.

Case Study: Building a BI Portal using Power BI + Azure AD B2B – Step-by-Step instructions

Power BI's integration with Azure AD B2B gives Contoso a seamless, hassle-free way to provide guest users with secure access to its BI portal. Contoso can set this up with three steps:

Figure: Building the portal

  1. Create BI portal in Power BI

    The first task for Contoso is to create their BI portal in Power BI. Contoso's BI portal will consist of a collection of purpose-built dashboards and reports that will be made available to many internal and guest users. The recommended way for doing this in Power BI is to build a Power BI app. Learn more about apps in Power BI.

  • Contoso's BI team creates an App workspace in Power BI

    Figure: App workspace

  • Other authors are added to the workspace

    Figure: Adding authors

  • Content is created inside the workspace

    Figure: Creating content in the workspace

    Now that the content is created in an app workspace, Contoso is ready to invite guest users in partner organizations to consume this content.

  1. 邀请来宾用户Invite Guest Users

    Contoso 可以通过两种方式将来宾用户邀请到 Power BI 中的 BI 门户:There are two ways for Contoso to invite guest users to its BI portal in Power BI:

    • 计划的邀请Planned Invites
    • 即席邀请Ad hoc Invites

    计划的邀请Planned Invites

    在此方法中, Contoso 提前邀请来宾用户的 Azure AD, 然后将 Power BI 内容分发给他们。In this approach, Contoso invites the guest users to its Azure AD ahead of time and then distributes Power BI content to them. Contoso 可以从 Azure 门户或使用 PowerShell 邀请来宾用户。Contoso can invite guest users from the Azure portal or using PowerShell. 下面是从 Azure 门户邀请来宾用户的步骤:Here are the steps to invite guest users from the Azure portal:

    • Contoso 的 Azure AD 管理员导航到Azure 门户 > Azure Active Directory > 用户和组 > 所有用户 > 新的来宾用户Contoso's Azure AD administrator navigates to Azure portal > Azure Active Directory > Users and groups > All users > New guest user

    来宾用户

    • 添加来宾用户的邀请消息, 并单击 "邀请"Add an invitation message for the guest users and click Invite

    添加邀请

    备注

    若要从 Azure 门户邀请来宾用户, 你需要拥有租户 Azure Active Directory 的管理员。To invite guest users from the Azure portal, you need to an administrator for the Azure Active Directory of your tenant.

    如果 Contoso 想邀请多个来宾用户, 可以使用 PowerShell 来完成。If Contoso wants to invite many guest users, they can do so using PowerShell. Contoso 的 Azure AD 管理员在 CSV 文件中存储所有来宾用户的电子邮件地址。Contoso's Azure AD administrator stores the email addresses of all the guest users in a CSV file. 下面是AZURE ACTIVE DIRECTORY B2B 协作代码和 PowerShell 示例和说明。Here are Azure Active Directory B2B collaboration code and PowerShell samples and instructions.
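    As an added example (not the whitepaper's own script and not Microsoft's sample code), the following PowerShell reads the guest list from a CSV and issues the planned invitations with the AzureAD module, then adds each guest to a security group so that app access and RLS role membership are in place before the content is shared. The CSV path and layout, the app link used as the redirect URL, the group name and the invitation message are assumptions.

```powershell
# Added example: bulk planned invites for Azure AD B2B guests (assumed inputs, not the whitepaper's script).
# Requires the AzureAD PowerShell module and an account allowed to invite guests (see the note above).
# Assumed CSV layout (constructed sample):
#   Email,DisplayName
#   lucy@supplier1.com,Lucy (Supplier1)
#   adam@themeasuredproduct.com,Adam (The Measured Product)

param(
    [string]$CsvPath   = '.\guests.csv',                                   # assumption
    [string]$AppLink   = 'https://app.powerbi.com/Redirect?action=OpenApp&appId=<APP-ID-PLACEHOLDER>&ctid=<TENANT-ID-PLACEHOLDER>',  # placeholder
    [string]$GroupName = 'PBI-Suppliers-Europe'                            # assumption: group on the app access list / RLS role
)

Connect-AzureAD | Out-Null

# Resolve the Azure AD security group that the BI team puts on the app access list and in the RLS role.
$group = Get-AzureADGroup -Filter "DisplayName eq '$GroupName'" | Select-Object -First 1
if (-not $group) { throw "Security group '$GroupName' not found" }

# Invitation e-mail text shown to the guest (assumed wording).
$msg = New-Object -TypeName Microsoft.Open.MSGraph.Model.InvitedUserMessageInfo
$msg.CustomizedMessageBody = 'Contoso has shared its supplier BI portal with you.'

$guests  = Import-Csv -Path $CsvPath
$results = foreach ($g in $guests) {
    try {
        # Reject rows that are not a plausible e-mail address before calling the API.
        if ($g.Email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { throw "invalid e-mail '$($g.Email)'" }

        # Planned invite: the guest is created in Contoso's directory ahead of sharing.
        $inv = New-AzureADMSInvitation `
            -InvitedUserEmailAddress $g.Email `
            -InvitedUserDisplayName  $g.DisplayName `
            -InviteRedirectUrl       $AppLink `
            -SendInvitationMessage   $true `
            -InvitedUserMessageInfo  $msg

        # Add the guest to the group now, so RLS and app permissions apply as soon as the invite is accepted.
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $inv.InvitedUser.Id

        [pscustomobject]@{ Email = $g.Email; Status = $inv.Status; GuestObjectId = $inv.InvitedUser.Id; Error = $null }
    } catch {
        [pscustomobject]@{ Email = $g.Email; Status = 'Failed'; GuestObjectId = $null; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
# Keep a record of who was invited and when, for later review.
$results | Export-Csv -Path ".\invite-results-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation
```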

    After the invitation, guest users receive an email with the invitation link.

    (Image: Invitation link)

    Once the guest users click the link, they can access content in the Contoso Azure AD tenant.

    Note

    It is possible to change the layout of the invitation email using the Azure AD branding feature as described here.

    Ad hoc Invites

    What if Contoso does not know all the guest users it wants to invite ahead of time? Or, what if the analyst in Contoso who created the BI portal wants to distribute content to guest users herself? We also support this scenario in Power BI with ad hoc invites.

    The analyst can simply add the external users to the access list of the app when publishing it. The guest users get an invite and, once they accept it, they are automatically redirected to the Power BI content.

    (Image: Add external users)

    Note

    Invites are needed only the first time an external user is invited to your organization.

  3. Distribute Content

    Now that Contoso's BI team has created the BI portal and invited guest users, they can distribute their portal to their end users by giving guest users access to the app and publishing it. Power BI auto-completes names of guest users who have been previously added to the Contoso tenant. Ad hoc invitations to other guest users can also be added at this point.

    Note

    If using security groups to manage access to the app for external users, use the Planned Invites approach and share the app link directly with each external user who must access it. Otherwise, the external user may not be able to install or view content from within the app.

    Guest users get an email with a link to the app.

    (Image: Email invitation link)

    On clicking this link, guest users are asked to authenticate with their own organization's identity.

    (Image: Sign-in page)

    Once they are successfully authenticated, they are redirected to Contoso's BI app.

    (Image: View shared content)

    Guest users can subsequently get to Contoso's app by clicking the link in the email or bookmarking the link. Contoso can also make it easier for guest users by adding this link to any existing extranet portal that the guest users already use.

  Next steps

    Using a Power BI app and Azure AD B2B, Contoso was able to quickly create a BI Portal for its suppliers in a no-code way. This greatly simplified distributing standardized analytics to all the suppliers who needed it.

    While the example showed how a single common report could be distributed among suppliers, Power BI can go much further. To ensure each partner sees only data relevant to themselves, Row Level Security can be added easily to the report and data model. The Data security for external partners section later in this document describes this process in detail.

    Often individual reports and dashboards need to be embedded into an existing portal. This can also be accomplished by reusing many of the techniques shown in the example. However, in those situations it may be easier to embed reports or dashboards directly from a workspace. The process for inviting users and assigning security permissions to the required users remains the same.

Under the hood: How is Lucy from Supplier1 able to access Power BI content from Contoso's tenant?

Now that we have seen how Contoso is able to seamlessly distribute Power BI content to guest users in partner organizations, let's look at how this works under the hood.

When Contoso invites lucy@supplier1.com to its directory, Azure AD creates a link between lucy@supplier1.com and the Contoso Azure AD tenant. This link lets Azure AD know that lucy@supplier1.com can access content in the Contoso tenant.

When Lucy tries to access Contoso's Power BI app, Azure AD verifies that Lucy can access the Contoso tenant and then provides Power BI a token that indicates that Lucy is authenticated to access content in the Contoso tenant. Power BI uses this token to authorize and ensure that Lucy has access to Contoso's Power BI app.

(Image: Verification and authorization)

Power BI's integration with Azure AD B2B works with all business email addresses. If the user does not have an Azure AD identity, they may be prompted to create one. The following image shows the detailed flow:

(Image: Integration flow diagram)

It is important to recognize that the Azure AD account is used or created in the external party's Azure AD. This lets Lucy use their own username and password, and, when their organization also uses Azure AD, their credentials automatically stop working in other tenants whenever Lucy leaves the company.

Licensing

Contoso can choose one of three approaches to license guest users from its suppliers and partner organizations to have access to Power BI content.

Note

Azure AD B2B's free tier is enough to use Power BI with Azure AD B2B. Some advanced Azure AD B2B features like dynamic groups require additional licensing. Please refer to the Azure AD B2B documentation for additional information: https://docs.microsoft.com/azure/active-directory/b2b/licensing-guidance

Approach 1: Contoso uses Power BI Premium

With this approach, Contoso purchases Power BI Premium capacity and assigns its BI portal content to this capacity. This allows guest users from partner organizations to access Contoso's Power BI app without any Power BI license.

External users are also subject to the consumption-only experiences offered to "Free" users in Power BI when consuming content within Power BI Premium.

Contoso can also take advantage of other Power BI Premium capabilities for its apps like increased refresh rates, dedicated capacity, and large model sizes.

(Image: Additional capabilities)

Approach 2: Contoso assigns Power BI Pro licenses to guest users

With this approach, Contoso assigns Pro licenses to guest users from partner organizations – this can be done from Contoso's Microsoft 365 admin center. This allows guest users from partner organizations to access Contoso's Power BI app without purchasing a license themselves. This can be appropriate for sharing with external users whose organization has not adopted Power BI yet.

Note

Contoso's Pro license applies to guest users only when they access content in the Contoso tenant. Pro licenses enable access to content that is not in a Power BI Premium capacity. However, external users with a Pro license are restricted by default to a consumption-only experience. This can be changed by using the approach described in the Enabling external users to edit and manage content within Power BI section later in this document.

(Image: License information)

Approach 3: Guest users bring their own Power BI Pro license

With this approach, Supplier 1 assigns a Power BI Pro license to Lucy. They can then access Contoso's Power BI app with this license. Since Lucy can use their Pro license from their own organization when accessing an external Power BI environment, this approach is sometimes referred to as bring your own license (BYOL). If both organizations are using Power BI, this offers advantageous licensing for the overall analytics solution and minimizes the overhead of assigning licenses to external users.

Note

The Pro license given to Lucy by Supplier 1 applies to any Power BI tenant where Lucy is a guest user. Pro licenses enable access to content that is not in a Power BI Premium capacity. However, external users with a Pro license are restricted by default to a consumption-only experience. This can be changed by using the approach described in the Enabling external users to edit and manage content within Power BI section later in this document.

(Image: Pro license requirement)

Data security for external partners

Commonly, when working with multiple external suppliers, Contoso needs to ensure that each supplier sees data only about its own products. User-based security and dynamic row level security make this easy to accomplish with Power BI.

User-based security

One of the most powerful features of Power BI is Row Level Security. This feature allows Contoso to create a single report and dataset but still apply different security rules for each user. For an in-depth explanation, see Row-level security (RLS).

Power BI's integration with Azure AD B2B allows Contoso to assign Row Level Security rules to guest users as soon as they are invited to the Contoso tenant. As we have seen before, Contoso can add guest users through either planned or ad hoc invites. If Contoso wants to enforce row level security, it is strongly recommended to use planned invites to add the guest users ahead of time and assign them to the security roles before sharing the content. If Contoso instead uses ad hoc invites, there might be a short period of time where the guest users will not be able to see any data.

Note

This delay in accessing data protected by RLS when using ad hoc invites can lead to support requests to your IT team, because users will see either blank or broken-looking reports/dashboards when opening a sharing link in the email they receive. Therefore, it is strongly recommended to use planned invites in this scenario.

Let's walk through this with an example.

As mentioned before, Contoso has suppliers around the globe, and they want to make sure that the users from their supplier organizations get insights from data from just their territory. But users from Contoso can access all the data. Instead of creating several different reports, Contoso creates a single report and filters the data based on the user viewing it.

(Image: Shared content)

To make sure Contoso can filter data based on who is connecting, two roles are created in Power BI Desktop. One to filter all the data from the SalesTerritory "Europe" and another for "North America".

(Image: Manage roles)

Whenever roles are defined in the report, a user must be assigned to a specific role for them to get access to any data. The assignment of roles happens inside the Power BI service (Datasets > Security).

(Image: Set up security)

This opens a page where Contoso's BI team can see the two roles they created. Now Contoso's BI team can assign users to the roles.

(Image: Row level security)

In the example, Contoso is adding a user in a partner organization with email address "adam@themeasuredproduct.com" to the Europe role:

(Image: Row level security settings)

When this gets resolved by Azure AD, Contoso can see the name show up in the window, ready to be added:

(Image: Display role)

Now when this user opens the app that was shared with them, they only see a report with data from Europe:

(Image: View content)

Dynamic row level security

Another interesting topic is to see how dynamic row level security (RLS) works with Azure AD B2B.

In short, dynamic row level security works by filtering data in the model based on the username of the person connecting to Power BI. Instead of adding multiple roles for groups of users, you define the users in the model. We won't describe the pattern in detail here. Kasper de Jonge offers a detailed write-up on all the flavors of row level security in the Power BI Desktop Dynamic security cheat sheet and in this whitepaper.

Let's look at a small example - Contoso has a simple report on sales by groups:

(Image: Sample content)

Now this report needs to be shared with two guest users and an internal user - the internal user can see everything, but the guest users can only see the groups they have access to. This means we must filter the data only for the guest users. To filter the data appropriately, Contoso uses the dynamic RLS pattern as described in the whitepaper and blog post. This means Contoso adds the usernames to the data itself:

(Image: RLS users added to the data itself)

Then, Contoso creates the right data model that filters the data appropriately with the right relationships:

(Image: Data model)

To filter the data automatically based on who is logged in, Contoso needs to create a role that passes in the user who is connecting. In this case, Contoso creates two roles – the first is the "SecurityRole" that filters the Users table with the current username of the user logged in to Power BI (this works even for Azure AD B2B guest users).

(Image: Manage roles)

Contoso also creates another "AllRole" for its internal users who can see everything – this role does not have any security predicate.

After uploading the Power BI Desktop file to the service, Contoso can assign guest users to the "SecurityRole" and internal users to the "AllRole".

Now, when the guest users open the report, they only see sales from group A:

(Image: Only group A)

In the matrix to the right you can see that the USERNAME() and USERPRINCIPALNAME() functions both return the guest user's email address.

Now the internal user gets to see all the data:

(Image: All data shown)

As you can see, dynamic RLS works with both internal and guest users.

Note

This scenario also works when using a model in Azure Analysis Services. Usually your Azure Analysis Services instance is connected to the same Azure AD as your Power BI - in that case, Azure Analysis Services also knows the guest users invited through Azure AD B2B.

Connecting to on-premises data sources

Power BI offers Contoso the capability to use on-premises data sources like SQL Server Analysis Services or SQL Server directly, thanks to the On-premises data gateway. It is even possible to sign on to those data sources with the same credentials as used with Power BI.

Note

When installing a gateway to connect to your Power BI tenant, you must use a user created within your tenant. External users cannot install a gateway and connect it to your tenant.

For external users, this might be more complicated, as the external users are usually not known to the on-premises AD. Power BI offers a workaround for this by allowing Contoso administrators to map the external usernames to internal usernames, as described in Manage your data source - Analysis Services. For example, lucy@supplier1.com can be mapped to lucy_supplier1_com#EXT@contoso.com.

(Image: Map user names)

This method is fine if Contoso only has a handful of users or if Contoso can map all the external users to a single internal account. For more complex scenarios where each user needs their own credentials, there is a more advanced approach that uses custom AD attributes to do the mapping, as described in Manage your data source - Analysis Services. This would allow the Contoso administrator to define a mapping for every user in your Azure AD (including external B2B users). These attributes can be set through the AD object model using scripts or code, so Contoso can fully automate the mapping on invite or on a scheduled cadence.

Enabling external users to edit and manage content within Power BI

Contoso can allow external users to contribute content within the organization, as described earlier in the cross-organization editing and management of Power BI content section.

Note

To edit and manage content within your organization's Power BI, the user must have a Power BI Pro license in a workspace other than My workspace. Users can obtain Pro licenses as covered in the Licensing section of this document.

The Power BI Admin Portal provides the Allow external guest users to edit and manage content in the organization setting in Tenant settings. By default, the setting is set to disabled, meaning external users get a constrained read-only experience by default. The setting applies to users with UserType set to Guest in Azure AD. The table below describes the behaviors users experience depending on their UserType and how the setting is configured.

| User Type in Azure AD | Allow external guest users to edit and manage content setting | Behavior |
| --- | --- | --- |
| Guest | Disabled for the user (Default) | Per-item, consumption-only view. Allows read-only access to reports, dashboards, and apps when viewed through a URL sent to the guest user. Power BI Mobile apps provide a read-only view to the guest user. |
| Guest | Enabled for the user | The external user gets access to the full Power BI experience, though some features are not available to them. The external user must log in to Power BI using the Power BI service URL with the tenant information included. The user gets the Home experience, a My Workspace, and based on permissions can browse, view, and create content. Power BI Mobile apps provide a read-only view to the guest user. |

Note

External users in Azure AD can also be set to UserType Member. This is not currently supported in Power BI.

In the Power BI Admin portal, the setting is shown in the following image.

(Image: Admin settings)

Guest users get the read-only experience by default; this setting controls which of them can edit and manage content. The default is Disabled, meaning all guest users have the read-only experience. The Power BI Admin can either enable the setting for all guest users in the organization or for specific security groups defined in Azure AD. In the following image, the Contoso Power BI Admin created a security group in Azure AD to manage which external users can edit and manage content in the Contoso tenant.

To help these users log in to Power BI, provide them with the Tenant URL. To find the tenant URL, follow these steps.

  1. In the Power BI service, in the top menu, select Help (?), then About Power BI.

  2. Look for the value next to Tenant URL. This is the tenant URL you can share with your guest users.

    (Image: Tenant URL)

When using the Allow external guest users to edit and manage content in the organization setting, the specified guest users get access to your organization's Power BI and see any content to which they have permission. They can access Home, browse and contribute content to workspaces, install apps where they are on the access list, and have a My workspace. They can create or be an Admin of workspaces that use the new workspace experience.

Note

When using this option, make sure to review the Governance section of this document, since default Azure AD settings prevent guest users from using certain features like people pickers, which can lead to a reduced experience.

For guest users enabled through the Allow external guest users to edit and manage content in the organization tenant setting, some experiences are not available to them. To update or publish reports, guest users need to use the Power BI service web UI, including Get Data to upload Power BI Desktop files. The following experiences are not supported:

  • Direct publishing from Power BI Desktop to the Power BI service
  • Guest users cannot use Power BI Desktop to connect to service datasets in the Power BI service
  • Classic workspaces tied to Office 365 Groups: guest users cannot create or be Admins of these workspaces. They can be members.
  • Sending ad hoc invites is not supported for workspace access lists
  • Power BI Publisher for Excel is not supported for guest users
  • Guest users cannot install a Power BI Gateway and connect it to your organization
  • Guest users cannot install apps published to the entire organization
  • Guest users cannot use, create, update, or install organizational content packs
  • Guest users cannot use Analyze in Excel
  • Guest users cannot be @mentioned in commenting (this functionality will be added in an upcoming release)
  • Guest users cannot use subscriptions (this functionality will be added in an upcoming release)
  • Guest users who use this capability should have a work or school account. Guest users using personal accounts experience more limitations due to sign-in restrictions.

Governance

When using Azure AD B2B sharing, the Azure Active Directory administrator controls aspects of the external user's experience. These are controlled on the External collaboration settings page within the Azure Active Directory settings for your tenant.

Details on the settings are available here:

https://docs.microsoft.com/azure/active-directory/b2b/delegate-invitations

Note

By default, the Guest users permissions are limited option is set to Yes, so guest users within Power BI have limited experiences, especially around sharing, where people picker UIs do not work for those users. It is important to work with your Azure AD administrator to set it to No, as shown below, to ensure a good experience.

(Image: External collaboration settings)

Control guest invites

Power BI administrators can control external sharing just for Power BI by visiting the Power BI admin portal. But tenant administrators can also control external sharing with various Azure AD policies. These policies allow tenant administrators to:

  • Turn off invitations by end users
  • Only admins and users in the Guest Inviter role can invite
  • Admins, the Guest Inviter role, and members can invite
  • All users, including guests, can invite

You can read more about these policies in Delegate invitations for Azure Active Directory B2B collaboration.

All Power BI actions by external users are also audited in our auditing portal.
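As an added example of reviewing that audit trail (not part of the whitepaper, and not a Microsoft sample), the following PowerShell pulls recent Power BI events from the Microsoft 365 unified audit log with the ExchangeOnlineManagement module and keeps only those performed by B2B guest accounts. The guest UPN marker, the AuditData field names and the output path are assumptions about the audit log schema rather than values taken from this document.

```powershell
# Added example: list Power BI activity performed by Azure AD B2B guests in the inviting tenant.
# Requires the ExchangeOnlineManagement module and an account permitted to search the unified audit log.
# Assumptions: guest UPNs contain the '#EXT' marker; Power BI AuditData records expose Activity,
# ItemName and WorkSpaceName fields. Adjust if your tenant's records differ.

param(
    [int]$Days = 7,
    [string]$OutPath = '.\guest-powerbi-activity.csv'   # assumption
)

Connect-ExchangeOnline -ShowBanner:$false

$start = (Get-Date).AddDays(-$Days)
$end   = Get-Date

# Page through the results: each call with the same SessionId returns the next page until nothing is left.
$events = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType PowerBIAudit `
        -SessionId 'pbi-guest-review' -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $events += $page }
} while ($page)

# Guest accounts carry the '#EXT' marker in their user principal name inside the inviting tenant.
$guestEvents = $events | Where-Object { $_.UserIds -like '*#EXT*' } | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        Guest     = $_.UserIds
        Operation = $_.Operations
        Activity  = $d.Activity
        Item      = $d.ItemName
        Workspace = $d.WorkSpaceName
    }
}

# Summary per guest and operation; exports, sharing and dataset access by guests are worth a closer look.
$guestEvents | Group-Object Guest, Operation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full detail for the security team's records.
$guestEvents | Export-Csv -Path $OutPath -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```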

来宾用户的条件性访问策略Conditional Access policies for guest users

Contoso 可以为访问 Contoso 租户内容的来宾用户强制实施条件性访问策略。Contoso can enforce conditional access policies for guest users who access content from the Contoso tenant. 可在B2B 协作用户的条件访问中找到详细说明。You can find detailed instructions in Conditional access for B2B collaboration users.

常见备选方法Common alternative approaches

虽然 Azure AD B2B 使你可以轻松地跨组织共享数据和报告, 但在某些情况下, 也可以使用多种其他方法。While Azure AD B2B makes it easy to share data and reports across organizations, there are several other approaches that are commonly used and may be superior in certain cases.

Alternative Option 1: Create duplicate identities for partner users

With this option, Contoso has to manually create a duplicate identity for each partner user in the Contoso tenant, as shown in the following image. Then, within Power BI, Contoso can share the appropriate reports, dashboards, or apps with those assigned identities.

(Figure: set up the appropriate mapping and names)

Reasons to choose this alternative:

  • Since the user's identity is controlled by your organization, related services such as email, SharePoint, and so on are also within your organization's control. Your IT administrators can reset passwords, disable access to accounts, or audit activity in these services.
  • Users who use personal accounts for their business are often restricted from accessing certain services, so they may need an organizational account.
  • Some services only work for your organization's own users. For example, using Intune to manage content on the personal or mobile devices of external users who come in through Azure B2B may not be possible.

Reasons not to choose this alternative:

  • Users from partner organizations must remember two sets of credentials: one to access content from their own organization and another to access content from Contoso. This is a hassle for these guest users, and many of them are confused by the experience.
  • Contoso must purchase and assign per-user licenses to these users. If a user needs to receive email or use Office applications, they need the appropriate licenses, including Power BI Pro to edit and share content in Power BI.
  • Contoso might want to enforce more stringent authorization and governance policies for external users than for internal users. To achieve this, Contoso needs to create an in-house nomenclature for external users, and all Contoso users need to be educated about that nomenclature.
  • When a user leaves their own organization, they continue to have access to Contoso's resources until a Contoso admin manually deletes their account.
  • Contoso admins have to manage the guest's identity, including creation, password resets, and so on.

Alternative Option 2: Create a custom Power BI Embedded application using custom authentication

Another option for Contoso is to build its own custom embedded Power BI application with custom authentication ('App owns data'). While many organizations do not have the time or resources to create a custom application to distribute Power BI content to their external partners, for some organizations this is the best approach and deserves serious consideration.

Often, organizations have existing partner portals that centralize access to all organizational resources for partners, provide isolation from internal organizational resources, and provide streamlined experiences that scale to many partners and their individual users.

(Figure: many partner portals)

In the example above, users from each supplier log in to Contoso's partner portal, which uses AAD as an identity provider. It could use AAD B2B, Azure B2C, native identities, or federate with any number of other identity providers. The user would log in and access a partner portal built using Azure Web App or similar infrastructure.

Within the web app, Power BI reports are embedded from a Power BI Embedded deployment. The web app would streamline access to the reports and any related services in a cohesive experience aimed at making it easy for suppliers to interact with Contoso. This portal environment would be isolated from Contoso's internal AAD and Contoso's internal Power BI environment to ensure suppliers could not access those resources. Typically, data would be stored in a separate partner data warehouse to ensure isolation of data as well. This isolation has benefits: it limits the number of external users with direct access to your organization's data, limits what data could potentially be exposed to an external user, and limits accidental sharing with external users.

Using Power BI Embedded, the portal can take advantage of favorable licensing, using an app token or a master user plus Premium capacity purchased in Azure, which removes the concern of assigning licenses to end users and can scale up or down based on expected usage. The portal can offer an overall higher-quality and more consistent experience, since partners access a single portal designed with all of a partner's needs in mind. Lastly, since Power BI Embedded based solutions are typically designed to be multi-tenant, it is easier to ensure isolation between partner organizations.

Reasons to choose this alternative:

  • Easier to manage as the number of partner organizations grows. Since partners are added to a separate directory isolated from Contoso's internal AAD directory, it simplifies IT's governance duties and helps prevent accidental sharing of internal data with external users.
  • Typical partner portals are highly branded, offer a consistent experience across partners, and are streamlined to meet the needs of typical partners. Contoso can therefore offer a better overall experience to partners by integrating all required services into a single portal.
  • Licensing costs for advanced scenarios, such as editing content within Power BI Embedded, are covered by the Power BI Premium capacity purchased through Azure, and do not require assigning Power BI Pro licenses to those users.
  • Provides better isolation across partners if architected as a multi-tenant solution.
  • The partner portal often includes other tools for partners beyond Power BI reports, dashboards, and apps.

Reasons not to choose this alternative:

  • Significant effort is required to build, operate, and maintain such a portal, making it a significant investment in resources and time.
  • Time to solution is much longer than with B2B sharing, since careful planning and execution across multiple workstreams is required.
  • Where there are a smaller number of partners, the effort required for this alternative is likely too high to justify.
  • Collaboration with ad-hoc sharing is the primary scenario your organization faces.
  • The reports and dashboards are different for each partner, so this alternative introduces management overhead beyond simply sharing directly with partners.

FAQ

Can Contoso send an invitation that is automatically redeemed, so that the user is just "ready to go"? Or does the user always have to click through to the redemption URL?

The end user must always click through the consent experience before they can access content.

If you will be inviting many guest users, we recommend that you delegate this from your core Azure AD admins by adding a user to the Guest Inviter role in the resource organization. This user can then invite other users in the partner organization by using the sign-in UI, PowerShell scripts, or APIs. This reduces the administrative burden on your Azure AD admins to invite or resend invites to users at the partner organization.
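The delegated bulk invitation described above, as an added example that is not part of the whitepaper or of any Microsoft sample: it uses the Microsoft Graph PowerShell SDK (the Microsoft.Graph module) and is meant to be run by the account that holds the Guest Inviter role rather than by a Global Administrator. The partner user list, email addresses and the customized message are constructed for illustration; in practice they would be read from a CSV supplied by the partner organization.

```powershell
# Added example: bulk-invite partner users as Azure AD B2B guests with the least privilege needed.
# Assumes the Microsoft.Graph module is installed and the signed-in account holds the Guest Inviter role.
# User.Invite.All is the delegated scope that covers creating invitations and nothing more.
Connect-MgGraph -Scopes "User.Invite.All"

# Constructed sample input; normally read with Import-Csv from the partner's user list.
$partnerUsers = @(
    @{ Email = "alice@fabrikam.example";  DisplayName = "Alice (Fabrikam)"  },
    @{ Email = "bob@woodgrove.example";   DisplayName = "Bob (Woodgrove)"   }
)

# Guests land here after redeeming the invitation. Redemption does not bypass consent:
# each guest still has to click through the consent experience before opening shared content.
$redirectUrl = "https://app.powerbi.com"

$results = foreach ($p in $partnerUsers) {
    try {
        $inv = New-MgInvitation `
            -InvitedUserEmailAddress $p.Email `
            -InvitedUserDisplayName  $p.DisplayName `
            -InviteRedirectUrl       $redirectUrl `
            -SendInvitationMessage `
            -InvitedUserMessageInfo  @{ CustomizedMessageBody = "Contoso has shared Power BI content with you." }

        [pscustomobject]@{
            Email         = $p.Email
            Status        = $inv.Status           # "PendingAcceptance" until the guest redeems it
            GuestObjectId = $inv.InvitedUser.Id   # the guest object created in the Contoso tenant
            InvitedAt     = (Get-Date).ToString("o")
        }
    }
    catch {
        # Record failures instead of stopping, so one bad address does not abort the batch.
        [pscustomobject]@{
            Email         = $p.Email
            Status        = "Error: $($_.Exception.Message)"
            GuestObjectId = $null
            InvitedAt     = (Get-Date).ToString("o")
        }
    }
}

# Keep the output: it is the inventory of guest objects you will need for access reviews and for
# removing the guest when the partner user leaves their organization (see Alternative Option 1).
$results | Export-Csv -Path ".\guest-invitations-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$results | Format-Table -AutoSize
```

The script records the guest object id for every invitation because the whitepaper's own caveat about departing partner users applies equally to B2B guests: someone in Contoso still has to remove or review the guest object, and the CSV produced here is the list that review starts from.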

Can Contoso force multi-factor authentication for guest users if its partners don't have multi-factor authentication?

Yes. For more information, see Conditional access for B2B collaboration users.
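One way to apply that Conditional Access answer, as an added example that is not from the whitepaper or from Microsoft's documentation: the policy below requires MFA for all guest and external users and is created in report-only mode so its effect can be checked in the sign-in logs before it is enforced. It assumes the Microsoft.Graph module, an account allowed to write Conditional Access policies, and that you substitute your own break-glass account object id for the placeholder; the policy name is made up.

```powershell
# Added example: Conditional Access policy requiring MFA for B2B guests, created in report-only mode.
# Assumes the Microsoft.Graph module and a Conditional Access administrator account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: replace with the object id of your emergency-access (break-glass) account so that
# a misconfigured policy can never lock every administrator out of the tenant.
$breakGlassAccountId = "<object-id-of-your-break-glass-account>"

$excludeUsers = @()
if ($breakGlassAccountId -notmatch '^<') {
    $excludeUsers = @($breakGlassAccountId)
}
else {
    Write-Warning "No break-glass account excluded yet; add one before switching the policy to 'enabled'."
}

$conditions = @{
    Users = @{
        # Scope the policy to B2B guests and external users only; internal users are covered by
        # the organization's existing policies. (Legacy string form of the guest selector.)
        IncludeUsers = @("GuestsOrExternalUsers")
        ExcludeUsers = $excludeUsers
    }
    Applications = @{
        # "All" cloud apps. Narrow this to the Power BI service if only Power BI access is in scope.
        IncludeApplications = @("All")
    }
}

$grantControls = @{
    Operator        = "OR"
    BuiltInControls = @("mfa")   # the guest registers MFA in the resource (Contoso) tenant on first sign-in
}

$policy = New-MgIdentityConditionalAccessPolicy `
    -DisplayName   "Require MFA for guest and external users (Power BI B2B)" `
    -State         "enabledForReportingButNotEnforced" `   # report-only first; change to "enabled" after review
    -Conditions    $conditions `
    -GrantControls $grantControls

# Read the policy back so the state and scope can be confirmed in the change record.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object Id, DisplayName, State
```

Starting in report-only mode matters for the federation case raised in the next question: guests coming from a partner tenant that already performs its own MFA will be prompted again by Contoso's policy, and the report-only sign-in log entries show how many partner users that affects before anyone is blocked.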

How does B2B collaboration work when the invited partner is using federation to add their own on-premises authentication?

If the partner has an Azure AD tenant that is federated to their on-premises authentication infrastructure, on-premises single sign-on (SSO) is achieved automatically. If the partner doesn't have an Azure AD tenant, an Azure AD account may be created for new users.

Can I invite guest users with consumer email accounts?

Inviting guest users with consumer email accounts is supported in Power BI. This includes domains such as hotmail.com, outlook.com and gmail.com. However, those users may experience limitations beyond what users with work or school accounts encounter.