Today, we’re excited to announce that Power BI is making it easier for Azure AD B2B Guest users to collaborate with colleagues across organizational boundaries. Rolling out to production this week is a new capability that allows external Guest users to edit and manage content in workspaces, get the full home experience, and to do many content administration tasks.
This capability will enable more organizational relationships to work well with Power BI. If you are a contractor who needs to build some content for a customer in their Power BI tenant, a subsidiary trying to get standard insights from a parent organization, or two organizations in collaborative partnership, the new capability makes it easy and cost effective to work collaboratively across organizations with Power BI.
At the same time, we have also updated the Using Azure AD B2B with Power BI whitepaper to go into details, including many new best practices to help you get the most from your Power BI environment.
New tenant admin setting
The Power BI Admin Portal provides the allow external guest users to edit and manage content in the organization setting in Tenant settings. By default, the setting is set to disabled, meaning external users get a constrained read-only experience which they have received since we shipped the initial Azure AD B2B integration in November 2017. The setting applies to users with UserType set to Guest in Azure AD.
However, this new setting allows the Power BI admin to choose which external users can edit and manage content within the organization. Once allowed, the external user can edit reports, dashboards, publish or update apps, work in workspaces, and connect to data they have permission to use.
To edit and manage content within your organization’s Power BI, the user must have a Power BI Pro license in a workspace other than My workspace. User can ‘bring their own license’ (BYOL) from their home tenant, or you can assign a Pro license to the Guest user directly in your tenant. The benefit of the BYOL approach is that if a user has a Pro license in their home tenant, they can use that license in any eternal tenant they are invited to.
These users can also view content that is shared with them from a workspaces in a Power BI Premium capacity.
Allowing Guest users to login to your Power BI
To help these users to login to Power BI, provide them with the Tenant URL. To find the tenant URL, follow these steps.
- In the Power BI service, in the top menu, select help (?) then About Power BI.
- Look for the value next to Tenant URL. This is the tenant URL you can share with your guest users.
You should ask that Guest users to add your organization’s URL in their Browser favorites. If you need to distribute the link to many users, you can use a custom URL in a dashboard tile to open the external Power BI tenant in a new window. The whitepaper mentioned in this blog provides more details on how this is best done.
If you share this URL with Guest users who are not allowed to edit and manage content, they will continue to get the constrained experiences they’re already familiar with. It is best to continue sending those users direct URLs to reports, dashboards, and apps.
What can guest users do and what can’t they do in your organization’s Power BI
When using the Allow external guest users to edit and manage content in the organization, the specified guest users get access to your organization’s Power BI and see any content to which they have permission. They can access Home, browse and contribute content to workspaces, install apps where they are on the access list, and have a My workspace. They can create or be an Admin of workspaces that use the new workspace experience. Use permissions and Power BI’s tenant settings to limit what these Guest users can do if you need to lock down their experiences.
When a Guest user who is enabled for Edit and Manage content access the Tenant URL shown above, they are presented Power BI Home for your organization. They can press the User icon at the top right to see they are logged in as themselves. They receive a My workspace where they can upload and share their own content using workspaces.
To upload or update Power BI Desktop authored reports (PBIX files), guest users must use the Get Data experience in the Power BI Service. They can select Files and then upload the file to the service.
While most experiences are available to these Guest users, there are some that are not supported, specifically:
- Direct publishing from Power BI Desktop to the Power BI service
- Guest users cannot use Power BI Desktop to connect to service datasets in the Power BI service
- Classic workspaces tied to Office 365 Groups: Guest user cannot create or be Admins of these workspaces. They can be members. This limitation does not apply to new workspace experience workspaces.
- Sending ad-hoc invites is not supported from workspace access lists
- Power BI Publisher for Excel is not supported for guest users
- Guest users cannot install a Power BI Gateway and connect it to your organization
- Guest users cannot install apps publish to the entire organization. Add Guest users to the app access list directly or through a security group.
- Guest users cannot use, create, update, or install organizational content packs
- Guest users cannot use Analyze in Excel
- Guest users cannot be @mentioned in commenting (coming soon)
- Guest users cannot use subscriptions (coming soon)
- Guest users who use this capability should have a work or school account. Guest users using Personal accounts will experience more limitations due to sign-in restrictions.
Additional considerations
By default, Guest users are subject to restrictions to their experience that are controlled by the Azure Active Directory administrator. If your guest users will need to own and share content with others and manage workspaces as workspaces Admins, you should change the Guest users permissions are limited setting in Azure AD to allow these users to use people pickers.
You can find this option by:
- Open Azure Portal (https://portal.azure.com)
- Open Azure Active Directory
- Select User Settings
- Selecting Manage external collaboration settings
Please read the following to lean more about Azure AD B2B
- Delegate invitations for Azure Active Directory B2B collaboration
- Allow or block invitations to B2B users from specific organizations
- What are the default user permissions in Azure Active Directory?
Power BI allows ad-hoc invites for Guest users through the Sharing UIs if enabled in the Power BI tenant settings. However, if you’re entering formal relationships with subsidiaries or partners, we recommend you use the planned invites approach outlined in the whitepaper.
Next steps
- As mentioned earlier, we have updated the whitepaper on using Azure AD B2B with Power BI . This major update includes all the best practices from real world use cases and customer questions. It is well worth the read.
- Read the documentation