Skip to main content

More control over when Azure Active Directory B2B guest users appear in lists of suggested people

Headshot of article author Lukasz Pawlowski

We’re rolling out a new Power BI Admin Tenant Setting to help organizations choose how easily users can share with external users. The new setting controls whether external users are suggested by Power BI sharing experiences when one user searches for another user.

 

New Show Azure Active Directory guests in lists of suggested people tenant setting

In Power BI Admin Portal tenant settings, we’ve added a new setting Show Azure Active Directory guest in lists of suggested people. It helps customize when Power BI suggests external users who are already Azure Active Directory guest during sharing.

Graphical user interface, text, application, email Description automatically generated

 

When Show Azure Active Directory guest in lists of suggested people is enabled, the default, guest users are suggested in sharing experiences in Power BI. When typing a partial name, the list of suggestions includes external users. This helps users find guests that are already added to the organization to support quick and easy collaboration.

Graphical user interface, text, application, chat or text message Description automatically generated

 

When Show Azure Active Directory guests in list of suggested people is disabled, the list of suggested users only include users who are members in Azure Active Directory. This limits the users in the suggested list to only those that are ‘internal’ to the organization. Work with your Azure AD admins if you’d like to know how your organization handles external users, since in some cases external users may be configured as members.

Graphical user interface, application Description automatically generated

 

Importantly, sharing to external users is still allowed even when the setting is disabled. To share with a guest, the user must provide the guest’s full email address, as shown below. If the external user isn’t already a guest in Azure AD, they need to be invited to join the organization. Only users with the Guest Inviter role in Azure AD can do this, and then only if the Power BI admin allowed inviting guests through Power BI experiences.

Graphical user interface, text, application Description automatically generated

 

Other controls you should include in an overall data security strategy

Power BI offers a number of capabilities that together help organizations manage external access to content. The new setting fits into these by helping determine how easy or hard it is to share to an external users. Below is a list of other capabilities to also use as part of a strategy:

  1. Azure Active Directory – you can configure who is allowed to invite guest users to your organization by using the Guest Inviter role. You can also use conditional access policies to allow or deny users the ability to access Power BI.
  2. Power BI Tenant settings – there are additional setting that control whether and which guest users can access Power BI, whether inviting guests users is allowed through Power BI sharing experiences, and what level of access guest users have once they can access Power BI.
  3. Microsoft Information Protection Sensitivity Labels – these labels apply policies to content like datasets, reports, and dashboards. They are respected by other parts of the Microsoft stack like Microsoft Excel. By configuring labels, you can help users know what is the acceptable use of data, and choose if external users can view the data at all.
  4. Auditing and Access Management – using Power BI’s audit log that integrates with the Office 365 Audit log, you can review which users are accessing what content.

As always, let us know you feedback in the comments or submit suggestions to https://ideas.powerbi.com

 

Next Steps:

Distribute Power BI content to external guest users using Azure Active Directory B2B

Power BI security white paper – Power BI | Microsoft Docs

Read the documentation