🔐Entra ID Management

Manage Entra ID security groups through DataCentral

This feature enables DataCentral administrators to authenticate using their Azure Active Directory (AAD) credentials and exercise their rights through an Authentication Service Principal. This principal is consented with delegated permissions, allowing AAD users to manage and organize the security groups they are marked as "owners" of within Entra ID.

As a result, administrators gain the ability to control Entra ID security groups linked to Power BI entities, thereby governing both internal and external user access to these entities in a single place.

Overview - Entra ID report

How it works

To configure the Authentication Service Principal correctly, please refer to the documentation provided here.

In DataCentral, Azure AD users can be assigned the role of 'Entra ID administrator', granting them access to link their Entra ID security group to DataCentral in 'Organization Unit'.

All activities are recorded and can be seen in the 'Overview - Entra ID report'.

Users assigned the role of 'Entra ID administrator' need to be the 'owner' of the Entra ID group they intend to manage through DataCentral.

Example of Entra ID security group 'owner'

Actions that an 'Entra ID administrator' can perform:

Within DataCentral, the administrator can navigate to 'Organization Unit', click '+ Add root unit', and link the security group. For example, if the administrator is 'owner' of the security group 'PBI X':

Adding Entra ID security group

After adding a new security group to DataCentral, click 'Preview comparison' to compare the DataCentral group with the Entra ID group. If members already exist in the Entra ID group, they will be added to the DataCentral system; otherwise, no changes will be detected.

'PBI X' added to DataCentral

In this case, 'PBI X' has members in the Entra ID security group, and they will be added to the DataCentral 'Organization Unit' and to 'Users' when the administrator clicks 'Confirm'.

Left: DataCentral actions to be made; right: Entra ID group members.

After clicking 'Confirm', the security group has been synced, and the administrator can manage the group as desired by removing or adding members.

After initial sync between systems

The 'Overview - Entra ID report' shows the current state of all groups that are managed by DataCentral. Here the 'PBI X' group and the members within it can be seen.

Overview - Entra ID report

Adding member to security group

To add a new member to a security group, go to 'Organization Unit'. There are two ways.

  1. Add member to security group through 'Organization Unit'

  • Click on security group and then '+Add Member'

  • Click 'Add Member' and choose member(s) to be added.

Add member through 'Organization Unit'
  • List of member(s) to add to security group.

List of Users
  2. Add member to security group through 'User Management'

  • Click on '+ Create new user'

  • Enter email address and then navigate to 'Organization Unit'

  • Pick security group to add user to and 'Save' to confirm

Add user to security group through 'User Management'

Both ways lead to the same result: the user has been added to the security group.

User added to security group

Removing member from security group

To remove member(s) from a security group, go to 'Organization Unit'.

  • Pick security group that member will be removed from.

  • Click on 'X' on the left of the User that will be removed.

  • Confirm action by clicking 'Yes'

Remove member from security group 'PBI X'
Member has been removed from Entra ID security group 'PBI X'

Overview - Entra ID report

The purpose of the report is to display the current state of security groups linked to the DataCentral tenant.

Overview - Entra ID report

In the top right corner, the user can see that they are viewing the report, along with a timestamp of when the last Entra ID sync to DataCentral was made.

Entra ID Sync is a functionality that captures a snapshot of the security groups within Entra ID that are linked to DataCentral. This ensures that only security groups associated with DataCentral are recorded.

If discrepancies exist between Entra ID and DataCentral security groups, a record with an icon indicating an outlier will be displayed under 'Discrepancies Entra ID / Misræmi Entra ID'.

Member was added to Entra ID group within Azure Portal and will be synced to DataCentral.

Member was removed from Entra ID group within Azure Portal, investigate.

Authenticated user and discrepancies
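
The two discrepancy cases above, together with the group-owner requirement, as an added example that is not DataCentral's own code: a small Python audit that compares a snapshot of an Entra ID group with the membership recorded in DataCentral. The snapshot layout, the DataCentral export and all names and values are constructed assumptions; surfacing disabled accounts is an extra check of this example, not a documented report rule.

```python
# Added example: audit one linked group against an Entra ID snapshot.
# All data below is constructed; field names follow Microsoft Graph user objects.
ENTRA_SNAPSHOT = {
    "displayName": "PBI X",
    "owners": ["admin@contoso.example"],
    "members": [
        {"id": "u1", "userPrincipalName": "anna@contoso.example", "accountEnabled": True},
        {"id": "u3", "userPrincipalName": "carl@contoso.example", "accountEnabled": False},
        {"id": "u4", "userPrincipalName": "dora@partner.example", "accountEnabled": True},
    ],
}
# Membership as recorded at the last sync (hypothetical export: id -> UPN).
DATACENTRAL_MEMBERS = {
    "u1": "anna@contoso.example",
    "u2": "bo@contoso.example",
    "u3": "carl@contoso.example",
}


def audit_group(snapshot, dc_members, admin_upn):
    """Return sorted (finding, user) pairs for one linked security group."""
    owners = {o.lower() for o in snapshot["owners"]}
    if admin_upn.lower() not in owners:
        # Mirrors the page's rule: only an owner may manage the group.
        raise PermissionError(f"{admin_upn} is not an owner of {snapshot['displayName']}")

    entra = {m["id"]: m for m in snapshot["members"]}
    findings = []
    for uid in entra.keys() - dc_members.keys():
        # Added in the Azure Portal: expected to sync into DataCentral.
        findings.append(("added_in_entra", entra[uid]["userPrincipalName"]))
    for uid in dc_members.keys() - entra.keys():
        # Removed outside DataCentral: the case the report says to investigate.
        findings.append(("removed_in_entra", dc_members[uid]))
    for uid in entra.keys() & dc_members.keys():
        # Assumption of this example: a disabled account that still holds
        # membership is worth surfacing for review.
        if not entra[uid]["accountEnabled"]:
            findings.append(("disabled_member", entra[uid]["userPrincipalName"]))
    return sorted(findings)


if __name__ == "__main__":
    for kind, user in audit_group(ENTRA_SNAPSHOT, DATACENTRAL_MEMBERS, "admin@contoso.example"):
        print(f"{kind:18} {user}")
```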

All security groups ("öryggishópar") linked to the DataCentral tenant.

Security groups linked to tenant

All users ('notendur') existing within the tenant, along with icons indicating their user types within the DataCentral tenant.

User is an 'Entra ID administrator'

Azure AD user

External Azure AD user

System User (User Pass)

Azure AD disabled in Entra ID

Users that exist in tenant

Action logs that record administrators' activities on security groups within the tenant.

Administrator action log

Diagram

A comprehensive overview of the components involved in implementing 'Entra ID Management' is provided. Once implemented, Entra ID security groups are fully managed within your DataCentral tenant, allowing users to access Power BI entities through their assigned security groups.

Subsequently, Power BI report administrators within the DataCentral tenant can embed reports that users now have access to via these security groups. When a user authenticates to the DataCentral tenant, they will see reports accessible to their assigned security group.

Administrators can effortlessly add or remove internal and external users from these groups, completing the entire user-cycle management within Power BI.
