# Entra ID Management

This feature enables DataCentral administrators to authenticate using their Azure Active Directory (AAD) credentials and exercise their rights through an [Authentication Service Principal](https://uidata.gitbook.io/datacentral-knowledge-center/deployments/authentication-service-principal). This Principal is consented with delegated permissions, allowing AAD users to manage and organize security groups they are marked as "owners" of within Entra ID.

As a result, administrators gain the ability to control Entra ID security groups linked to Power BI entities, thereby governing both internal and external user access to these entities in a single place.

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2FUSdfk3UjtNggk4hfptwC%2Fimage.png?alt=media&#x26;token=ccf7a433-7314-49f4-acce-9e6d6eb956b1" alt=""><figcaption><p>Overview - Entra ID report</p></figcaption></figure>

* [How it works](#how-it-works)
* [Overview - Entra ID report](#overview-entra-id-report)
* [Diagram](#diagram)

### How it works

{% hint style="info" %}
To configure the Authentication Service Principal correctly, please refer to the documentation provided [here](https://uidata.gitbook.io/datacentral-knowledge-center/deployments/authentication-service-principal).
{% endhint %}

In DataCentral, Azure AD users can be assigned the role of '*Entra ID administrator*', granting them access to link their Entra ID security group to DataCentral in '*Organization Unit*'.

All activities are recorded and can be seen in the '*Overview - Entra ID report*'.

Users assigned the role of '*Entra ID administrator*' need to be the '*owner*' of the Entra ID group they intend to manage through DataCentral.

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2Fa81c0OL1S1PzLUOOOMyj%2Fimage.png?alt=media&#x26;token=e0c9c2ae-bbcb-4d7f-8e22-e83338b102f4" alt=""><figcaption><p>Example of Entra ID security group 'owner'</p></figcaption></figure>

Actions that an 'Entra ID administrator' can perform:

* [Link Entra ID security group](#link-entra-id-security-group)
* [Adding member to security group](#adding-member-to-security-group)
* [Removing member from security group](#removing-member-from-security-group)

#### Link Entra ID security group

Within DataCentral, the administrator can navigate to '*Organization Unit*', click '*+ Add root unit*', and link the security group. For example, if the administrator is '*owner*' of the security group '*PBI X*':

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2FrnS7o41qvoCfF8LoiUya%2Fimage.png?alt=media&#x26;token=9d7bf2c8-5fd9-42a6-837a-09375808a9a2" alt=""><figcaption><p>Adding Entra ID security group</p></figcaption></figure>

After adding a new security group to DataCentral, click '*Preview comparison*' to compare the DataCentral group with the Entra ID group. If members already exist in the Entra ID group, they will be added to the DataCentral system; otherwise, no changes will be detected.

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2FMCRznRUJl7CssDcLdJlg%2Fimage.png?alt=media&#x26;token=8633f68d-b7b8-45ec-8008-c41bb9a24d4b" alt=""><figcaption><p>'PBI X' added to DataCentral</p></figcaption></figure>

In this case, '*PBI X*' has members in the Entra ID security group, and they will be added to the DataCentral '*Organization Unit*' and to '*Users*' when the administrator clicks '*Confirm*'.

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2FIlzdJofPFp1ooqauJURK%2Fimage.png?alt=media&#x26;token=0d6cf628-154b-454f-94cc-67674ed95bad" alt=""><figcaption><p>Left are DataCentral actions to be made; Right is Entra ID group members.</p></figcaption></figure>

After '*Confirmation*', the security group has been synced, and the administrator can manage the group as desired by removing or adding members to it.

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2Fs9aYf84tTpKrq1QFLN2D%2Fimage.png?alt=media&#x26;token=fb110d61-1bad-474c-95f3-cd046ba87db7" alt=""><figcaption><p>After initial sync between systems</p></figcaption></figure>

The '*Overview - Entra ID report*' shows the current state of all groups that are managed by DataCentral. Here the '*PBI X*' group can be seen, along with the members within that group.

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2FHvuNkb9j5nbvgKOIFtZl%2Fimage.png?alt=media&#x26;token=e01d3370-60f3-427b-981d-22c9e49d22cf" alt=""><figcaption><p>Overview - Entra ID report</p></figcaption></figure>

#### Adding member to security group

To add a new member to a security group, go to 'Organization Unit'. There are two ways to do this.

1. Add member to security group through 'Organization Unit'

* Click on security group and then '+Add Member'
* Click 'Add Member' and choose member(s) to be added.

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2FrSl5Du1VxsVcraj1W4lk%2Fimage.png?alt=media&#x26;token=5ef5d585-a6a3-4795-9e2a-cc5beaa7814c" alt=""><figcaption><p>Add member through 'Organization Unit'</p></figcaption></figure>

* List of member(s) to add to security group.

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2FxyXyjpOkIADyFZTXqAxP%2Fimage.png?alt=media&#x26;token=cdb68af6-073f-4989-9a77-b2e482127764" alt=""><figcaption><p>List of Users</p></figcaption></figure>

2. Add member to security group through '*User Management*'

* Click on '*+ Create new user*'
* Enter email address and then navigate to '*Organization Unit*'
* Pick security group to add user to and '*Save*' to confirm

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2F8UBe1YV0KeyNa2wBbHa0%2Fimage.png?alt=media&#x26;token=50c03ad9-96c0-4ee8-8ee2-867aa74a24da" alt=""><figcaption><p>Add user to security group through 'User Management'</p></figcaption></figure>

Both ways lead to the same result: the user has been added to the security group.

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2Fr4Y6YYx6gzfFD5GkXz5I%2Fimage.png?alt=media&#x26;token=190e369a-8bef-49cc-98b7-b2a937360689" alt=""><figcaption><p>User added to security group</p></figcaption></figure>

#### Removing member from security group

To remove member(s) from a security group, go to '*Organization Unit*'.

* Pick the security group that the member will be removed from.
* Click on 'X' on the left of the user that will be removed.
* Confirm the action by clicking 'Yes'.

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2F84w2VpPsmsHAZYhvbmIK%2Fimage.png?alt=media&#x26;token=7dfd19a7-1afa-4cf5-9999-2a12d857ad66" alt=""><figcaption><p>Remove member from security group 'PBI X'</p></figcaption></figure>

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2FX3FCPViX5jY1Vz4dYsIt%2Fimage.png?alt=media&#x26;token=eaf322a9-6c86-403e-8abf-647d1633dc7e" alt=""><figcaption><p>Member has been removed from Entra ID security group 'PBI X'</p></figcaption></figure>

### Overview - Entra ID report

The purpose of the report is to display the current state of security groups linked to the DataCentral tenant.

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2FeUqBcBHm5DFNitTY4Ic2%2Fimage.png?alt=media&#x26;token=a91a4bcf-a296-4377-9cbb-f0e070a122a4" alt=""><figcaption><p>Overview - Entra ID report</p></figcaption></figure>

In the top right corner, the user can see that they are viewing the report, along with a timestamp of when the last Entra ID sync was made to DataCentral.

Entra ID Sync is a functionality that captures a snapshot of security groups within Entra ID that are linked to DataCentral. This ensures that only security groups associated with DataCentral are recorded.

If discrepancies exist between Entra ID and DataCentral security groups, a record with an icon indicating an outlier will be displayed under '*Discrepancies Entra ID / Misræmi Entra ID*'.

<img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2FLIJUBfilwTB3K5JyvXo6%2Fsync%20(1).png?alt=media&#x26;token=c5c707dc-69c4-4480-a732-b1685b907cb7" alt="" data-size="line">  Member was added to Entra ID group within Azure Portal and will be synced to DataCentral.

<img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2Fd6qNjDB1j799KbKBcgA9%2Fwarning%20(1).png?alt=media&#x26;token=9e6783eb-29ca-47b0-9744-57d61b8df9ce" alt="" data-size="line">  Member was removed from Entra ID group within Azure Portal, investigate.

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2FUaEnyr5znwUkOOHkpMMr%2Fimage.png?alt=media&#x26;token=5b212849-b0e1-4916-9dc0-e0c7f2ed065d" alt=""><figcaption><p>Authenticated user and discrepancies</p></figcaption></figure>
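The two discrepancy types above amount to a per-group set comparison between the Entra ID snapshot and DataCentral's copy of each linked group. The following is an added example, not DataCentral's own code: the function and type names and the sample data are constructed, and it assumes members are matched by sign-in name, case-insensitively.

```python
from dataclasses import dataclass

SYNC = "sync"                # in Entra ID only: will be synced to DataCentral
INVESTIGATE = "investigate"  # in DataCentral only: removed in Entra ID


@dataclass(frozen=True)
class Discrepancy:
    group: str
    member: str
    kind: str


def _normalise(members):
    # Assumption: members are matched by sign-in name, case-insensitively.
    return {m.strip().lower() for m in members}


def find_discrepancies(entra_snapshot, datacentral_groups):
    """Compare each DataCentral-linked group with the Entra ID snapshot.

    Groups that exist only in Entra ID are not linked and are ignored.
    """
    found = []
    for group in sorted(datacentral_groups):
        dc = _normalise(datacentral_groups[group])
        # Assumption: a linked group missing from the snapshot counts as
        # empty, so every DataCentral member of it is flagged for review.
        entra = _normalise(entra_snapshot.get(group, []))
        found += [Discrepancy(group, m, SYNC) for m in sorted(entra - dc)]
        found += [Discrepancy(group, m, INVESTIGATE) for m in sorted(dc - entra)]
    return found


# Constructed sample data (not taken from a real tenant).
ENTRA_SNAPSHOT = {
    "PBI X": ["anna@contoso.example", "Bjorn@contoso.example",
              "guest_ext@partner.example"],
    "PBI Y": ["carl@contoso.example"],
    "HR All": ["erik@contoso.example"],  # not linked to DataCentral
}
DATACENTRAL_GROUPS = {
    "PBI X": ["anna@contoso.example", "bjorn@contoso.example",
              "dora@contoso.example"],
    "PBI Y": ["carl@contoso.example"],
}

if __name__ == "__main__":
    for d in find_discrepancies(ENTRA_SNAPSHOT, DATACENTRAL_GROUPS):
        print(f"{d.kind:<12} {d.group:<6} {d.member}")
```

An "investigate" row means membership changed outside DataCentral, so it is worth checking against the administrator action log before the change is accepted.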

All security groups ("öryggishópar") linked to the DataCentral tenant.

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2FZx9GEz1elsLaePZb9Yj4%2Fimage.png?alt=media&#x26;token=9f60f16a-d03b-4f76-82fe-ece5c162f3d4" alt=""><figcaption><p>Security groups linked to tenant</p></figcaption></figure>

All users ('*notendur*') existing within the tenant, along with icons indicating their user types within the DataCentral tenant.

<img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2F5ogYk9tZWkEy9Lscz5Zl%2Fstar.png?alt=media&#x26;token=b64cefcc-2e2f-45cd-92b1-e17cbf0c0531" alt="" data-size="line">  User is an 'Entra ID administrator'

<img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2F7BHNsrOTMsXOhtAOcYEz%2Fazure_internaluser_logo_color.svg?alt=media&#x26;token=54102120-f5da-427a-9d2f-730d17246e54" alt="" data-size="line">  Azure AD user

<img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2FbcZN6OymxiUnaJPM6lZu%2Feaad.png?alt=media&#x26;token=d53e24a7-27a3-400a-94d6-d6d2d3d03958" alt="" data-size="line">  External Azure AD user

<img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2FIxP1VodYyK37TTi029Cy%2Fuser%20(1).png?alt=media&#x26;token=9712a1ba-3162-40b9-bbf5-3cc13005aa75" alt="" data-size="line">  System User (User Pass)

<img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2F90Yrc3f1FFrbusdmDTMQ%2Fdo-not-enter.png?alt=media&#x26;token=73d4529d-3cea-4ecb-97e6-8b8821fc8747" alt="" data-size="line">  Azure AD disabled in Entra ID

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2FV4UJZFjr8JSFtEGyaiZ2%2Fimage.png?alt=media&#x26;token=e5397c09-7c65-4a8e-ac09-f9de59f55a94" alt=""><figcaption><p>Users that exist in tenant</p></figcaption></figure>

Action logs record the activities of administrators on security groups within the tenant.

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2F9WzkOe7kt1hCYM61boXZ%2Fimage.png?alt=media&#x26;token=db54577a-46b4-4bbd-893c-758c01b5d573" alt=""><figcaption><p>Administrator action log</p></figcaption></figure>

### Diagram

A comprehensive overview of the components involved in implementing 'Entra ID Management' is provided. Once implemented, Entra ID security groups are fully managed within your DataCentral tenant, allowing users to access Power BI entities through their assigned security groups.

Subsequently, Power BI report administrators within the DataCentral tenant can embed reports that users now have access to via these security groups. When a user authenticates to the DataCentral tenant, they will see reports accessible to their assigned security group.

Administrators can effortlessly add or remove internal and external users from these groups, completing the entire user-cycle management within Power BI.

<figure><img src="https://1952150759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfEoiVXBZDmtsCCNsaMab%2Fuploads%2FnQpSk0VUcFNo9hDCUzY1%2Fimage.png?alt=media&#x26;token=a1951474-e4b4-428c-a149-1d0d51b0ec7d" alt=""><figcaption></figcaption></figure>

