Tutorials

Step-by-step guidance through DataCentral

Below are tutorials designed to simplify understanding of DataCentral, guiding you through the process of getting started with DataCentral and sharing information with diverse audiences.

Under each tutorial, you will find an overview of its content and the prerequisites necessary for completing it.

List of tutorials:

Fundamentals with your Azure AD

Use Azure AD authentication to explore the basics of DataCentral. A free tenant is provided for testing, requiring no configurations or installations. The tenant will use the common endpoint for Power BI, with only internal AD sharing available. If you want to try external Azure AD sharing, see this tutorial.

Content of tutorial:

Prerequisites

  • Azure AD user account

  • Power BI Pro license

  • Admin member on Workspace in Power BI

Tutorial Step-by-Step

Authenticate to DataCentral

The email confirmation link you receive after signing up for Free-Tutorial will redirect you to your assigned DataCentral Tenant. The next step is to authenticate using your Azure AD credentials.

Home Page

Upon logging in, you will see the home page with the navigation bar on the left. The home page will display the report of your choice, pinned for your users in the Tenant.

Navigation bar:

  • Home:

    • A pinned report of your choice for users in current Tenant.

    • Users will have the option to pin their favorite report to the home page.

  • Administration:

    1. Users: Add new user to your Tenant

    2. Power BI Items: Add a report or app from your Power BI environment

    3. Languages: Change the default language of your Tenant

Adding Power BI report or app to your Tenant

Under 'Administration -> Power BI Items', or by clicking on 'Go to reports', you can manage which Power BI Items are added to your Tenant. Within the 'Power BI Items' menu, you can click on 'Manage Workspaces' in the top right corner.

To see more about Workspace Management click here.

The menu will display all the workspaces where you are an admin in Power BI Service. Choose a workspace from which you want to embed a report into your Tenant, and click 'Save'.

Now, you can click '+ Add new item' and perform three operations:

  1. Link Report: Embed report of your choice from workspace to Tenant

  2. Link App: Embed app of your choice from workspace to Tenant

  3. Upload Report: Upload .pbix file to your workspace from your Tenant

In this tutorial, we will use 'Link Report'. Choose the workspace from which you want to embed the report and locate the report.

You can now enter additional information about the report. Once you have provided all the necessary details, click 'Save'.

Important: Before clicking 'Save', ensure that the report has the 'User' role. Users in your Tenant with the 'User' role will then be able to see the report.

The report from your workspace has now been embedded into your tenant. Repeat this process if you want to add more reports or apps.

Share report or app with internal Azure AD in Tenant

Easily share a report or app that you have added to your Tenant with internal Azure AD colleagues. Depending on the roles you assign to your users, they can access different reports available within the Tenant.

Prerequisites for internal AAD.

  • Azure AD account

  • Power BI Pro license (if workspace is not on a dedicated capacity)

  • Azure AD user is at least a 'Viewer' member on the Workspace(s) that the report / app is embedded from

Go to 'Administration -> Users' to manage users added to your tenant. Begin by clicking on '+ Create new user' in the top right corner.

Enter the email address of the Azure AD user you intend to add, then navigate to 'Roles'.

Keep in mind that the roles you assign to your users determine which items they can access within the Tenant. In this case, assign the "User" role to the Azure AD user. Then click 'Save'.

An internal Azure AD user authenticates to the Tenant and can view only the item(s) assigned the 'User' role.

Important: The internal Azure AD user will only be able to embed a report or app if they have at least 'Viewer' permissions within the workspace in Power BI from which the items are embedded or if they are part of a security group with equivalent permissions.


Sharing with External Azure AD users

Configure your Tenant with your organizational Azure Tenant ID. This will enable your users to authenticate against your Power BI environment and access reports in workspaces with the appropriate permissions.

Content of tutorial:

Prerequisites

  • DataCentral Pro

  • Azure Tenant ID

  • Azure AD user account

  • Admin member on Workspace in Power BI

  • Power BI Pro license

Tutorial Step-by-Step

Authenticate to DataCentral

Go to your DataCentral Tenant and authenticate using your Azure AD credentials.

Configure your DataCentral Tenant to your organizational Azure Tenant ID

Under 'Administration -> Settings', navigate to 'Azure Configurations' where you can add your Azure Tenant ID, enabling users to authenticate to your Power BI environment. Click 'Save'.

Optionally, you can set 'Internal Domains' to distinguish internal AD from external AD within your tenant. You will need to manually add the external Azure AD user as a guest in your Azure Portal so they are able to authenticate to your Azure Tenant ID. If you want to automate this process, implement the Graph Service Principal. Click here to learn more.

Share report with external Azure AD in Tenant

With the Azure Tenant ID configured, you can add and share reports or apps within your Tenant with external Azure AD. Depending on the roles assigned to your users, they can access different subsets of reports available within the Tenant.

Prerequisites for external Azure AD.

  • Azure AD account

  • Power BI Pro license (if workspace is not on a dedicated capacity)

  • Azure AD user is at least a 'Viewer' member on the Workspace that the report or app is embedded from

Go to 'Administration -> Users' to manage the users in your Tenant. Start by clicking on '+ Create new user' in the top right corner.

Enter the email address of the external Azure AD user you intend to add, then navigate to 'Roles'.

Keep in mind that the roles you assign to your users determine which items they can access within the Tenant. In this case, assign the 'User' role to the Azure AD user. Then click 'Save'.

Now, you will see that the external Azure AD user has been added to the tenant. They will be able to authenticate to the Tenant and access the report or app.

Important: If a Graph Service Principal has not been configured, you will need to manually add the external Azure AD user as a guest in your Azure Portal so they are able to authenticate to your Azure Tenant ID.

The first time the external Azure AD user authenticates to your Tenant, they will be prompted with this window and will need to accept. This is the minimum privilege Microsoft Authenticator needs to verify the identity of the user signing in.

If an external Azure AD user is a global administrator in their organization, they will be able to 'Consent on behalf of your organization.' Consequently, users from their organization will have this consent pre-accepted and will not receive the prompt.

Here, the external Azure AD user has authenticated to the Tenant and can see the respective reports or apps assigned to their Role.

Important: The external Azure AD user will only be able to embed a report or app if they have at least "Viewer" permissions within the workspace in Power BI from which the items are embedded or if they are part of a security group with equivalent permissions.


Configuring and using Power BI Service Principal

This will allow your Azure AD users to embed reports without needing a Power BI Pro license, and it will unlock new user types, such as User Pass and Mobile ID, that can embed through your Service Principal. Additionally, certain features are now available within your Tenant.

Content of tutorial:

Prerequisites

  • DataCentral Pro

  • Azure Tenant ID

  • Azure AD user account

  • Workspace on a Dedicated Capacity

Tutorial Step-by-Step

Create your Power BI Service Principal in Azure

Click here to go through the step-by-step guide to create your own Power BI Service Principal.

After creating your Power BI Service Principal, collect these values from the Azure Portal to complete this step-by-step tutorial.

  • Directory (tenant) ID

  • Application (client) ID

  • Client Secret

Authenticate to DataCentral

Go to your DataCentral Tenant and authenticate using your Azure AD credentials.

Configure your Power BI Service Principal to your Tenant

Under 'Administration -> Settings', navigate to 'Azure Configurations' where you can add your Power BI Service Principal.

Optionally, you can select the 'Only use Service Principal to manage items and workspaces in tenant' checkbox to restrict embedding in your Power BI environment to only the Service Principal(s). In this case, your own and other admin Azure AD accounts will not be able to embed reports or apps.

Using multiple service principals can be highly valuable. To do so, also complete the setup for Power BI Service Principals 2 and 3, and enable them.

Add a report or app through Power BI Service Principal

Now you are able to share reports or apps, and enable certain features on reports with the Power BI Service Principal. To see the full list of features that can be used click here.

Go to 'Administration -> Power BI Items', where you manage which Power BI Items are added to your Tenant. Within the 'Power BI Items' menu, you can click on 'Manage Workspaces' in the top right corner.

If you checked the box 'Only use Service Principal to manage items and workspaces in tenant' in Azure Configurations, then you will only see workspaces your Service Principal has access to. If the box is unchecked, the normal workspace management will occur through your Azure AD user.

Important: Your Service Principal must have, at a minimum, 'member' permissions in the workspace where the report or app exists.

Choose a report that you want to share with users who don't have a Power BI Pro license. Then click 'Save'.

Share report with Azure AD without Pro License or User Pass / Mobile ID

Go to 'Administration -> Users' to manage the users in your tenant. Start by clicking on '+ Create new user' in the top right corner.

Add three user types and make sure that they have the correct role to see the report within the Tenant:

  • Azure AD

  • User Pass

  • Mobile ID

After creating all three user types, allow them to authenticate to your DataCentral tenant and observe how they can view reports within their role scopes.


Row-Level Security with Power BI Service Principal

Enforcing row-level security (RLS) in your data models can simplify data management by allowing one model to serve multiple purposes, eliminating the need for duplicating models and adding unnecessary complexity. Here are two methods for implementing row-level security using your Power BI Service Principal for your users.

  1. Row-Level Security with Role Codes: Creating specific Role Codes, which are passed along with the Power BI Service Principal to the RLS Dataset.

  2. Dynamic Row-Level Security with UserPrincipalName function: Creating a role in Power BI Desktop using the UserPrincipalName() function that plays a crucial role in dynamic row-level security.

Content of tutorial:

Prerequisites

  • DataCentral Pro

  • Azure Tenant ID

  • Azure AD user account

  • Power BI Service Principal

  • Workspace on a Dedicated Capacity


Row-Level Security with Role Codes

Create data model and manage roles within Power BI Desktop

In Power BI Desktop, go to Manage Roles and create specific roles that filter a particular table based on the selected role. In this example, five roles have been created: AdminRLS, APAC, EMEA, LATAM, and NA. These roles filter the data model to specific country groupings (AdminRLS has access to all country groupings).

After publishing the report to a workspace of your choice, your RLS dataset should include these defined roles.

Add the Row-Level Security report to Tenant

In your DataCentral Tenant go to 'Administration -> Power BI Items' and add the Row-Level Security Report to your Tenant.

Important: Your Service Principal must have, at a minimum, 'member' permissions in the workspace where the report exists.

Add or create users and attach 'Role Codes'

Go to 'Administration -> Users' and add or edit the current user who will be using your Power BI Service Principal to embed the report. This can be an Azure AD account, a User Pass, or a Mobile ID.

It is important to have already created the roles under 'Administration -> Roles'. Click here to read more about Role Management.

The same process for using 'Role Codes' applies to all user types. In this example, Mobile ID is used.

The user should have specific roles assigned to them, which the Power BI Service Principal will use to enforce security on the dataset and visibility of the report.

User authenticates to Tenant and embeds row-level security report

The chosen user authenticates to your DataCentral tenant, embeds the report, and only receives the data they are authorized to access. In this case, the data is limited to APAC and EMEA.

If we edit the user's roles and assign them the AdminRLS role, they will be able to see all country groupings as configured within the data model for that role.

The user can now refresh their browser, and they will receive all the data because they are in the 'AdminRLS' Role.

If you have, for example, +10 Role Codes and don't want to create all of those roles in Power BI Desktop, you would benefit from using Smart RLS.


Dynamic Row-Level Security with UserPrincipalName function

Create data model and manage roles within Power BI Desktop

In Power BI Desktop, navigate to 'Manage Roles' and create a specific role that filters particular tables based on the user embedding the report. In this example, a dynamic role is created, and logic around the UserPrincipalName() function is used to filter the data.

After publishing the report to a workspace of your choice, your RLS dataset should include the defined role.

Add the Row-Level Security report to Tenant

In your DataCentral Tenant go to 'Administration -> Power BI Items' and add the RLS Report to your Tenant.

Important: Your Service Principal must have, at a minimum, 'member' permissions in the workspace where the report exists.

Add or create users and attach the dynamic role

Go to 'Administration -> Users' and add or edit the current user who will be using your Power BI Service Principal to embed the report. This can be an Azure AD account, a User Pass, or a Mobile ID.

It is important to have already created the role that you defined in the Dataset under 'Administration -> Roles'. Click here to read more about Role Management.

The same process for using 'Dynamic RLS' applies to all user types. In this example, Mobile ID is used.

The user should have the role assigned to them, which the Power BI Service Principal will use to enforce security on the dataset and visibility of the report.

User authenticates to Tenant and embeds row-level security report

The selected user authenticates to your DataCentral tenant, embeds the report, and only receives the data they are authorized to access based on the DAX definition within the DynamicRLS role.

If another Mobile ID user is given access to this report, they will receive a different set of data based on the DynamicRLS, which is determined by their UserPrincipalName() and DAX logic.
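
Both RLS methods above (Role Codes and the dynamic UserPrincipalName() role) depend on the embedding side sending Power BI an effective identity together with the Service Principal's credentials. The following is an added example, not DataCentral's code (its internals are not shown on this page): it builds the request body for Power BI's GenerateToken REST endpoint and fails closed when a user has no role or a role the dataset does not define. The function name, GUIDs and usernames are constructed for illustration, and the role name DynamicRLS is taken from the text above.

```python
import json

GENERATE_TOKEN_URL = "https://api.powerbi.com/v1.0/myorg/GenerateToken"

def build_embed_token_request(report_id, dataset_id, username, role_codes, dataset_roles):
    """Return the GenerateToken body carrying the user's RLS effective identity."""
    if not username or not username.strip():
        raise ValueError("effective identity needs a username")
    roles = sorted(set(role_codes))
    if not roles:
        # Fail closed: never request a token for an RLS dataset without a role.
        raise ValueError("user has no role codes; refusing to request a token")
    unknown = [r for r in roles if r not in dataset_roles]
    if unknown:
        # A typo in a role code must not silently change what the user sees.
        raise ValueError(f"role codes not defined in the dataset: {unknown}")
    return {
        "datasets": [{"id": dataset_id}],
        "reports": [{"id": report_id}],
        "identities": [{
            "username": username.strip(),  # value USERPRINCIPALNAME() returns in DAX
            "roles": roles,                # roles created under Manage Roles
            "datasets": [dataset_id],
        }],
    }

# Constructed sample values (placeholder GUIDs, hypothetical users).
REPORT_ID = "00000000-0000-0000-0000-000000000001"
DATASET_ID = "00000000-0000-0000-0000-000000000002"
ROLE_CODE_MODEL = {"AdminRLS", "APAC", "EMEA", "LATAM", "NA"}  # roles from this page
DYNAMIC_MODEL = {"DynamicRLS"}

if __name__ == "__main__":
    static = build_embed_token_request(
        REPORT_ID, DATASET_ID, "mobile-user-1", ["EMEA", "APAC"], ROLE_CODE_MODEL)
    dynamic = build_embed_token_request(
        REPORT_ID, DATASET_ID, "anna@example.com", ["DynamicRLS"], DYNAMIC_MODEL)
    print("POST", GENERATE_TOKEN_URL)
    print(json.dumps(static, indent=2))
    print(json.dumps(dynamic["identities"], indent=2))
```

With Role Codes the `roles` list decides which rows are returned; with the dynamic role the `username` value does, so it should come from the authenticated session and never from user-editable input.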
