# Tutorials

Below are tutorials designed to simplify understanding of DataCentral, guiding you through the process of getting started with DataCentral and sharing information with diverse audiences.

Under each tutorial, you will find an overview of its content and the prerequisites necessary for completing it.

List of tutorials:

* [Fundamentals with your Azure AD](#fundamentals-with-your-azure-a-d)
* [Sharing with External Azure AD users](#sharing-with-external-azure-a-d-users)
* [Configuring and using Power BI Service Principal](#configuring-and-using-power-bi-service-principal)
* [Row-Level Security with Power BI Service Principal](#row-level-security-with-power-bi-service-principal)

## Fundamentals with your Azure AD

Use Azure AD authentication to explore the basics of DataCentral. A free tenant is provided for testing, requiring no configurations or installations. The tenant will use the common endpoint for Power BI, with only internal AD sharing available. If you want to try external Azure AD sharing, see this [tutorial](#sharing-with-external-azure-a-d-users).

Content of tutorial:

* [x] Azure AD authentication
* [x] Embedding report or app from your workspace
* [x] Adding internal Azure AD users to Tenant
* [x] Sharing report or app with internal Azure AD users

### Pre-requirements

* Azure AD user account
* Power BI Pro license
* Admin member on Workspace in Power BI

### Tutorial Step-by-Step

#### Authenticate to DataCentral

The email confirmation link you receive after signing up for Free-Tutorial will redirect you to your assigned DataCentral Tenant. The next step is to authenticate using your Azure AD credentials.

<figure><img src="/files/f2KaElWvZijW0fKTVT7f" alt=""><figcaption><p>Authenticate with Azure AD</p></figcaption></figure>

#### Home Page

Upon logging in, you will see the home page with the navigation bar on the left. The home page will display the report of your choice, pinned for your users in the Tenant.

Navigation bar:

* Home:
  * A pinned report of your choice for users in current Tenant.
  * Users will have the option to pin their favorite report to the home page.
* Administration:
  1. Users: Add new user to your Tenant
  2. Power BI Items: Add a report or app from your Power BI environment
  3. Languages: Changing the default language of your Tenant

<figure><img src="/files/09psbbsYfait6usfmeq6" alt=""><figcaption><p>Home page</p></figcaption></figure>

#### Adding Power BI report or app to your Tenant

Under '*Administration -> Power BI Items'* or by clicking on '*Go to reports'* you can manage which Power BI Items are added to your Tenant. Within '*Power BI Items'* menu you can click on '*Manage Workspaces'* in the top right corner.

To see more about Workspace Management click [here](/datacentral-knowledge-center/product-guides/item-management.md).

<figure><img src="/files/5yDQv8iBxBpfI3EqFzFU" alt=""><figcaption><p>Power BI Items menu</p></figcaption></figure>

The menu will display all the workspaces where you are an admin in Power BI Service. Choose a workspace from which you want to embed a report into your Tenant, and click '*Save'.*

<figure><img src="/files/cjpnm1UBPMfxdlnhWhxY" alt=""><figcaption><p>Workspaces available</p></figcaption></figure>

Now, you can click '*+ Add new item*' and perform three operations:

1. Link Report: Embed report of your choice from workspace to Tenant
2. Link App: Embed app of your choice from workspace to Tenant
3. Upload Report: Upload .pbix file to your workspace from your Tenant

In this tutorial, we will '*Link report'*. Choose the workspace from which you want to embed the report and locate the report.

<figure><img src="/files/OUR5WmcXD6onvxh2SN7j" alt=""><figcaption><p>Operations to workspace</p></figcaption></figure>

You can now enter additional information about the report. Once you have provided all the necessary details, click '*Save'.*

{% hint style="info" %}
**Important:** Before clicking '*Save*', ensure that the report has the '*User'* role. Users in your Tenant with the '*User'* role will then be able to see the report.
{% endhint %}

<figure><img src="/files/pNpWsLcBC9yKKRUMxsMX" alt=""><figcaption><p>Report additional information</p></figcaption></figure>

The report from your workspace has now been embedded into your tenant. Repeat this process if you want to add more reports or apps.

<figure><img src="/files/TAZyXBUseFB8W5UaB9gm" alt=""><figcaption><p>Embedded report</p></figcaption></figure>

#### Share report or app with internal Azure AD in Tenant

Easily share a report or app that you have added to your Tenant with internal Azure AD colleagues. Depending on the roles you assign to your users, they can access different reports available within the Tenant.

Pre-requirements for internal AAD.

* Azure AD account
* Power BI Pro license (if workspace is not on a dedicated capacity)
* Azure AD is at least '*Viewer'* member on Workspace(s) that report / app is embedded from

Go to '*Administration -> Users'* to manage users added to your tenant. Begin by clicking on '*+ Create new user*' in the top right corner.

<figure><img src="/files/IoxFohWs0kT4NC8SA0oC" alt=""><figcaption><p>User Management</p></figcaption></figure>

Enter the email address of the Azure AD user you intend to add, then navigate to '*Roles'.*

<figure><img src="/files/kDGNHZN4VEWKH3C8rJu0" alt=""><figcaption><p>Adding an Azure AD user</p></figcaption></figure>

Keep in mind that the roles you assign to your users determine which items they can access within the Tenant. In this case, assign the "User" role to the Azure AD user. Then click '*Save'*.

<figure><img src="/files/ZMJhhGFlRd8QUOw6y224" alt=""><figcaption><p>Role assignment</p></figcaption></figure>

The internal Azure AD user authenticates to the Tenant and can view only the item(s) assigned the 'User' role.

{% hint style="info" %}
**Important**: The internal Azure AD user will only be able to embed a report or app if they have at least '*Viewer'* permissions within the workspace in Power BI from which the items are embedded or if they are part of a security group with equivalent permissions.
{% endhint %}

<figure><img src="/files/AOib9QyX40rP5psAVeio" alt=""><figcaption><p>Report embedded for Azure AD</p></figcaption></figure>

***

## Sharing with External Azure AD users

Configure your Tenant with your organizational Azure Tenant ID. This will enable your users to authenticate against your Power BI environment and access reports in workspaces with the appropriate permissions.

Content of tutorial:

* [x] Configure your DataCentral Tenant
* [x] Embedding report or app from your workspace
* [x] Adding external Azure AD user to Tenant
* [x] Sharing report or app with external Azure AD user

### Pre-requirements

* DataCentral Pro
* Azure Tenant ID
* Azure AD user account
* Admin member on Workspace in Power BI
* Power BI Pro license

### Tutorial Step-by-Step

#### Authenticate to DataCentral

Go to your DataCentral Tenant and authenticate using your Azure AD credentials.

<figure><img src="/files/H2LNXi80mTiQejFjUBqN" alt=""><figcaption><p>Authenticate with Azure AD</p></figcaption></figure>

#### Configure your DataCentral Tenant to your organizational Azure Tenant ID

Under '*Administration -> Settings'*, navigate to '*Azure Configurations'* where you can add your Azure Tenant ID, enabling users to authenticate to your Power BI environment. Click '*Save'*.

Optionally, you can set '*Internal Domains'* to distinguish internal AD from external AD within your tenant. You will need to manually add the external Azure AD as a guest in your Azure Portal so they are able to authenticate to your Azure Tenant ID. If you want to automate this process, implement the Graph Service Principal. Click [here](/datacentral-knowledge-center/deployments/graph-service-principal.md) to learn more.

<figure><img src="/files/7SrhI03424IyHRomjWy6" alt=""><figcaption><p>Azure Configurations</p></figcaption></figure>

#### Share report with external Azure AD in Tenant

With the Azure Tenant ID configured, you can add and share reports or apps within your Tenant with external Azure AD. Depending on the roles assigned to your users, they can access different subsets of reports available within the Tenant.

Pre-requirements for external Azure AD.

* Azure AD account
* Power BI Pro license (if workspace is not on a dedicated capacity)
* Azure AD is at least '*Viewer*' member on Workspace that report or app is embedded from

Go to '*Administration -> Users*' to manage the users in your Tenant. Start by clicking on '*+ Create new user'* in the top right corner.

<figure><img src="/files/sPOdctlW5WL8z5Oh2PnF" alt=""><figcaption><p>Adding a new user to Tenant</p></figcaption></figure>

Enter the email address of the external Azure AD user you intend to add, then navigate to '*Roles'.*

<figure><img src="/files/kp8una9qndyOmTlBuBsk" alt=""><figcaption><p>Azure AD user</p></figcaption></figure>

Keep in mind that the roles you assign to your users determine which items they can access within the Tenant. In this case, assign the '*User'* role to the Azure AD user. Then click '*Save'*.

<figure><img src="/files/i7t9OlIOrclyN8SfikC7" alt=""><figcaption><p>Role on Azure AD user</p></figcaption></figure>

Now, you will see that the external Azure AD user has been added to the tenant. They will be able to authenticate to the Tenant and access the report or app.

{% hint style="info" %}
**Important:** You will need to manually add the external Azure AD as a guest in your Azure Portal so they are able to authenticate to your Azure Tenant ID if a [Graph Service Principal](/datacentral-knowledge-center/deployments/graph-service-principal.md) has not been configured.
{% endhint %}

<figure><img src="/files/3igSFnQAUzWriGHee3T0" alt=""><figcaption><p>Users of Tenant</p></figcaption></figure>

The first time the external Azure AD user authenticates to your Tenant, they will be prompted with this window and will need to accept. This is the minimum privilege Microsoft Authenticator needs to verify the identity of the user signing in.

{% hint style="info" %}
If an external Azure AD user is a global administrator in their organization, they will be able to '*Consent on behalf of your organization*.' Consequently, users from their organization will have this consent pre-accepted and will not receive the prompt.
{% endhint %}

<figure><img src="/files/z00BXI7DIEvuieoieFiF" alt=""><figcaption><p>First time authentication prompt (normal user)</p></figcaption></figure>

<figure><img src="/files/mZ4E5xtXKYBfUzOhuOGA" alt=""><figcaption><p>First time authentication prompt (global administrator)</p></figcaption></figure>

Here, the external Azure AD user has authenticated to the Tenant and can see the respective reports or apps assigned to their Role.

{% hint style="info" %}
**Important**: The external Azure AD user will only be able to embed a report or app if they have at least "Viewer" permissions within the workspace in Power BI from which the items are embedded or if they are part of a security group with equivalent permissions.
{% endhint %}

<figure><img src="/files/3xsJltk7NYfsyf210yf9" alt=""><figcaption><p>Report embedded for external Azure AD</p></figcaption></figure>

***

## Configuring and using Power BI Service Principal

This will allow your Azure AD users to embed reports without needing a Power BI Pro license, and it will unlock new user types, such as User Pass and Mobile ID, that can embed through your Service Principal. Additionally, certain [features](/datacentral-knowledge-center/product-guides/features.md) are now available within your Tenant.

Content of tutorial:

* [x] Configure your Power BI Service Principal
* [x] Embedding report or app through the Service Principal
* [x] Workspace on Dedicated Capacity
* [x] Features with Service Principal

### Pre-requirements

* DataCentral Pro
* Azure Tenant ID
* Azure AD user account
* Workspace on a Dedicated Capacity

### Tutorial Step-by-Step

#### Create your Power BI Service Principal in Azure

Click [here](/datacentral-knowledge-center/deployments/power-bi-service-principal.md) to go through the step-by-step guide to create your own Power BI Service Principal.

After creating your Power BI Service Principal, collect these values from the Azure Portal to complete this step-by-step tutorial.

* Directory (tenant) ID
* Application (client) ID
* Client Secret

#### Authenticate to DataCentral

Go to your DataCentral Tenant and authenticate using your Azure AD credentials.

<figure><img src="/files/eDZi2A0JT5UIP6sKsjte" alt=""><figcaption></figcaption></figure>

#### Configure your Power BI Service Principal to your Tenant

Under '*Administration -> Settings'*, navigate to '*Azure Configurations'* where you can add your Power BI Service Principal.

Optionally, you can select the '*Only use Service Principal to manage items and workspaces in tenant'* checkbox to restrict embedding in your Power BI environment to only the Service Principal(s). In this case, your own and other admin Azure AD accounts will not be able to embed reports or apps.

<figure><img src="/files/7tHhKOz5ptz8oTei2WQb" alt=""><figcaption></figcaption></figure>

Using [multiple service principals](/datacentral-knowledge-center/product-guides/features.md#multiple-power-bi-service-principals) can be highly valuable. In that case, you would also complete the setup for Power BI Service Principals 2 and 3, and enable them.

#### Add a report or app through Power BI Service Principal

Now you are able to share reports or apps, and enable certain features on reports with the Power BI Service Principal. To see the full list of features that can be used click [here](/datacentral-knowledge-center/product-guides/features.md).

Go to '*Administration -> Power BI Items*' where you manage which Power BI Items are added to your Tenant. Within '*Power BI Items*' menu you can click on '*Manage Workspaces'* in the top right corner.

If you checked the box '*Only use Service Principal to manage items and workspaces in tenant'* in Azure Configurations, then you will only see workspaces your Service Principal has access to. If the box is unchecked, normal workspace management will occur through your Azure AD user.

{% hint style="info" %}
**Important:** Your Service Principal must have, at a minimum, 'member' permissions in the workspace where the report or app exists.
{% endhint %}

<figure><img src="/files/0e6FDtGK5QOAisrzpE8f" alt=""><figcaption></figcaption></figure>

Choose a report that you want to share with users who don't have a Power BI Pro license. Then click '*Save'*.

<figure><img src="/files/3jxJjkwQDY5MH3OtGSzS" alt=""><figcaption></figcaption></figure>

#### Share report with Azure AD without Pro License or User Pass / Mobile ID

Go to '*Administration -> Users'* to manage the users in your tenant. Start by clicking on '*+ Create new user'* in the top right corner.

Add three user types and make sure that they have the correct role to see the report within the Tenant:

* Azure AD
* User Pass
* Mobile ID

<figure><img src="/files/4swq9tC1fJYGKf9hz0ti" alt=""><figcaption><p>Azure AD user</p></figcaption></figure>

<figure><img src="/files/V5kFN16mmOsMF46j6HYL" alt=""><figcaption><p>User Pass</p></figcaption></figure>

<figure><img src="/files/hUw3U9BDU6sYM7Upu1bZ" alt=""><figcaption><p>Mobile ID</p></figcaption></figure>

After creating all three user types, allow them to authenticate to your DataCentral tenant and observe how they can view reports within their role scopes.

<figure><img src="/files/bDFGQA7QXPqGgIIOeKDS" alt=""><figcaption><p>Users within Tenant</p></figcaption></figure>

<figure><img src="/files/YbIaQTnJP7CRErQI1iMX" alt=""><figcaption><p>External Azure AD embedding through Service Principal</p></figcaption></figure>

<figure><img src="/files/VYmdNnwj6fZCLVqAA87a" alt=""><figcaption><p>User Pass embedding through Service Principal</p></figcaption></figure>

<figure><img src="/files/jV901BumJl9mSBh3vSOo" alt=""><figcaption><p>Mobile ID embedding through Service Principal</p></figcaption></figure>

***

## Row-Level Security with Power BI Service Principal

Enforcing row-level security (RLS) in your data models can simplify data management by allowing one model to serve multiple purposes, eliminating the need for duplicating models and adding unnecessary complexity. Here are two methods for implementing row-level security using your [Power BI Service Principal](/datacentral-knowledge-center/deployments/power-bi-service-principal.md) for your users.

1. [**Row-Level Security with Role Codes:**](#row-level-security-with-role-codes) Creating specific Role Codes, which are passed along with the Power BI Service Principal to the RLS Dataset.
2. [**Dynamic Row-Level Security with UserPrincipalName function:**](#dynamic-row-level-security-with-userprincipalname-function) Creating a role in Power BI Desktop using the UserPrincipalName() function that plays a crucial role in dynamic row-level security.

Content of tutorial:

* [x] Ensure efficient and secure sharing through Row-Level Security
* [x] Using 'Role Codes' with Power BI Service Principal
* [x] Using 'DynamicRLS' and UserPrincipalName() function.

### Pre-requirements

* DataCentral Pro
* Azure Tenant ID
* Azure AD user account
* Power BI Service Principal
* Workspace on a Dedicated Capacity

***

### Row-Level Security with Role Codes

#### Create data model and manage roles within Power BI Desktop

In Power BI Desktop, go to Manage Roles and create specific roles that filter a particular table based on the selected role. In this example, five roles have been created: AdminRLS, APAC, EMEA, LATAM, and NA. These roles filter the data model to specific country groupings (AdminRLS has access to all country groupings).

<figure><img src="/files/xcpqZfA6r8rbrzy5bfdo" alt=""><figcaption><p>Power BI Desktop 'Modeling -> Manage Roles'</p></figcaption></figure>

After publishing the report to a workspace of your choice, your RLS dataset should include these defined roles.

<figure><img src="/files/7ZSFFcQADSqXkFN9MRup" alt=""><figcaption><p>RLS Dataset Security</p></figcaption></figure>

#### Add the Row-Level Security report to Tenant

In your DataCentral Tenant go to '*Administration -> Power BI Items*' and add the Row-Level Security Report to your Tenant.

{% hint style="info" %}
**Important:** Your Service Principal must have, at a minimum, 'member' permissions in the workspace where the report exists.
{% endhint %}

<figure><img src="/files/HmaWiqsUR5u4JuwEPMPP" alt=""><figcaption><p>RLS Report in Tenant</p></figcaption></figure>

#### Add or create users and attach 'Role Codes'

Go to '*Administration -> Users'* and add or edit the current user who will be using your Power BI Service Principal to embed the report. This can be an Azure AD account, a User Pass, or a Mobile ID.

It is important to have already created the roles under '*Administration -> Roles'*. Click [here](/datacentral-knowledge-center/product-guides/user-and-role-management.md#creating-roles) to read more about Role Management.

The same process for using '*Role Codes*' applies to all user types. In this example, Mobile ID is used.

The user should have specific roles assigned to them, which the Power BI Service Principal will use to enforce security on the dataset and control visibility of the report.

<figure><img src="/files/eWe4kO4fDO98dDSP6UNn" alt=""><figcaption><p>Role Codes for user</p></figcaption></figure>

#### User authenticates to Tenant and embeds row-level security report

The chosen user authenticates to your DataCentral tenant, embeds the report, and only receives the data they are authorized to access. In this case, the data is limited to APAC and EMEA.

<figure><img src="/files/GkBTROh2GbxsZRd2Mjvb" alt=""><figcaption><p>Role Codes within RLS Report</p></figcaption></figure>

If we edit the user's roles and assign them the AdminRLS role, they will be able to see all country groupings as configured within the data model for that role.

<figure><img src="/files/1N6zZAg3eBa7pdkyIozE" alt=""><figcaption><p>Role Codes for user</p></figcaption></figure>

The user can now refresh their browser, and they will receive all the data because they are in the '*AdminRLS*' Role.

<figure><img src="/files/zCmpWUDr3YBCgAWmIIwA" alt=""><figcaption><p>Role Codes within RLS Report</p></figcaption></figure>

If you have, for example, 10+ Role Codes and don't want to create all of those roles in Power BI Desktop, you would benefit from using [Smart RLS](/datacentral-knowledge-center/product-guides/features.md#smart-rls).

***

### Dynamic Row-Level Security with UserPrincipalName function

#### Create data model and manage roles within Power BI Desktop

In Power BI Desktop, navigate to '*Manage Roles*' and create a specific role that filters particular tables based on the user embedding the report. In this example, a dynamic role is created, and logic around the UserPrincipalName() function is used to filter the data.

<figure><img src="/files/oS6RHog77ZhXhjFRcDnO" alt=""><figcaption><p>Dynamic RLS role with DAX to filter data</p></figcaption></figure>

After publishing the report to a workspace of your choice, your RLS dataset should include the defined role.

<figure><img src="/files/Szt0RCb75JxmHY6owFEl" alt=""><figcaption><p>RLS Dataset Security</p></figcaption></figure>

#### Add the Row-Level Security report to Tenant

In your DataCentral Tenant go to '*Administration -> Power BI Items'* and add the RLS Report to your Tenant.

{% hint style="info" %}
**Important:** Your Service Principal must have, at a minimum, '*member*' permissions in the workspace where the report exists.
{% endhint %}

<figure><img src="/files/hCgovLeOUvmPyK2d5sV5" alt=""><figcaption><p>RLS Report in Tenant</p></figcaption></figure>

#### Add or create users and attach the dynamic role

Go to '*Administration -> Users*' and add or edit the current user who will be using your Power BI Service Principal to embed the report. This can be an Azure AD account, a User Pass, or a Mobile ID.

It is important to have already created the role that you defined in the Dataset under '*Administration -> Roles'.* Click [here](/datacentral-knowledge-center/product-guides/user-and-role-management.md#creating-roles) to read more about Role Management.

The same process for using '*Dynamic RLS*' applies to all user types. In this example, Mobile ID is used.

The user should have the role assigned to them, which the Power BI Service Principal will use to enforce security on the dataset and control visibility of the report.

<figure><img src="/files/rOYZjmmcGnneEIcu25fg" alt=""><figcaption><p>Role Codes for user</p></figcaption></figure>

#### User authenticates to Tenant and embeds row-level security report

The selected user authenticates to your DataCentral tenant, embeds the report, and only receives the data they are authorized to access based on the DAX definition within the DynamicRLS role.

<figure><img src="/files/hm13mFGGjrl7H6kxlown" alt=""><figcaption><p>Report using Dynamic RLS</p></figcaption></figure>

If another Mobile ID user is given access to this report, they will receive a different set of data based on the DynamicRLS, which is determined by their UserPrincipalName() and DAX logic.

<figure><img src="/files/wlEj3f7sE7S56aIpjIh4" alt=""><figcaption><p>Report using Dynamic RLS</p></figcaption></figure>
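The two RLS methods above both rest on the identity a service principal attaches when it requests an embed token. The following is an added example, not DataCentral's own code: it builds the effective-identity body of the Power BI REST API `GenerateToken` call and simulates the resulting row filter on constructed rows. How DataCentral issues this call is not shown on this page; the `DynamicRLS` filter rule, the sample rows, and all IDs and addresses are assumptions.

```python
"""Effective-identity payload for a Power BI embed token (added example)."""

# Power BI REST API endpoint for embed tokens; nothing is sent in this example.
GENERATE_TOKEN_URL = "https://api.powerbi.com/v1.0/myorg/GenerateToken"

# Role names taken from the two example data models on this page.
ROLE_CODE_MODEL = {"AdminRLS", "APAC", "EMEA", "LATAM", "NA"}
DYNAMIC_MODEL = {"DynamicRLS"}

# Assumed role filters. The DynamicRLS rule (owner column equals the caller's
# UPN) is hypothetical; the page shows its DAX only as a screenshot.
ROLE_FILTERS = {
    "AdminRLS": lambda row, upn: True,
    "DynamicRLS": lambda row, upn: row["owner"].lower() == upn.lower(),
    **{
        group: (lambda row, upn, group=group: row["group"] == group)
        for group in ("APAC", "EMEA", "LATAM", "NA")
    },
}

# Constructed sample rows standing in for the RLS-protected table.
SAMPLE_ROWS = [
    {"group": "APAC", "owner": "mei@example.com", "sales": 120},
    {"group": "EMEA", "owner": "lars@example.com", "sales": 90},
    {"group": "LATAM", "owner": "ana@example.com", "sales": 75},
    {"group": "NA", "owner": "lars@example.com", "sales": 60},
]


def build_embed_token_request(report_id, dataset_id, username, role_codes, model_roles):
    """Build the GenerateToken body; fail closed on missing or unknown roles."""
    username = (username or "").strip()
    if not username:
        raise ValueError("effective identity requires a username")
    roles = sorted(set(role_codes))
    if not roles:
        raise ValueError("no role codes assigned; refusing to request a token")
    unknown = [r for r in roles if r not in model_roles]
    if unknown:
        raise ValueError(f"role codes not defined in the dataset: {unknown}")
    return {
        "datasets": [{"id": dataset_id}],
        "reports": [{"id": report_id}],
        "identities": [
            # username is what USERPRINCIPALNAME() returns inside the model.
            {"username": username, "roles": roles, "datasets": [dataset_id]}
        ],
    }


def visible_rows(rows, body):
    """Simulate RLS: a row is visible if any role in the identity allows it."""
    identity = body["identities"][0]
    return [
        row for row in rows
        if any(ROLE_FILTERS[r](row, identity["username"]) for r in identity["roles"])
    ]


if __name__ == "__main__":
    body = build_embed_token_request(
        "<report-id>", "<dataset-id>", "mobile.user@example.com",
        ["APAC", "EMEA"], ROLE_CODE_MODEL,
    )
    print(sorted(row["group"] for row in visible_rows(SAMPLE_ROWS, body)))
```

Roles are additive, so each extra Role Code widens what the user sees; a role name that does not exist in the dataset is rejected here rather than silently dropped.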


