✅Tutorials

Step-by-step guidance through DataCentral

Below are tutorials designed to simplify understanding of DataCentral, guiding you through the process of getting started with DataCentral and sharing information with diverse audiences.

Under each tutorial, you will find an overview of its content and the prerequisites necessary for completing it.

List of tutorials:

• Fundamentals with your Azure AD

• Sharing with External Azure AD users

• Configuring and using Power BI Service Principal

• Row-Level Security with Power BI Service Principal

Fundamentals with your Azure AD

Use Azure AD authentication to explore the basics of DataCentral. A free tenant is provided for testing, requiring no configurations or installations. The tenant will use the common endpoint for Power BI, with only internal AD sharing available. If you want to try external Azure AD sharing, see this tutorial.

Content of tutorial:

• Azure AD authentication

• Embedding report or app from your workspace

• Adding internal Azure AD users to Tenant

• Sharing report or app with internal Azure AD users

Pre-requirements

• Azure AD user account

• Power BI Pro license

• Admin member on Workspace in Power BI

Tutorial Step-by-Step

Authenticate to DataCentral

An email confirmation link from signing up to Free-Tutorial, will redirect you to your assigned DataCentral Tenant. The next step is to authenticate using your Azure AD credentials.

Authenticate with Azure AD

Home Page

Upon logging in, you will see the home page with the navigation bar on the left. The home page will display the report of your choice, pinned for your users in the Tenant.

Navigation bar:

• Home:

  • A pinned report of your choice for users in current Tenant.

  • Users will have the option to pin their favorite report to the home page.

• Administration:

  1. Users: Add new user to your Tenant

  2. Power BI Items: Add a report or app from your Power BI environment

  3. Languages: Changing the default language of your Tenant

Home page

Adding Power BI report or app to your Tenant

Under 'Administration -> Power BI Items' or by clicking on 'Go to reports' you can manage which Power BI Items are added to your Tenant. Within 'Power BI Items' menu you can click on 'Manage Workspaces' in the top right corner.

To see more about Workspace Management click here.

Power BI Items menu

The menu will display all the workspaces where you are an admin in Power BI Service. Choose a workspace from which you want to embed a report into your Tenant, and click 'Save'.

Workspaces available

Now, you can click '+ Add new item' and perform three operations:

1. Link Report: Embed report of your choice from workspace to Tenant

2. Link App: Embed app of your choice from workspace to Tenant

3. Upload Report: Upload .pbix file to your workspace from your Tenant

In this tutorial, we will 'Link report' Choose the workspace from which you want to embed the report and locate the report.

Operations to workspace

You can now enter additional information about the report. Once you have provided all the necessary details, click 'Save'.

Important: Before clicking 'Save', ensure that the report has the 'User' role. Users in your Tenant with the 'User' role will then be able to see the report.

Report additional information

The report from your workspace has now been embedded into your tenant. Repeat this process if you want to add more reports or apps.

Embedded report

Share report or app with internal Azure AD in Tenant

Easily share report or app that you have added to your Tenant with internal Azure AD colleagues. Depending on the roles you assign to your users, they can access different reports available within the Tenant.

Pre-requirements for internal AAD.

• Azure AD account

• Power BI Pro license (if workspace is not on a dedicated capacity)

• Azure AD is at least 'Viewer' member on Workspace(s) that report / app is embedded from

Go to 'Administration -> Users' to manage users added to your tenant. Begin by clicking on '+ Create new user' in the top right corner.

User Management

Enter the email address of the Azure AD user you intend to add, then navigate to 'Roles'.

Adding a Azure AD

Keep in mind that the roles you assign to your users determine which items they can access within the Tenant. In this case, assign the "User" role to the Azure AD user. Then click 'Save'.

Role assignment

An internal Azure AD authenticates to the Tenant and can view only the item(s) assigned the 'User' role.

Important: The internal Azure AD user will only be able to embed a report or app if they have at least 'Viewer' permissions within the workspace in Power BI from which the items are embedded or if they are part of a security group with equivalent permissions.

Report embedded for Azure AD

---

Sharing with External Azure AD users

Configure your Tenant with your organizational Azure Tenant ID. This will enable your users to authenticate against your Power BI environment and access reports in workspaces with the appropriate permissions.

Content of tutorial:

• Configure your DataCentral Tenant

• Embedding report or app from your workspace

• Adding external Azure AD user to Tenant

• Sharing report or app with external Azure AD user

Pre-requirements

• DataCentral Pro

• Azure Tenant ID

• Azure AD user account

• Admin member on Workspace in Power BI

• Power BI Pro license

Tutorial Step-by-Step

Authenticate to DataCentral

Go to your DataCentral Tenant and authenticate using your Azure AD credentials.

Authenticate with Azure AD

Configure your DataCentral Tenant to your organizational Azure Tenant ID

Under 'Administration -> Settings', navigate to 'Azure Configurations' where you can add your Azure Tenant ID, enabling users to authenticate to your Power BI environment. Click 'Save'.

Optionally, you can set 'Internal Domains' to distinguish internal AD from external AD within your tenant. You will need to manually add the external Azure AD as a guest in your Azure Portal so they are able to authenticate to your Azure Tenant ID. If you want to automate this process, implement the Graph Service Principal. Click here to learn more.

Azure Configurations

Share report with external Azure AD in Tenant

With the Azure Tenant ID configured, you can add and share reports or apps within your Tenant with external Azure AD. Depending on the roles assigned to your users, they can access different subsets of reports available within the Tenant.

Pre-requirements for external Azure AD.

• Azure AD account

• Power BI Pro license (if workspace is not on a dedicated capacity)

• Azure AD is at least 'Viewer' member on Workspace that report or app is embedded from

Go to 'Administration -> Users' to manage the users in your Tenant. Start by clicking on '+ Create new user' in the top right corner.

Adding a new user to Tenant

Enter the email address of the external Azure AD user you intend to add, then navigate to 'Roles'.

Azure AD user

Keep in mind that the roles you assign to your users determine which items they can access within the Tenant. In this case, assign the 'User' role to the Azure AD user. Then click 'Save'.

Role on Azure AD user

Now, you will see that the external Azure AD user has been added to the tenant. They will be able to authenticate to the Tenant and access the report or app.

Important: You will need to manually add the external Azure AD as a guest in your Azure Portal so they are able to authenticate to your Azure Tenant ID if a Graph Service Principal has not been configured.

Users of Tenant

The first time the external Azure AD user authenticates to your Tenant, they will be prompted with this window and will need to accept. This is the minimum privilege Microsoft Authenticator needs to verify the identity of the user signing in.

If an external Azure AD user is a global administrator in their organization, they will be able to 'Consent on behalf of your organization.' Consequently, users from their organization will have this consent pre-accepted and will not receive the prompt.

First time authentication prompt (normal user)

First time authentication prompt (global administrator)

Here, the external Azure AD user has authenticated to the Tenant and can see the respective reports or apps assigned to their Role.

Important: The external Azure AD user will only be able to embed a report or app if they have at least "Viewer" permissions within the workspace in Power BI from which the items are embedded or if they are part of a security group with equivalent permissions.

Report embedded for external Azure AD

---

Configuring and using Power BI Service Principal

This will allow your Azure AD users to embed reports without needing Power BI Pro license, and it will unlock new user types, such as User Pass and Mobile ID, that can embed through your Service Principal. Additionally, certain features are now available within your Tenant.

Content of tutorial:

• Configure your Power BI Service Principal

• Embedding report or app through the Service Principal

• Workspace on Dedicated Capacity

• Features with Service Principal

Pre-requirements

• DataCentral Pro

• Azure Tenant ID

• Azure AD user account

• Workspace on a Dedicated Capacity

Tutorial Step-by-Step

Create your Power BI Service Principal in Azure

Click here to go through the step-by-step guide to create your own Power BI Service Principal.

After creating your Power BI Service Principal, collect these values from the Azure Portal to complete this step-by-step tutorial.

• Directory (tenant) ID

• Application (client) ID

• Client Secret

Authenticate to DataCentral

Go to your DataCentral Tenant and authenticate using your Azure AD credentials.

Configure your Power BI Service Principal to your Tenant

Under 'Administration -> Settings', navigate to 'Azure Configurations' where you can add your Power BI Service Principal.

Optionally, you can select the 'Only use Service Principal to manage items and workspaces in tenant' checkbox to restrict embedding in your Power BI environment to only the Service Principal(s). In this case, your and other admin Azure AD accounts will not be able to embed reports or apps.

The ability and benefits of using multiple service principal can be highly valuable. You would then also complete the setup for Power BI Service Principals 2 and 3, and enable them.

Add a report or app through Power BI Service Principal

Now you are able to share reports or apps, and enable certain features on reports with the Power BI Service Principal. To see the full list of features that can be used click here.

Go to 'Administration -> Power BI Items' where you manage which Power BI Items are added to your Tenant. Within 'Power BI Items' menu you can click on 'Manage Workspaces' in the top right corner.

If you checked the box 'Only use Service Principal to manage items and workspaces in tenant' in Azure Configurations then you will only see workspaces your Service Principal has access to. If the box is unchecked the normal workspace management will occur through your Azure AD user.

Important: Your Service Principal must have, at a minimum, 'member' permissions in the workspace to which report or app exists.

Choose a report that you want to share with users who don't have a Power BI Pro license. Then click 'Save'.

Share report with Azure AD without Pro License or User Pass / Mobile ID

Go to 'Administration -> Users' to manage the users in your tenant. Start by clicking on '+ Create new user' in the top right corner.

Add three user types and make sure that they have correct role to see the report within Tenant:

• Azure AD

• User Pass

• Mobile ID

Azure AD user

User Pass

Mobile ID

After creating all three user types, allow them to authenticate to your DataCentral tenant and observe how they can view reports within their role scopes.

Users within Tenant

external Azure AD embedding through Service Principal

User Pass embedding hthrough Service Principal

Mobile ID embedding through Service Principal

---

Row-Level Security with Power BI Service Principal

Enforcing row-level security (RLS) in your data models can simplify data management by allowing one model to serve multiple purposes, eliminating the need for duplicating models and adding unnecessary complexity. Here are two methods for implementing row-level security using your Power BI Service Principal for your users.

1. Row-Level Security with Role Codes: Creating specific Role Codes, which are passed along with the Power BI Service Principal to the RLS Dataset.
2. Dynamic Row-Level Security with UserPrincipalName function: Creating a role in Power BI Desktop using the UserPrincipalName() function that plays a crucial role in dynamic row-level security.

Content of tutorial:

• Ensure efficient and secure sharing through Row-Level Security

• Using 'Role Codes' with Power BI Service Principal

• Using 'DynamicRLS' and UserPrincipalName() function.

Pre-requirements

• DataCentral Pro

• Azure Tenant ID

• Azure AD user account

• Power BI Service Principal

• Workspace on a Dedicated Capacity

---

Row-Level Security with Role Codes

Create data model and manage roles within Power BI Desktop

In Power BI Desktop, go to Manage Roles and create specific roles that filter particular table based on the selected role. In this example, five roles have been created: AdminRLS, APAC, EMEA, LATAM, and NA. These roles filter the data model to specific country groupings (AdminRLS has access to all country groupings).

Power BI Desktop 'Modeling -> Manage Roles'

After publishing the report to a workspace of your choice, your RLS dataset should include these defined roles.

RLS Dataset Security

Add the Row-Level Security report to Tenant

In your DataCentral Tenant go to 'Administration -> Power BI Items' and add the Row-Level Security Report to your Tenant.

Important: Your Service Principal must have, at a minimum, 'member' permissions in the workspace to which report exists.

RLS Report in Tenant

Add or create users and attach 'Role Codes'

Go to 'Administration -> Users' and add or edit the current user who will be using your Power BI Service Principal to embed the report. This can be an Azure AD account, a User Pass, or a Mobile ID.

It is important to have already created the roles under 'Administration -> Roles'. Click here to read more about Role Management.

The same process for using 'Role Codes' applies to all user types. In this example, Mobile ID is used.

The user should have specific roles assigned to them, which the Power BI Service Principal will use to ensure the security with the dataset and visibility of the report.

Role Codes for user

User authenticates to Tenant and embeds row-level security report

The chosen user authenticates to your DataCentral tenant, embeds the report, and only receives the data they are authorized to access. In this case, the data is limited to APAC and EMEA.

Role Codes within RLS Report

If we edit the user's roles and assign them the AdminRLS role, they will be able to see all country groupings as configured within the data model for that role.

Role Codes for user

The user can now refresh their browser, and they will receive all the data because they are in the 'AdminRLS' Role.

Role Codes within RLS Report

If you have for example +10 Role Codes and don't want to create all those roles in Power BI Desktop you would benefit using Smart RLS.

---

Dynamic Row-Level Security with UserPrincipalName function

Create data model and manage roles within Power BI Desktop

In Power BI Desktop, navigate to 'Manage Roles' and create a specific role that filters particular tables based on the user embedding the report. In this example, a dynamic role is created, and logic around the UserPrincipalName() function is used to filter the data.

Dynamic RLS role with DAX to filter data

After publishing the report to a workspace of your choice, your RLS dataset should include the defined role.

RLS Dataset Security

Add the Row-Level Security report to Tenant

In your DataCentral Tenant go to 'Administration -> Power BI Items' and add the RLS Report to your Tenant.

Important: Your Service Principal must have, at a minimum, 'member' permissions in the workspace to which report exists.

RLS Report in Tenant

Add or create users and attach the dynamic role

Go to 'Administration -> Users' and add or edit the current user who will be using your Power BI Service Principal to embed the report. This can be an Azure AD account, a User Pass, or a Mobile ID.

It is important to have already created the role that you defined in the Dataset under 'Administration -> Roles'. Click here to read more about Role Management.

The same process for using 'Dynamic RLS' applies to all user types. In this example, Mobile ID is used.

The user should have the role assigned to them, which the Power BI Service Principal will use to ensure the security with the dataset and visibility of the report.

Role Codes for user

User authenticates to Tenant and embeds row-level security report

The selected user authenticates to your DataCentral tenant, embeds the report, and only receives the data they are authorized to access based on the DAX definition within the DynamicRLS role.

Report using Dynamic RLS

If another Mobile ID user is given access to this report, they will receive a different set of data based on the DynamicRLS, which is determined by their UserPrincipalName() and DAX logic.

Report using Dynamic RLS