Azure Analysis Services integrates with Azure Active Directory (Azure AD) to allow users within an AAD tenant to log into a server. Customers have asked for the ability to allow users from other organizations to access their models in Azure Analysis Services such as when working with partners or vendors.
When a user connects to a server from a client application like Power BI or Excel, or a tool like SSMS or SSDT, Azure Analysis Services checks with the Azure AD tenant associated with the subscription that the server belongs to in order to verify the user has an identity in that tenant. If the user has an identity in the tenant, and that identity is included in a server or model database security role, the user is granted access. A server can only be associated with one Azure AD tenant, which means that all users of that server must be in that tenant.
We are excited to announce extended support for Azure Active Directory to include Azure AD B2B collaboration. Using B2B, you can invite users from outside your organization to be guest users in your tenant. These users can be from another Azure AD tenant or any valid email address, including Microsoft accounts. Once a guest user had been added to your tenant directory, you can add them to security groups or as members to a server or model database role.
To learn more about the different ways to invite guest users see “What is Azure AD B2B collaboration?”
Connecting as a guest to an Azure Analysis Services server
Guest users can connect to a server with the following tools or data providers:
- Power BI Desktop June 2017 release or later.
- SQL Server Management Studio 17.1 or higher.
- SQL Server Data Tools 17.1 or higher.
- Client libraries; AMO, MSOLAP, ADOMD 14.0.500.170 or higher.
- Office 365 Excel (coming soon)
When connecting with one of these tools you will be prompted with an Azure AD login screen and you would log in as normal. Some tools like SQL Server Management Studio and Microsoft Excel, allow you to directly type in a username and a password without using the Azure AD login screen. Note that for certain types of guest users like Microsoft accounts, this is not supported. To connect with SQL Server Management Studio with one of those types of accounts, you must change the authentication option to Active Directory Universal Authentication, enter a username and press connect. You will be prompted with the appropriate logon screen for that type of guest user. Active Directory Universal Authentication can be used with any type of user. For Excel, you can enter the username leaving the password blank and press next.