As discussed in my post about Sharing and Security in Power BI, a group workspace in Power BI is our best option currently for organizing content by subject area, and/or by security boundaries.
Members in a group workspace may be allowed to edit content, or restricted to view content (this applies to *all* members in the group rather than individually). This is easy enough to work around by setting members to view only, and allowing only administrators of the group to edit content. For groups, such as "Sales Staff" for instance, where there could be dozens or even hundreds of salespersons, this type of setup would allow all of the salespersons view only access with a very small number of people allowed to edit the content.
Dozens or hundreds of users in a group is what is prompting me to write this post. Manually managing the members within the Power BI workspace is just fine for groups with a very small number of members - for instance, your team of 8 people can be managed easily. However, there are concerns with managing members of a large group for the following reasons:
- Manual Maintenance. The additional administrative effort of managing a high number of users is a concern.
- Risk of Error. Let's say there is an Active Directory (A/D) group that already exists with all salespersons add to the group. System admins are quite accustomed to centrally managing user permissions via A/D groups. Errors and inconsistencies will undoubtedly result when changes in A/D are coordinated with other applications, but not replicated to the Power BI Group.Depending on how sensitive the data is, your auditors will also be unhappy.
To avoid the above two main concerns, I came up with an idea. It didn't work unfortunately, but I'm sharing what I learned with you anyway to save you some time.
The Idea For a Way to "Sync" Members from Active Directory to a Power BI Group
Essentially, the idea was that if synchronization (or federation) from on-premises Active Directory is already taking place to Azure & Office 365, that we could use the sync'd O365 group (security group, distribution group, or mail-enabled security group) as the only member of the O365 unified group that controls the Power BI workspace.
There are multiple types of groups in Office 365. The names shown in the screenshots below are just because I did some various experimentation with Security, Distribution, and Mail-Enabled Security Groups. In the screenshots below:
MCTesting_DistributionGroup: An O365 Distribution Group (the one to be sync'd from A/D)
MCTesting_AlignWithDistributionGroup: An O365 Unified Group (created in Power BI)
Unsuccessful Attempt 1: "Invitation Will Be Sent" Message
When I tried to add the O365 distribution group as a member directly in the Power BI group workspace, I got a message "Invitation will be sent" rather than the normal dropdown to set admin or member. I saw this message recently as well when I typed an individual person's e-mail address incorrectly. At this point, I believe the "Invitation Will Be Sent" message is really indicating it's an invalid e-mail address so I take it to mean the Power BI group doesn't actually recognize usage of the O365 distribution group. (A bit of a guess there on my part - either way, it didn't work.)
Unsuccessful Attempt 2: Using the O365 Interface
In order to get around the first issue, I tried instead use the Office 365 group interface:
The good news is the e-mail address for the group was accepted in this interface. However, my happiness didn't last long because what it does is take that group and expand it out to the individual members (Meagan agreed to be my guinea pig in the test group):
Just for grins, I decided to add one more member to the O365 group. Sure enough, it doesn't flow through to the O365 Unified Group for use in Power BI. I didn't expect it to, just wanted to double check.
Ideally we would want the Power BI Group (i.e., the Office 365 Unified Group) to be maintenance-free in terms of membership - once the original A/D group members are updated, we want them to flow through to Office 365 and thus Power BI.
Alternative Solution: PowerShell
You can use PowerShell to automate synchronization of members extracted from Active Directory into the respective Office 365 Unified Group for use in Power BI. There are some ExchangeOnline cmdlets that could be utilized for this purpose. Specifically, the "Add-UnifiedGroupLinks" cmdlet adds one or more members to a unified group. Don't forget to also delete members that no longer exist in Active Directory. Also, you may want to only manage your read-only members in the O365 Unified Group & let the group admins be manually set in the group (presuming that most users are read-only & that there's only a handful of admins who can edit content).
The purpose of this post is to share what I've observed so far with respect to easing the effort of maintaining a large number of users in Power BI groups. At some point I'm certain our options will evolve, so be sure to validate in your environment.