Tenant Admin

Lay the groundwork for your Reporting Hub tenants

Tenant Overview

A tenant is a segregated Reporting Hub application instance, containing the content of your choosing, displayed according to your preferences, and accessible only to the Azure Active Directory users and/or groups you've specified.

As an Application Administrator, you'll be able to create tenants that can be accessed by your organization, groups and users.

Important: The number of tenants you can create depends on your Reporting Hub subscription level. If you've chosen the "Essentials" package, for example, you'll be limited to a single tenant. For more information, see Managing Multiple Tenants.

Within your global Reporting Hub tenant, you can create sub-tenants, allowing you to customize the Reporting Hub display for individual users and/or groups within your Azure Active Directory–ideal if, say, you want to create a unique Reporting Hub environments for multiple clients. For more information, see Why Use Multiple Tenants?.

A tenant can be customized in terms of theme, content, and accessibility. For a detailed run-down of tenant customization options, see Global vs. Sub-Tenants.

Tenant Configuration Options

Global Tenant Configuration

Your organization's main Reporting Hub environment is referred to as your global tenant.

To configure your global tenant:

  1. Select App Settings from the Admin Settings drop-down.

  2. Select Tenant Admin tab.

  3. From the list of tenants, find the global tenant (denoted with a label).

  4. Select the ellipsis next to your global tenant and choose Edit.

  5. You can make changes to any of the following fields:

    • Tenant Name: Enter the name of your organization as you want it to appear in your environment.

    • Language: Select a preferred language for your tenant. (To learn how to add languages, see Language Admin.)

    • Authentication Scheme: Select a preferred Authentication Scheme for your tenant. (To learn more about Authentication Schemes, see Authentication Admin.)

    • Parent Group: Select the Active Directory Parent group that can access your tenant.

    • Security Group Inheritance:

      • By selecting Inherited, Child security groups will be granted access to reports assigned to a Parent Group. Any content to which your Parent Group has been granted access will automatically be accessible to any user within your Parent Group.

      • By selecting Non Inherited, groups/users can only access content to which they've been specifically granted access, regardless of their inclusion within a Parent Group.

    • Google Analytics Code: If you want to collect data from your tenant using Google Analytics, enter your Google Analytics Code here. (For more information on Google Analytics, and how it integrates with the Information Hub, see Setting Up Usage Tracking/Google Analytics.)

    • Administrator Group: Select which Active Directory groups/users will be given Administrator privileges for your tenant.

    • Power BI Embedded Capacity: Select the Power BI Embedded capacity you wish to connect to your tenant. If your organization has multiple Embedded capacities, choose the one that's relevant. (For more information on Embedded capacities, see Embedded Capacity Admin.)

    • Power BI Workspaces: Select the Power BI Workspaces to which your tenant will be granted access.

    • Is Active (sub-tenants only): by default a tenant is 'Active'. You can deactivate a sub-tenant by unselected this checkbox. Deactivating a tenant will not delete it, it will only make it inaccessible by users.

    • Enable Embed Links: Click to enable this option if you want to make embed URL codes available. See Create Embed URL Links for more info.

    • Enable Service Principal Profiles: Enable this option if you want to automatically create a service principal profile for each new tenant that you create. Learn more about Service principal profiles for multitenancy apps in PBI Embedded.

    • Create Groups/Roles for New Tenants: When this option is enabled, groups/roles will be automatically created when you create a new tenant. If this option is disabled, you will have to manually assign groups for your tenant.

    • Click Save Changes.

Assigning Application Administrator Group(s)

The Administrator Group you select for your tenant will be granted Application Administrator privileges for that tenant. Application Administrators have full control over your tenant's appearance, content, navigation, and accessibility.

Note: In your Manage Group settings, you can also assign access at the Content Administrator and Report User levels. A Content Administrator can only control content and navigation settings, while a Report User can only view content. For more information on managing roles within Security Groups, see Managing Groups > Setting Admin Permissions.

Managing Multiple Tenants

The amount of tenants you can create, and the features to which they'll have access, depend on your Reporting Hub subscription level.

  • Essentials tier: 1 application tenant

  • Business tier: 3 application tenants, each tenant shares the same language settings and authentication scheme

  • Enterprise and Commercial tiers: unlimited tenants, each tenant can have its own language settings and authentication scheme

Global vs. Sub-Tenants

Your global tenant is your organization's main tenant. As an Application Administrator, you'll use your global tenant to access Admin Settings and create/modify sub-tenants.

Creating sub-tenants allows you to provide users their own segregated and customizable Reporting Hub instance, while maintaining control over content and accessibility settings. Some key differences and similarities between global and sub-tenants:

Important: The overview below applies to the Enterprise and Commercial pricing tiers.

At the Essentials pricing tier, a global tenant cannot create sub-tenants.

At the Business pricing tier, a global tenant can create up to two additional sub-tenants, but cannot edit their language settings or assign distinct authentication schemes.

Why Use Multiple Tenants?

If your organization operates in multiple geographies or has multiple departments or clients, creating and assigning them a distinct tenant allows you to customize their Reporting Hub display in a way that makes sense to them, while making sure they only have access to the content that's relevant to their needs.

Some advantages of multiple tenants include:

  • Providing a different look and feel, with distinct content and layout

  • Co-branding for various clients, business sub-divisions/subsidiaries

  • Distinct language settings and authentication scheme, provided you have an Enterprise or Commercial-tier subscription.

  • Creating segregation between application environments

Creating a New Tenant

To create a new sub-tenant:

  1. Select App Settings from the Admin Settings drop-down.

  2. Select the Tenant Admin tab.

  3. Click the Add New Tenant button.

  4. Enter the following fields:

    • Tenant Name

    • Language

    • Authentication Scheme

    • Google Analytics Code: If you want to collect data from your tenant using Google Analytics, enter your Google Analytics Code here. (For more information on Google Analytics, and how it integrates with the Information Hub, see App Usage Tracking.)

    • Tenant Domain Name (URL): In the Enterprise tier, you'll see the DNS assigned to your sub-tenant. This must be a unique URL; it cannot be the same URL used by another tenant or your global tenant. A default domain name is set based on the tenant name specified in the first field. This option is only available with a Commercial license. NOTE: the tenant domain name should be unique - it cannot be the same as the Parent tenant or other sub-tenant domain names. You should also edit the Tenant Domain Name before updating the Azure app service. If you add the domain(s) to the Azure App Service first, the app may interpret this as a DNS change to your global tenant.

    • Service Principal Profile ID: If Service Principal Profile was enabled on the global tenant, after saving a new sub-tenant, you'll see a greyed out text box with an ID. This is the Service Principal Profile ID that is assigned to this sub-tenant. It is read-only.

    • Power BI Embedded Capacity: Select the appropriate Embedded capacity for your tenant. (For more information on Embedded capacities, see Embedded Capacity Admin.)

    • Power BI Workspaces: From the drop-down, select the Power BI Workspaces to which your tenant will have access. (For more information on configuring Power BI workspaces, see Configure Power BI Workspaces.)

    • Date Expires: Your tenant’s access will terminate on the date selected. (This can come in handy if you want to give potential customers a free trial for a limited period.)

    • Product To Bill: With a Commercial-tier subscription, you can bill your customers directly through the Reporting Hub using Stripe. Note this field is only present in commercial subscriptions.

    • Per User Billing: Enable this if you'd like to bill this tenant for each user they have.

    • Create Tenant Specific Workspace: Enable this if you'd like to automatically create a new Power BI Workspace for this tenant. The new Workspace will be named the same as the new tenant name.

  5. Click Save Changes.

Product to Bill

If you have Tenant Products set up, you must assign a Product to Bill when creating/editing tenants. If you don't want to bill one of your tenants, then create a free product in Stripe and choose that for the tenant.

Group Creation

If the 'Create Groups/Roles for New Tenants' option is enabled in the global tenant, once you have saved changes, the Reporting Hub will automatically create four new groups within your Azure Active Directory, which will appear as follows:

  • New Tenant Name Parent Group for Reportinghub

  • New Tenant Name Admin Group for Reportinghub

  • New Tenant Name Content Admin Group for Reportinghub

  • New Tenant Name Report Users Group for Reportinghub

These groups will be empty until you assign groups/users to them within Active Directory. To learn how accessibility is controlled via groups, see Managing Groups.

Good to Know: Access to your tenant can be divided into however many groups you'd like; you're by no means limited to the four groups created here. Any group/user within your Active Directory can be assigned to a tenant.

Azure AD Relationship to Tenants

As an Application Administrator, you decide which Azure Active Directory (AAD) groups/users will be granted access to your tenant, as well as the level of access they'll be permitted. To learn more, see Managing Groups.

If you choose to create sub-tenants, your sub-tenant Application Administrator(s) will be able to decide which AAD groups/users will have access to your sub-tenant, and at what level. However, the sub-tenant admin(s) will only have access to AAD groups/users within the Parent Group assigned to the sub-tenant.

Last updated