Tenant Admin
Lay the groundwork for your Reporting Hub tenants
A tenant is a segregated Reporting Hub application instance, containing the content of your choosing, displayed according to your preferences, and accessible only to the Entra ID users and/or groups you've specified.
As an Application Administrator, you'll be able to create tenants that can be accessed by your organization, groups and users.
Important: The number of tenants you can create depends on your Reporting Hub subscription level. If you've chosen the "Essentials" package, for example, you'll be limited to a single tenant. For more information, see Managing Multiple Tenants.
Within your global Reporting Hub tenant, you can create sub-tenants, allowing you to customize the Reporting Hub display for individual users and/or groups within your Entra ID. This is ideal if, say, you want to create unique Reporting Hub environments for multiple clients. For more information, see Why Use Multiple Tenants?.
A tenant can be customized in terms of theme, content, and accessibility. For a detailed run-down of tenant customization options, see Global vs. Sub-Tenants.
Your organization's main Reporting Hub environment is referred to as your global tenant.
To configure your global tenant:
Select App Settings from the Admin Settings drop-down.
Select the Tenant Admin tab.
From the list of tenants, find the global tenant (denoted with a label).
Select the ellipsis next to your global tenant and choose Edit.
You can make changes to any of the following fields:
Tenant Name: Enter the name of your organization as you want it to appear in your environment.
Language: Select a preferred language for your tenant. (To learn how to add languages, see Language Admin.)
Authentication Scheme: Select a preferred Authentication Scheme for your tenant. (To learn more about Authentication Schemes, see Authentication Admin.)
Parent Group: Select the Parent security group that can access your tenant.
Security Group Inheritance:
By selecting Inherited, Child security groups will be granted access to reports assigned to a Parent Group. Any content to which your Parent Group has been granted access will automatically be accessible to any user within your Parent Group.
By selecting Non Inherited, groups/users can only access content to which they've been specifically granted access, regardless of their inclusion within a Parent Group.
Google Analytics Code: If you want to collect data from your tenant using Google Analytics, enter your Google Analytics Code here. (For more information on Google Analytics, and how it integrates with the Information Hub, see Setting Up Usage Tracking/Google Analytics.)
Application Owner: This field defaults to the user who completed the installation of the Reporting Hub web application. The application owner is the only user who can edit this field or add additional application owners. An application owner is mandatory and must be assigned to your global tenant. Only individual users can be assigned as application owners. Security groups cannot be assigned as application owners.
Administrator Group: Select which group will be given Administrator privileges for your tenant.
Power BI Embedded Capacity: Select the Power BI Embedded capacity you wish to connect to your tenant. If your organization has multiple Embedded capacities, choose the one that's relevant. (For more information on Embedded capacities, see Embedded Capacity Admin.)
Power BI Workspaces: Select the Power BI Workspaces to which your tenant will be granted access.
Is Active (sub-tenants only): By default, a tenant is 'Active'. You can deactivate a sub-tenant by unselecting this checkbox. Deactivating a tenant will not delete it; it will only make it inaccessible to users.
Enable Embed Links: Click to enable this option if you want to make embed URL codes available. See Create Embed URL Links for more info.
Enable Service Principal Profiles: Enable this option if you want to automatically create a service principal profile for each new tenant that you create. Learn more about Service principal profiles for multitenancy apps in PBI Embedded.
Create Groups/Roles for New Tenants: When this option is enabled, groups/roles will be automatically created when you create a new tenant. If this option is disabled, you will have to manually assign groups for your tenant.
Click Save Changes.
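The difference between the two Security Group Inheritance modes, as an added example (a simplified model, not Reporting Hub code). The group names, users, reports and the way nested membership is resolved are assumptions made for illustration.

```python
# Simplified model of Inherited vs Non Inherited access (added illustration).
# All names below are constructed sample data, not values from the product.

# child group -> the group it is nested in
PARENT_OF = {
    "Finance Team": "Example Parent Group",
    "Sales Team": "Example Parent Group",
}
# user -> groups the user is a direct member of
MEMBER_OF = {
    "ana": {"Finance Team"},
    "bo": {"Sales Team"},
}
# report -> principals (groups or users) explicitly granted access
GRANTS = {
    "Revenue": {"Example Parent Group"},
    "Payroll": {"Finance Team"},
    "Pipeline": {"bo"},
}

def principals(user, inherited):
    """Principals whose grants apply to `user` under the chosen mode."""
    found = {user} | MEMBER_OF.get(user, set())
    if inherited:
        # Assumption: Inherited walks up the nesting, so a grant on the
        # Parent Group reaches members of its child groups.
        todo = list(found)
        while todo:
            parent = PARENT_OF.get(todo.pop())
            if parent and parent not in found:
                found.add(parent)
                todo.append(parent)
    # Assumption: Non Inherited honours only grants that name the user
    # or a group the user belongs to directly.
    return found

def can_view(user, report, inherited):
    """True if any grant on `report` names a principal that applies to `user`."""
    return bool(GRANTS.get(report, set()) & principals(user, inherited))

def access_lost():
    """(user, report) pairs that stop working after Inherited -> Non Inherited."""
    return sorted(
        (user, report)
        for user in MEMBER_OF
        for report in GRANTS
        if can_view(user, report, True) and not can_view(user, report, False)
    )
```

Running `access_lost()` against an export of your own groups and grants before changing the setting shows which users depend on Parent Group grants and would need explicit ones.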
The Administrator Group you select for your tenant will be granted Application Administrator privileges for that tenant. Application Administrators have full control over your tenant's appearance, content, navigation, and accessibility.
Note: In your Manage Group settings, you can also assign access at the Content Administrator and Report User levels. A Content Administrator can only control content and navigation settings, while a Report User can only view content. For more information on managing roles within Security Groups, see Managing Groups > Setting Admin Permissions.
The number of tenants you can create, and the features to which they'll have access, depend on your Reporting Hub subscription level.
Essentials tier: 1 application tenant
Business tier: 3 application tenants, each tenant shares the same language settings and authentication scheme
Enterprise and Commercial tiers: unlimited tenants, each tenant can have its own language settings and authentication scheme
To learn how to set languages and authentication schemes, see Language Admin and Authentication Admin.
Your global tenant is your organization's main tenant. As an Application Administrator, you'll use your global tenant to access Admin Settings and create/modify sub-tenants.
Creating sub-tenants allows you to provide users their own segregated and customizable Reporting Hub instance, while maintaining control over content and accessibility settings. Some key differences and similarities between global and sub-tenants:
Important: The overview below applies to the Enterprise and Commercial pricing tiers.
At the Essentials pricing tier, a global tenant cannot create sub-tenants.
At the Business pricing tier, a global tenant can create up to two additional sub-tenants, but cannot edit their language settings or assign distinct authentication schemes.
Global Tenant Admin Functions | Sub-Tenant Admin Functions |
---|---|
Customizable theme, content, and navigation | Customizable theme, content and navigation |
Customizable languages across all tenants | Language set by global tenant |
Has access to all Power BI Workspaces within an Embedded Capacity | Can only access Power BI Workspaces to which the tenant has been assigned by the global tenant |
Has access to all users and groups within its authentication scheme (usually Entra ID) | Can only access users and groups to which it's been assigned by the global tenant |
Can create/modify sub-tenants, grant groups/users access to sub-tenants, assign PBI Workspaces to which they'll have access | Cannot create sub-tenants |
If your organization operates in multiple geographies or has multiple departments or clients, creating and assigning them a distinct tenant allows you to customize their Reporting Hub display in a way that makes sense to them, while making sure they only have access to the content that's relevant to their needs.
Some advantages of multiple tenants include:
Providing a different look and feel, with distinct content and layout
Co-branding for various clients, business sub-divisions/subsidiaries
Distinct language settings and authentication scheme, provided you have an Enterprise or Commercial-tier subscription.
Creating segregation between application environments
To create a new sub-tenant:
Select App Settings from the Admin Settings drop-down.
Select the Tenant Admin tab.
Click the Add New Tenant button.
Enter the following fields:
Tenant Name
Language
Authentication Scheme
Google Analytics Code: If you want to collect data from your tenant using Google Analytics, enter your Google Analytics Code here. (For more information on Google Analytics, and how it integrates with the Information Hub, see App Usage Tracking.)
Tenant Domain Name (URL): A default domain name is set based on the tenant name specified in the first field, but you can specify a custom domain name here. For more information, see Custom Tenant Domain.
Service Principal Profile ID: If Service Principal Profile was enabled on the global tenant, after saving a new sub-tenant, you'll see a greyed out text box with an ID. This is the Service Principal Profile ID that is assigned to this sub-tenant. It is read-only.
Power BI Embedded Capacity: Select the appropriate Embedded capacity for your tenant. (For more information on Embedded capacities, see Embedded Capacity Admin.)
Power BI Workspaces: From the drop-down, select the Power BI Workspaces to which your tenant will have access. (For more information on configuring Power BI workspaces, see Configure Power BI Workspaces.)
Date Expires: Your tenant’s access will terminate on the date selected. (This can come in handy if you want to give potential customers a free trial for a limited period.)
Product To Bill: With a Commercial-tier subscription, you can bill your customers directly through the Reporting Hub using Stripe. Note this field is only present in commercial subscriptions.
Per User Billing: Enable this if you'd like to bill this tenant for each user they have.
Create Tenant Specific Workspace: Enable this if you'd like to automatically create a new Power BI Workspace for this tenant. The new Workspace will be named the same as the new tenant name.
Click Save Changes.
If you have Tenant Products set up, you must assign a Product to Bill when creating/editing tenants. If you don't want to bill one of your tenants, then create a free product in Stripe and choose that for the tenant.
If the 'Create Groups/Roles for New Tenants' option is enabled in the global tenant, the Reporting Hub will automatically create four new groups within your Entra ID (or other authentication platform) upon creation of a new tenant. The groups will appear as follows:
New Tenant Name Parent Group for Reportinghub
New Tenant Name Admin Group for Reportinghub
New Tenant Name Content Admin Group for Reportinghub
New Tenant Name Report Users Group for Reportinghub
These groups will be empty until you assign groups/users to them within Entra ID. To learn how accessibility is controlled via groups, see Managing Groups.
Good to Know: Access to your tenant can be divided into however many groups you'd like; you're by no means limited to the four groups created here. Any group/user within your Entra ID can be assigned to a tenant.
Navigation options can be enabled or disabled for each tenant. Enabling an option does not enable it for all users for all reports: it allows content administrators to grant a given permission to report users. The options are as follows:
Allow editing of the report
To enable navigation options, select the Navigation Options tab in the create/edit tenant menu and toggle on the desired permissions.
As an Application Administrator, you decide which Microsoft Entra ID groups/users will be granted access to your tenant, as well as the level of access they'll be permitted. To learn more, see Managing Groups.
If you choose to create sub-tenants, your sub-tenant Application Administrator(s) will be able to decide which groups/users will have access to your sub-tenant, and at what level. However, the sub-tenant admin(s) will only have access to groups/users within the Parent Group assigned to the sub-tenant.
So you have everything set up for one tenant and want to copy all the categories, sub-categories and menu items from one tenant to another. This is a valuable feature for anyone who adds a new customer and offers the same navigation experience to a different set of users. Cloning a tenant will clone all the navigation items and reports. All the reports and items will be visible in the manage content section, where you can assign user permissions and groups to each of them. It also clones all the branding, theme & layout, colors and font settings.
To clone a tenant:
Select App Settings from the Admin Settings drop-down.
Select the Tenant Admin tab.
Select the ellipsis next to the tenant you want to clone and select Clone.
Select the Parent group and Admin group from the dropdown based on the Authentication scheme you select.
Click Save Changes.
A default domain name is set based on the tenant name specified in the first field, but you can specify a custom domain name in the Edit Tenant form. This must be a unique URL; it cannot be the same URL used by another tenant or your global tenant.
This feature is available with a Commercial license.
To set a custom domain for one of your tenants:
In your Reporting Hub, edit the Tenant Domain Name and save.
In your Azure portal, add a custom domain name to your Azure App Service. See the Azure tutorial for detailed instructions.
Update your domain name provider with the CNAME provided by Azure. This step is explained in detail in the Azure tutorial linked above.
Validate the domain ownership and complete the mapping.
Ensure you follow the order of the steps above. If you add the domain(s) to the Azure App Service first, the app may interpret this as a DNS change to your global tenant.