Managing Groups

Understand how the Reporting Hub utilizes groups/roles to manage levels of access

Groups Overview

As a Global Platform Administrator for your Reporting Hub, you decide which tenants can be accessed by your respective users, as well as the level of access they’ll be granted. User access is organized into groups according to the authentication scheme you’ve set up.

If you’re using Microsoft Entra ID (formerly known as Azure Active Directory), the Entra ID users/groups you've specified for your tenant will automatically appear in your Manage Groups settings. (To learn how to assign Entra ID groups/users to a tenant, see Tenant Admin.)

If you're using Microsoft Entra ID, the type of groups that will be synced are security groups, not Microsoft 365 groups.

Good to Know: While Microsoft Entra ID is the default scheme, other forms of user management can also be synced with the Reporting Hub.

See Authentication Admin for more information.

Groups' Relationship to Authentication Scheme

Reporting Hub uses security groups to simplify access management to reports. Security groups belong to the authentication scheme. As such, if you switch from one authentication scheme to another, any groups that were previously assigned to reports will be removed. You will need to go to Manage Groups and synchronize again. All permissions will need to be configured again for each report.

Syncing Groups

When you first deploy Reporting Hub, part of the setup process involves syncing groups from Entra ID. You may need to sync groups again in the following situations:

  • New groups have been created in the authentication provider.

  • The authentication scheme for a tenant has been changed.

  • The Sync All Groups setting has been updated on the Global Tenant.

Sync All Groups setting

Security groups are commonly used by organizations to manage user permissions and access within their directory. However, many of these groups may not be relevant to your Reporting Hub environment. To avoid syncing unnecessary groups, you can use the Sync All Groups setting.

This setting is enabled by default and can be configured from the Global Tenant Settings page. To limit the groups being synced:

  1. Assign a Parent Group in the Global Tenant settings.

  2. Disable the Sync All Groups toggle.

  3. Navigate to Manage Groups and select Sync Groups.

Once configured, only the groups that are members of the designated Parent Group will be displayed in Reporting Hub.

Note: Disabling Sync All Groups only applies to Entra ID, as many other identity providers do not support group nesting. For those providers, refer to the Sync Groups Manually section to control which groups are accessed by the application.

Enable for Content Permissions

If you have groups listed in your application that you do not want to assign to content in the Manage Content page, you can disable their assignment permissions from the Manage Groups table. By default, all groups are enabled for content assignment. However, if you want to prevent a specific group—such as a parent group—from being assigned to content, simply disable it under Content Permissions.

Manage Groups page in Admin Settings

User Impersonation

User impersonation allows you to preview the Reporting Hub from the perspective of a particular user by entering their email in the Impersonate User field on the Manage Groups page.

Enter User Email Address input and Start Impersonation button

The User impersonation feature will only appear if you're an application admin and your global tenant uses Entra ID-based Authentication (Microsoft SSO or Reporting Hub). It will only work for Entra ID-based users. If you are impersonating a user who only has access to a subtenant, it will display the subtenant site.

When impersonating a user, a banner will appear at the top of the window with the name of the impersonated user.

User impersonation banner

Creating Groups/Roles for New Tenants

There is an option in the global tenant settings to automatically create groups/roles for new tenants. See global tenant configuration to learn how to change this setting.

To learn how to add a new tenant, see Tenant Admin.

Automatic Group Creation

If the 'create groups/roles for new tenants' option is enabled on the global tenant, the Reporting Hub will automatically create four new groups within Entra ID when you add a new tenant. The groups will appear as follows:

  • New Tenant Name Parent Group for Reportinghub

  • New Tenant Name Admin Group for Reportinghub

  • New Tenant Name Content Admin Group for Reportinghub

  • New Tenant Name Report Users Group for Reportinghub

These groups will be empty until you assign them users within Entra ID. Within Entra ID, you can create as many new groups for your tenant as you'd like. The initial groups created can also provide a guideline for how you can structure user access. If new groups are added to your Entra ID (or other identity management scheme), go into your Manage Groups settings, select Sync Groups, and the new groups you've added will appear.

For more information on managing Microsoft Entra ID groups, see the Microsoft Entra ID groups tutorial:

LogoHow to manage groups - Microsoft EntraMicrosoftLearn

Manual Group Assignment

If the 'create groups/roles for new tenants' option is not enabled on the global tenant, you will have to assign pre-existing groups as a parent group when creating a new tenant.

Editing an Existing Tenant's Groups

If you’d prefer to assign pre-existing groups to your new tenant, reselect your tenant after saving changes and make the relevant adjustments from the Edit pop-up.

Syncing Groups Manually

When you click Sync Groups, it will Sync all groups from your authentication framework. If you do not want all groups visible in the Reporting Hub, there is a manual way to add specific user groups.

Steps for Entra ID

  1. Get your organization ID (the default org ID for your global tenant is 1). To get the organization ID for subtenants, check the Organizations table in your Reporting Hub database.

  2. Get security group IDs and names.

    1. In your Azure Portal, navigate to Entra ID.

    2. Select Groups from the left side menu.

    3. The value under the Name header will be the Group Name in the SQL template. The value under the Object Id heading will be the Azure Group Id.

    Finding the Object ID and Name from Entra ID

  3. Update your database.

    1. Substitute your values into the SQL Template below to create your script.

    2. Run your script in your Reporting Hub database.

SQL Template

Template Variables

Organisation Id: The ID for your tenant. Your global tenant has OrganisationId = 1 by default. Data type is integer.

Azure Group Id: This is the Group Object Id as it appears in Entra ID. Data type is string.

Group Name: This is the Group Name as it appears in Entra ID. Data type is string.

Description: This can be whatever description you want for the group. Data type is string.

Is User: 0 for an Azure Group; 1 if adding individual users. Data type is bit (0 or 1).

Example SQL Script
INSERT INTO [dbo].[UserGroups] 
    ([OrganisationId], [GroupAzId], [GroupName], [Description], [IsUser])
VALUES
    (1, '12345678-abcd-1234-abcd-123456789012', 'ReportingHubAdmin', 'Administrators for ReportingHub application', 0),
    (1, '12345678-abcd-1234-abcd-1234567890ab', 'ReportingHubCustomerA', 'Report Users Group for ReportingHub', 0)
PreviousManaging User AccessNextManaging Users in Entra ID

Last updated