Managing Groups

Understand how the Reporting Hub utilizes groups/roles to manage levels of access

Groups Overview

As a global administrator for your Reporting Hub, you decide which tenants can be accessed by your respective users, as well as the level of access they’ll be granted. User access is organized into groups according to the authentication scheme you’ve set up.

If you’re using Microsoft Entra ID (formerly known as Azure Active Directory), the Entra ID users/groups you've specified for your tenant will automatically appear in your Manage Groups settings. (To learn how to assign Entra ID groups/users to a tenant, see Tenant Admin.)

If you're using Microsoft Entra ID, the type of groups that will be synced are security groups, not Microsoft 365 groups.

Good to Know: While Microsoft Entra ID is the default scheme, other forms of user management can also be synced with the Reporting Hub.

See Authentication Admin for more information.

Groups' Relationship to Authentication Scheme

The Reporting Hub uses security groups to simplify access management to reports. Security groups belong to the authentication scheme. As such, if you switch from one authentication scheme to another, any groups that were previously assigned to reports will be removed. You will need to go to Manage Groups and synchronize again. All permissions will need to be configured again for each report.

App Roles

Each App Role corresponds to a specific set of permissions within a tenant:

  • User: A User can only view content.

  • Content Administrator: A Content Administrator has full access to Navigation Settings. They can create and edit Categories, as well as any Power BI content to which their tenant has been granted access. (To learn how to assign tenants access to Power BI workspaces, see Tenant Admin.)

  • Application Administrator: An Application Administrator has full admin privileges within the Reporting Hub tenant. This role does not give a user administrator privileges to Azure or Power BI.

Assigning App Roles to Groups and Users

Group/user access is divided into three levels, and controlled via your Manage Groups settings. To assign permission levels for your groups/users:

  1. Select your profile picture to access the Admin Settings menu.

  2. Select Manage Groups.

  3. Select Sync Groups to ensure you're seeing the most up-to-date list of groups/users.

  4. Find the group/user whose permission level you want to assign, then select an App Role from the dropdown list.

    Enter user/group names using the search bar if you don't want to scroll through the entire directory.

You must Sync Groups to refresh your Entra ID security groups. Changes made to your Entra ID won't be reflected in the Reporting Hub until you have synced.

User Impersonation

User impersonation allows you to preview the Reporting Hub from the perspective of a particular user by entering their email in the Impersonate User field on the Manage Groups page.

The User impersonation feature will only appear if you're an application admin and your global tenant uses Entra ID-based Authentication (Microsoft SSO or Reporting Hub). It will only work for Entra ID-based users. If you are impersonating a user who only has access to a subtenant, it will display the subtenant site.

When impersonating a user, a banner will appear at the top of the window with the name of the impersonated user.

Creating Groups/Roles for New Tenants

There is an option in the global tenant settings to automatically create groups/roles for new tenants. See global tenant configuration to learn how to change this setting.

To learn how to add a new tenant, see Tenant Admin.

Automatic Group Creation

If the 'create groups/roles for new tenants' option is enabled on the global tenant, the Reporting Hub will automatically create four new groups within Entra ID when you add a new tenant. The groups will appear as follows:

  • New Tenant Name Parent Group for Reportinghub

  • New Tenant Name Admin Group for Reportinghub

  • New Tenant Name Content Admin Group for Reportinghub

  • New Tenant Name Report Users Group for Reportinghub

These groups will be empty until you assign them users within Entra ID. Within Entra ID, you can create as many new groups for your tenant as you'd like. The initial groups created can also provide a guideline for how you can structure user access. If new groups are added to your Entra ID (or other identity management scheme), go into your Manage Groups settings, select Sync Groups, and the new groups you've added will appear.

For more information on managing Microsoft Entra ID groups, see the Microsoft Entra ID groups tutorial:

Manual Group Assignment

If the 'create groups/roles for new tenants' option is not enabled on the global tenant, you will have to assign pre-existing groups to your tenant as a parent group and an administrator group.

Editing an Existing Tenant's Groups

If you’d prefer to assign pre-existing groups to your new tenant, reselect your tenant after saving changes and make the relevant adjustments from the Edit pop-up.

Syncing Groups Manually

When you click Sync Groups, it will Sync all groups from your authentication framework. If you do not want all groups visible in the Reporting Hub, there is a manual way to add specific user groups.

Steps for Entra ID

  1. Get your organization ID (the default org ID for your global tenant is 1). To get the organization ID for subtenants, check the Organizations table in your Reporting Hub database.

  2. Get security group IDs and names.

    1. In your Azure Portal, navigate to Entra ID.

    2. Select Groups from the left side menu.

    3. The value under the Name header will be the Group Name in the SQL template. The value under the Object Id heading will be the Azure Group Id.

  3. Update your database.

    1. Substitute your values into the SQL Template below to create your script.

    2. Run your script in your Reporting Hub database.

SQL Template

Template Variables

Organisation Id: The ID for your tenant. Your global tenant has OrganisationId = 1 by default. Data type is integer.

Azure Group Id: This is the Group Object Id as it appears in Entra ID. Data type is string.

Group Name: This is the Group Name as it appears in Entra ID. Data type is string.

Description: This can be whatever description you want for the group. Data type is string.

Is User: 0 for an Azure Group; 1 if adding individual users. Data type is bit (0 or 1).

Example SQL Script
INSERT INTO [dbo].[UserGroups] 
    ([OrganisationId], [GroupAzId], [GroupName], [Description], [IsUser])
VALUES
    (1, '12345678-abcd-1234-abcd-123456789012', 'ReportingHubAdmin', 'Administrators for ReportingHub application', 0),
    (1, '12345678-abcd-1234-abcd-1234567890ab', 'ReportingHubCustomerA', 'Report Users Group for ReportingHub', 0)

Last updated