Did you know that Microsoft actually allows you to bring your license to other tenants? That means you can bring the licenses you have in your main tenant over to tenants where you are set up as a guest user, and you don’t have to pay for licenses twice! You can easily set up “Bring Your Own License” in Entra, giving you complete control and a seamless user experience for the end users. In this blog post we will have a look at how to use a Power BI Pro license across tenants. We have only tested with what is part of the Microsoft 365 suite, but according to Microsoft, there are many more licenses where this feature can be utilized. (Link)
The issue
So imagine this: you have built a really cool Power BI report that you want to share with users that aren’t in your tenant. You don’t (and shouldn’t) want to use the build-in “Publish to web” function in Power BI service, and you don’t have a Fabric or Power BI embedded license. You also know that the external user you want to share your report with have a Power BI Pro license assigned to their user account in their own tenant.
If you simply invite a guest user to view your awesome report, you may experience that they are prompted to start a 60 day trial before they can view your report (or, if the 60 days trial function is blocked in the tenant, they can’t see anything). This is because the guest account is set up with a free Power BI license. We can see below that our test user, Nestor Wilke, does not have a Power BI Pro license.
First, a quick check of the definitions used:
- A resource tenant in this example is where the Power BI report (which requires a Power BI pro license) is located and shared from. The report here is accessed through an unlicensed guest user.
- A user tenant in this example is where the external user resides. They have their own Power BI pro license here in their home tenant.
The solution
To the cool part! You can actually solve this issue without having to pay a single extra license fee. By setting up Bring Your Own License (BYOL), users can bring their Power BI Pro license from their own tenant into yours. This solution requires that your B2B collaboration settings allows this, which may require some configuration in both tenants, depending on the environments. The external users need to be added as guest users in Entra ID. We also recommend that you create a separate app in the Power BI service so you can manage access through groups, making it easy to add or remove reports you want to share.
Configure the tenants
If both resource and user tenants have “Allow all” on both inbound and outbound B2B Collaboration settings, on both users and applications, then you should be good to go. This is not always the case however, and then you need to set up some cross-tenant access settings for this to work.
It is presumed in this example that the default B2B connections within these tenants are configured with certain restrictions, and as such, we will proceed to grant targeted access for the Bring Your Own License (BYOL) arrangements.
Both tenants: Add the other tenant
In Entra ID: go to “External Identities“, select “Cross-tenant access settings” and under “Organizational settings” click “Add Organization“. Add the other tenant using either its Tenant ID or domain name. This allows us to set up customized settings for B2B collaboration.
User tenant: configure outbound settings
While still under “External Identities” and “Cross-tenant access settings“, the resource tenant should appear under “Organizational settings“.
Now click “Inherited from default” under Outbound access (make sure you don’t select the one under inbound access).
Under B2B Collaboration, select “Customize settings“, “Users and groups“, “Allow Access“, “Select *tenant name* users and groups“. Here you can add which users or groups are allowed to access the resource tenant. In the example below I’ve added an Entra ID group dedicated for accessing this report in the resource tenant.
In the same window, select “External applications“, “Allow access“, “Select external applications“, “Add Microsoft applications” and then select “Power BI Service“. Click “Save” at the bottom when you’re done (It’s blue if you have unsaved changes).
Resource tenant: configure inbound settings
Go to “Cross-tenant access settings“. If you don’t find any tenants in the list, you need to add them (as seen in an earlier step). Click on “Inbound access”
Go to “B2B collaboration“, “Customize settings“, and select “Select *tenant name* users and groups“
You can both add users directly or use groups, but we of course recommend using groups. You need the group ID from the tenant you are adding inbound settings for. Enter the GUID and press “Submit“.
When this is done, please go to the “Applications” tab.
You can now add which application the users from the other tenant can access. In this post we use “Power BI Service” as an example, but you can use others – also non-Microsoft Applications.
This is an optional step only for tenants which you trust. Go to “Trust settings“, “Customize settings” and turn on “Trust multifactor authentication form Microsoft Entra tenants“. The end user will then be able to use their own MFA to satisfy the MFA requirements in your tenant. As mentioned: this is for tenants you do trust.
Keep in mind that these settings may require some waiting before they go into effect.,
Invite external users
For an easier and safer way of dealing with access permissions, please create an Entra ID group for external users that should be able to access your Power BI report.
Add the external/guest users to this group. If they aren’t external/guest users already, you need to invite them (and they need to accept the invitation). When this is done, you should be able to add them to your access group.
In Power BI Service
Find your app, and add the Entra ID security group.
Please make sure that you review your other app settings. For example, if you would like user with access to the app to allows access the semantic models, download content to Excel and so on.
When this is done, you can now distribute the link to the Power BI app to your external users and they should be able to access it by signing in with their usual UPN.
When signed in, the users now also should have a new tab in the Power BI home screen called “From External Orgs“
Testing the result
Logging back in as the user Nestor Wilke and accessing the same report, we now see that he has a Power BI Pro license, which he brought with him from his home tenant into the resource tenant.
In Entra ID, we can see that the guest account is unlicensed.
Authors
Discover more from Agder in the cloud
Subscribe to get the latest posts sent to your email.
Per-Torben Sørensen