Using Power BI Service with Windows Authentication
You can publish and share reports in Power BI Service, so that other users can also run them. This can be achieved by configuring AtScale to authenticate with an external Directory that supports Windows Authentication.
In case you manage your users with Azure Active Directory you can choose to use token-based authentication, as described in Using Power BI Service with token-based authentication.
Before you begin
Configure authentication with external directory
You should configure AtScale to authenticate with an external Directory that supports Windows Authentication (NTLM v2). You also need to enable concurrent NTLM authentication requests. For details, see Connecting to AtScale Using Windows Authentication.
In case the Active Directory used for authentication is configured to use channel binding, you need to configure the communication between AtScale and Active Directory. For details, see Connecting to Active Directory that uses LDAP Channel Binding.
Required Azure and Power BI Services
The following services must be enabled for your account:
- You must have an Azure Active Directory Domain Services managed domain. For details see the Microsoft Azure Active Directory Domain Services Tutorial.
- Configure Power BI Gateway to work with Azure AD. For details see the Power BI Gateway Manage Gateway Data Sources Documentation for Analysis Services and the corresponding video tutorial.
- Create domain accounts and Power BI Service accounts for each report users as well as the "service account" that will be used to communicate with Atscale.
Configuring AtScale
If you are UPGRADING a system and think you should change the USER UNIQUE ID ATTRIBUTE setting please contact the AtScale Support Team first. Changing this setting after the initial system installation without the additional steps provided by the AtScale Support Team will result in service disruptions.
- 
Log in as a System Administrator to complete the following steps. 
- 
Make sure Windows Authentication is enabled via the auth.ntlm.enabled engine setting. 
- 
Set the AtScale Directory user identity attributes to the Directory values required by Power BI Desktop and Power BI Service. - 
Go to SECURITY > Directory, Setup. Scroll down to the User Schema Settings section. 
- 
Set the USER UNIQUE ID ATTRIBUTE value. This is the attribute used as the unique identifier for User Objects. Power BI Desktop users and the "service account" user that executes reports on behalf of other users will use this attribute for identification. This value is typically set to "sAMAccountName". 
- 
Set the PROXY USER ATTRIBUTE value. This is the attribute that Power BI Gateway uses to identify report users who are impersonated by a "service account". This value is typically set to "userPrincipalName". 
 
- 
- 
Define a "service account". This is the account that the Power BI Gateway will use to access AtScale on behalf of other users. - 
Create a new user or select an existing user to be the "service account". 
- 
Create an AtScale role and assign it the Impersonation permission. 
- 
Assign the "service account" user to the role. 
- 
Assign the following permissions to this user or role. The account may have the these permissions from a different role or by explicitly adding them to the "Impersonation" role defined above. - query
- read projects
- login
 
- 
Grant the user or role Run-time Query access to each cube you want to access from the Power BI Service. 
 
- 
- 
Create the standard report users in AtScale. These users must also have Power BI Service accounts. These users must be identified by Power BI Service and by the AtScale Directory by the "PROXY USER ATTRIBUTE". Finally these users will be impersonated by the "service account" defined in the previous step. 
- 
If you wish to use the report user's identity when communicating to the data warehouse, then you must enable AtScale Impersonation when configuring the data warehouse connection. Data Warehouse User Impersonation is not supported for all Data Warehouses. Review the AtScale Supported Tools and Platforms documentation to learn if AtScale supports User Impersonation for your data warehouse. 
Configuring Power BI Gateway
- 
Install Power BI Gateway on a Windows machine that is in the same domain as your Directory server. This server should be reachable from Power BI Service via a secure connection (for example, IP Sec Tunnel), and should be able to access your AtScale server. For more information see the Power BI Gateway documentation. 
- 
Login to Power BI Service as a pbi service admin and go to Settings > Manage Gateways. Follow the Microsoft documentation instructions to connect to your Gateway. 
- 
Click "Add Datasource" on the Manage Gateways screen. 
- 
Give your AtScale datasource a name and select "Analysis Services" as the data source type. 
- 
Enter the necessary connection information to connect to the AtScale server. - 
You must use exactly the same string for the hostname that will be used in your reports authored with Power BI Desktop. Power BI Service and Power BI Desktop use exact string matching to find host configurations, and will not perform hostname or IP address resolution when looking up dataset connections. 
- 
The user name must include your Windows domain. For example, either bob.smith@mydomain.comormydomain.com\\bob.smithwill work.
- 
For the "Database" field you must enter the AtScale "Project Name" (not the cube name). 
 
- 
You must set the same query string parameter to the "Server" field of all desired Datasource configurations.
- Click "Add". A connection confirmation indicates that Power BI Service successfully authenticated the service user against atscale and your directory service.
Publishing and Sharing Reports
- 
As the user in the Impersonation role, create a report using PBI Desktop connected to the AtScale cube. Once ready, publish the report to the PBI Service by clicking the "Publish" button in Power BI Desktop (must be logged in to Power BI Service). 
- 
Using the same account that you used to author the report, log on to the PBI Service. 
- 
Find the new report in the workspace you selected when publishing. Click the "Share" icon. 
- 
Type in the user names of the other users that you want to run the report and click the "Share" button. 
Other Power BI Service users will now be able to run the report. Additionally, their identity will be used to enforce Run-Time Cube security and will be displayed on the AtScale Query Screen.
What to do next
- Learn how to connect Power BI Desktop to AtScale.
- Build your report in Power BI. For details see Create reports and dashboards in Power BI.
- Review the list of AtScale's Power BI Known Issues and Limitations.