Skip to main content
Version: I2023.3.0

Using token-based authentication

When you have users managed with Azure Active Directory you can switch to token-based authentication. This would simplify report consumption for Power BI service users, since they would only need their Power BI online account to access reports published by cube designers.

[!IMPORTANT] AtScale offers Beta support for the token-based authentication features described in this section of the user documentation. Official support for these features is planned for future releases. If interested in beta testing, please contact your Account Executive.

Procedure

To initiate the process of token-based authentication, an AtScale administrator should configure Azure AD and enable tokens:

  1. Make sure you have the Super User role in AtScale; for details see Granting the "Super User" Permission.

  2. Configure Azure AD as described in Connecting to Azure Active Directory.

  3. Follow the procedure in Changing Engine Settings to set the following settings (no restart required):

    1. Enable xmla.auth.token.enabled.

    2. Set the token expiration duration using the following settings (default values are 30 days):

      • xmla.auth.token.personalTokenDuration
      • xmla.auth.token.serviceTokenDuration

    3. Save your changes.

User roles

With token-based authentication enabled and configured as described above, you need to decide which users should perform the corresponding roles. There are three types of user roles: Cube designer, AtScale administrator, and Report user. All users in these roles are managed in Azure AD.

For detailed information on the workflows for each user role, see Using Power BI Service with token-based authentication

Cube designer

Cube designer's main tasks are designing cubes in AtScale, creating reports with Power BI Desktop, and sharing these reports using Power BI Gateway. To perform these activities, the Cube designer should use a personal token as follows:

  1. Make sure the cube you need is published.

  2. Open the user menu in the top right corner of the Design Center and choose Personal Tokens.

  3. Choose Generate Token, and ensure your personal token is displayed.

    It should look like this: 76da811d-26b7-4f09-61eb-f378cb958ac7

  4. Follow the procedure in Getting Cube Connection Information to access and copy the URL displayed for MDX + TOKEN for a particular cube.

    It should look like this: http://atscale.example.com:10502/xmla/default/76da811d-26b7-4f09-61eb-f378cb958ac7

  5. Use this URL as described in Using AtScale with Power BI Desktop.

AtScale administrator

AtScale administrator's main tasks are enabling tokens and configuring the data source in Power BI Gateway. To perform these activities, the administrator should obtain and use a service token as follows:

  1. In AtScale, go to Settings > Organization Settings > Engine.
  2. Locate the Gateway Service Token section at the bottom of the page and choose Generate Token.
  3. Copy the service token; it has the same format as the personal token.
  4. Copy the connection URL for MDX + TOKEN as described above, and replace the personal token at the end with the service token.

Report user

Report users are running reports in Power BI service:

  • They don't need to log in to AtScale.
  • Once a report is approved and shared by a cube designer and an administrator, report users can simply log in to Power BI service and run it. For details, see Getting started with Power BI service.

More information

When you don't want or need to use token-based authentication you can use Windows authentication instead.