Using token-based authentication
When your users are managed with Azure Active Directory, you can switch to token-based authentication. This simplifies report consumption for Power BI service users, since they only need their Power BI online account to access reports published by cube designers.
[!IMPORTANT] AtScale offers Beta support for the token-based authentication features described in this section of the user documentation. Official support for these features is planned for future releases. If interested in beta testing, please contact your Account Executive.
Procedure
To initiate the process of token-based authentication, an AtScale administrator should configure Azure AD and enable tokens:
- Make sure you have the Super User role in AtScale; for details see Granting the "Super User" Permission.
- Configure Azure AD as described in Connecting to Azure Active Directory.
- Follow the procedure in Changing Engine Settings to set the following settings (no restart required):
  - Enable xmla.auth.token.enabled.
  - Set the token expiration duration using the following settings (default values are 30 days):
    xmla.auth.token.personalTokenDuration
    xmla.auth.token.serviceTokenDuration
- Save your changes.
User roles
With token-based authentication enabled and configured as described above, you need to decide which users should perform the corresponding roles. There are three types of user roles: Cube designer, AtScale administrator, and Report user. All users in these roles are managed in Azure AD.
For detailed information on the workflows for each user role, see Using Power BI Service with token-based authentication.
Cube designer
The Cube designer's main tasks are designing cubes in AtScale, creating reports with Power BI Desktop, and sharing these reports using Power BI Gateway. To perform these activities, the Cube designer should use a personal token as follows:
- Make sure the cube you need is published.
- Open the user menu in the top right corner of the Design Center and choose Personal Tokens.
- Choose Generate Token, and ensure your personal token is displayed. It should look like this:
  76da811d-26b7-4f09-61eb-f378cb958ac7
- Follow the procedure in Getting Cube Connection Information to access and copy the URL displayed for MDX + TOKEN for a particular cube. It should look like this:
  http://atscale.example.com:10502/xmla/default/76da811d-26b7-4f09-61eb-f378cb958ac7
- Use this URL as described in Using AtScale with Power BI Desktop.
AtScale administrator
The AtScale administrator's main tasks are enabling tokens and configuring the data source in Power BI Gateway. To perform these activities, the administrator should obtain and use a service token as follows:
- In AtScale, go to Settings > Organization Settings > Engine.
- Locate the Gateway Service Token section at the bottom of the page and choose Generate Token.
- Copy the service token; it has the same format as the personal token.
- Copy the connection URL for MDX + TOKEN as described above, and replace the personal token at the end with the service token.
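Because the token is the last path segment of the connection URL, the URL itself is a credential. The following added example (not AtScale code) performs the token swap from the last step and masks the token wherever such a URL appears in logs or tickets. It assumes tokens keep the 8-4-4-4-12 hex layout and the /xmla/<name>/<token> path shape of the samples on this page; the function names, the service token and the log line are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumption: tokens keep the 8-4-4-4-12 hex layout of the sample on this page.
TOKEN = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
TOKEN_RE = re.compile(TOKEN)
# Assumption: token-bearing URLs have the path shape /xmla/<name>/<token>.
URL_TOKEN_RE = re.compile(rf"(/xmla/[^/\s]+/)({TOKEN})")


def swap_token(url: str, service_token: str) -> str:
    """Replace the trailing personal token of an MDX + TOKEN URL."""
    if not TOKEN_RE.fullmatch(service_token):
        raise ValueError("service token is not in the expected format")
    parts = urlsplit(url)
    head, sep, last = parts.path.rpartition("/")
    # Refuse URLs that do not end in a token, so nothing is silently appended.
    if not sep or not TOKEN_RE.fullmatch(last):
        raise ValueError("URL does not end in a token-shaped path segment")
    return urlunsplit(parts._replace(path=f"{head}/{service_token}"))


def redact_tokens(text: str, keep: int = 4) -> str:
    """Mask the token in every /xmla/<name>/<token> URL found in text.

    The last `keep` characters stay visible so entries can still be correlated.
    """
    def mask(m: re.Match) -> str:
        token = m.group(2)
        cut = len(token) - keep
        return m.group(1) + "*" * cut + token[cut:]
    return URL_TOKEN_RE.sub(mask, text)


# URL copied from this page; the service token and log line are constructed samples.
PERSONAL_URL = "http://atscale.example.com:10502/xmla/default/76da811d-26b7-4f09-61eb-f378cb958ac7"
SERVICE_TOKEN = "00000000-1111-2222-3333-444444444444"
LOG_LINE = f'10.0.0.5 "POST {PERSONAL_URL} HTTP/1.1" 200'

if __name__ == "__main__":
    gateway_url = swap_token(PERSONAL_URL, SERVICE_TOKEN)
    print(redact_tokens(gateway_url))   # safe to paste into a ticket
    print(redact_tokens(LOG_LINE))      # safe to forward to a log pipeline
```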
Report user
Report users run reports in Power BI service:
- They don't need to log in to AtScale.
- Once a report is approved and shared by a cube designer and an administrator, report users can simply log in to Power BI service and run it. For details, see Getting started with Power BI service.
More information
When you don't want or need to use token-based authentication, you can use Windows authentication instead.