Skip to content

Create Azure Resources for Self Hosted Advanced Analytics and Connect to IFS Cloud Remote

This section guides you through the provisioning and configuration of the Azure resources in the customer tenant which are required to set up Advanced Analytics.

Disclaimer

Please note that this is a guideline, and the setup will still need to be verified by your company security board to ensure your company standards and policies have been adhered to. IFS takes no responsibility for any data breach for any artifact hosted outside of the IFS domain.

Prerequisites

  • An Azure Subscription in the customer tenant
  • Privileges to create a Power BI Workspace
  • Privileges to link workspaces to the Power BI Embedded Capacity
  • In case of reports that are running in live connection to Azure Analysis Services (AAS) mode, a configured AAS.

Create Azure Resources for Self Hosted Advanced Analytics

Prerequisites

Create a Service Principal

Follow the steps below to create a service principal.

Note

Azure is not a service maintained by IFS, the steps may have since changed. When in doubt, please refer to the documentation on Microsoft Learn.

  1. First, you should navigate to the App Registrations page on the Azure Portal.

  2. Then, click on New Registration.

  3. Now, you should fill in the following form displayed.

    App Registration Form

  4. Finally, click on the Register button.

  5. Once the App Registration is completed, click on Certificates & secrets.

  6. Click on New client secret.

    Certificates and Secrets

  7. Fill in the required information.

Note

Remember to save the secret information as it must be submitted to IFS or to be included in the yaml file.

New Client Secret

Note

If you intend to create Power BI reports using a live connection to AAS, this Service Principal must be given access to all required resources on the AAS instance.

Setting up Power BI Embedded solution when connecting Azure BI Infrastructure to Cloud/Remote

This section provides details on what relevant details to fetch from Azure portal after the App registration process.

IFS service center form - for Advanced Analytics Corresponding value
App registration client ID linked to the Service 1. Application (client) ID from App registrations page
Azure Tenant ID 2. Directory (tenant ID) from App registrations page
Azure AD SPN Object ID 3. Object ID from the Enterprise Application page
Azure AD SPN Client Secret value Certificates & Secrets (as noted above)

App Registration:

Enterprise Application:

Read more about connecting Azure BI Infrastructure to IFS Cloud.

Scenario 2:

Note

During an App registration process, these two objects are created: Application and Service Principal. In the custom values yaml file, the Object ID needs to have the value from the Enterprise Applications page (object type= Service Principal). Service Principals can be listed in Enterprise Applications.

Create a group that will be allowed to call the Power BI APIs

This group contains the Service Principal you created in the section above.

  1. Navigate to the Groups page on the Azure Portal.

  2. Select New Group.

  3. Fill in the form displayed below.

    New Group

  4. Add the Service Principal from the previous step to the owners of this group. Then this can be used to add additional users/service principals.

Add New Owner

Add the new group to the list of groups that are allowed to use the Power BI APIs

  1. Navigate to the Admin portal of Power BI.

  2. In Developer settings, enable the setting that says Allow service principals to use Power BI APIs.

    Allow Service Principals

  3. From the radio buttons, select Specific security groups.

  4. Add the group created in the section above.

  5. Finally, click on the Apply button.

Create a Power BI-embedded Capacity

Follow the steps below to create a Power BI Embedded Capacity.

Note

Azure is not a service maintained by IFS, the steps may have since changed. When in doubt, please refer to the documentation on Microsoft Learn.

  1. Navigate to the Power BI Embedded page on the Azure Portal.

  2. Fill out the following form.

    Create Capacity

  3. Finally, click on the Review + Create button.

Create a new Power BI Workspace

  1. Go to Power BI.

  2. Expand workspaces.

    Workspace Menu

  3. At the bottom of the expanded menu, click the New workspace button.

    New Workspace Button

  4. Provide a name for the new workspace.

  5. Click on the Advanced button.

  6. For the License mode, select Embedded.

  7. Specify the Power BI Embedded capacity created in the previous section.

  8. Click on the Save button.

Configure Workspace

Give the Service Principal Access to the Workspace

  1. Go to Power BI.

  2. Open the workspace that was created using the steps outlined in the section above.

  3. Click on the Access tab.

    Access

  4. Type the name of the Service Principal created in the section above.

  5. Select Admin as role.

    Admin Role

  6. Finally, click on the Add button.

Connect Azure BI Infrastructure to IFS Cloud Remote

To connect the BI Infrastructure created on-prem, fill in the following YAML entries and include them into your ifscloud-values.yaml file. Then run the installer with the mtinstaller action.

## This yml file is to be used with the IFS installer when IFS Cloud is deployed as REMOTE 
## and the customer has deployed the BI infrastructure in their own Azure Subscription
## i.e. Scenario 2 with AA
ifscore:
  passwords: 
    pbiesAadSecret:
      data: xxxxxxx                 ## Azure Service Principal secret's value (Usually a 40 char string, not a guid).
      name: pbies-aad-secret
    busmodAadSecret:
      data: xxxxxxx                 ## Azure Service Principal secret's value (Usually a 40 char string, not a guid).
      name: busmod-aad-secret

#powerbi-svc
ifsapppowerbisvc:
  replicas: 1
  serviceConfigEnabled: "true"
  azureAdClientId: a1a1a1a1-a1a1-a1a1-a1a1-a1a1a1a1a1a1                   ## App registration page -> Application (client) ID, same value as ifsamSsasUsername without prefix "app:""
  azureAdTenantId: a1a1a1a1-a1a1-a1a1-a1a1-a1a1a1a1a1a1                   ## App registration page -> Directory (tenant) ID
  azureAdServicePrincipalObjectId: a1a1a1a1-a1a1-a1a1-a1a1-a1a1a1a1a1a1   ## Enterprise Applications page -> Object ID of the service principal
  authConfigUserNameClaim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  authConfigCustomDataClaim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  logLevel: warn

#busmod
ifsappbusmod:
  replicas: 1
  assServerName: asazure://xxxx.asazure.windows.net/xxxx                  ## Same value as ifsamSsasServerName
  authService: https://xxxx.asazure.windows.net                           ## AAS site in the region
  tenantId: a1a1a1a1-a1a1-a1a1-a1a1-a1a1a1a1a1a1                          ## Microsoft Entra ID page -> Tenant ID, same as ifsapppowerbisvc.azureAdTenantId
  appId: a1a1a1a1-a1a1-a1a1-a1a1-a1a1a1a1a1a1                             ## App registration page -> Application (client) ID, same value as ifsamSsasUsername without prefix "app:""

Download the template YAML file from here.