Azure AD Credentials With On Premise VM and SSAS Tabular Cube

I have an Azure VM that I've joined to my Azure AD, works great. I've installed (Development Edition SQL Server 2022) SSAS Tabular on this server using the local admin account and would like to use this to create and access cubes with my external Azure AD guest users (of which I have many).

First problem, when I attempt to add Azure AD users to a tabular cube role, I cannot find them in the "Select Users or Groups":

(Clicking "Check Name" doesn't locate my Azure AD user account)

I've worked around this by using XMLA and adding the user through that command:

{ "memberName": "AzureAD\\DavidRogers", "memberId": "S-1-12-1-...." }

Now it shows up in my cubes view without issue:

However, it doesn't actually work. When I RDP into my SSAS server and log in to my tabular instance:

I cannot see the tabular cube that I have assigned myself access to. I can log in using my Windows credential (Azure AD user) without issue; it just appears as though the role permissions are not flowing through.

Ultimately, what I'm trying to do is to put my tabular cubes behind an MSMDPump file and then have my guest users (who by definition are going to be in a different domain when they access my cubes) access the cubes by passing their Azure AD credentials through basic authentication (IIS somewhere) to my tabular cube server. Is that even possible? This current example (which is not working) is indicating no, but I don't understand why. Why aren't my Azure AD credentials being treated like any other standard user account on my SSAS on-premise instance?

If this can't be accomplished via an Azure VM joined to Azure AD, then could it be accomplished in another way?

  • This article clearly states that guest credentials are not replicated over to servers joined to an Azure AD DS domain. That would indicate to me that this is not a viable alternative. Do I have that wrong?

  • The only other viable alternative that I could think of would be to move my Tabular cubes to Azure Analysis Services and then send all my guest users to direct connect via Azure AD MFA. Would that work for guest users?

  • Are there any other viable alternatives to accomplishing the functionality I'm attempting to achieve?

Update 1

Exploring further the concept of Azure AD and its implementation in Windows, I now feel I understand a bit more about what is going on. I've discovered that I can only log in to SSAS as an Azure AD user when I'm RDP'd on to the server directly; if I'm attempting to log in via Windows Authentication from another computer (also Azure AD joined, same user), I'm immediately presented with the following error message:

The connection either timed out or was lost. (Microsoft.AnalysisServices.AdomdClient)

and in the event log (on the SSAS server) I see the following "Audit Failures":

I think this is because Kerberos by default is not enabled for Azure AD, and Windows Authentication is attempting to use Kerberos (or NTLM which is not supported in Azure AD as well) to authenticate my Azure AD credentials. Am I on the right track with that?

There is some discussion about enabling Kerberos for Azure AD here, but I don't know if that applies or would work for SSAS tabular using Windows credentials? I'm also wondering if the "Select Users or Groups" popup is using LDAP and that's the reason it doesn't work with Azure AD?

djdomi
To add a user from Azure AD, you need to use net user and net localgroup.