locked
Block PowerBI using ADFS RRS feed

  • Question

  • Hi there,

    We are trying to block the access to the Power BI mobile applications using ADFS and custom claims. We have tried several ways, like try blocking with the user agent, application ID, among others.

    Wth the user agent we tried to use something with the words PowerBI, but nothing. Then we tried with the "Apple" word and it worked, but it also blocked other apps, like the Outlook mobile app.

    We used claims like this. This is just one aproach. We tried several:
    c1:[Type=="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ ".*Power Bi.*|.*PowerBi.*"] => issue(Type = "http://custom/powerbi", Value = "true");

    Do any of you know a way to block PowerBI using ADFS?

    Best regards,
    João V. S.
    Monday, May 9, 2016 9:13 AM

Answers

  • It's not a easy thing to put a screenshot here, because it's in the new azure portal, and the interface has several submenus and etc.

    But basically you can choose the application to do conditional access. In this case is PowerBI, but it can be Exchange, CRM, OneDrive, etc. It can even be LoB apps published via Azure AD Application Proxy. It's a very powerful tool.

    And you can do conditional access, and have several policies based on groups, location, device (Intune compliant or domain joined)...

    Thursday, February 16, 2017 3:54 PM

All replies

  • Hello Joao,

    Have you been able to figure out an effective way/claim rule via ADFS to block powerBI. We also have a same need to block PowerBI through an ADFS claim rule to block any external request.

    Thanks

    Tuesday, February 14, 2017 1:29 PM
  • If PowerBI client is having a special User-Agent you might be able to do some filtering. But filtering based on user-agent is not recommended as it is easy to spoof.

    If PowerBI is using a web-browser, or modern authentication, there is nothing you can do at the ADFS level.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, February 15, 2017 2:00 PM
  • Hi there,

    We weren't able to do this, because the Power-BI apps/clients doesn't have a special user agent, meaning that we were not able to identify it. Eventually we forgot this theme.

    But I think, now you can do this with Azure AD Conditional Access. 

    Thursday, February 16, 2017 10:14 AM
  • Very possible indeed. I don't have a PowerBI subscription. But if you have one and can copy/paste a screenshot of what the interface for Conditional Access in Azure AD looks like for the other users of this forum, that would be great!

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, February 16, 2017 12:41 PM
  • It's not a easy thing to put a screenshot here, because it's in the new azure portal, and the interface has several submenus and etc.

    But basically you can choose the application to do conditional access. In this case is PowerBI, but it can be Exchange, CRM, OneDrive, etc. It can even be LoB apps published via Azure AD Application Proxy. It's a very powerful tool.

    And you can do conditional access, and have several policies based on groups, location, device (Intune compliant or domain joined)...

    Thursday, February 16, 2017 3:54 PM