Automatically provision users to Tableau Online from Azure Active Directory
Modern identity providers (IdP) are designed to allow customers to manage user access across all of their cloud applications, including Tableau Online. By using an external IdP, Tableau Online customers can take advantage of the many benefits provided by the IdP such as single sign-on and multi-factor authentication. Increasingly, customers have also set up automatic user provisioning with their IdPs in order to improve security and save time by managing their users and groups centrally in the IdP.
Tableau Online supports automatic user provisioning with multiple IdPs. Here we want to walk through a couple of ways to set up automatic user provisioning with Azure Active Directory (Azure AD), the identity service provided by Microsoft and one of the most popular IdPs used by Tableau Online customers.
User authentication and provisioning
Before diving into the details, we’d like to describe two key concepts that are related, but separate—user authentication and provisioning:
- User authentication is the process of verifying a user’s identity. The process can be performed by Tableau Online using Tableau ID, or by an external IdP. When using an external IdP, customers can set up single sign-on so that the users can log in to Tableau Online using the same set of login credentials (e.g. username and password) as for other applications in their organizations.
- User provisioning is the process of creating user accounts in an application. When provisioning a user in Tableau Online, the site administrator can specify the user’s authentication method, site role, and group membership. With automatic user provisioning, customers can manage their users and groups centrally in their IdP such as Azure AD. Tableau Online will then automatically stay in sync with the IdP, adding and removing users and groups based on the provisioning assignments and rules set up in the IdP. This can improve security and greatly reduce the amount of manual work that Tableau Online site administrators need to do to manage site users and group membership.
Tableau Online customers using Azure AD will typically first set up authentication by configuring single sign-on with Azure AD using SAML, then set up automatic user provisioning using one of the following two options.
Option 1: Use the Tableau Online app from the Azure Marketplace
The quickest way to enable automatic user provisioning from Azure AD to Tableau Online is to use the Tableau Online app from the Azure Marketplace. To do this, you will need a site administrator account on your Tableau Online site. This account must use the Tableau ID authentication type with a username and password (not single sign-on). You will also need access to the Azure portal of your organization, or work with someone who has that access.
Once in the Azure portal, you can follow the Microsoft tutorial and set it up in just a few minutes.
Once set up, the app automatically adds new users or groups assigned to Tableau Online in the Azure portal to the Tableau Online site, and sets the user site roles according to the assignments. It also updates the user site roles when their assignments change in Azure portal, and deprovisions users or groups no longer assigned to Tableau Online.
If your organization has multiple Tableau Online sites and needs to provision users to more than one site, no problem. You can add more instances of the Tableau Online app to the same Azure AD tenant and configure them the same way as the first—just be sure to name them differently as you create them, so you can easily distinguish them in the application list.
While we expect the Tableau Online app to meet the majority of Tableau Online customers’ needs for automatic user provisioning, it has a few limitations:
- You will not have full control over when the synchronization happens. It depends on when the Azure AD provisioning service runs. On average it runs about once every 40 minutes, but the actual timing can vary.
- The app does not currently support the new grant license on sign in feature. Grant license on sign in allows a user to be added as “Unlicensed” to Tableau Online and then automatically promotes them to a licensed role when they sign in. Because the notion of license promotion doesn’t exist in external IdPs like Azure AD, the IdP may reset the user’s site role to the original value assigned in the IdP, negating the effect of grant license on sign in.
- The app will attempt to add a dummy user with “Unlicensed” site role to the Tableau Online site and then remove it as a test for authorization. This test is performed every time the Azure AD provisioning service runs. Occasionally the service may fail to remove the test user and leave a user name similar to “firstname.lastname@example.org” on the Tableau Online site.
- If you’re on a free trial site of Tableau Online, it is not recommended to keep automatic provisioning enabled for more than a day. Otherwise, the dummy users added by the Azure AD provisioning service on each run would accumulate, hit the capacity limit of a free trial site, and cause provisioning to fail.
Option 2: Develop your own custom app
If you need more granular control over how user provisioning is performed for your organization, you can develop a custom app using the Tableau Online REST API and the Azure AD API. We’ve provided a ready-to-use, open-source application TabProvision to demonstrate how to automate the provisioning of users from Azure AD to Tableau Online. The app reads the user and group information from the IdP, such as Azure AD, and automatically adds, modifies, or removes them on your Tableau Online site to keep them in sync with the IdP.
While this option requires more upfront setup, including developing the app and an environment to host it, it provides several advantages over the out-of-the-box app from Azure Marketplace:
- The custom app allows you full control over how and when the user provisioning is performed.
- You can customize the user provisioning flow to accommodate any special processes in your organization.
- You can expand the custom app to read user and group information from multiple IdPs. For example, you may have internal users from Azure AD and external users managed separately using a different provider.
- It supports the grant license on sign in feature (built into TabProvision).
- The same app can also provision users to on-premises Tableau Server with version 2020.3 or later.
Other things to consider
Tableau Online supports a mixture of Tableau ID and external IdP on the same site. When you set up Azure AD provisioning on your Tableau Online site, you may want to think through whether there are exceptions and if so how they should be configured.
For example, some users of your Tableau Online sites may be external partners, suppliers, or clients who are not in your organization’s Azure AD. For them, the Tableau ID authentication type may be the most appropriate.
Similarly, defining local groups that are not synchronized with Azure AD sometimes makes sense. For instance, Tableau Online site administrators may want more control over the grouping of some users for permissions or subscriptions.
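As an added example (not code from the original post and not TabProvision’s own implementation), here is the reconciliation step a custom app like the one described under Option 2 would run after reading assignments from Azure AD and the current user list from the Tableau Online REST API. It computes the add, update and remove actions, keeps the role a user gained through grant license on sign in instead of resetting it to the IdP value, and leaves Tableau ID users such as the external partners mentioned above untouched. The `SiteUser` model, the “SAML”/“TableauID” labels and the sample data are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SiteUser:
    """A user as reported by the Tableau Online site (constructed model)."""
    name: str
    auth: str        # "SAML" = Azure AD single sign-on, "TableauID" = local account
    site_role: str   # e.g. "Unlicensed", "Viewer", "Explorer", "Creator"

def plan_sync(idp_assignments, site_users, honor_grant_license=True):
    """Return (action, user, role) tuples that bring the site in line with the IdP.

    idp_assignments maps user name -> site role assigned in Azure AD.
    add: in the IdP but missing on the site; remove: SAML user no longer assigned.
    update: role differs, except that an "Unlicensed" assignment must not
      demote a SAML user already promoted by grant license on sign in.
    Tableau ID users (e.g. external partners) are never touched.
    """
    on_site = {u.name: u for u in site_users}
    actions = []
    for name, wanted in idp_assignments.items():
        current = on_site.get(name)
        if current is None:
            actions.append(("add", name, wanted))
        elif current.auth == "TableauID":
            continue  # local account: managed by the site admin, not the IdP
        elif current.site_role != wanted:
            if honor_grant_license and wanted == "Unlicensed":
                continue  # keep the licensed role granted at first sign-in
            actions.append(("update", name, wanted))
    for name, user in on_site.items():
        if name not in idp_assignments and user.auth != "TableauID":
            actions.append(("remove", name, None))
    return actions

# Constructed sample data: what Azure AD assigns and what the site currently holds.
SAMPLE_IDP = {
    "alice@example.com": "Creator",   # unchanged
    "bob@example.com": "Unlicensed",  # promoted to Viewer on first sign-in
    "carol@example.com": "Explorer",  # role raised in Azure AD
    "dave@example.com": "Viewer",     # newly assigned
}
SAMPLE_SITE = [
    SiteUser("alice@example.com", "SAML", "Creator"),
    SiteUser("bob@example.com", "SAML", "Viewer"),
    SiteUser("carol@example.com", "SAML", "Viewer"),
    SiteUser("erin@partner.example", "TableauID", "Viewer"),  # external partner
    SiteUser("frank@example.com", "SAML", "Explorer"),        # no longer assigned
]
```

Calling `plan_sync(SAMPLE_IDP, SAMPLE_SITE)` yields an update for carol, an add for dave and a remove for frank, while bob keeps the Viewer role and erin is left alone; passing `honor_grant_license=False` reproduces the Marketplace app’s behaviour of resetting bob to Unlicensed.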
Check out these additional resources to better streamline the user provisioning process of your Tableau Online sites:
- Learn about Tableau license management in the Tableau Blueprint.
- Listen to the recording of webinar “Keys” to Success with Tableau Licensing.