Overview
Securing your Azure Analysis Services (AAS) models is crucial for protecting sensitive data and ensuring authorized access. AAS provides a robust set of security features that can be integrated with Azure Active Directory (Azure AD) and other Azure security services.
This document covers key security concepts and best practices for Azure Analysis Services, including:
- Authentication and Authorization
- Role-Based Access Control (RBAC)
- Data Encryption
- Network Security
- Auditing and Monitoring
Authentication and Authorization
Azure Analysis Services uses Azure Active Directory (Azure AD) for authentication. All users and applications accessing your AAS resources must be authenticated against an Azure AD tenant. Authorization determines what authenticated users can do and access.
Azure AD Integration
When you create an Azure Analysis Services server, you associate it with an Azure AD tenant. This allows you to manage access using identities and groups from your organization's Azure AD directory.
For programmatic access, you can use service principals or managed identities to authenticate applications and services.
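As an added example (not code from the original page), the following PowerShell shows both halves of programmatic access: a service principal signing in to Azure Resource Manager with Connect-AzAccount, and the same principal running a command against the server's XMLA endpoint with Invoke-ASCmd from the SqlServer module. The tenant id, application id, server name and the AAS_SP_SECRET environment variable are placeholders I assume for the example.

```powershell
# Added example: service-principal authentication to Azure Analysis Services.
# Placeholder values; replace with your own tenant, app registration and server.
Import-Module Az.Accounts
Import-Module SqlServer

$TenantId   = "00000000-0000-0000-0000-000000000000"                 # placeholder
$AppId      = "11111111-1111-1111-1111-111111111111"                 # placeholder
$ServerName = "asazure://westus.asazure.windows.net/myaas-server"    # placeholder

# The client secret is read from the environment (or a vault), never written
# into the script or a connection string.
if (-not $env:AAS_SP_SECRET) { throw "AAS_SP_SECRET is not set" }
$Secret = ConvertTo-SecureString $env:AAS_SP_SECRET -AsPlainText -Force
$Cred   = New-Object System.Management.Automation.PSCredential ($AppId, $Secret)

# 1. Control plane: Azure Resource Manager sign-in as the service principal.
#    This is what Set-AzAnalysisServicesServer and friends use.
Connect-AzAccount -ServicePrincipal -Tenant $TenantId -Credential $Cred | Out-Null

# 2. Data plane: the XMLA endpoint authenticates separately against Azure AD.
#    A principal that can manage the server in ARM still needs a role in the
#    model (or server admin rights) for this call to succeed.
$sessionsXml = Invoke-ASCmd -Server $ServerName -ServicePrincipal `
    -ApplicationId $AppId -TenantId $TenantId -Credential $Cred `
    -Query 'SELECT [SESSION_ID],[SESSION_USER_NAME] FROM $SYSTEM.DISCOVER_SESSIONS'

# The result is an XMLA rowset; list who is currently connected.
([xml]$sessionsXml).return.root.row |
    Select-Object SESSION_ID, SESSION_USER_NAME |
    Format-Table -AutoSize

# For code running on an Azure VM, Function or Automation account, swap step 1
# for a managed identity: Connect-AzAccount -Identity (no secret at all).
```

The point of splitting the two sign-ins is that ARM permissions and model permissions are granted independently: a principal that is Contributor on the resource group can reconfigure the server but cannot read a model until it is added to a role or to the administrator list.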
Role-Based Access Control (RBAC)
RBAC is the primary mechanism for controlling access to your Azure Analysis Services models. You can define roles within your AAS models and assign users or Azure AD groups to these roles.
Server-Level Roles
At the server level, you can assign users to the following roles:
- Administrator: Full control over the server, including creating and managing databases.
- Custom Roles: Administrators can create custom roles with specific permissions to manage databases and models.
Database-Level Roles
Within each Analysis Services database, you can define granular roles:
- Database Reader: Can read data from the database.
- Database Builder: Can read data and process tables within the database.
- Database Administrator: Full control over the database, including managing roles and permissions.
- Custom Roles: Define specific permissions like read, write, process, and administrate for tables, columns, and rows.
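As an added example covering both the server-level and database-level bullets above (not code from the original page), this PowerShell sets the server administrator list and then creates a custom read-only database role with a row filter through a TMSL createOrReplace command. Resource group, server, database, table, group name and the app/tenant ids are placeholders I assume for the example; Set-AzAnalysisServicesServer and Invoke-ASCmd come from the Az.AnalysisServices and SqlServer modules.

```powershell
# Added example: server admins plus a custom database role with row-level security.
Import-Module Az.AnalysisServices
Import-Module SqlServer

$ResourceGroup = "myResourceGroup"                                   # placeholder
$ServerName    = "myaas-server"                                      # placeholder
$Server        = "asazure://westus.asazure.windows.net/$ServerName"  # placeholder
$TenantId      = "00000000-0000-0000-0000-000000000000"              # placeholder
$AppId         = "11111111-1111-1111-1111-111111111111"              # placeholder

# Server-level role: the administrator list. -Administrator replaces the whole
# list, so include every identity that should keep admin rights.
# Formats: user UPN, "app:<appId>@<tenantId>" for a service principal,
# "obj:<groupObjectId>@<tenantId>" for an Azure AD security group.
$admins = @(
    "aas-owner@contoso.com",
    "app:$($AppId)@$($TenantId)"
) -join ","
Set-AzAnalysisServicesServer -ResourceGroupName $ResourceGroup -Name $ServerName `
    -Administrator $admins | Out-Null

# Database-level custom role: modelPermission "read" only, membership granted to
# an Azure AD group, and a filterExpression so members see one region's rows.
# Other modelPermission values are none, readRefresh, refresh, administrator.
$tmsl = @'
{
  "createOrReplace": {
    "object": { "database": "AdventureWorks", "role": "WestRegionReaders" },
    "role": {
      "name": "WestRegionReaders",
      "description": "Read-only, rows filtered to Region = West",
      "modelPermission": "read",
      "members": [
        { "memberName": "sales-west@contoso.com", "identityProvider": "AzureAD" }
      ],
      "tablePermissions": [
        { "name": "Sales", "filterExpression": "[Region] = \"West\"" }
      ]
    }
  }
}
'@
Invoke-ASCmd -Server $Server -Query $tmsl | Out-Null

# Confirm the role and its members from the DMVs rather than trusting the call.
$roles = [xml](Invoke-ASCmd -Server $Server -Database "AdventureWorks" `
    -Query 'SELECT [ID],[Name],[ModelPermission] FROM $SYSTEM.TMSCHEMA_ROLES')
$roles.return.root.row | Select-Object Name, ModelPermission | Format-Table -AutoSize
```

Row filters are evaluated by the engine for every query a role member issues, so a misplaced DAX expression widens data exposure silently; reviewing the DMV output after each change, as the last lines do, catches that before users do.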
Data Encryption
Azure Analysis Services encrypts data at rest and in transit by default.
- Encryption in Transit: All communication between clients and the AAS server is secured using TLS.
- Encryption at Rest: Data stored within AAS is encrypted using industry-standard algorithms.
Network Security
Azure Analysis Services offers network security features to control access to your server:
Firewall Rules
You can configure firewall rules to restrict access to your AAS server based on IP addresses or virtual networks.
az aas server firewall-rule create --resource-group myResourceGroup --server myaas-server --name AllowMyIP --start-ip-address 203.0.113.1 --end-ip-address 203.0.113.1
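As an added example (not code from the original page), the same firewall configuration expressed with the Az.AnalysisServices PowerShell cmdlets, which let you declare every allowed range in one configuration object and apply it atomically. Resource group and server name are placeholders I assume; the two IP ranges are RFC 5737 documentation addresses standing in for your office egress address and an ETL subnet.

```powershell
# Added example: declare the full allow-list, apply it, then read it back.
Import-Module Az.AnalysisServices

$ResourceGroup = "myResourceGroup"   # placeholder
$ServerName    = "myaas-server"      # placeholder

# Each rule is an inclusive IPv4 range; a single address uses the same start and end.
$rules = @(
    New-AzAnalysisServicesFirewallRule -Name "AllowOfficeEgress" -RangeStart "203.0.113.1"  -RangeEnd "203.0.113.1"
    New-AzAnalysisServicesFirewallRule -Name "AllowEtlSubnet"    -RangeStart "198.51.100.0" -RangeEnd "198.51.100.31"
)

# -EnablePowerBIService allows the Power BI service's own outbound addresses.
# Leave the switch out if nothing in Power BI connects to this server.
$config = New-AzAnalysisServicesFirewallConfig -FirewallRule $rules -EnablePowerBIService

# Applying the config replaces the previous rule set entirely, so there is no
# stale "temporary" rule left behind from an earlier change.
Set-AzAnalysisServicesServer -ResourceGroupName $ResourceGroup -Name $ServerName `
    -FirewallConfig $config | Out-Null

# Verify what the server actually enforces, and flag any rule that opens the
# whole IPv4 space (0.0.0.0 to 255.255.255.255).
$server = Get-AzAnalysisServicesServer -ResourceGroupName $ResourceGroup -Name $ServerName
$server.FirewallConfig.FirewallRules |
    Select-Object FirewallRuleName, RangeStart, RangeEnd,
        @{ Name = "OpenToInternet"; Expression = {
            $_.RangeStart -eq "0.0.0.0" -and $_.RangeEnd -eq "255.255.255.255" } } |
    Format-Table -AutoSize
```

Keeping the rule list in source control and re-applying it as a whole, rather than adding rules one at a time, is what makes the read-back at the end meaningful: any rule present on the server but absent from the script is a drift worth investigating.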
Virtual Network Service Endpoints
For enhanced security, you can integrate your AAS server with Azure Virtual Networks (VNet) using service endpoints. This ensures that traffic to the AAS service originates from your VNet.
Auditing and Monitoring
Auditing and monitoring are essential for detecting suspicious activity and ensuring compliance. Azure Analysis Services integrates with Azure Monitor and Azure Log Analytics.
Auditing
You can enable auditing to log various activities performed on your AAS server and databases. This includes connection attempts, query executions, and administrative operations.
Audit logs can be sent to Azure Log Analytics, Azure Storage, or Event Hubs for analysis and retention.
Monitoring
Azure Monitor provides key metrics for your AAS server, such as CPU usage, memory usage, and query performance. You can set up alerts based on these metrics to proactively identify potential issues.
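As an added example covering the Auditing and Monitoring sections above (not code from the original page), the following PowerShell routes the server's Engine and Service logs plus metrics to a Log Analytics workspace, runs two review queries against the collected AzureDiagnostics table, and creates a metric alert on connection failures. Resource group, server and workspace names and the action group id are placeholders I assume; the AzureDiagnostics column names (OperationName, NTUserName_s, ClientHostName_s, ApplicationName_s, TextData_s) and the TotalConnectionFailures metric name are taken from the Analysis Services diagnostic log and metric schemas as I know them.

```powershell
# Added example: diagnostic settings, audit review queries and a metric alert.
Import-Module Az.AnalysisServices
Import-Module Az.Monitor
Import-Module Az.OperationalInsights

$ResourceGroup = "myResourceGroup"    # placeholder
$ServerName    = "myaas-server"       # placeholder
$WorkspaceName = "security-law"       # placeholder
$ActionGroupId = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/microsoft.insights/actionGroups/<name>"  # placeholder

$server    = Get-AzAnalysisServicesServer -ResourceGroupName $ResourceGroup -Name $ServerName
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# 1. Send Engine (queries, sessions, commands) and Service (server lifecycle)
#    logs and all metrics to Log Analytics. Note the two different workspace ids:
#    the ARM ResourceId is used here, the CustomerId GUID is used for queries.
$logs = @(
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category "Engine"
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category "Service"
)
$metrics = @( New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -Category "AllMetrics" )
New-AzDiagnosticSetting -Name "aas-to-loganalytics" -ResourceId $server.Id `
    -WorkspaceId $workspace.ResourceId -Log $logs -Metric $metrics | Out-Null

# 2a. Who connected, from where, with which client, in the last 24 hours.
$loginsKql = @'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.ANALYSISSERVICES" and Category == "Engine"
| where OperationName == "AuditLogin"
| summarize Logins = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by NTUserName_s, ClientHostName_s, ApplicationName_s
| order by Logins desc
'@

# 2b. Administrative commands that touched roles (TMSL create/alter/delete).
$roleChangesKql = @'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.ANALYSISSERVICES" and Category == "Engine"
| where OperationName == "CommandEnd"
| where TextData_s has "role" and TextData_s has_any ("createOrReplace", "alter", "delete")
| project TimeGenerated, NTUserName_s, ClientHostName_s, TextData_s
| order by TimeGenerated desc
'@

$window = New-TimeSpan -Hours 24
foreach ($kql in @($loginsKql, $roleChangesKql)) {
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId `
        -Query $kql -Timespan $window
    $result.Results | Format-Table -AutoSize
}

# 3. Alert when connection failures in a 5-minute window exceed a threshold;
#    a burst of failures is the first visible sign of credential guessing or a
#    misconfigured client, and either deserves a look.
$criteria = New-AzMetricAlertRuleV2Criteria -MetricName "TotalConnectionFailures" `
    -TimeAggregation Total -Operator GreaterThan -Threshold 20
Add-AzMetricAlertRuleV2 -Name "aas-connection-failures" -ResourceGroupName $ResourceGroup `
    -TargetResourceId $server.Id -Condition $criteria -Severity 2 `
    -WindowSize (New-TimeSpan -Minutes 5) -Frequency (New-TimeSpan -Minutes 5) `
    -ActionGroupId $ActionGroupId | Out-Null
```

The role-change query is the one to schedule: role membership and filter changes are the events that widen data access, and in AAS they arrive as TMSL text in the Engine log rather than as Azure Activity Log entries, so they are missed by reviews that only watch the control plane.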
Best Practices
- Principle of Least Privilege: Grant users only the permissions they need to perform their tasks.
- Use Azure AD Security Groups: Simplify role management by assigning permissions to groups.
- Regularly Review Permissions: Periodically audit user roles and permissions to ensure they are still appropriate.
- Implement Network Restrictions: Use firewall rules and VNet integration to limit network access.
- Enable Auditing: Configure auditing to track all significant activities.
- Secure Connection Strings: Avoid hardcoding credentials in connection strings. Use managed identities or service principals where possible.
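As an added example for the "Regularly Review Permissions" and "Principle of Least Privilege" practices (not code from the original page), this PowerShell produces a flat inventory of every server administrator and every role member in every database on a server, using the Az.AnalysisServices cmdlets and the engine's DMVs, and highlights the entries a reviewer cares about most. Resource group and server name are placeholders I assume; the AsAdministrators property and the TMSCHEMA_ROLES / TMSCHEMA_ROLE_MEMBERSHIPS columns are as I know them, and the numeric ModelPermission mapping is from the Tabular Object Model enumeration.

```powershell
# Added example: permission inventory for an Azure Analysis Services server.
Import-Module Az.AnalysisServices
Import-Module SqlServer

$ResourceGroup = "myResourceGroup"                                    # placeholder
$ServerName    = "myaas-server"                                       # placeholder
$Server        = "asazure://westus.asazure.windows.net/$ServerName"   # placeholder

# ModelPermission is stored as an integer in the DMV (TOM enumeration values).
$permissionNames = @{ 1 = "none"; 2 = "read"; 3 = "readRefresh"; 4 = "refresh"; 5 = "administrator" }

# Runs a DMV query and returns the rows of the XMLA rowset as objects.
function Get-AsRows {
    param([string]$Query, [string]$Database)
    $args = @{ Server = $Server; Query = $Query }
    if ($Database) { $args.Database = $Database }
    ([xml](Invoke-ASCmd @args)).return.root.row
}

$inventory = New-Object System.Collections.Generic.List[object]

# Server administrators: full control over every database on the server.
$srv = Get-AzAnalysisServicesServer -ResourceGroupName $ResourceGroup -Name $ServerName
foreach ($admin in $srv.AsAdministrators) {
    $inventory.Add([pscustomobject]@{
        Database = "(server)"; Role = "Administrator"; Permission = "administrator"
        Member = $admin; Provider = "AzureAD"
    })
}

# Database roles and their members, one row per (role, member) pair.
foreach ($db in Get-AsRows -Query 'SELECT [CATALOG_NAME] FROM $SYSTEM.DBSCHEMA_CATALOGS') {
    $dbName  = $db.CATALOG_NAME
    $roles   = Get-AsRows -Database $dbName -Query 'SELECT [ID],[Name],[ModelPermission] FROM $SYSTEM.TMSCHEMA_ROLES'
    $members = Get-AsRows -Database $dbName -Query 'SELECT [RoleID],[MemberName],[IdentityProvider] FROM $SYSTEM.TMSCHEMA_ROLE_MEMBERSHIPS'
    foreach ($role in $roles) {
        $roleMembers = @($members | Where-Object { $_.RoleID -eq $role.ID })
        if ($roleMembers.Count -eq 0) {
            # An empty role is harmless but is usually a leftover worth deleting.
            $inventory.Add([pscustomobject]@{
                Database = $dbName; Role = $role.Name
                Permission = $permissionNames[[int]$role.ModelPermission]
                Member = "(no members)"; Provider = ""
            })
        }
        foreach ($m in $roleMembers) {
            $inventory.Add([pscustomobject]@{
                Database = $dbName; Role = $role.Name
                Permission = $permissionNames[[int]$role.ModelPermission]
                Member = $m.MemberName; Provider = $m.IdentityProvider
            })
        }
    }
}

# Full inventory, then the two views a reviewer wants first: everything with
# administrator rights, and individual users granted directly rather than via a group.
$inventory | Sort-Object Database, Role, Member | Format-Table -AutoSize

"--- Administrator-level grants ---"
$inventory | Where-Object Permission -eq "administrator" | Format-Table -AutoSize

"--- Direct user grants (UPN-shaped members; groups and service principals excluded) ---"
$inventory | Where-Object { $_.Member -match '^[^:@]+@[^@]+$' -and $_.Member -notmatch '^(app|obj):' } |
    Format-Table -AutoSize
```

Exporting the inventory with Export-Csv on a schedule and diffing successive runs turns this into a change record: a new administrator-level row or a new direct user grant between two runs is exactly the event the "Regularly Review Permissions" practice is meant to catch.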