This week I ran into an issue when trying to provision Azure Analysis Services (AAS) in Azure. The AAS team was fantastically helpful with helping me understand what was going on. 

When provisioning Azure Analysis Services in the portal, the final selection is to specify who the administrator is. AAS requires the administrator to be an account (user or group) which exists in Azure Active Directory (AAD). Because this was in a sandbox area for testing purposes, I went ahead and used my personal account for the AAS administrator selection:

After making the selections in the portal, the provisioning failed. In looking at the details, the error was: The identity emailaddr@domain.com was not found in Azure Active Directory:

This error was puzzling because of course I'm in Azure Active Directory. Turns out the tenant I was using to provision the service (the Development tenant in the diagram below) really only contains guest accounts:

The Analysis Services product team explained to me that a a user from a tenant which has never provisioned Azure Analysis Services cannot be added to another tenant's provisioned server. Put another way, our Corporate tenant had never provisioned AAS so the Development tenant could not do so via cross-tenant guest security.

One resolution for this is to provision an AAS server in a subscription associated with the Corporate tenant, and then immediately delete the service from the Corporate tenant. Doing that initial provisioning will do the magic behind the scenes and allow the tenant to be known to Azure Analysis Services. Then we can proceed to provision it for real in the Development tenant.

Another resolution is to utilize an AAD account which is directly from the Development tenant as the AAS administrator. 

You Might Also Like...

Why a Semantic Layer Like Azure Analysis Services is Relevant