Accessing Mosaic

How users reach Mosaic, what gets created on first sign-in, and how access actually works.

Mosaic's access model is layered but uncomplicated. Microsoft Entra ID controls who can sign in. Workspaces control what they can see once they're in. Power BI controls what data they can read inside embedded content.

Access model

Layer

What it controls

How

Tenant

Who can reach the app at all

Microsoft Entra ID. Only members of your Microsoft 365 tenant can sign in.

System role

Whether a user sees the Admin console

member (default), tenant_admin (sees Admin), or global_admin

Workspace

Which shared workspaces a user can open and what they can do inside

Workspace owner adds members by email and assigns a role: Owner, Editor, or Viewer.

Power BI

Which Power BI rows / pages / reports a user actually sees inside an embed

The user's own Microsoft Entra identity is forwarded to Power BI via the On-Behalf-Of flow. Row-Level Security holds end-to-end. Mosaic never bypasses or caches Power BI access decisions.

When a user opens Mosaic for the first time, a few things happen automatically:

Microsoft Entra signs them in

Mosaic redirects to Microsoft Entra ID. The user signs in with their Microsoft 365 work account - the same one they use for Power BI, Teams, and the rest of Microsoft 365.

Mosaic provisions their account

The first sign-in creates the user record in your Mosaic tenant.

A personal workspace is auto-created

Mosaic creates a personal workspace for the user, with a starter "Getting Started" page inside. Personal workspaces are private to the user — only they can edit content there.

They land on the home page

The user sees their personal workspace in the sidebar, the chat panel ready to take questions, and quick action pills for the common starting moves.

That's it for first-time sign-in. They can immediately ask the chat questions, embed Power BI reports they have access to, and write pages.

A personal workspace covers solo work. To collaborate, someone needs to create a shared workspace and invite teammates by email.

Create a shared workspace

Any user can create a shared workspace (e.g., FP&A, Risk Reporting, Merchandising Analytics). The creator becomes the workspace Owner.

Invite teammates by email

The Owner opens Workspace settings → Members and adds people by their work email, one at a time, with a role:

Editor - can create and edit pages, run agents, embed Power BI, write DAX
Viewer - read-only

Invitees must be members of your Microsoft 365 tenant — Mosaic does not support external guest collaboration today.

For more on what each role can do, see Workspace Roles.

Once added, the invitee sees the shared workspace in their sidebar the next time they sign in. Power BI access remains gated by Power BI's own access model — Mosaic shows them what they're allowed to see.

No security group integration today. Mosaic does not currently read Microsoft Entra security groups. Each member is added to a workspace individually by email. If you'd like group-based provisioning, that's on the Mosaic roadmap — let us know at info@vizlake.com so we can prioritise it.

Tenant administrators

Tenant admins (system_role = tenant_admin) see the Admin entry in their user menu. They can review:

Total AI sessions, active users, token usage, error rate, latency
Recent AI sessions across the whole tenant
Per-session timelines (every tool call, dataset accessed, model used)
Token usage trends

Tenant admins do not manage workspaces from the Admin console — workspaces are owner-driven. Setting a user's system role is currently done by Vizlake on request, or by an existing global admin via the scripts/admin.ts CLI. UI-driven role management is on the roadmap.

Access URL

Your Mosaic instance is at https://mosaic.aidi.ai. Customers with custom domain configurations may have a different URL - check with your Mosaic administrator if unsure.

What's next

Adding Members to a Workspace - the email-invite flow
Workspace Roles - what each role can do
User Login - first-sign-in walkthrough and troubleshooting

PreviousBring Your Own API Key NextAdding Members to a Workspace

Last updated 1 month ago