Detect upload of sensitive information to Power BI using Microsoft 365 data loss prevention policies

Author: Anton Fritz

Many enterprises rely on Microsoft 365 data loss prevention (DLP) policies for Office 365 apps, SharePoint, OneDrive, Teams, Exchange, etc. to comply with governmental or industry regulations, such as the European Union’s General Data Protection Regulation (GDPR), the U.S. Government’s Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA). Many of these enterprises also leverage DLP policies to reduce the risk of sensitive business data leakage, for example, intellectual property.

In December we announced a public preview of Microsoft 365 DLP policies for Power BI premium workspaces, supporting automatic detection of sensitive data upload for data that has specific sensitivity labels applied (that is, sensitivity labels serve as rule conditions), along with the option to trigger automatic risk remediation actions such as alerts to security admins and/or customizable policy tips for end users.

Today we’re happy to announce that we’re extending Microsoft 365 DLP policies for Power BI to support detection of uploading sensitive information such as social security and credit card numbers, leveraging Microsoft’s built-in sensitive information types and/or custom information types defined by your organization in the Microsoft 365 compliance center.

How to deploy DLP policies for Power BI

Deploying a DLP policy is a process that requires evaluation, planning, and testing before rolling it out to the entire organization. The process is usually driven by the organization’s security/compliance administrators. For more detail, as well as for guidance about how to plan DLP deployment in your organization, please read Plan for data loss prevention.

Creation and monitoring of a DLP policy for Power BI is quite straightforward, and is very similar to how DLP policies work for other supported DLP locations like SharePoint and OneDrive.

The steps below outline the process of enabling a DLP policy for Power BI:

  1. Go to Microsoft 365 Compliance. No configuration is required in the Power BI admin portal.
  2. Choose Data loss prevention > Policies > Create policy.
  3. Choose Custom > Custom policy.
  4. Provide a name for the policy.
  5. Choose Power BI as the location. You can choose which workspaces you’d like the policy to apply to. You can specify all premium workspaces, specific premium workspaces, or all premium workspaces except specified workspaces.
  6. Choose Create or customize advanced DLP rules, and then Create rule.
  7. Create a new rule:
    1. Set a condition: “Sensitive info types” and/or “Sensitivity labels”.
    2. Set actions (optional):
      1. User notification (customizable policy tip).
      2. Incident report (alert to security admin).
  8. Test or turn on the policy. You have the option of running the policy in test mode first. Test mode will create the audit activities when a policy condition is met (for example, when the upload of a dataset with credit card info is detected) without triggering any user-facing actions.
  9. Validate a DLP rule condition match:
    1. See the entry created in Microsoft 365 audit logs.
    2. If you configured “incident report”, an alert will appear in Microsoft 365 alerts section.
    3. If you configured a “policy tip”, it will appear in the dataset’s details at Power BI Dataset hub.
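
The portal steps above can also be scripted through Security & Compliance PowerShell. The following is an added example, not part of the original post or Microsoft's own sample; the policy and rule names, the e-mail addresses and the policy tip text are placeholders, and whether each action parameter is honoured for the Power BI location is an assumption to confirm while the policy runs in test mode.

```powershell
# Added example: scripted equivalent of the portal steps above.
# Requires the ExchangeOnlineManagement module and a compliance admin role.
# Names, addresses and tip text below are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$policyName = 'PBI - Detect card and SSN upload'      # placeholder
$ruleName   = 'PBI - Credit card or SSN in dataset'   # placeholder
$secOpsMail = 'secops@contoso.example'                # placeholder

# Steps 2-5 and 8: Power BI as the policy location, created in test mode so
# matches are audited without any user-facing action.
# 'All' covers every supported premium workspace; pass workspace IDs to scope it.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect upload of sensitive info types to Power BI' `
    -PowerBIDlpLocation 'All' `
    -Mode TestWithoutNotifications

# Step 7.1: condition on built-in sensitive information types.
$sensitiveInfo = @(
    @{ Name = 'Credit Card Number';                minCount = '1' },
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
)

# Step 7.2: optional actions (policy tip for the owner, alert to security admins).
# Assumption: these action parameters apply to the Power BI location as they
# do for SharePoint and OneDrive; verify during test mode.
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveInfo `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This dataset appears to contain card or SSN data.' `
    -GenerateAlert $secOpsMail `
    -ReportSeverityLevel High

# Confirm the policy exists, is still in test mode, and has been distributed.
Get-DlpCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Mode, DistributionStatus

# After reviewing test-mode matches in the audit log, turn the policy on:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```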

For more information, check out the Configure a DLP policy for Power BI documentation.

To learn more about best practices for deploying Microsoft 365 DLP policies, see the Create, test, and tune a DLP policy documentation.

Notes:

  1. Microsoft 365 DLP policies for Power BI require a Microsoft 365 E5 license. Check out the documentation for more details.
  2. DLP policy evaluation is not currently included in capacity CPU usage. Metering as a background operation in capacity CPU consumption is expected to begin during Q2 CY2022.
  3. DLP policies are supported for Premium Gen2 workspaces only.
  4. Power BI DLP policies are currently not supported in the following data centers: Southeast Asia, Australia and Northern Europe. We’re actively working on enabling DLP policies in these data centers, and we’ll update with an ETA when available.

Learn about data loss prevention policies for Power BI

Coming soon:

Support for a user option to report false positive detection, and user options to override policy actions.

Finally, if you have any suggestions or feedback about MIP in Power BI, feel free to fill out this form.