
Updates to Microsoft Purview data loss prevention policies in Power BI

By Yael Biss

Data loss prevention (DLP) policies help you govern the sensitive information managed in your Power BI tenant and comply with governmental or industry regulations, such as GDPR (the European Union’s General Data Protection Regulation). Earlier this year, we announced the release of DLP policies for Power BI to public preview.

We’ve seen impressive results with DLP policies in Power BI, with tenants scanning tens of thousands of datasets per day, and more. DLP policies provide you with an automatic solution to govern sensitive business data in your Power BI tenant, at scale.

 

DLP policies identify sensitive data uploaded from Power BI Desktop and show a policy tip.

 

We’re happy to share with you two significant enhancements to DLP policies in Power BI:

  1. CPU metering for DLP policy evaluation
  2. Overriding policy tips and reporting false positives

 

Introducing CPU metering for DLP policy evaluation

Today, you can set up DLP policies in your organization that automatically detect when sensitive information, or data with a specific sensitivity label, is uploaded to “import datasets” in workspaces associated with your Gen2 Premium capacities.
When a dataset is evaluated by the policy, it is scanned for sensitive information types or sensitivity labels, according to the policy conditions configured in the Microsoft Purview compliance portal. This evaluation is triggered in one of the following data upload scenarios: Publish, Republish, On-demand refresh and Scheduled refresh.

With each of these actions, Power BI will evaluate the dataset to determine if it contains sensitive information or not. This process utilizes CPU from the premium capacity associated with the workspace the evaluated dataset resides in. The CPU consumption of the evaluation will be equal to 30% of the CPU consumed by the refresh action that triggered the evaluation. For example, if a refresh action costs 30 milliseconds of CPU, then the DLP scan will cost an additional 9 milliseconds. The fixed 30% additional CPU consumption for the DLP evaluation can help you predict the impact of DLP policies on your overall Capacity CPU utilization, and perform capacity planning when rolling out DLP policies in your organization.

*To clarify, there is no additional CPU metering due to DLP evaluation for Premium Per User workspaces, as they are not associated with Premium capacities.
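
For capacity planning, the metering rules above can be applied to a list of capacity events. The following Python sketch is an added example, not code from the original post or from Microsoft; the record fields, action names, and capacity names are constructed assumptions, and it also assumes a dataset whose policy has been overridden is no longer evaluated, as described in the override section of this post.

```python
# Added example: estimate DLP evaluation CPU per Premium capacity.
# Field names, action names and capacity names are constructed assumptions.
from collections import defaultdict

DLP_CPU_PERCENT = 30  # fixed ratio stated in the post
# The four upload scenarios that trigger a DLP evaluation (labels are assumed).
DLP_TRIGGERS = {"Publish", "Republish", "OnDemandRefresh", "ScheduledRefresh"}

# Constructed sample events. capacity=None models a Premium Per User workspace.
SAMPLE_EVENTS = [
    {"capacity": "cap-A", "dataset": "sales", "action": "ScheduledRefresh",
     "cpu_ms": 30, "overridden": False},
    {"capacity": "cap-A", "dataset": "sales", "action": "Query",
     "cpu_ms": 12, "overridden": False},   # not an upload scenario
    {"capacity": "cap-A", "dataset": "hr", "action": "OnDemandRefresh",
     "cpu_ms": 200, "overridden": True},   # policy overridden for this dataset
    {"capacity": "cap-B", "dataset": "finance", "action": "Publish",
     "cpu_ms": 50, "overridden": False},
    {"capacity": None, "dataset": "personal", "action": "ScheduledRefresh",
     "cpu_ms": 40, "overridden": False},   # PPU: no capacity metering
]


def estimate_dlp_cpu(events):
    """Return {capacity: {"action_cpu_ms", "dlp_cpu_ms", "overhead_pct"}}."""
    action_cpu = defaultdict(int)   # all CPU metered on the capacity
    trigger_cpu = defaultdict(int)  # CPU of actions that trigger a DLP scan
    for e in events:
        if e["capacity"] is None:
            continue  # Premium Per User workspaces are not metered
        action_cpu[e["capacity"]] += e["cpu_ms"]
        if e["action"] in DLP_TRIGGERS and not e["overridden"]:
            trigger_cpu[e["capacity"]] += e["cpu_ms"]
    report = {}
    for cap, total in action_cpu.items():
        dlp = trigger_cpu[cap] * DLP_CPU_PERCENT / 100
        report[cap] = {
            "action_cpu_ms": total,
            "dlp_cpu_ms": dlp,
            # DLP cost relative to all CPU already used on the capacity
            "overhead_pct": round(100 * dlp / total, 2) if total else 0.0,
        }
    return report


if __name__ == "__main__":
    for cap, row in sorted(estimate_dlp_cpu(SAMPLE_EVENTS).items()):
        print(cap, row)
```

Because only the triggering upload actions are scanned, the effective overhead on a capacity is usually below 30% of its total CPU; the `overhead_pct` field shows that difference for the sample data.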

To see the CPU usage of your data loss prevention policies, go to the “Power BI Premium Capacity Metrics App”. For more information, see “Monitor Power BI Premium capacities with the Premium Capacity Metrics app” on Microsoft Docs.

Override policy tips and report false positives

We’re introducing the ability for Power BI users to give feedback on the policy rules that evaluate their datasets. Users can provide insight on datasets that matched rules defined by the security admins in the Microsoft Purview compliance portal, which creates a built-in line of communication between the two teams and helps both operate smoothly.

On the dataset’s detail page, you can now see all the policy rules that have been matched for this dataset. Clicking “view all” in the top yellow banner opens a side panel with a card representing each rule. In addition to viewing all the matched rules, data owners can take action if they believe the data was falsely identified.

Based on how the policy rule was configured, you will be able to see one or a combination of these actions:

  • Report an issue: Report the issue as a false positive (meaning that the policy has mistakenly identified non-sensitive data as sensitive, for example).
  • Override: Override the policy. Overriding a policy means that this policy will no longer evaluate this particular dataset. Depending on the policy configuration, you may be required to provide a justification for the override.
  • Report and override: Report the issue as a false positive and override the policy.

 

Policy tip panel with a card representing each rule matched by the DLP policy, and its available actions.

 

Learn more

For more information, see Data loss prevention policies for Power BI.