Today we are announcing two features to assist organizations in meeting their security and compliance requirements as they deploy Power BI. First, Power BI now supports Azure AD Conditional Access to provide more control for how users access Power BI. Second, Power BI Auditing (available in Preview) allows administrators to monitor important user activities. Read on for all of the details.
Azure AD Conditional Access for Power BI
Power BI lets business users keep a finger on the pulse of their business by monitoring the most important and sensitive data from across their organization. As a result, securing access to Power BI is of paramount importance. We’ve heard over and over again how critical it is for organizations to apply additional security to Power BI to protect their data, while not impacting access to other services.
With this said, we are excited to announce Azure AD Conditional Access policies for Power BI are now available. This offers simple ways for organizations to secure access to Power BI and help protect against the risk of stolen or phished credentials by requiring multi-factor authentication (MFA) or blocking access based on network location for Power BI.
Setting up conditional access policies for Power BI is simple and only takes a few clicks.
1. Navigate to manage.windowsazure.com and sign-in with your account (you need to be an admin on the tenant to setup the conditional access policy). Next, navigate to your directory.
2. Click on Applications->Power BI –> Configure
3. Set “Enable Access Rules” to ON.
Next, you need to specify the users that the access rules apply to. By default, the policy will apply to all users that have access to the application.
Next you need to choose the actual access rule that will be applied. You have the following options:
1. Always require MFA
2. Require MFA when not at work
3. Block access when not at work.
Once a policy is configured, it will be automatically applied when a user attempts to sign in to Power BI.
For example, let’s say that an admin has configured conditional access policy requiring MFA for only Power BI. When a user visits the Office 365 portal, they will be seamlessly signed-in and they can access their email.
But when they try to navigate to Power BI, they will be asked to complete an MFA challenge.
Conditional access works regardless of whether you access Power BI through the web or any of the Power BI mobile apps (windows, android or iOS). You can also use these policies in conjunction with the preview of device-based policies mentioned here.
You can secure access to Power BI even further by enabling these conditional access policies can be enabled alongside Risk Based Conditional Access policy available with Azure AD Identity Protection.
The risk based policies give an advanced baseline of coverage, challenging users for MFA or blocking access as risk is detected.
Note: Conditional Access requires all users to have Azure Active Directory Premium Licenses.
Power BI Auditing Preview
Help your organization meet regulatory requirements or implement internal compliance controls with the new Preview of Power BI Auditing. Auditing events are stored when users view Power BI content, export data, or make changes to important settings. When you need to examine user activity, audit logs can be viewed in the Office 365 Security and Compliance Portal, with easy tools to search by user, date, and type of activity. For advanced scenarios and automation, the same audit logs can be accessed with PowerShell commands.
Auditing is a feature of Power BI Pro and user-level auditing events will only be available for Pro users. In this Preview, auditing is available for customers in the United States. We are looking forward to your feedback and to expanding Auditing to other regions in the future.