Last fall we introduced industry-leading Power BI data protection capabilities in public preview. Today we’re happy to announce these capabilities are generally available (GA), along with new and exciting capabilities we’re announcing in this space!
Power BI helps organizations empower everyone to make every decision based on data. It enables a single unified platform to ask smarter business questions and get to actionable insight faster. But democratizing access to insight is only part of the story. We’ve also worked hard to ensure that Power BI is part of an end-to-end security platform that is easy to use, integrated with productivity solutions, and enables remote work. Power BI’s data protection capabilities help people to securely uncover insight, collaborate, and share appropriately no matter where data goes – even outside the organizational network or on unmanaged devices.
Customers like BP already benefit from Microsoft Information Protection in Power BI to gain better visibility and control over their business-critical data:
“Our data owners can now classify their data with ease within Power BI and align with our existing Microsoft Information Protection labels. The integration with Microsoft Information Protection means that we can see where our important data is being used and be assured that exported data is automatically labelled and protected in accordance with our policies. In this way our users practice security by choice because it is easy. The ability to monitor activity and block or protect downloads of classified data in real-time using [Microsoft Cloud App Security] is a very powerful control, which gives us increased flexibility on collaborating and sharing securely.”
— Geoff Elton, Information Protection Security Engineering Lead at BP
General availability of sensitivity labels in Power BI
Microsoft Information Protection sensitivity labels provide a simple way for your users to classify critical content in Power BI without compromising productivity or the ability to collaborate. Sensitivity labels can be applied on datasets, reports, dashboards, and dataflows. When data is exported from Power BI to Excel, PowerPoint or PDF files, Power BI automatically applies a sensitivity label on the exported file and protects it according to the label’s file encryption settings. This way your sensitive data remains protected no matter where it is.
Power BI report sensitivity label and protection applied on file when export data to Excel file
Sensitivity labels applied on Power BI reports and dashboards are also visible in the Power BI iOS and Android mobile apps.
Power BI admins have full visibility over the sensitive data in Power BI tenant with the Protection metrics report available in the Power BI admin portal.
Protection metrics report
To give Power BI and security admins better visibility over sensitive data consumption, for the purpose of monitoring, investigation, and security alerts, we have extended the Power BI audit logs to include sensitivity label information for activities such as applying, removing, and changing labels, as well as for viewing reports, dashboards, etc.
New information protection capabilities in Power BI
End-to-end label consistency is one of our customers top asks. We heard you! New capabilities rolling out soon extend Power BI label consistency capabilities even more:
- Label inheritance upon creation of new content (rolling out in coming weeks): When new reports and dashboards are created in the Power BI service, they will automatically inherit the sensitivity label previously applied on parent dataset or report. For example, a new report created on top of a dataset that has a “Highly Confidential” sensitivity label will automatically receive the “Highly Confidential” label as well.
Dataset’s sensitivity label automatically applied on new report
- Sensitivity labels persist when a Power BI report is embedded in an app (rolling out in coming weeks): Power BI business reports are often embedded in business applications such as Microsoft Teams, SharePoint, or an organization’s website. Now when you embed sensitive information, the label applied on your reports and dashboards will be visible in the embedded view and persist when data is exported to Excel.
- Sensitivity label inheritance from Power BI to Excel for live data connections (rolling out later this year): When you create PivotTable in Excel with live connection to Power BI dataset (“Analyze In Excel”), that dataset’s sensitivity label will be inherited and applied to your Excel file along with its associated protection. If the label on the dataset is later changed to a more restrictive one it will automatically update on the linked Excel file upon data refresh. This capability is available now in Insiders on Excel for Windows and will launch to Microsoft 365 E3 customers later in the year.
Power BI and Microsoft Cloud App Security
Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that leverages Microsoft Information Protection’s labels and policies to provide data loss prevention in Microsoft services like Power BI and extends that to third-party cloud applications. For example, with Cloud App Security, you can create a policy that will block the download of sensitive data when the user is accessing data via an unauthorized device. Microsoft Cloud App Security enables you to gain rich visibility into shadow IT, identify and remediate cloud-native attacks via integration with Microsoft Threat Protection, and control how your data travels across all of your cloud resources.
Cloud App Security real time controls block download of highly confidential data to an unmanaged device
Cloud App Security also analyzes Power BI activities and raises a security alert if suspicious behavior is detected. For example:
- Multiple Power BI report sharing (Preview) – Alerts you when a user performs an unusual number of Power BI report sharing activities, compared to the learned baseline.
- Suspicious Microsoft Power BI sharing (Preview): Alert you when a potentially sensitive Power BI report is suspiciously shared outside of your organization.
- Impossible travel alert: This detection identifies two user activities on Power BI (in a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second. This indicates that a different user is using the same credentials. See this article for more information
Power BI admins have access to Power-BI-relevant data in Cloud App Security portal, like alerts, users at risk, activity logs, and other information.
We continue to extend sensitivity labels support, for example we’re adding sensitivity labels and protection in Power BI Desktop, which will enable you to classify, label, and apply protection to PBIX files. We also continue to invest in new sensitivity label inheritance scenarios, within Power BI and from data sources to Power BI. More to come, stay tuned.
To learn more about the capabilities covered in this blog, read data protection in Power BI documentation or checkout these videos: