Digital transformation has revolutionized the way organizations operate, improved their productivity, enabled greater collaboration and enhanced business workflows with state-of-the-art technologies like AI. Digital transformation also created new threats of business data leakage as well as new regulations such as the new European Union’s General Data Protection (GDPR) governing how organization should store and protect sensitive business data. More than ever before, data protection is a top of mind for many central IT teams.
Power BI adoption by large enterprises is growing very fast. To reduce the risk for data leakage, up until now some organizations have chosen to block export from Power BI and/or limit user access to sensitive data, at the expense of productivity. Others, have chosen just to rely on their employees following the organizationโs data protection guidelines, in order to maintain high productivity. Both options require IT teams to make a compromise between data protection and productivity.
Over the past six months, the Power BI team has worked closely with the Microsoft Information Protection and Cloud App Security teams to provide a solution that will enable Power BI customers to have their data protected, while maintaining high productivity.
It is now possible to:
- Classify and label sensitiveย Power BIย dataย usingย theย familiarย Microsoft Information Protection sensitivity labelsย used in Office.
- Enforceย governance policiesย evenย when Power BI content is exportedย to Excel, PowerPoint, or PDF,ย toย helpย ensureย data isย protectedย even when itย leavesย Power BI.
- Monitor and protect user activity on sensitive data in real timeย with alerts, session monitoring, and risk remediation using Microsoft Cloud Appย Security.
- Empower security administratorsย who useย dataย protection reports and security investigation capabilitiesย withย Microsoft Cloud App Security to enhance organizational oversight.
Sensitivity labels in Power BI
A sensitivity label is a tag that you can apply on Power BI datasets, reports, dashboards and dataflows, it is:
- Customizable to the organizations needs โ By defining sensitivity labels, organizations can create categories for different levels of sensitive content, such as Personal, Public, General, Confidential, and Highly Confidential.
- Easily visible โ It’s easy for content creators to apply sensitive labels as part of the content creation flow. Once the label has been appliedย any consumer that interacts with the content can see the content sensitivity.
- Persistent – after a sensitivity label has been applied to content in Power BI, it persist applying both the label and protection when it is exported to: Excel, PowerPoint and PDF.
The beauty of this new capability is that these are the same sensitivity labels often used by organizations to classify, label and protect Office 365 files such as Excel, PowerPoint, Word, and Outlook emails.
Once a sensitivity label is applied to a report, Power BI extends applicable protection policies to that report data when it is exported from Power BI to Excel, PowerPoint and PDF files.
For example, if the sensitivity label on a report has a file protection policy, when data is exported from this report to an Excel file, authorized users will be able to view the file, whereas the file is protected against access by unauthorized users.
Authorized users will be able to open the file and see the sensitivity label applied to the Power BI report:
Unauthorizedย users will not be able to open the file:
Sensitivity labels applied on reports and dashboards are also visible when viewing reports and dashboards in the Power BI mobile app (IOS and Android)
Licenses are required to apply and view sensitivity labels in Power BI and in Office apps.
Learn about data protection in Power BI
How to enable sensitivity labels in Power BI
Real-time controls and monitoring with Microsoft Cloud App Security
Microsoft Cloud App Security is one of the worldโs leading cloud access security brokers used to secure the use of cloud apps. It enables organizations to monitor and control, in real time, risky Power BI sessions such as user access from unmanaged devices. Security administrators can define policies to control user actions, such as downloading reports with sensitive information.
For example, if a user connects to Power BI from an unmanaged device, the session can be monitored by Microsoft Cloud App Securityโs real-time controls, and risky actions, such as downloading data that has the โHighly Confidentialโ sensitivity label applied to it, can be blocked in real time.
Additionally, with Microsoft Cloud App Security, administrators have real-time visibility and control over Power BI user activities concerning data that has sensitivity labels. This visibility and control include security alerts for Power BI service activities such as mass or suspicious report sharing (preview), etc.
Microsoft Cloud App Security licenses are required for these capabilities.
Read more about Microsoft Cloud App Security capabilities for Power BI
Click here to sign-up to data protection webinar.
Coming soon: New protection metrics report for admins in Power BI admin portal