Governing and administering Power BI

Governance of Power BI is a broad and potentially complex subject that can encompass the overall data governance within an organization as well as Power BI Desktop and the Power BI service. However, at its core, governance for Power BI is simply a set of established rules and policies regarding what people can do with organizational data.

The overall goals of governance in the context of Power BI are as follows:

  • Empower business users to use data for making decisions.
  • Comply with applicable government, industry, and contractual regulations.
  • Establish rules that comply with organizational requirements.

The usage models in the Understanding usage models section within this chapter are one way of implementing governance. For example, controlling who is allowed to publish official datasets is a form of governance. Centralizing the creation of datasets and metrics empowers business users because they can rely on consistent metrics and accurate data. In addition, those creating the datasets can ensure that only appropriate data is exposed to the business, thereby avoiding regulatory compliance issues.

The following sections explore two additional important governance controls: tenant settings and deploying Power BI content.

Tenant settings

As explained in Chapter 1, Understanding Business Intelligence and Power BI, a tenant is simply a logical slice of the Power BI service particular to a single organization. Each Power BI tenant must have at least one account that is deemed the tenant administrator. The tenant administrator or administrators control which features and functionality are enabled within the tenant. This section explains the various tenant settings within Power BI along with suggestions and recommendations for their enablement or disablement.

For tenant administrators, it is important to understand these tenant settings and carefully consider the implications of each with regard to empowering business users and complying with regulatory and organizational requirements. For business users, it is also important to understand what available features may have been disabled by tenant administrators so that requests can be made to enable those features should the need arise to make use of them.

Tenant settings are accessed in the Power BI service by clicking on the gear icon in the upper-right corner of the Power BI service, then choosing Admin portal and then Tenant settings. Alternatively, click the ellipsis (...) in the upper-right corner, then choose Settings, Admin portal, and finally Tenant settings.

Once enabled, many tenant settings allow the tenant administrator to choose whether the feature is enabled for the entire organization or for specific security groups (Office 365 Groups). In addition, tenant administrators can also exclude specific security groups if desired.

The common dialog for setting tenant security is shown in Figure 12.6:


Figure 12.6 – Tenant security settings

In general, it is advisable to use a least-privilege approach to tenant settings. That is, only enable the features required by the organization and only enable those features for the groups of business users that require the use of those features.

Help and support settings

Help and support settings control help and support links, notifications about service outages, the use of enhanced features on a trial basis, and custom messages shown when publishing content. Let’s look at them briefly:

  • Publish “Get Help” information: This setting allows the administrator to change certain menu links in the service to point to internal help and support resources. Enabling this can be helpful for large organizations in order to point business users toward internal support organizations and content. Configuring this option would generally be done for the entire organization and provides the ability to replace the help links in the Power BI help menu (? Help & Support) with custom links.

    Figure 12.7 shows the different settings that can be customized as well as which menu links are changed:


Figure 12.7 – Publish “Get Help” Information settings

  • Receive email notifications for service outages or incidents: If enabled, the specified mail-enabled security groups receive email notifications if there is an outage or other issue with the Power BI tenant. It is recommended that this option be enabled for specific mail-enabled security groups such as IT support and the help desk or anyone responsible for the administration and governance of Power BI.
  • Allow users to try Power BI paid features: If enabled, users in the entire organization or specified security groups can get a free individual trial of upgraded Power BI features such as Power BI Pro and Power BI PPU for 60 days. In general, it is recommended that this option be disabled.
  • Show a custom message before publishing reports: This feature is useful for organizations that wish to inform content creators of any organizational policies or procedures that should be followed when publishing content. When content creators publish a report, they’ll see a custom message prior to publication. Enable this feature if your organization wishes to inform publishers of organizational policies, although you may wish to exempt certain groups such as IT.

Workspace settings

Workspace settings control who and what types of workspaces can be created as well as the use of datasets between workspaces:

  • Create workspaces (new workspace experience): If enabled, users can create new workspaces within the Power BI service. It is recommended that this be enabled for only authorized security groups within the organization in order to avoid the proliferation of workspaces within the tenant.
  • Use datasets across workspaces: Users in the organization can use datasets across workspaces if they have the required build permission. It is recommended that this be enabled for specific security groups within the organization and is a required setting for usage models such as golden datasets.
  • Block classic workspace creation: Users in the organization cannot create classic workspaces. As classic workspaces are essentially deprecated within the Power BI service, this setting should be enabled for the entire organization.

Information protection

Information protection settings control the application and use of sensitivity labels for Power BI content:

  • Allow users to apply sensitivity labels for Power BI content: When enabled, Microsoft Information Protection sensitivity labels published by your organization can be applied to Power BI content. Sensitivity labels are created in the Microsoft 365 compliance center and are only applied to files exported to Excel, PowerPoint, or PDF. All other export and sharing options do not support the application of sensitivity labels and protection. Sensitivity labels allow for the classification and protection of organizational data, while at the same time making sure that user productivity and collaboration are not impacted.

    If your organization uses sensitivity labels, then enable this setting for the specific groups responsible for labeling sensitive content. Sensitivity labels can be applied to dashboards, reports, datasets, and dataflows but not paginated reports or workbooks.

  • Apply sensitivity labels from data sources to their data in Power BI: Enabling this setting means that Power BI datasets that connect to sensitivity-labeled data inherit those labels. Currently supported source systems include Excel, Azure Synapse Analytics, and Azure SQL Database. This setting should be enabled if the organization uses sensitivity labels.
  • Automatically apply sensitivity labels to downstream content: If enabled, when sensitivity labels are applied or changed for Power BI content, the label is applied to content created from that content. For example, if a sensitivity label is applied to a dataset, this means other datasets, reports, and dashboards created from that dataset inherit the applied sensitivity label. This setting should be enabled if the organization uses sensitivity labels.
  • Allow workspace admins to override automatically applied sensitivity labels: If enabled, users and groups with the Admin role for a workspace can change or remove automatically applied sensitivity labels. In general, this setting should only be enabled for specific groups and not the entire organization.

  • Restrict content with protected labels from being shared via a link with everyone in your organization: If enabled, this prevents content with protection settings in the sensitivity label from being shared with everyone in the organization via a link. This setting should be enabled if the organization uses sensitivity labels.

Export and sharing settings

Export and sharing settings control guest user access to the tenant, export formats for reports, the ability of users to certify and promote content, and additional sharing and collaboration functionality:

  • Allow Azure Active Directory guest users to access Power BI: This setting enables or disables the ability of Azure Active Directory Business-to-Business (B2B) guest users to access the organization’s Power BI tenant and content such as reports, dashboards, and apps to which they have permissions. Only enable this setting if required. However, it is even more important to control the invitation of guest users. See the next tenant setting, Invite external users to your organization.
  • Invite external users to your organization: Allows users in the organization to share reports, dashboards, and apps with users outside the organization. Once invited, outside users become Azure Active Directory B2B guest users. This should only be enabled if absolutely necessary and, if enabled, should only be enabled for specific groups of users.
  • Allow Azure Active Directory guest users to edit and manage content in the organization: If enabled, organizational users can invite Azure Active Directory B2B guest users to edit and manage content within workspaces. In addition, these guest users can browse and request access to content. This feature should generally be disabled unless absolutely required by the business and should only be enabled for specific groups of users.
  • Show Azure Active Directory guests in lists of suggested people: When users search for people in Power BI, such as when sharing content, they see a list of suggested people. Enabling this feature includes Azure Active Directory (AD) members and guests as suggested people. When disabled, guests aren’t shown in the suggested people list. However, it is still possible to share content with guests by providing their full email address. For most organizations, it is generally a good idea to disable this setting.
  • Publish to web: If enabled, users can publish public reports to the web. Reports published to the web do not require authentication in order to view them; anyone with the link can view the report. It is highly advised that this setting be disabled as this can result in severe security and compliance issues for most organizations. If enabled, tenant administrators should regularly review generated embed codes via the Embed Codes page in the admin portal in order to ensure that no confidential information has been published to the web.
  • Copy and paste visuals: Enables or disables the ability for users to copy and paste dashboard tiles or report visuals as static images. There is no real security benefit in disabling this feature as users can still take screenshots or take pictures of tiles and visuals using their mobile device.
  • Export to Excel: Enables or disables the ability of users to export data from report visuals or paginated reports to an Excel file. This applies to both the interface for exporting in the service as well as the Power BI REST API. Enabling this setting can be beneficial to end users but some organizations may see this as a security risk and therefore would disable this setting.
  • Export to .csv: Enables or disables the ability of users to export data from dashboard tiles, report visuals or paginated reports to a Comma-Separated Value (CSV) file. This applies to both the interface for exporting in the service and the Power BI REST API. Enabling this setting can be beneficial to end users but some organizations may see this as a security risk and therefore would disable this setting.
  • Download reports: Enables or disables the ability of users to download Power BI Desktop (.pbix) files or paginated report (.rdl) files. This applies to both the interface for downloading in the service as well as the Power BI REST API. Enabling this setting can be beneficial to end users but some organizations may see this as a security risk and therefore would disable this setting.
  • Allow live connections: Enables or disables the ability of users to connect live to Power BI datasets. Disabling this feature effectively disables the Analyze in Excel functionality in the service as the Excel files generated by Analyze in Excel use a live connection to the dataset. Enabling this feature is a requirement for the golden dataset usage model.
  • Export reports as PowerPoint presentations or PDF documents: Enables or disables the ability of users to export reports to PowerPoint or PDF files. This applies to both Power BI reports and paginated reports and also applies to the interface for exporting in the service as well as the Power BI REST API. Enabling this setting can be beneficial to end users but some organizations may see this as a security risk and therefore would disable this setting.
  • Export reports as MHTML documents: Enables or disables the ability of users to export reports as MHTML files. The MHTML file format is only available for paginated reports. This applies to both the interface for exporting in the service as well as the Power BI REST API. Enabling this setting can be beneficial to end users but some organizations may see this as a security risk and therefore would disable this setting.
  • Export reports as Word documents: Enables or disables the ability of users to export reports as Microsoft Word files. Word files are only available for paginated reports. This applies to both the interface for exporting in the service as well as the Power BI REST API. Enabling this setting can be beneficial to end users but some organizations may see this as a security risk and therefore would disable this setting.
  • Export reports as XML documents: Enables or disables the ability of users to export reports as XML files. The XML file format is only available for paginated reports. This applies to both the interface for exporting in the service as well as the Power BI REST API. Enabling this setting can be beneficial to end users but some organizations may see this as a security risk and therefore would disable this setting.
  • Export reports as image files: Enables or disables the ability of users to export reports as PNG files for Power BI reports and image files for paginated reports. Exporting as images is only available via the Power BI REST API, and there is no interface within the service that supports this format. Enabling this setting can be beneficial to end users but some organizations may see this as a security risk and therefore would disable this setting.
  • Print dashboards and reports: Enables or disables the ability of users to print dashboards, reports, and paginated reports. Enabling this setting can be beneficial to end users but some organizations may see this as a security risk and therefore would disable this setting.
  • Certification: Enabling this feature allows users to certify datasets, dataflows, reports, and apps. When a user certifies content, that content displays a certification badge along with that user’s contact details. Certified datasets are really about self-service and discoverability, not security. Certified content is featured more prominently when creators start creating content. This setting should only be enabled for trusted contributors.
  • Email Subscriptions: Enables or disables the ability of users to create email subscriptions for reports, paginated reports, and dashboards. Enabling this setting can be beneficial to end users but some organizations may see this as a security risk and therefore would disable this setting.
  • Featured content: Enables or disables the ability of users to promote dashboards, reports, and paginated reports to the Featured section of the Power BI Home page. This setting should only be enabled for trusted contributors.
  • Allow connections to featured tables: Enables or disables the ability of users to access and perform calculations on data from featured tables. Featured tables are defined in the modeling view of Power BI Desktop. Featured tables can be viewed using the data types gallery of Excel. To view the data types gallery in Excel, use the Data tab of the ribbon and then expand the dropdown in the Data Types group. Enabling this setting can be beneficial to end users but some organizations may see this as a security risk and therefore would disable this setting.
  • Allow shareable links to grant access to everyone in your organization: Enables or disables the ability of users to create links that enable anyone within the organization to view the content (assuming the correct license type). This link cannot be used by users outside of the organization’s tenant. Only enable this setting if necessary and only for specific groups.
  • Enable Microsoft Teams integration in the Power BI service: Enables or disables the ability for users to access features associated with integration for Microsoft Teams, including launching Teams experiences from the Power BI service such as chats, the Power BI app for Teams, and receiving Power BI notifications in Teams. To completely enable or disable Teams integration, use the Manage apps section of the Teams administrator site to allow or block the Power BI app. Enabling this setting can be beneficial to end users but some organizations may see this as a security risk and therefore would disable this setting.

Discovery settings

Discovery settings control whether or not users can discover content within the Power BI service to which they do not have permissions:

  • Make promoted content available: If enabled, allows users who promote content to make that content discoverable by users without permission to access the content. This provides users without permissions with the ability to request access. Enabling this setting can be beneficial to end users but some organizations may see this as a security risk and therefore would disable this setting.
  • Make certified content discoverable: If enabled, allows users who certify content to make that content discoverable by users without permission to access the content. This provides users without permissions with the ability to request access. Enabling this setting can be beneficial to end users but some organizations may see this as a security risk and therefore would disable this setting.
  • Discover content: If enabled, allows users to discover content they do not have permissions to if that content was made discoverable. This provides users without permissions with the ability to request access. Enabling this setting can be beneficial to end users but some organizations may see this as a security risk and therefore would disable this setting.

Content pack and app settings

Content pack and app settings control the ability of users to create content packs and apps and their ability to distribute such content:

  • Publish content packs and apps to the entire organization: If enabled, users can publish apps and content packs (deprecated) to the entire organization. This setting should only be enabled for specific security groups.
  • Create template organizational content packs and apps: If enabled, users in the organization can create template content packs (deprecated) and apps that use datasets built on one data source in Power BI Desktop. Enable this setting if you plan on using template organizational apps.
  • Push apps to end users: If enabled, users can share apps directly with others without requiring installation from AppSource. This setting should only be enabled for specific security groups.

Integration settings

Integration settings control the integration and use of third-party systems within the Power BI service:

  • Allow XMLA endpoints and Analyze in Excel with on-premises datasets: If enabled, users can use the Analyze in Excel functionality to create Excel files that link to Power BI datasets. In addition, this setting allows XMLA endpoint connections. XMLA endpoints are required for certain tools such as ALM Toolkit. Enabling this setting can be beneficial to end users but some organizations may see this as a security risk and therefore would disable this setting. This setting should at least be enabled for administrative security groups.
  • Use ArcGIS Maps for Power BI: Enables or disables the ability of users to use Esri’s ArcGIS Maps for Power BI visualization. Enable this setting if you wish to use ArcGIS Maps.
  • Use global search for Power BI: Enables or disables the Search bar present in the header of the Power BI service. Search functionality is provided by Azure Search’s external search index. It is generally recommended to enable this setting.
  • Use Azure Maps visual: Enables or disables the ability of users to use Azure Maps visualization. Carefully read the terms and conditions regarding the use of Azure Maps as Azure Maps is powered by TomTom, a third-party provider, and may use Azure services located outside of your Power BI tenant’s geographic region, compliance boundary, or national cloud instance. Microsoft shares certain information with TomTom and the queries provided may be stored and processed in any country in which Microsoft or its subs operate. Enable this setting if you wish to use Azure Maps.
  • Integration with SharePoint and Microsoft Lists: Enables or disables the ability of users to launch Power BI from SharePoint lists and Microsoft Lists. Enabling this setting can be very beneficial to end users.
  • Snowflake SSO: Enables or disables Single Sign-On (SSO) for Snowflake. When enabled, user information such as the user’s name and email address is sent to Snowflake for the purposes of authentication. If using Snowflake, it is recommended to enable this setting.
  • Redshift SSO: Enables or disables SSO for Amazon Redshift. When enabled, user information such as the user’s name and email is sent to Amazon Redshift for the purposes of authentication. If using Redshift, it is recommended to enable this setting.
  • Azure AD Single Sign-On (SSO) for Gateway: Enables or disables SSO for the on-premises data gateway. When enabled, user information such as the user’s name and email address is sent to the SSO-supported data source for the purposes of authentication. It is generally recommended to enable this setting.

Power BI visuals

Power BI visuals settings control the use of custom visuals within the Power BI service:

  • Allow visuals created using the Power BI SDK: Enables or disables the ability of users to add, view, share, and interact with custom visuals in the Power BI service. It is recommended that this setting be disabled and that you use Organizational visuals to control what custom visuals are allowed. This setting does not apply to Organizational visuals. Organizational visuals can be managed within the Organizational visuals page of the admin portal.
  • Add and use certified visuals only (block uncertified): If enabled, users can only use certified visuals. It is recommended that this setting be disabled and that you use Organizational visuals to control what custom visuals are allowed. This setting does not apply to Organizational visuals. Organizational visuals can be managed within the Organizational visuals page of the admin portal.

R and Python visual settings

R and Python visual settings control whether or not users are permitted to use R and Python visuals within the Power BI service:

  • Interact with and share R and Python visuals: Enables or disables the ability of users to use visuals created with R and Python scripts. Only enable this setting if absolutely necessary as this setting applies to the entire organization and R and Python scripts could pose a potential security risk.

Audit and usage settings

Audit and usage settings control the collection of audit logs and metrics as well as the ability of users to view and access these logs and metrics. For more information about audit and usage logs, see the Further reading section in this chapter:

  • Create audit logs for internal activity auditing and compliance: Enables auditing to monitor user actions in the Power BI service. This setting is enabled and cannot be disabled for tenants that have enabled recording user and admin activity in the Office 365 admin portal. This setting should absolutely be enabled.
  • Usage metrics for content creators: Enables or disables the ability for users to see usage metrics for dashboards and reports to which they have permissions. Enabling this setting is beneficial to end users and is generally recommended.
  • Per-user data in usage metrics for content creators: Enables or disables the ability of content creators to view usage metrics that include the display names and email addresses of users accessing the content. There are several schools of thought around this topic. However, transparency tends to promote better security, and thus it is recommended that this be enabled for the entire organization.
  • Azure Log Analytics connections for workspace administrators: Enables or disables the ability for administrators of premium workspaces to send their workspace logs to Azure Log Analytics. It is generally recommended to enable this setting.

Dashboard settings

Dashboard settings control the type of content available in dashboards as well as whether data classification is available for dashboards:

  • Web content on dashboard tiles: Enables or disables the ability of users to create web content tiles on dashboards. It is highly recommended that this setting be disabled as this may expose your tenant to malicious software.
  • Data classification for dashboards: Enables or disables the ability to tag dashboards with a classification. These classifications are informational only and are defined directly in the tenant settings when enabling this feature.

    Figure 12.8 shows the data classification for the dashboard interface:


Figure 12.8 – Data classification for dashboards

It is not recommended that you use this feature. Oddly, once enabled, viewing and setting the data classification for dashboards can only be accessed when choosing Settings after clicking the three vertical dots next to a dashboard in the Navigation pane. Opening a dashboard’s settings in any other manner does not display the data classification for the dashboard nor is the classification designation present when viewing the dashboard. This effectively makes this feature useless in any practical sense.

Developer settings

Developer settings control the use of embedding as well as the use of Power BI APIs and resource keys. For more information about Power BI APIs, see the Further reading section in this chapter.

  • Embed content in apps: Enables or disables the ability of users to embed dashboards and reports in web applications using the Embed for your customers method. Only enable this setting if necessary.
  • Allow service principals to use Power BI APIs: Enables or disables the ability for assigned service principals to access web apps registered in Azure Active Directory (Azure AD) without a signed-in user. An allowed security group must include the service principal. This setting should be disabled unless this functionality is required.
  • Block ResourceKey Authentication: If enabled, blocks users from using a resource key for streaming datasets. Only disable this setting if you require authentication via resource keys.
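
Several of the recommendations in this section can be written down as a baseline and checked against an export of the tenant settings, which makes the least-privilege review repeatable. The following Python is an added example, not code from this chapter or from Microsoft; the export format (a JSON list whose entries carry title, enabled and enabledSecurityGroups) and the sample data are assumptions constructed for illustration, and the baseline covers only a few of the settings discussed.

```python
import json

# Baseline built from a few of this chapter's recommendations, keyed by the
# setting title shown in the admin portal. Expectation kinds:
#   "disabled"    - the feature should be off
#   "enabled"     - the feature should be on
#   "enabled_all" - on for the entire organization (no group restriction)
#   "groups_only" - if on, it must be limited to specific security groups
BASELINE = {
    "Publish to web": "disabled",
    "Web content on dashboard tiles": "disabled",
    "Allow users to try Power BI paid features": "disabled",
    "Block classic workspace creation": "enabled_all",
    "Create audit logs for internal activity auditing and compliance": "enabled",
    "Create workspaces (new workspace experience)": "groups_only",
    "Invite external users to your organization": "groups_only",
    "Push apps to end users": "groups_only",
}

# Constructed sample export (assumed format, not real tenant data).
SAMPLE_EXPORT = json.loads("""
[
  {"title": "Publish to web", "enabled": true, "enabledSecurityGroups": []},
  {"title": "Web content on dashboard tiles", "enabled": false},
  {"title": "Allow users to try Power BI paid features", "enabled": false},
  {"title": "Block classic workspace creation", "enabled": true},
  {"title": "Create audit logs for internal activity auditing and compliance",
   "enabled": true},
  {"title": "Create workspaces (new workspace experience)", "enabled": true,
   "enabledSecurityGroups": []},
  {"title": "Invite external users to your organization", "enabled": true,
   "enabledSecurityGroups": [{"name": "BI-External-Sharing"}]},
  {"title": "Export to Excel", "enabled": true}
]
""")


def scope_of(setting):
    """Return (enabled, groups) for one exported setting."""
    return bool(setting.get("enabled")), setting.get("enabledSecurityGroups") or []


def audit_tenant_settings(settings, baseline=BASELINE):
    """Return (title, finding) tuples, in baseline order, for each deviation."""
    by_title = {s["title"]: s for s in settings}
    findings = []
    for title, expected in baseline.items():
        if title not in by_title:
            # A setting missing from the export cannot be assumed compliant.
            findings.append((title, "not present in export; verify manually"))
            continue
        enabled, groups = scope_of(by_title[title])
        if expected == "disabled" and enabled:
            scope = "specific groups" if groups else "the entire organization"
            findings.append((title, f"should be disabled but is enabled for {scope}"))
        elif expected in ("enabled", "enabled_all") and not enabled:
            findings.append((title, "should be enabled but is disabled"))
        elif expected == "enabled_all" and groups:
            findings.append((title, "should apply to the entire organization "
                                    "but is limited to specific groups"))
        elif expected == "groups_only" and enabled and not groups:
            findings.append((title, "enabled for the entire organization; "
                                    "restrict to specific security groups"))
    return findings


def unreviewed_org_wide(settings, baseline=BASELINE):
    """Titles enabled for everyone that the baseline does not cover yet."""
    result = []
    for setting in settings:
        enabled, groups = scope_of(setting)
        if enabled and not groups and setting["title"] not in baseline:
            result.append(setting["title"])
    return result


if __name__ == "__main__":
    for title, finding in audit_tenant_settings(SAMPLE_EXPORT):
        print(f"[FAIL] {title}: {finding}")
    for title in unreviewed_org_wide(SAMPLE_EXPORT):
        print(f"[REVIEW] {title}: enabled for the entire organization")
```

Settings reported by unreviewed_org_wide are not failures; they are features enabled for everyone for which no decision has been recorded in the baseline yet.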