Securely enable access to data and insight with powerful information protection capabilities in Power BI
Microsoft Information Protection is a built-in, intelligent, unified, and extensible solution to protect sensitive data across your enterprise – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. Microsoft Information Protection provides a unified set of capabilities for classification, labeling, protection and data loss prevention across Microsoft 365 apps (Word, PowerPoint, Excel, Outlook) and Microsoft services like Power BI, OneDrive, SharePoint, Teams, and Exchange.
Security and compliance are important for democratizing access to data and insights, particularly in today’s remote work environment. This focus on security and compliance has helped Power BI enable employees and business partners to make data-driven decisions confidently. Power BI leverages Microsoft Information Protection to help organizations protect their sensitive data no matter where or how it is accessed.
Today we are excited to announce the general availability of Microsoft Information Protection’s sensitivity labels in Power BI. The same sensitivity labels you use to classify and label data in Microsoft365 apps (e.g. Excel) can now be used to classify and label sensitive data in the Power BI service too. Labels and protection actions like file encryption will persist when sensitive data is exported out of Power BI to Excel, Power Point, or PDF files. We are also announcing roll out of new capabilities that further persist labeling and protection of data as it moves between Power BI and other solutions like Microsoft Teams.
Customers like BP already benefit from Microsoft Information Protection in Power BI to gain better visibility and control over their business-critical data:
“Our data owners can now classify their data with ease within Power BI and align with our existing Microsoft Information Protection labels. The integration with Microsoft Information Protection means that we can see where our important data is being used and be assured that exported data is automatically labelled and protected in accordance with our policies. In this way our users practice security by choice because it is easy. The ability to monitor activity and block or protect downloads of classified data in real-time using [Microsoft Cloud App Security] is a very powerful control, which gives us increased flexibility on collaborating and sharing securely.”
-- Geoff Elton, Information Protection Security Engineering Lead at BP
General availability of sensitivity labels in Power BI
Sensitivity labels provide a simple way for your users to classify critical content in Power BI without compromising productivity or the ability to collaborate. Sensitivity labels can be applied on datasets, reports, dashboards, and dataflows. When data is exported from Power BI to Excel, PowerPoint or PDF files, Power BI automatically applies a sensitivity label on the exported file and protects it according to the label’s file encryption settings. This way your sensitive data remains protected no matter where it is.
Figure 1: Power BI report's sensitivity label and protection applied on Excel file upon data export.
Sensitivity labels applied on Power BI reports and dashboards are also visible in the Power BI iOS and Android mobile apps.
Figure 2: Sensitivity labels appear in the Power BI mobile app
With sensitivity labels now generally available in Power BI, you gain more value when you create and deploy labels and policies from the Microsoft 365 compliance center. The Microsoft 365 compliance center provides visibility into label-related user activities (e.g. applying, removing, or changing sensitivity labels).
New information protection capabilities in Power BI
It is a common scenario for your users to embed a Power BI report in Microsoft Teams or maintain a live data connection between an Excel file and a Power BI dataset. The ability to maintain the same sensitivity label as data moves has been a top ask from users. We heard you! The capabilities listed below are rolling out soon.
- Label inheritance upon creation of new content (rolling out in coming weeks): When new reports and dashboards are created in the Power BI service, they will automatically inherit the sensitivity label of their parent artifact. For example, a new report created on top of a dataset that has a “Highly Confidential” sensitivity label will automatically receive the “Highly Confidential” label as well.
- Sensitivity labels persist when a Power BI report is embedded in an app (rolling out in coming weeks): Power BI business reports are often embedded in business applications such as Microsoft Teams, SharePoint, or even in an organization’s website. Now when you embed sensitive information, the label applied on your reports and dashboards will be visible in the embedded view as well.
- Sensitivity label inheritance from Power BI to Excel for live data connections (rolling out later this year): When you maintain a live connection between an Excel file and a Power BI dataset, that dataset's sensitivity label will be inherited and applied to your Excel file along with its associated protection like encryption. If the label is later changed on the data set it will automatically change on the linked Excel file upon data refresh.
Figure 3: Power BI dataset’s sensitivity label applied on an Excel file upon creating a live connection
Power BI and Microsoft Cloud App Security
Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that leverages Microsoft Information Protection’s labels and policies to provide data loss prevention in Microsoft services like Power BI and extends that to third-party cloud applications. For example, with Cloud App Security, you can create a policy that will block the download of sensitive data when the user is accessing data via an unauthorized device. Microsoft Cloud App Security enables you to gain rich visibility into shadow IT, identify and remediate cloud-native attacks via integration with Microsoft Threat Protection, and control how your data travels across all of your cloud resources.
Cloud App Security analyzes Power BI activities and raises a security alert if suspicious behavior is detected. For example:
- Unusual report sharing alert (in Preview): Unusual Power BI report sharing policy is available out-of-the-box and is automatically enabled to alert you if an unusual sharing activity occurs
- Impossible travel alert (in GA): This detection identifies two user activities on Power BI (in a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second. This indicates that a different user is using the same credentials. See this article for more information
We are continuously expanding the capabilities of Microsoft Information Protection. You can see in this blog a summary of some of the investments we’ve made in the last two months. We are working on adding sensitivity labels in Power BI Desktop. This will enable you to classify, label, and protect PBIX files as well. To learn more about the capabilities covered in this blog:
- Watch this 30 min session with demos or this 2 min overview video
- Read these documents on Cloud App Security and sensitivity labels in Power BI
- Learn more about required licensing. If you are new to Microsoft 365, learn how to try or buy a subscription
As you navigate this challenging time, we have additional resources to help. For more information about securing your organization in this time of crisis, visit our Remote Work site. We’re here to help in any way we can.
Denis Mizetski, Senior Program Manager, Microsoft Information Protection
Anton Fritz, Senior Program Manager, Power BI