I often get asked questions about Power BI and security. Microsoft do provide a detailed security whitepaper which can be downloaded from the Microsoft Trust Center with other information relating to security. I would strongly recommend reading the whitepaper if you have security concerns.
With that said, I wanted to offer something a little less wordy. Something that got to the point and answered the various common questions in simple English. I don’t work for Microsoft and I don’t offer any guarantees as to the accuracy of the information provided. If you take security seriously, I’m just going to direct you to the whitepaper anyway. In fact, here’s a direct link to the whitepaper.
On to the FAQs…
How do users connect to, and gain access to data sources while using Power BI?
Power BI credentials and domain credentials: Users log in to Power BI using an email address. When a user attempts to connect to a data resource, Power BI passes the login email address as credentials. For domain-connected resources (either on-premises or cloud-based), the login email is matched by the directory service to determine whether sufficient credentials exist to allow access. For organisations that use work-based email addresses to log in to Power BI (the same email they use to log in to work resources, such as firstname.lastname@example.org), the mapping can occur seamlessly.
Non-domain connections: For data connections that are not domain-joined and not capable of Row-Level Security (RLS), the user must provide credentials during the connection sequence. Power BI then passes these to the data source to establish the connection. If permissions are sufficient, data is loaded from the data source into the Power BI service.
When I enter a username and password into a Power BI Desktop file, is that username and password saved in the (.pbix) file?
No. The connection string is (encrypted and) stored in the file, but the username and password are not. When you publish the file, assuming you’re not using Windows authentication, you’ll have to re-enter the username and password in the Power BI service before you can refresh the dataset.
What if a user within the organisation (who has access) shares a dashboard to someone outside of the organisation?
They will be able to see the dashboard/report. Users are responsible for the data they share. If a user connects to data sources using his or her credentials, then shares a report (or dashboard, or dataset) based on that data, the users with whom the dashboard is shared are not authenticated against the original data source. The recipient will be granted access to the shared report as long as they are a Power BI Pro user within their respective organisation (because sharing or receiving shared reports requires a Pro license).
What about when someone shares a report from within a Group or App Workspace?
The same as above applies. Somebody from within the group can share reports with other Power BI Pro users.
Can we stop users from sharing reports?
Yes. The Power BI Admin for your organisation can turn off sharing. This is all or nothing though, and can’t be turned on or off at report or dashboard level. This is done in the Admin Portal.
Can we secure reports/data for given users within the organisation?
Yes. Row-Level Security (RLS) can be used to restrict particular data access for given users. Filters restrict data at the row level. You can define filters within roles.
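A role filter is a DAX expression evaluated for each row of the table it is attached to; a row is visible only where the expression is true. The following is an added example, not from the whitepaper or the original post; the Sales and UserRegion tables, their columns and the role names are hypothetical.

```dax
// Role "UK Sales" (static): filter expression defined on the Sales table.
// Members of this role only see rows for which the expression is TRUE.
[Region] = "UK"

// Role "Regional Sales" (dynamic): filter expression defined on the Sales table.
// USERPRINCIPALNAME() returns the signed-in user's login (email-style UPN).
// It is matched against a mapping table, so one role serves every region
// and access changes are made by editing rows in UserRegion.
CONTAINS(
    UserRegion,
    UserRegion[Email],  USERPRINCIPALNAME(),
    UserRegion[Region], Sales[Region]
)

// Role membership is additive: a user placed in both roles sees the rows
// allowed by either filter. Test each role with "View as" in Power BI
// Desktop before publishing.
```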
Where is data stored in Power BI?
Power BI and its associated data are stored in an Azure datacentre. The specific datacentre is usually the same datacentre associated with your Office 365 tenant. In some cases, the first time you connect to Power BI as an admin, you’ll be asked to select a location.
Azure Blob Storage – Actual data that is uploaded (using the import method) into Power BI by users and report authors is stored in Azure Blob Storage. Static data and/or images are also stored in Azure Blob Storage. DirectQuery data by its nature is queried from the source, so the actual data is not held in the Blob Storage.
Azure SQL Database – All other metadata (such as the report definitions) as well as the artefacts for Power BI itself are stored in Azure SQL Database.
How secure is my data and how is it transferred to Power BI?
All data is encrypted both at rest and in process.
Data at rest refers to the data that is being stored in Azure Blob Storage or Azure SQL database that isn’t being accessed by an authorised user.
Power BI uses the client-side encryption approach, using cipher block chaining (CBC) mode with advanced encryption standard (AES), to encrypt its Azure Blob storage.
Power BI provides data integrity monitoring in the following ways:
- For data at rest in Azure SQL, Power BI uses DBCC, TDE, and constant page checksum as part of the native offerings of SQL.
- For data at rest in Azure Blob storage, Power BI uses client-side encryption and HTTPS to transfer data into storage which includes integrity checks during the retrieval of the data.
Data in process (or in transit) is data that is actively being used or accessed by a user.
- To monitor data integrity for data in process, Power BI uses HTTPS, TCP/IP and TLS to ensure data is encrypted. This maintains integrity during the transport.
I hope you have found this post useful. Let me know if you have questions in the comments below, and please take a moment to check out my other data and analytics blog posts.