On to the next topic, which is super important for global, enterprise grade solutions if you ask me. Security and information protection! The fifth blog in the series of transforming local into global Power BI solutions.
Good to know up front is that information protection is a feature that not specifically related to Power BI, but also applies to other Microsoft products and services. Though, in this blog I will explain the functionality of information protection, also known as sensitivity labels and how this applies to Power BI. Let’s first look at what the functionality is, where you can apply it and why it is important.
What are sensitivity labels in Power BI?
Sensitivity labels in Power BI is the ability to classify content using Microsoft Information Protection (MIP), which is a separate product/service. MIP helps organizations to protect data and prevent data loss. Sensitivity labels, as can be applied in Power BI, is only one of the aspects that MIP offers, and provides a single solution across apps and services across devices to visually label data. Power BI is one of the services where MIP is integrated. As Microsoft Information Protection is a separate service, there is also a different story around licensing. To see which license is required to use sensitivity labels in Power BI, please review this documentation.
Now, we know MIP is integrated in Power BI to set sensitivity labels, let’s have a look at what this means in Power BI. When sensitivity labels are applied within Power BI, data will be protected when it is saved outside the Power BI Service, such as export to Excel, PowerPoint or PDF. There is nothing changing inside the Power BI Service, other than the visual label that is applied to content. The encryption of Power BI content remains unchanged and will be as described in the Power BI Security whitepaper using Microsoft-managed keys. Optionally organizations with Power BI Premium can use their own keys to encrypt data at rest, using the BYOK principle.
But if it is only labeling my content in Power BI, how does this help me? A very relevant question, but there is definitely an use case to start using sensitivity labels. When labeled data leaves the Power BI Service, the exported file (Excel, PowerPoint, PDF, PBIX, etc) will be labeled and encrypted automatically matching the sensitivity label policy. With that, your data will be save, even when it is exported from Power BI and send via mail, for example that only users within your organization can open the file. Everything related to sensitivity labels in the context of access restrictions and encryption is managed in the Microsoft 365 compliance center.
Labels can be applied to nearly all artifacts in the Power BI Service, knowing dataflows, datasets, reports and dashboards (August 2021). In case data is exported from Power BI, or used in external tooling like Analyze in Excel, labels will automatically be added to the related artifacts. This way your sensitive data can remain protected, even when it leaves Power BI
Applying sensitivity labels
Sensitivity labels can be applied in both Power BI Desktop (preview) and the Power BI service, making it possible to protect your sensitive data from the moment you first start developing your content, to when it’s being accessed via Analyze in Excel or exported. Sensitivity labels are retained when you move your content back and forth between Desktop and the service, even while exporting .pbix files. In the top ribbon of Power BI Desktop, you will find an option (when the preview is enabled) to apply a sensitivity label. Note that this button might be greyed-out when you are not signed in with your Power BI account, do not have the right licenses assigned or in case you do not have sufficient permissions to apply labels.
When new reports and dashboards are created in the Power BI service, they automatically inherit the sensitivity label previously applied on parent dataset or report. For example, a new report created on top of a dataset that has a “Highly Confidential” sensitivity label will automatically receive the “Highly Confidential” label as well. Inheriting the labels makes sure that the context and sensitivity of the data does not get lost when someone forgets to apply the label. By default the downstream inheritance is based on a user consent, but as Power BI Service Administrator it can be fully automated and forced to apply to all linked artifacts.
Inheritance of sensitivity labels does not only apply to other Power BI artifacts, but can also be inherited from the data source. This feature (in preview in August 2021) currently only supports to inherit labels from Excel, Azure Synapse Analytics (former SQL DWH) and Azure SQL DB. To take-over the label from the data source, the source must be labeled in with the same Microsoft Information Protection labels as used for Power BI. The feature requires Azure Purview for labeling of sources and inheritance in Power BI. Good to know, the feature is currently limited to imported data. Live connections and direct query are not supported at this moment, neither are connections routed over gateways or VNets.
In the Microsoft 365 compliance center, there is one more setting that can be applied when it comes to sensitivity labels in Power BI. As an admin you can set a mandatory label policy, which ensures that users apply labels to all their Power BI content. Before users can save their work in the service, or publish new content to the service they must apply a label. If the Power BI Service administrator enabled the feature, workspace administrators can overwrite automatically applied labels.
Why is labeling important?
Data is your most important asset in today’s business. By collecting data, you can learn from the past to do better in the future and maybe even create a competitive advantage. Prudence is advised when it comes to your data. No company wants to be in the news because data leaked and personal, financial or other confidential data is out in the open. Especially in today’s world where hacks, phishing and other types of fraud are daily in the news.
I truly believe that not only large companies should care about information protection, but even the smallest companies should put data lost prevention on their priority list. By enabling sensitivity labels across all your products and services, which is not only Power BI but also all other services across the Power Platform, Azure services and Microsoft 365 suite. Using Microsoft Information Protection will help organizations to better monitor, apply policies and keep track of all their valuable data assets.
In specific for Power BI, I personally believe that at least large organizations should make sensitivity labels mandatory for every solution shared across the organization. Especially with the downstream inheritance, this helps to keep track of all additional reports, dashboards and extracts made from the dataset.
Though, I think there is one more step to be taken when we talk about policies and sensitivity labels. It would be valuable if Power BI Service Administrators together with the admin of the Microsoft 365 compliance center can disable specific Power BI features based on the label applied. For example, to block export from Excel, but allow Analyze in Excel for confidential data. You might think that this does not help, as it still leaves Power BI and becomes available in Excel, in that case I encourage you to read my earlier blog on why you should consider to disable export to Excel. Feature based policies assigned to sensitivity labels is not only useful for Power BI, but across all products and services in the ecosystem of course.