Controlling Workspace Creation in Power BI: How to Strike the Right Balance?

Working with many companies that implement Power BI, I see one question come up every single time: should we enable workspace creation for all our users, or limit it to a specific security group?

In this blog post, we’ll explore the topic of workspace creation. Depending on who you talk to, you might get different opinions on this matter. While I’ve written about Power BI workspace setup in the past covering elements like naming conventions, permissions and workspace scopes, workspace creation was briefly touched upon. I’ll delve deeper into the pros and cons of allowing all users to create workspaces, restricting it to a limited group, or blocking it altogether. By the end of this post, you’ll be able to determine what works best for your organization. In case you haven’t read my previous blogs on workspaces, I’ll provide links to them so you can find relevant content discussed in those posts.

Understanding different types of workspaces

In case you’ve not read the previous blogs on workspaces, the links below let you easily navigate to them and find the relevant content discussed in those posts.

Let’s first get a few basic concepts clear. In Power BI we can talk about two different types of workspaces.

  • Personal workspaces (My Workspace)
  • Shared workspaces

Every user with access to the Power BI Service (cloud) has a personal workspace available. There is no way for Power BI Service Administrators to disable personal workspaces from the admin portal. This personal workspace can be seen as a personal playground in which every user can do whatever they would like. Personal workspaces exist independently of licenses. So even with only Free licenses, every user will have this personal playground. As soon as the user starts to share a report from a personal workspace with another user, a paid license is required – being Pro or Premium per User.

Next to the personal workspaces, we have Shared Workspaces, or let’s say just Workspaces. These are collaborative areas to which multiple users can have access. Four different levels of workspace permissions exist: Admin, Member, Contributor and Viewer. As I don’t want to repeat Microsoft Documentation, I happily refer to the official docs, which clearly detail the privileges of each of these workspace roles. From a shared workspace, a Power BI App can be published, in which a view-only mode of content can be distributed to a wider group of users.

One of the first differences between personal and shared workspaces is the artifacts that can live in these workspaces. For example, Power BI dataflows cannot exist in a personal workspace, but only in shared workspaces. Further, you cannot publish an app from personal workspaces to share content. These are the two main elements that come to mind and that I often hear from clients, but there are probably a few more.

Shared workspaces do not exist by default. They have to be created by a user and a name has to be given to a workspace. This is only possible for users that have a paid license assigned, being Pro or Premium per User. Any of these licenses is required to actively collaborate and contribute in shared workspaces. When only viewer permissions are granted and the workspace resides in a Premium capacity, no per-user license is required to consume content from a shared workspace.

Creation of these shared workspaces brings us to the main topic of this blog. Who can create them? And how to govern and manage this?

Workspace creation

Who can create workspaces in the Power BI Service? By default that will be every user having the appropriate license assigned. However, your Power BI Service Administrator might have adjusted this. In the Power BI Admin portal, the service administrator can control the creation of workspaces by a tenant setting.

The default, as visualized in above screenshot, will allow every user to create new workspaces. Depending on who you talk to, they will say this is fine or a nightmare. Let’s have a look at workspace creation from different angles.

Workspace creation for all

If you talk to someone in your organization that is all for enablement and adoption, they will probably say that workspace creation should be open for all. Why? Well, why should you block them? For a long time, they had a valid argument by saying that everything in personal workspaces is not editable any longer when someone goes on holiday and errors occur, or when someone leaves the organization and the account is disabled. However, that is no longer the case. Since January 2023, Power BI Service Administrators can gain access to personal workspaces if necessary. With a few simple documented steps, they can grant themselves access to control content in personal workspaces of other users on the same tenant.

Another argument you could potentially come up with is the enablement of your users. You want them to easily create new workspaces if they require one to do their job. You want to serve your users as well as possible and avoid lengthy request processes or jumping through all sorts of hoops.

Block workspace creation

If you talk to the typical IT person, they want to keep everything in control. Preferably they block workspace creation entirely and spin up a process in ServiceNow, TOPdesk or any other ticketing system of their choice. Power BI users can request a workspace and fill in many questions like:

  • Who is the owner of the solution
  • How is maintenance of the solution covered
  • Cost center
  • Business case behind building the solution

There could be many relevant questions; however, it might scare away your users. Especially if a request form has required fields and overall is a lengthy process that potentially takes days – if not weeks. As a result, your users will most likely drop all their content in personal workspaces. Although we’ve just learned that Power BI Service administrators do have control over personal workspaces, it is sub-optimal. Lots of content in personal workspaces bypasses many best practices like sharing via apps, having multiple owners of a solution, naming conventions, and logical bundling of content in separate workspaces, etc.

It could even be worse. If they publish to personal workspaces, you’re still in luck as a Power BI Service administrator. Alternatively, they start sending Power BI files over mail, or distribute them via OneDrive or SharePoint. If this happens, you have no controls at all to monitor what is going on and the data will not be secured by anything like row- or object-level security.

Limit workspace creation

As a third option, we could consider a limited group of people that you allow to create workspaces. For example, when you run a hybrid Center of Excellence in your organization, in which you have a central team and representatives across the organization in different departments, you could allow every team to have one person or a limited group of people who are allowed to create workspaces. This small group of people complies with your standards, like naming conventions for workspaces, the principle of least privilege and scopes of workspaces.

At this point, having a limited group of workspace creators might sound like the best solution. However, these people should be well known in the organization and easy to find. Not to forget, they might get bored when everyone asks them to create a workspace – it’s simply not the most exciting job. So, what alternatives do you have?

Let’s meet in the middle

I’m not fond of having everyone creating workspaces. It easily becomes one big mess. In all fairness, I have to blame myself for that as well. It’s easy to spin up a new workspace to run that small test or proof of concept. But after that, you never clean up the mess you made. Is that a bad thing? You decide… in the end you don’t pay more when you have more workspaces. Not on Pro, nor on Premium, as with the capacity licensing model you pay based on utilization instead of count or storage. So, how bad is it in the end?

Still, I think it is to everyone’s benefit to have a proper governance model around workspaces. A request process is fine, as long as you serve the user when they need to be served. In short: they request a workspace, and it will be automatically generated for them according to standards. It’s all about enablement!

Where to start? I would say, take advantage of tools you already have at hand. Think about MS Forms and Power Automate. Once a new form is submitted, generate the workspace instantly. For managed workspaces, work with Active Directory security groups. For self-service workspaces you can still work with named users but take less control and responsibility. Once the request has been made, the workspace can be generated, and the requester can be informed via mail that the workspace is in place. It’s that simple!

For those managed workspaces, you manage workspace permissions solely via security groups and not based on named users. That keeps a clean and neat overview in the workspace permissions. These security groups are ideally filled based on Identity Access Management (IAM) processes. This stretches the process a bit, given you have an external dependency. But for these scenarios that is acceptable as long as you inform your users up front and manage their expectations.

In all cases – self-service or not – you want workspaces to follow a certain naming convention like the one described in an earlier blog. This naming convention can obviously be generated based on a few simple dropdowns. Or even better, it can be automatically populated based on the requester of the workspace, by looking up in Active Directory which department or team this person belongs to.

Inform your users about the process!

It is key to inform all your Power BI users about the process you expect them to follow. Building an active Power BI community is part of that. Within this community, you might have a Teams channel, a SharePoint or wiki page, or anything else where you share best practices and ways of working. Right there is where the form for workspace requests should be embedded and easily accessible.

It is up to you to decide whether you still leave the button in the Power BI Service to create a workspace enabled. This is basically what can be controlled by the earlier mentioned tenant setting. If you block workspace creation, clicking the button will simply return an error. At this point in time, there is still no way to put a custom URL behind the “New workspace” button and navigate your users to your request form for example.

Furthermore, monitoring is also important. Build your own monitoring tool or use out-of-the-box solutions like Microsoft Purview to scan your Power BI tenant. Find those workspaces that do not follow your standards. Don’t use this information to tell the workspace owners they are wrong, because most likely they are not. Most likely, it is you not doing proper marketing and not reaching them via the right channels to inform them about the standards and processes. (Okay, there is a slight chance they are just ignorant.) Tell them about the standards and where to find the right content, and make them part of the story. By making them part of it, you can turn them into new ambassadors within the organization to spread the way of working to others as well.
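The monitoring step above, as an added example (not code from the original post): it audits a workspace listing against the standards this post names, namely the naming convention, security-group-only permissions on managed workspaces, and more than one owner. The naming pattern, the `SS-` self-service prefix and the sample data are assumptions made for illustration; the record fields follow the shape of the Power BI admin workspace listing with users expanded.

```python
import re

# Assumed convention (not from the post): <DEPT>-<Solution>-<DEV|TST|PRD>, with an
# optional "SS-" prefix marking self-service workspaces; everything else is managed.
NAME_RE = re.compile(r"^(?P<ss>SS-)?[A-Z]{2,5}-[A-Za-z0-9]+-(DEV|TST|PRD)$")

def audit_workspace(ws):
    """Return the list of findings for one workspace record."""
    findings = []
    match = NAME_RE.match(ws["name"])
    if not match:
        findings.append("name does not follow the naming convention")
    # A name that cannot be parsed is held to the stricter, managed rules.
    self_service = bool(match and match.group("ss"))
    users = ws.get("users", [])
    admins = [u for u in users if u["groupUserAccessRight"] == "Admin"]
    if len(admins) < 2 and not any(u["principalType"] == "Group" for u in admins):
        findings.append("fewer than two owners and no owning security group")
    if not self_service:
        named = sorted(u["identifier"] for u in users if u["principalType"] == "User")
        if named:
            findings.append("managed workspace has named users: " + ", ".join(named))
    return findings

def audit_tenant(scan):
    """Audit active shared workspaces only; personal workspaces are skipped."""
    report = {}
    for ws in scan["value"]:
        if ws.get("type") == "Workspace" and ws.get("state") == "Active":
            findings = audit_workspace(ws)
            if findings:
                report[ws["name"]] = findings
    return report

def _u(identifier, right, kind):
    return {"identifier": identifier, "groupUserAccessRight": right, "principalType": kind}

# Constructed sample data, not taken from a real tenant.
SAMPLE_SCAN = {"value": [
    {"name": "FIN-Forecast-PRD", "type": "Workspace", "state": "Active", "users": [
        _u("sg-fin-forecast-admins", "Admin", "Group"),
        _u("sg-fin-forecast-viewers", "Viewer", "Group")]},
    {"name": "FIN-Budget-PRD", "type": "Workspace", "state": "Active", "users": [
        _u("sg-fin-budget-admins", "Admin", "Group"),
        _u("alice@example.com", "Contributor", "User")]},
    {"name": "test123", "type": "Workspace", "state": "Active", "users": [
        _u("bob@example.com", "Admin", "User")]},
    {"name": "SS-HR-Headcount-DEV", "type": "Workspace", "state": "Active", "users": [
        _u("carol@example.com", "Admin", "User"), _u("dave@example.com", "Admin", "User")]},
    {"name": "PersonalWorkspace bob", "type": "PersonalGroup", "state": "Active", "users": [
        _u("bob@example.com", "Admin", "User")]},
]}

if __name__ == "__main__":
    for name, findings in audit_tenant(SAMPLE_SCAN).items():
        print(name, "->", "; ".join(findings))
```

The findings are meant as input for the conversation with workspace owners described above, not as an enforcement list.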


Wrap up

I will end this blog as usual with a wrap up. This time not really a conclusion on what you should do. I will end with a big IT DEPENDS. There is no good or bad, right or wrong in this case. The most important thing is that you consider well which decisions you make as a Power BI tenant administrator and be aware of the side effects that come with it. E.g., blocking workspace creation most likely leads to more stuff in personal workspaces or different ways to distribute Power BI content across the organization.

My ideal situation would be to have control over workspace creation by working with a simple form, having a proper naming convention and ownership assigned, but still enable every Power BI user in the organization to the maximum possible. To enforce that, customizing the URL behind the “New workspace” button is required – but not possible today (May 2023).
