Data insights without limit, security without compromise | Microsoft Power BI Blog – Microsoft

The past year has confirmed that a digital-first strategy is not just a trend, but the new standard for business moving forward. What business calls “digital life” is just life for most people, as is the expectation that organizations will keep up with the accelerating volume of data and pace of change while protecting sensitive information. As data becomes more accessible for analysis, risk of accidental oversharing or misuse of business-critical information increases. It is more important than ever to answer the questions: “How secure is my data in the cloud? What end-to-end protection is available to prevent my sensitive data from leaking?”
Today we are announcing new and enhanced security capabilities for Microsoft Power BI to ensure the highest levels of data security while bringing data insights to everyone across the organization. As detailed in a new Microsoft Power BI security whitepaper, our point of view is that data security should no longer be about BI and its data permissions. Rather, it should be part of an integrated data security strategy that promotes the free flow of analytics in support of the creation of a sustainable data culture, while at the same time ensuring secure usage everywhere.
Power BI delivers security using a multi-layer, integrated model that leverages the same security stack in Microsoft Azure that government agencies and institutions around the world now depend on. Additionally, Power BI also integrates with existing data protection tools in Microsoft 365. The combination of this strategy allows Power BI to:
In addition to my summary of new and enhanced security capabilities in the rest of this post, I encourage you to explore the linked resources below to learn more. Now let’s get started.
As enterprises seek to protect their data environment from unauthorized and unwanted access, many businesses are turning to network isolation. Network isolation allows only specific clients or computers to connect to a particular endpoint based on a list of allowed IP addresses. Network security features in Power BI include:
The combination of network security features with previously announced support for BYOK ensures Power BI can meet the requirements of the most security conscious customers.
Tetra Pak, a Swedish-Swiss multinational food packaging and processing company, demands very high levels of protection for data—especially true for cloud-based solutions. Sergei Lechinsky, Director, Business Information Management, explains how Power BI security capabilities have impacted his team. “We are very pleased with what Microsoft has delivered in the areas of information protection and access control,” said Lechinsky. “The combination of Power BI Premium with BYOK, multi-factor authentication and now information protection sensitivity labels (IPSL) for Power BI artefacts opens Power BI platform for the analysis of confidential data in Tetra Pak. Additionally, cooperation between Microsoft and Tetra Pak is another very positive aspect. Microsoft worked with us to incorporate our feedback regarding IPSL and built some of them into the product.”
The combination of network security features with previously announced support for BYOK
In addition to security capabilities that protect Tetra Pak and thousands of organizations across industries, Power BI is optimized to meet the unique needs of government customers that must meet state and federal compliance and security standards.
Today, we are announcing that Power BI for Azure Government Secret is under review by our Third-Party Assessment Organization (3PAO) and will be submitted for Provisional Authorization to Operate (P-ATO) to support Department of Defense Impact Level 6 (IL6) workloads.
Power BI US Government Secret is designed for the unique requirements of critical national security workloads that cannot be served out of a single geographic location. To provide the geo-diversity required, Power BI US Government Secret delivers across three dedicated regions for US Federal Civilian, Department of Defense (DoD), Intelligence Community (IC), and US government partners working within Secret enclaves. These dedicated Azure regions are located over 500 miles apart to enable applications to stay running in the face of a disaster without a break in continuity of operations.
As part of empowering organizations to work securely with their business data, we have worked hard to ensure that Power BI is part of an end-to-end security platform that is easy to use, integrated with productivity solutions, and enables remote work. Power BI integrates Microsoft’s leading security productsproviding unparalleled data protection capabilities to help people securely uncover insights, collaborate, and share appropriately, no matter where data goes—even outside the organizational network or on unmanaged devices.
Last year we announced the general availability of Power BI data protection capabilities, being the only BI product leveraging Microsoft Information Protection sensitivity labels (MIP) and providing users a simple way to classify critical content in Power BI without compromising productivity or the ability to collaborate. Sensitivity labels can be applied on datasets, reports, dashboards, and dataflows, and those labels are persisted along with relevant protection when data is exported from Power BI to Excel, PowerPoint, or PDF files.
Moreover, we extended data label inheritance to Excel when connecting a Power BI dataset to a PivotTable.  Once again, the dataset’s sensitivity label will be inherited and applied to your Excel file along with its associated protection and will stay up to date upon refresh.
Imagine a user exporting sensitive BI data to Excel and sharing further within the company or externally, or alternatively a former worker accessing an old local Excel file: once the Excel includes respective sensitivity label and protection, only authorized users are able to access that content.  
Organizations can now rest assure that their sensitive data remains protected throughout its journey, according to company policies, no matter where the data lands or when it is being accessed. 
Announced for preview in December, sensitivity labels are now supported in Power BI Desktop. One of the most requested features from our community, this is the natural extension of our existing support for sensitivity labels, which is now supported both in the consumption as well as creation of Power BI assets.
Sensitivity labels are now supported in Power BI Desktop
Governance of data is critical, as is the ability to discover the right, high-quality data assets you can trust and reuse to make critical business decisions. Power BI has partnered with Azure Purview to make it simple to discover, understand, and govern your data assets. Leveraging this partnership, your Power BI assets metadata and connections can now be scanned into the Azure Purview data catalog. Once scanned, key features are enabled for users including effective data governance, deriving end-to-end data lineage and impact analysis, and ensuring data protection leveraging visibility of MIP sensitivity labels on the various assets.
UI of campaign analytics
To ensure your data remains classified and secured across its data journey, we are adding support for label inheritance. By August 2021, Power BI datasets connecting to classified data in source systemssuch as SQL, Microsoft Azure Synapse Analytics, or Excelwill inherit those labels such that data remains classified and secure when brought into Power BI, inherited downstream onto connected artifacts (such as reports or dashboards), and onwards when exported to Office. The result is secure, end-to-end inheritance and protection of your business data, from source to point of consumption.
Finally, the third pillar of our security point of view focuses on the management of content sharing, monitoring, and auditing. In June 2020, we announced the ability for admins to extend Data Loss Prevention policies as well as monitor in real time Power BI session and user activities within the Microsoft Cloud App Security (MCAS) portal.
MCAS can now analyze suspicious Power BI activities like the impossible travel scenario or unusual sharing behaviors and raise a security alert. Combined with the ability for admins to configure content sharing with external guest users through integration with Microsoft Azure Active Directory (Azure AD) B2B and tracking of user and system events in Office 365 audit log, organizations have both depth of capabilities and breadth of organizational reach to govern a Power BI deployment with unparalleled confidence. To go more in depth on our recommendation for governance, please review the Governance and Deployment whitepaper.

The Power BI team is committed to ensuring your data during the course of analysis is treated to a higher level of security. However, this is only the beginning. Join us at Microsoft Ignite—March 2-4, 2021—to virtually attend deep dive sessions that detail our roadmap for security in Power BI and explore the new Power BI security whitepaper to learn more.
Sign up below to get the latest from Power BI, direct to your inbox!
I would like to receive the Power BI newsletter. Privacy Statement.
Participation requires transferring your personal data to other countries in which Microsoft operates, including the United States. By submitting this form, you agree to the transfer of your data outside of China. Privacy Statement.
Power BI is a suite of business analytics tools to analyse data and share insights. Monitor your business and get answers quickly with rich dashboards available on every device.
© 2022 Microsoft
Follow Power BI