
Power BI
Microsoft 365 (M365) Power BI is a cloud-based product that facilitates self-service business intelligence dashboards, reports, datasets, and visualizations. Power BI can connect to multiple different data sources, combine and shape data from those connections, then create reports and dashboards to share with others. This Secure Configuration Baseline (SCB) provides specific policies to strengthen Power BI security.
The Secure Cloud Business Applications (SCuBA) project, run by the Cybersecurity and Infrastructure Security Agency (CISA), provides guidance and capabilities to secure federal civilian executive branch (FCEB) agencies’ cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments.
Assumptions
The License Requirements sections of this document assume the organization is using an M365 E3 license level at a minimum. Therefore, only licenses not included in E3 are listed.
Key Terminology
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.
Access to Power BI can be controlled by the user type. In this baseline, the types of users are defined as follows:
Internal users: Members of the agency’s M365 tenant.
External users: Members of a different M365 tenant.
Business to Business (B2B) guest users: External users that are formally invited to view and/or edit Power BI workspace content and are added to the agency’s Microsoft Entra ID as guest users. These users authenticate with their home organization/tenant and are granted access to Power BI content by virtue of being listed as guest users in the tenant’s Microsoft Entra ID.
Note: These terms vary in use across Microsoft documentation.
Security Solutions
1. Publish to Web
Power BI has a capability to publish reports and content to the web. This capability creates a publicly accessible web URL that does not require authentication or status as a Microsoft Entra ID user to view it. While this may be needed for a specific use case or collaboration scenario, it is a best practice to keep this setting off by default to prevent unintended and potentially sensitive data exposure.
If it is deemed necessary to make an exception and enable the feature, administrators should limit the ability to publish to the web to only specific security groups, instead of allowing the entire agency to publish data to the web.
Policies
MS.POWERBI.1.1v1 – The Publish to Web feature SHOULD be disabled unless the agency mission requires the capability.
- Rationale: A publicly accessible web URL can be accessed by everyone, including malicious actors. This policy limits information available on the public web that is not specifically allowed to be published.
- Last modified: June 2023
- MITRE ATT&CK TTP Mapping:
Resources
License Requirements
- N/A
Security Solutions
2. Power BI Guest Access
This section provides policies helping reduce guest user access risks related to Power BI data and resources. An agency with externally shareable Power BI resources and data must consider its unique risk tolerance when granting access to guest users.
MS.POWERBI.2.1v1 – Guest user access to the Power BI tenant SHOULD be disabled unless the agency mission requires the capability.
- Rationale: Disabling external access to Power BI helps keep guest users from accessing potentially risky data and application programming interfaces (APIs). If an agency needs to allow guest access, this can be limited to users in specific security groups to curb risk.
- Last modified: June 2023
- MITRE ATT&CK TTP Mapping:
- N/A
Security Solutions
3. Power BI External Invitations
This section provides policies that help reduce guest user invitation risks related to Power BI data and resources. The settings in this section control whether Power BI allows inviting external users to the agency’s organization through Power BI’s sharing workflows and experiences. After an external user accepts the invite, they become a Microsoft Entra ID B2B guest user in the organization. They will then appear in user pickers throughout the Power BI user experience.
Policies
MS.POWERBI.3.1v1
The Invite external users to your organization feature SHOULD be disabled unless agency mission requires the capability.
- Rationale: Disabling this feature keeps internal users from inviting guest users. Therefore, guest users can be limited from accessing potentially risky data/APIs. If an agency needs to allow guest access, the invitation feature can be limited to users in specific security groups to help limit risk.
- Last modified: June 2023
Note: If this feature is disabled, existing guest users in the tenant continue to have access to Power BI items they already had access to and continue to be listed in user picker experiences. After it is disabled, an external user who is not already a guest user cannot be added to the tenant through Power BI.
- MITRE ATT&CK TTP Mapping:
Resources
Distribute Power BI content to external guest users with Microsoft Entra B2B | Microsoft Learn
Power BI Security Baseline v2.0 | Microsoft benchmarks GitHub repo
License Requirements
- N/A
Security Solutions
4. Power BI Service Principals
Service principals are an authentication method that can be used to let a Microsoft Entra ID application access Power BI service content and APIs. Power BI supports using service principals to manage application identities. Service principals use APIs to access tenant-level features, controlled by Power BI service administrators and enabled for the entire agency or for agency security groups. Access by service principals can be controlled by creating dedicated security groups for them and using these groups in any Power BI tenant-level settings. If service principals are employed for Power BI, it is recommended that service principal credentials used for encrypting or accessing Power BI be stored in a key vault, with properly assigned access policies and regularly reviewed access permissions.
Several high-level use cases for service principals:
- Not possible to access a data source using service principals in Power BI (e.g., Azure Table storage).
- A user’s service principal for accessing the Power BI service (e.g., app.powerbi.com and app.powerbigov.us).
- Power BI Embedded and other users of the Power BI REST APIs to interact with Power BI content.
Service principals with access to APIs SHOULD be restricted to specific security groups.
- Rationale: With unrestricted service principals, unwanted access to APIs is possible. Allowing service principals through security groups, and only where necessary, mitigates this risk.
- Last modified: June 2023
- MITRE ATT&CK TTP Mapping:
Service principals creating and using profiles SHOULD be restricted to specific security groups.
- Rationale: With unrestricted service principals creating/using profiles, there is risk of an unauthorized user using a profile with more permissions than they have. Allowing service principals through security groups will mitigate that risk.
- Last modified: June 2023
- MITRE ATT&CK TTP Mapping:
Resources
Automate Premium workspace and dataset tasks with service principal | Microsoft Learn
Embed Power BI content with service principal and an application secret | Microsoft Learn
Embed Power BI content with service principal and a certificate | Microsoft Learn
Enable service principal authentication for read-only admin APIs | Microsoft Learn
Microsoft Power BI Embedded Developer Code Samples | Microsoft GitHub
License Requirements
- N/A
Security Solutions
5. Power BI ResourceKey Authentication
This setting pertains to the security and development of Power BI Embedded content. The Power BI tenant setting states “For extra security, block using ResourceKey-based authentication.” This baseline statement recommends, but does not mandate, setting ResourceKey-based authentication to the blocked state.
For streaming datasets created using the Power BI service user interface, the dataset owner receives a URL including a resource key. This key authorizes the requestor to push data into the dataset without using a Microsoft Entra ID OAuth bearer token, so keep in mind the implications of having a secret key in the URL when working with this type of dataset and method.
This setting applies to streaming and PUSH datasets. If ResourceKey-based authentication is blocked, users with a resource key will not be allowed to send data to stream and PUSH datasets using the API. However, if developers have an approved need to leverage this feature, an exception to the policy can be investigated.
ResourceKey-based authentication SHOULD be blocked unless a specific use case (e.g., streaming and/or PUSH datasets) merits its use.
- Rationale: If resource keys are allowed, someone can move data without a Microsoft Entra ID OAuth bearer token, causing possibly malicious or junk data to be stored. Disabling resource keys reduces the risk that an unauthorized individual will make changes.
- Last modified: June 2023
- MITRE ATT&CK TTP Mapping:
- N/A
Security Solutions
6. Python and R Visual Sharing
Power BI can interact with Python and R scripts to integrate visualizations from these languages. Python visuals are created from Python scripts, which could contain code with security or privacy risks. When attempting to view or interact with a Python visual for the first time, a user is presented with a security warning message. Python and R visuals should only be enabled if the author and source are trusted, or after a code review of the Python/R script(s) in question is conducted and the scripts are deemed free of security risks.
Python and R interactions SHOULD be disabled.
- Rationale: External code poses a security and privacy risk as there is no good way to regulate what is done with the data or integrations. Disabling this will reduce the risk of a data leak or malicious actor.
- Last modified: June 2023
- MITRE ATT&CK TTP Mapping:
- N/A
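Sections 1 through 6 above are all tenant-level switches that the baseline wants either disabled, disabled-or-scoped to specific security groups, or (for ResourceKey authentication) blocked. The following Python script is an added example, not part of the CISA baseline or any Microsoft tooling: it evaluates a constructed tenant-settings export against those six sections. The payload shape (a `tenantSettings` array of objects with `settingName`, `enabled` and `enabledSecurityGroups`) is the author's assumption about the admin "List Tenant Settings" API, and every `settingName` value in `RULES` is an assumed identifier, so map them to your tenant's actual export before relying on the result.

```python
"""Evaluate a Power BI tenant-settings export against the tenant-switch policies
in sections 1 to 6 of this baseline.

Constructed example: the payload shape follows the admin "List Tenant Settings"
API as the author of this example understands it, and every settingName value
below is an ASSUMED identifier, not one taken from the baseline text.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# What a compliant setting looks like for each policy.
DISABLED_OR_GROUP_SCOPED = "disabled, or enabled only for specific security groups"
DISABLED = "disabled"
ENABLED = "enabled"


@dataclass(frozen=True)
class Rule:
    policy: str        # baseline section the rule comes from
    setting_name: str  # assumed settingName in the export
    expectation: str


RULES: List[Rule] = [
    Rule("1. Publish to Web", "PublishToWeb", DISABLED_OR_GROUP_SCOPED),
    Rule("2. Guest user access", "AllowGuestUserToAccessSharedContent", DISABLED_OR_GROUP_SCOPED),
    Rule("3. Invite external users", "AllowExternalInvitations", DISABLED_OR_GROUP_SCOPED),
    Rule("4. Service principal API access", "ServicePrincipalAccess", DISABLED_OR_GROUP_SCOPED),
    Rule("4. Service principal profiles", "AllowServicePrincipalsCreateAndUseProfiles", DISABLED_OR_GROUP_SCOPED),
    Rule("5. ResourceKey authentication blocked", "BlockResourceKeyAuthentication", ENABLED),
    Rule("6. Python and R visuals", "RScriptVisual", DISABLED),
]

# Constructed export (not real tenant data); one setting is deliberately absent.
SAMPLE_EXPORT = json.dumps({"tenantSettings": [
    {"settingName": "PublishToWeb", "enabled": True,
     "canSpecifySecurityGroups": True, "enabledSecurityGroups": []},
    {"settingName": "AllowGuestUserToAccessSharedContent", "enabled": True,
     "canSpecifySecurityGroups": True,
     "enabledSecurityGroups": [{"graphId": "00000000-0000-0000-0000-00000000aaaa",
                                "name": "PBI-Guest-Access"}]},
    {"settingName": "AllowExternalInvitations", "enabled": False,
     "canSpecifySecurityGroups": True, "enabledSecurityGroups": []},
    {"settingName": "ServicePrincipalAccess", "enabled": True,
     "canSpecifySecurityGroups": True, "enabledSecurityGroups": []},
    {"settingName": "BlockResourceKeyAuthentication", "enabled": False,
     "canSpecifySecurityGroups": False},
    {"settingName": "RScriptVisual", "enabled": True,
     "canSpecifySecurityGroups": True,
     "enabledSecurityGroups": [{"graphId": "00000000-0000-0000-0000-00000000bbbb",
                                "name": "Data-Scientists"}]},
]})


def evaluate_setting(setting: Optional[dict], rule: Rule) -> Tuple[bool, str]:
    """Return (compliant, detail) for one exported setting against one rule."""
    if setting is None:
        # Never let a missing setting pass silently: report it for manual review.
        return False, "not present in export; verify in the admin portal"
    enabled = bool(setting.get("enabled", False))
    groups = setting.get("enabledSecurityGroups") or []
    if rule.expectation == ENABLED:
        return enabled, ("enabled" if enabled else "disabled; policy expects enabled")
    if rule.expectation == DISABLED:
        # Group scoping does not satisfy a plain "SHOULD be disabled" policy.
        return (not enabled), ("disabled" if not enabled else "enabled")
    if not enabled:
        return True, "disabled"
    if groups:
        names = ", ".join(g.get("name") or g.get("graphId", "?") for g in groups)
        return True, "enabled for specific security groups: " + names
    return False, "enabled for the entire organization"


def check_tenant_settings(export_json: str) -> List[Dict]:
    """Evaluate every rule and return one finding per rule, in RULES order."""
    data = json.loads(export_json)
    by_name = {s["settingName"]: s for s in data.get("tenantSettings", [])}
    findings = []
    for rule in RULES:
        compliant, detail = evaluate_setting(by_name.get(rule.setting_name), rule)
        findings.append({"policy": rule.policy, "setting": rule.setting_name,
                         "compliant": compliant, "detail": detail})
    return findings


def non_compliant_settings(export_json: str) -> List[str]:
    """Setting names whose current state does not meet the baseline."""
    return [f["setting"] for f in check_tenant_settings(export_json) if not f["compliant"]]


if __name__ == "__main__":
    for f in check_tenant_settings(SAMPLE_EXPORT):
        print(("PASS" if f["compliant"] else "FAIL"), f["policy"], "-", f["detail"])
```

Two design points worth noting: a setting that is absent from the export is reported as a failure rather than skipped, because an evaluator that silently passes on missing data hides exactly the drift a baseline review is meant to catch; and for the Python/R policy, group scoping is deliberately not accepted as compliance, since the baseline says only that the interaction SHOULD be disabled.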
Security Solutions
7. Power BI Sensitive Data
There are multiple ways to secure sensitive information, such as warning users, encryption, or blocking attempts to share. Using Microsoft Information Protection sensitivity labels on Power BI reports, dashboards, datasets, and dataflows guards sensitive content against unauthorized data access and leakage. This can also guard against unwanted aggregation and commingling.
Note: At this baseline’s time of writing, data loss prevention (DLP) profiles are in preview status for Power BI. Once released for general availability and government, DLP profiles represent another available tool for securing Power BI datasets. Refer to the Defender for Office 365 Minimum Viable Secure Configuration Baseline for more on DLP.
Sensitivity labels SHOULD be enabled for Power BI and employed for sensitive data per enterprise data protection policies.
- Rationale: A document without sensitivity labels may be opened unknowingly, potentially exposing data to someone who is not supposed to have access to it. This policy will help organize and classify data, making it easier to keep data out of the wrong hands.
- Last modified: June 2023
- MITRE ATT&CK TTP Mapping:
Resources
Data loss prevention policies for Power BI | Microsoft Learn
Power BI Security Baseline v2.0 | Microsoft benchmarks GitHub repo
License Requirements
A Microsoft Purview Information Protection Premium P1 or Premium P2 license is required to apply or view Microsoft Information Protection sensitivity labels in Power BI. Azure Information Protection can be purchased either standalone or through one of the Microsoft licensing suites. See Microsoft Purview Information Protection service description for details.
Microsoft Purview Information Protection sensitivity labels need to be migrated to the Microsoft Information Protection Unified Labeling platform to be used in Power BI.
To apply labels to Power BI content and files, a user must have a Power BI Pro or Premium Per User (PPU) license, in addition to one of the previously mentioned Azure Information Protection licenses.
Before enabling sensitivity labels on the agency’s tenant, ensure sensitivity labels have been defined and published for relevant users and groups. See Create and configure sensitivity labels and their policies for detail.
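The sensitivity-label policy has two operational checks behind it: items that carry no label at all, and items whose label is not one the agency has actually defined and published (the precondition stated just above). The following Python script is an added example, not part of the CISA baseline or of Microsoft's tooling, that runs both checks over a constructed workspace export. The export shape (workspaces expanded with their items, each optionally carrying a `sensitivityLabel` object with a `labelId`) and the published-label map are the author's assumptions, and every ID and name in it is made up.

```python
"""Audit sensitivity-label coverage of Power BI items from a workspace export.

Constructed example: the export shape and the set of published label IDs are
assumptions made for this illustration; all IDs and names are invented.
"""
import json
from typing import Dict, List

# Constructed: label IDs the agency has defined AND published to the relevant users.
PUBLISHED_LABELS: Dict[str, str] = {
    "11111111-1111-1111-1111-111111111111": "Public",
    "22222222-2222-2222-2222-222222222222": "Internal",
    "33333333-3333-3333-3333-333333333333": "Confidential",
}

# Constructed workspace export, in the assumed admin-API shape (not real data).
SAMPLE_WORKSPACES = json.dumps({"value": [
    {"id": "ws-1", "name": "Finance",
     "datasets": [
         {"id": "ds-1", "name": "Payroll",
          "sensitivityLabel": {"labelId": "33333333-3333-3333-3333-333333333333"}},
         {"id": "ds-2", "name": "Vendor Master"},  # no label at all
     ],
     "reports": [
         {"id": "rp-1", "name": "Payroll Summary",
          # label ID that is not in the published set
          "sensitivityLabel": {"labelId": "99999999-9999-9999-9999-999999999999"}},
     ]},
    {"id": "ws-2", "name": "Comms",
     "datasets": [{"id": "ds-3", "name": "Press Releases",
                   "sensitivityLabel": {"labelId": "11111111-1111-1111-1111-111111111111"}}],
     "reports": []},
]})

# Item collections the baseline names as label targets.
ITEM_TYPES = ("datasets", "reports", "dashboards", "dataflows")


def audit_labels(export_json: str, published: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every item as labeled, unlabeled, or carrying an unpublished label.

    Entries are formatted 'workspace/type/item' so a finding can be located quickly.
    """
    result: Dict[str, List[str]] = {"unlabeled": [], "unknown_label": [], "labeled": []}
    for ws in json.loads(export_json).get("value", []):
        for item_type in ITEM_TYPES:
            for item in ws.get(item_type, []):  # missing collections are simply empty
                ref = f"{ws['name']}/{item_type}/{item['name']}"
                label_id = (item.get("sensitivityLabel") or {}).get("labelId")
                if not label_id:
                    result["unlabeled"].append(ref)
                elif label_id not in published:
                    # A label the tenant never published: likely stale or mis-migrated.
                    result["unknown_label"].append(ref)
                else:
                    result["labeled"].append(ref)
    return result


def coverage_ratio(export_json: str, published: Dict[str, str]) -> float:
    """Fraction of items that carry a published label (1.0 when there are no items)."""
    audit = audit_labels(export_json, published)
    total = sum(len(refs) for refs in audit.values())
    return len(audit["labeled"]) / total if total else 1.0


if __name__ == "__main__":
    report = audit_labels(SAMPLE_WORKSPACES, PUBLISHED_LABELS)
    for bucket, refs in report.items():
        print(bucket, "->", refs)
    print("coverage:", coverage_ratio(SAMPLE_WORKSPACES, PUBLISHED_LABELS))
```

Treating an unpublished label ID as its own finding, rather than lumping it with "labeled", matters because a label that was never published to the relevant users will not behave as expected when those users open the item; it is exactly the situation the "define and publish first" guidance above is meant to prevent.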