Are you accidentally exposing confidential data with Microsoft Power BI?

You may be, if you are misusing the Publish to Web functionality.

What is Publish to Web?

Publish to Web is a function that enables you to share your Microsoft Power BI content with the world. For example, if you are a government agency that wants to publish the latest Zika virus statistics, or a company that wants to show its charitable efforts, you could use Publish to Web to do this. You can see the details here.

This Microsoft Power BI function creates an embed code that you can put into most websites to render the reports as needed. Under the covers, all security validation for access to the content and the detailed data is stripped away. It has to be, in order to enable anonymous access for internet users.

So what’s the problem?

Some folks have published their content using this function, either to avoid the need to buy a Microsoft Power BI license or to embed Microsoft Power BI content in an on-premises site like Microsoft SharePoint 2013.

The risk is that if the content is on a page that gets indexed by a major search engine, like Google, the embed code will likely live in Google’s index forever. Then anyone can search for your data.

Really, I need licenses for all data consumers?

Yes, you do. Microsoft Power BI requires both content creator and consumer to be licensed in some fashion. This is true even if you embed the report in Microsoft SharePoint or Microsoft Teams. If you attempt to avoid it using some automated means, you could be creating a multiplexing licensing violation with Microsoft, which can be very expensive to resolve.

There are three ways to license Microsoft Power BI. You can license individuals using Microsoft Power BI Pro. Pro is also included in the Microsoft Office 365 E5 license. You can also license capacity using Microsoft Power BI Premium, which covers all consumers without having to license them individually. You can also license by usage, using Microsoft Power BI Embedded.

To justify Pro licensing expense, you have to deliver more than $120/year of value per person. Premium/Embedded may lower this bar. These are very low bars.

Using Microsoft Power BI to automate one manual-effort-heavy copy/paste operation usually crosses this value bar. We did a one-week effort that resulted in a 120 hour per week savings of time, eliminating the need to hire more people. The internal rate for an employee was $65/hour, so this one project freed up $405,600 of time to be allocated to higher-value activities. Licensing was $8400 for the year, so this project returned a 14x benefit for the cost.

The alternative is to risk a data leak, as some folks are doing. The legal cost of a leak will greatly overshadow any license cost for Power BI.

I still need to embed so now what?

Please use the secure embed option if you are on-premises or are using a non-Office 365 platform. You can read more about it here. If you need to embed Microsoft Power BI content in Microsoft Office 365, use the new Power BI web part for Modern pages. You can read about it here.

Power BI Administrator Recommendations

We strongly recommend you either disallow Publish to Web or restrict its use to specific report creators. Having it open to all report creators could lead to accidental use, resulting in a costly data leak.

The easiest method is to manage this with an Active Directory group that has the ability to Publish to Web. Then you can add and subtract members as needed.

You should also consider doing the following:

  • Review the Publish to Web tenant setting documentation here.
  • Review all embed codes in use within your tenant by referring to this doc.
  • Monitor the “PublishToWebReport” audit log event and set up an alert so you can review newly published embed codes for confidentiality.
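
One way to triage those audit events, as an added example that is not code from this post or from Microsoft: it reads audit records exported as JSON lines, lists every PublishToWebReport event for confidentiality review, and marks the ones whose user is outside the group allowed to publish. The record field names, the sample rows and the approved-user list are assumptions constructed for illustration.

```python
import json

# Constructed sample export, one JSON record per line. The field names
# (Operation, UserId, ReportName, WorkSpaceName, CreationTime) are assumed.
SAMPLE_EXPORT = """\
{"CreationTime": "2024-03-04T09:12:31", "Operation": "ViewReport", "UserId": "ana@contoso.example", "ReportName": "Sales Pipeline", "WorkSpaceName": "Sales"}
{"CreationTime": "2024-03-04T10:02:07", "Operation": "PublishToWebReport", "UserId": "comms@contoso.example", "ReportName": "Charity Impact", "WorkSpaceName": "Public Affairs"}
{"CreationTime": "2024-03-05T16:45:50", "Operation": "publishtowebreport", "UserId": "Raj@Contoso.example", "ReportName": "Payroll Detail", "WorkSpaceName": "HR"}
not-json residue from a bad export row
{"CreationTime": "2024-03-06T08:00:00", "Operation": "PublishToWebReport", "ReportName": "Orphaned"}
"""

# Hypothetical members of the group that is allowed to use Publish to Web.
APPROVED_PUBLISHERS = {"comms@contoso.example"}


def review_publish_to_web(export_text, approved):
    """Return (findings, skipped): one finding per PublishToWebReport event."""
    approved = {u.lower() for u in approved}
    findings, skipped = [], 0
    for line in export_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            skipped += 1  # count unparsable rows instead of silently dropping them
            continue
        if str(rec.get("Operation", "")).lower() != "publishtowebreport":
            continue
        user = str(rec.get("UserId") or "").lower()
        # Every new embed code gets a confidentiality review; an unknown or
        # unapproved user additionally means the tenant restriction was bypassed.
        findings.append({
            "when": rec.get("CreationTime"),
            "user": user or "<unknown>",
            "report": rec.get("ReportName"),
            "workspace": rec.get("WorkSpaceName"),
            "severity": "review" if user in approved else "policy-violation",
        })
    return findings, skipped


if __name__ == "__main__":
    results, bad_rows = review_publish_to_web(SAMPLE_EXPORT, APPROVED_PUBLISHERS)
    for f in results:
        print(f"{f['severity']:16} {f['when']} {f['user']} {f['workspace']}/{f['report']}")
    print(f"unparsable rows: {bad_rows}")
```

A non-zero count of unparsable rows means the export itself needs checking before the result is trusted as complete.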

Let us know what you think in the comments below.
