
Fabric Admin

The document provides an overview of Microsoft Fabric admin settings, roles, and tools necessary for managing Microsoft Fabric within an organization. It outlines how to enable Microsoft Fabric for tenants and specific capacities, the roles required for administration, and the features available in the admin portal. Additionally, it details the prerequisites for enabling features like Data Activator and the region availability for Microsoft Fabric.

Microsoft Fabric documentation for admins
Learn about the Microsoft Fabric admin settings, options, and tools.

Fabric in your organization

OVERVIEW

What is Microsoft Fabric admin?

What is the admin portal?

GET STARTED

Enable Fabric for your organization

Region availability

Find your Fabric home region

Governance in Fabric

Security in Fabric

HOW-TO GUIDE

Understand Fabric admin roles

Tools and settings

OVERVIEW

About tenant settings

HOW-TO GUIDE

Set up git integration

Set up item certification

Configure notifications

Set up metadata scanning


Enable content certification

Enable service principal authentication

Configure Multi-Geo support

Workspace administration

OVERVIEW

Manage workspaces

Workspace tenant settings

Monitoring and management

OVERVIEW

What is the admin monitoring workspace?

Feature usage and adoption report

Use the Monitoring hub


What is Microsoft Fabric admin?
Article • 11/15/2023

Microsoft Fabric admin is the management of the organization-wide settings that
control how Microsoft Fabric works. Users that are assigned to admin roles configure,
monitor, and provision organizational resources. This article provides an overview of
admin roles, tasks, and tools to help you get started.

Admin roles related to Microsoft Fabric


There are several roles that work together to administer Microsoft Fabric for your
organization. Most admin roles are assigned in the Microsoft 365 admin portal or by
using PowerShell. The capacity admin roles are assigned when the capacity is created. To
learn more about each of the admin roles, see About admin roles. To learn how to
assign admin roles, see Assign admin roles.

Microsoft 365 admin roles


This section lists the Microsoft 365 admin roles and the tasks they can perform.

Global administrator
Unlimited access to all management features for the organization
Assign roles to other users

Billing administrator
Manage subscriptions
Purchase licenses

License administrator
Assign or remove licenses for users

User administrator
Create and manage users and groups
Reset user passwords

Power Platform and Fabric admin roles


As a Power Platform or a Fabric admin, you have full access to all the Microsoft Fabric
management tasks.

Power Platform administrator or Fabric administrator


Enable and disable Microsoft Fabric features
Report on usage and performance
Review and manage auditing

Capacity admin roles


As a capacity admin, you can perform these tasks on the capacity you're an admin of.

Capacity administrator
Assign workspaces to the capacity
Manage user permission to the capacity
Manage workloads to configure memory usage

Admin tasks and tools


Microsoft Fabric admins work mostly in the Microsoft Fabric admin portal, but you
should still be familiar with related admin tools. To find out which role is required to
perform the tasks listed here, cross reference them with the admin roles listed in Admin
roles related to Microsoft Fabric.

Microsoft Fabric admin portal


Acquire and work with capacities
Ensure quality of service
Manage workspaces
Publish visuals
Verify codes used to embed Microsoft Fabric in other applications
Troubleshoot data access and other issues

Microsoft 365 admin portal


Manage users and groups
Purchase and assign licenses
Block users from accessing Microsoft Fabric

Microsoft 365 Security & Microsoft Purview compliance portal


Review and manage auditing
Data classification and tracking
Data loss prevention policies
Microsoft Purview Data Lifecycle Management

Azure Active Directory in the Azure portal


Configure conditional access to Microsoft Fabric resources

PowerShell cmdlets


Manage workspaces and other aspects of Microsoft Fabric using scripts

Administrative APIs and SDK


Build custom admin tools.

Related content
What is the admin portal?
What is the admin monitoring workspace?
Understand Microsoft Fabric admin roles



What is the admin portal?
Article • 11/16/2023

The Microsoft Fabric admin portal includes settings that govern Microsoft Fabric. For
example, you can make changes to tenant settings, access the Microsoft 365 admin
portal, and control how users interact with Microsoft Fabric.

To access the admin portal you need a Fabric license. The admin portal can be accessed
by admins with the following roles:

Global administrator

Power Platform administrator

Fabric administrator

If you're not in one of these roles, you only see Capacity settings in the admin portal.

What can I do in the admin portal


The many controls in the admin portal are listed in the table below with links to relevant
documentation for each one.

Feature - Description

Tenant settings - Enable, disable, and configure Microsoft Fabric.

Usage metrics - View usage metrics related to your organization.

Users - Manage users in the Microsoft 365 admin portal.

Premium Per User - Configure auto refresh and semantic model workload settings.

Audit logs - Audit Microsoft Fabric activities in the Microsoft Purview compliance portal.

Capacity settings - Manage Microsoft Fabric F, Power BI Premium P, and Power BI Embedded
EM and A capacities.

Refresh summary - Schedule refresh on a capacity and view the details of refreshes that
occurred.

Embed codes - View and manage the embed codes that have been generated for your
organization to share reports publicly.

Organizational visuals - View, add, and manage which type of Power BI visuals users can
access across the organization.

Azure connections - Configure and manage connections to Azure resources.

Workspaces - View and manage the workspaces that exist in your organization.

Custom branding - Change the look and feel of Microsoft Fabric to match your
organization's own branding.

Protection metrics - Monitor and track sensitivity label usage and adoption in your organization.

Featured content - Manage the reports, dashboards, and apps that were promoted to the
Featured section on your Home page.

How to get to the admin portal


To get to the admin portal, follow these steps:

1. Sign in to Microsoft Fabric using your admin account credentials.

2. Select Fabric settings and then from the menu select Admin portal.

Next steps
What is the admin monitoring workspace?

Workspace tenant settings

Manage workspaces


Enable Microsoft Fabric for your organization
Article • 11/15/2023

The Microsoft Fabric admin switch lets organizations that use Power BI enable Microsoft
Fabric.

Note

Microsoft Fabric availability is restricted in some regions. For more information, see
Fabric region availability.

You can enable Microsoft Fabric for:

Your tenant - Use this option to enable Microsoft Fabric for everyone in the tenant.

A specific capacity - Use this option if you want to enable Microsoft Fabric for
users in a specific capacity.

In both cases, you can use security groups to provide Microsoft Fabric access to a
specified list of users.

Prerequisites
To enable Microsoft Fabric, you need to have one of the following admin roles:

Microsoft 365 Global admin

Power Platform admin

Fabric admin

Enable for your tenant


When you enable Microsoft Fabric using the tenant setting, users can create Fabric items
in that tenant, unless capacity admins turned it off for a specific capacity. Depending on
the configuration you select, Microsoft Fabric becomes available for everyone in the
tenant, or to a selected group of users.

Note

You, or other admins, can override the Microsoft Fabric setting at the capacity level.

In your tenant, you can enable Microsoft Fabric for:

The entire organization - In most cases your organization has one tenant, so
selecting this option enables it for the entire organization. In organizations that
have several tenants, if you want to enable Microsoft Fabric for the entire
organization, you need to enable it in each tenant.

Specific security groups - Use this option to enable Microsoft Fabric for specific
users. You can either specify the security groups that Microsoft Fabric will be
enabled for, or the security groups that Microsoft Fabric won't be available for.

Follow these steps to enable Microsoft Fabric for your tenant.

1. Navigate to the tenant settings in the admin portal and in Microsoft Fabric, expand
Users can create Fabric items.

2. Enable the Users can create Fabric items switch.

3. (Optional) Use the Specific security groups option to enable Microsoft Fabric for
specific users. You can also use the Except specific security groups option to
exclude specific users.

4. Select Apply.

Note

The Delegate settings to other admins option isn't available because it's
automatically delegated to capacity admins.

Enable for a capacity


Consider the Microsoft Fabric setting at the tenant level a recommendation for the
entire organization. Capacity admins can override this setting, depending on their
needs. For example, Fabric can be enabled for all the users in your organization.
However, for security reasons your organization decided to disable Fabric for a specific
capacity. In such cases, Microsoft Fabric can be disabled for that capacity.

Follow these steps to enable Microsoft Fabric for a specific capacity.

1. Navigate to the capacity settings in the admin portal.


2. Select the capacity you want to enable Microsoft Fabric for.

3. Select the Delegate tenant settings tab, and under Microsoft Fabric (Preview),
expand the Users can create Fabric items setting.

4. Check the Override tenant admin selection checkbox and verify that the Users can
create Fabric items setting is enabled.

5. (Optional) Use the Specific security groups option to enable Microsoft Fabric for
specific users. You can also use the Except specific security groups option to
enable Microsoft Fabric for the capacity and exclude specific users.

6. Select Apply.

Can I disable Microsoft Fabric?


To disable Microsoft Fabric, you can turn off the Microsoft Fabric admin switch. After
disabling Microsoft Fabric, users will have view permissions for Microsoft Fabric items. If
you disable Microsoft Fabric for a specific capacity while Microsoft Fabric is available in
your organization, your selection will only affect that capacity.

Considerations
In some cases, users that don't have Microsoft Fabric enabled will be able to view
Microsoft Fabric items and icons.

Users that don't have Microsoft Fabric enabled can:

View Microsoft Fabric items created by other users in the same workspace, as long
as they have at least read-only access to that workspace.

View Microsoft Fabric icons in capacities where other users have Microsoft Fabric
enabled, as long as they have at least read-only access to that capacity.

Next steps
Admin overview

Enable Data Activator



Enable Data Activator
Article • 11/15/2023

Data Activator is a preview Microsoft Fabric feature. To enable this feature for your
organization, use the Data Activator admin switch.

You can enable Data Activator for:

Your tenant - Use this option to enable Data Activator for everyone in the tenant.

A specific capacity - Use this option if you want to enable Data Activator for users
in a specific capacity.

In both cases, you can use security groups to provide access to a specified list of users.

Prerequisites
To enable Data Activator, you need to have one of the following admin roles:

Microsoft 365 Global admin

Power Platform admin

Fabric admin

Enable for your tenant


When you enable Data Activator using the tenant setting, users can use Data Activator
in that tenant. Depending on the configuration you select, Data Activator becomes
available for everyone in the tenant, or to a selected group of users.

Note

You, or other admins, can override the Data Activator setting at the capacity
level.

In your tenant, you can enable Data Activator for:

The entire organization - In most cases your organization has one tenant, so
selecting this option enables Data Activator for the entire organization. In
organizations that have several tenants, if you want to enable Data Activator for
the entire organization, you need to enable it in each tenant.

Specific security groups - Use this option to enable Data Activator for specific
users. You can either specify the security groups that Data Activator will be enabled
for, or the security groups that Data Activator won't be available for.

Follow these steps to enable Data Activator for your tenant.

1. Navigate to the tenant settings in the admin portal and in Microsoft Fabric, expand
Data Activator (preview).

2. Enable the Data Activator (preview) switch.

3. (Optional) Use the Specific security groups option to enable Data Activator for
specific users. You can also use the Except specific security groups option to
enable Data Activator for the tenant and exclude specific users.

4. Select Apply.

Note

The Delegate settings to other admins option isn't available.

Enable for a capacity


Consider the Data Activator setting a recommendation for the entire organization.
Capacity admins can override this setting, depending on their needs. For example,
because Data Activator is in preview, your organization decided not to enable it.
However, your organization also has a group of highly advanced developers who want
to experiment with Data Activator. In such cases, Data Activator can be enabled at the
capacity level.

Follow these steps to enable Data Activator for a specific capacity.

1. Navigate to the capacity settings in the admin portal.

2. Select the capacity you want to enable Data Activator for.

3. Select the Delegate tenant settings tab.

4. Expand the Data Activator (Preview) setting.

5. Check the Override tenant admin selection checkbox and verify that the Data
Activator (preview) setting is enabled.

6. (Optional) Use the Specific security groups option to enable Data Activator for
specific users. You can also use the Except specific security groups option to
enable Data Activator for the capacity and exclude specific users.

7. Select Apply.

Can I disable Data Activator?


To disable Data Activator, you can turn off the Data Activator (Preview) admin switch. If
you disable Data Activator for a specific capacity while it's available in your organization,
your selection will only affect that capacity.
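
The tenant and capacity sections above, for both Microsoft Fabric and Data Activator, describe the same precedence: a capacity-level override replaces the tenant-level setting for that capacity, in either direction. The following is an added example, not code from the original documentation or a Fabric API. It is a simplified model of that precedence for reviewing which capacity overrides grant access the tenant setting would not; the setting objects, capacity names and security group names are constructed assumptions.

```powershell
# Added example: a simplified model of the tenant/capacity precedence described above.
# Nothing here calls Fabric; settings, capacities and groups are constructed samples.

function Test-SettingAllowsUser {
    param(
        [Parameter(Mandatory)] [hashtable] $Setting,   # keys: Enabled, Mode, Groups
        [string[]] $UserGroups = @()
    )
    if (-not $Setting.Enabled) { return $false }
    # Security groups the user shares with the groups named on the setting
    $overlap = @($UserGroups | Where-Object { $Setting.Groups -contains $_ })
    switch ($Setting.Mode) {
        'EntireOrganization' { return $true }
        'SpecificGroups'     { return ($overlap.Count -gt 0) }   # "Specific security groups"
        'ExceptGroups'       { return ($overlap.Count -eq 0) }   # "Except specific security groups"
        default              { throw "Unknown mode '$($Setting.Mode)'" }
    }
}

function Get-EffectiveAccess {
    param(
        [Parameter(Mandatory)] [hashtable] $Tenant,
        [Parameter(Mandatory)] [hashtable] $Capacity,  # keys: Name, Override, Setting
        [string[]] $UserGroups = @()
    )
    $tenantAllows = Test-SettingAllowsUser -Setting $Tenant -UserGroups $UserGroups
    if ($Capacity.Override) {
        # "Override tenant admin selection" is checked: the capacity setting decides
        $source  = 'capacity override'
        $allowed = Test-SettingAllowsUser -Setting $Capacity.Setting -UserGroups $UserGroups
    }
    else {
        $source  = 'tenant'
        $allowed = $tenantAllows
    }
    [pscustomobject]@{
        Capacity     = $Capacity.Name
        DecidedBy    = $source
        TenantAllows = $tenantAllows
        Allowed      = $allowed
        # True when the override grants access the tenant setting would deny
        WidensTenant = ($allowed -and -not $tenantAllows)
    }
}

# Scenario from the Data Activator section: disabled for the tenant,
# enabled on one capacity for a group of developers (names are constructed).
$tenant = @{ Enabled = $false; Mode = 'EntireOrganization'; Groups = @() }
$capacities = @(
    @{ Name = 'dev-capacity'; Override = $true
       Setting = @{ Enabled = $true; Mode = 'SpecificGroups'; Groups = @('sg-advanced-developers') } }
    @{ Name = 'finance-capacity'; Override = $false; Setting = $null }
)

foreach ($groups in @(, @('sg-advanced-developers')), @(, @('sg-analysts'))) {
    foreach ($capacity in $capacities) {
        Get-EffectiveAccess -Tenant $tenant -Capacity $capacity -UserGroups $groups[0] |
            Select-Object @{ n = 'UserGroup'; e = { $groups[0] -join ',' } }, *
    }
}
```

Rows where WidensTenant is true are the overrides to review first, because they are the places where the tenant-level setting no longer describes who has the feature.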

Next steps
Enable Microsoft Fabric for your organization

Admin overview



Fabric region availability
Article • 11/21/2023

Microsoft Fabric Public Preview is available in the Azure regions listed in this article. If
your Microsoft Fabric home region isn't listed, you can still create a Microsoft Fabric
capacity in a region that is supported. For more information, see Buy a Microsoft Fabric
subscription.

To find out what your Fabric home region is, see Find your Fabric home region.

Asia Pacific

AustraliaEast
AustraliaSoutheast
CentralIndia
EastAsia
JapanEast
KoreaCentral
SoutheastAsia
SouthIndia

Europe

NorthEurope
WestEurope
FranceCentral
NorwayEast
SwedenCentral
SwitzerlandNorth
SwitzerlandWest
UKSouth
UKWest

Americas

BrazilSouth
CanadaCentral
CanadaEast
EastUS
EastUS2
NorthCentralUS
SouthCentralUS
WestUS
WestUS2
WestUS3

Middle East and Africa

SouthAfricaNorth
UAENorth

Related content
Buy a Microsoft Fabric subscription
Find your Fabric home region



Find your Fabric home region
Article • 11/21/2023

To find your Fabric home region, follow these steps:

1. Sign in to Fabric.

2. Open the Help pane and choose About Microsoft Fabric.

3. Look for the value next to Your data is stored in. The location shown is the default
region where your data is stored. You may also be using capacities in different
regions for your workspaces.

Related content
Buy a Microsoft Fabric subscription
Region availability



Understand Microsoft Fabric admin roles
Article • 11/21/2023

To be a Microsoft Fabric admin for your organization, you must be in one of the
following roles:

Global administrator

Power Platform administrator

Fabric administrator

Microsoft 365 user admins assign users to the Fabric administrator or Power Platform
administrator roles in the Microsoft 365 admin portal, or by using a PowerShell script.
For more information, see Assign roles to user accounts with PowerShell.

Users in Fabric administrator and Power Platform administrator roles have full control
over org-wide Microsoft Fabric settings and admin features, except for licensing. Once a
user is assigned an admin role, they can access the admin portal. There, they have
access to org-wide usage metrics and can control org-wide usage of Microsoft Fabric
features. These admin roles are ideal for users who need access to the Fabric admin
portal without also granting those users full Microsoft 365 administrative access.

Assign users to an admin role in the Microsoft 365 admin portal

To assign users to an admin role in the Microsoft 365 admin portal, follow these steps.

1. In the Microsoft 365 admin portal, select Users > Active Users.

2. Select the user that you want to assign the role to.

3. Under Roles, select Manage roles.

4. Expand Show all by category, then select Fabric administrator or Power Platform
administrator.

5. Select Save changes.

Assign users to the admin role with PowerShell


You can also assign users to roles by using PowerShell. Users are managed in Azure
Active Directory (Azure AD). If you don't already have the Azure AD PowerShell module,
download and install the latest version.

1. Connect to Azure AD:

PowerShell

Connect-AzureAD

2. Get the ObjectId for the Fabric administrator role. You can run
Get-AzureADDirectoryRole to get the ObjectId.

PowerShell

Get-AzureADDirectoryRole

Output

ObjectId                             DisplayName                             Description
--------                             -----------                             -----------
6ebd1a24-c502-446f-94e5-fa2997fd26c3 Fabric Administrator                    Manages all aspects of Microsoft Fabric.
70fd9723-a627-48ef-8b2c-82c22b65211e SharePoint Administrator                Can manage all aspects of the SharePoint service.
727aeffc-89db-4d43-a680-8b36f56b38c5 Windows Update Deployment Administrator Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service.
7297504b-c536-41f6-af7c-d742d59b2541 Security Operator                       Creates and manages security events.
738e1e1e-f7ec-4d99-b6b4-1c190d880b4d Application Administrator               Can create and manage all aspects of app registrations and enterprise apps.
782450d2-5aae-468e-a4fb-1103e1be6833 Service Support Administrator           Can read service health information and manage support tickets.
80f7e906-2e72-4db0-bd50-3b40545685a5 Attribute Assignment Administrator      Assign custom security attribute keys and values to supported Azure AD objects.
831d152c-42b8-4dc9-826e-42f8419afc9c Partner Tier2 Support                   Do not use - not intended for general use.

In this case, the role's ObjectId is 6ebd1a24-c502-446f-94e5-fa2997fd26c3.

3. Next, get the user's ObjectId. You can find that by running Get-AzureADUser.

PowerShell

Get-AzureADUser -ObjectId '[email protected]'

Output

ObjectId                             DisplayName UserPrincipalName UserType
--------                             ----------- ----------------- --------
6a2bfca2-98ba-413a-be61-6e4bbb8b8a4c Tim         [email protected] Member

4. To add the member to the role, run Add-AzureADDirectoryRoleMember.

Parameter - Description

ObjectId - The role's ObjectId.

RefObjectId - The member's ObjectId.

PowerShell

Add-AzureADDirectoryRoleMember -ObjectId 6ebd1a24-c502-446f-94e5-fa2997fd26c3 -RefObjectId 6a2bfca2-98ba-413a-be61-6e4bbb8b8a4c

To learn more about using PowerShell to assign admin roles, see AzureAD Directory
Roles.
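
Because these roles carry full control over org-wide Fabric settings, the assignment steps above are worth pairing with a periodic membership review. The following is an added example, not part of the original documentation: it lists who holds the admin roles named on this page and reports members that are not on an approved list, are not user accounts, or are not of user type Member. The function names, the approved list, the sample rows other than Tim's ObjectId, and the display names of the two roles not shown in the output above are assumptions.

```powershell
# Added example, not from the original documentation.
# Collection needs the AzureAD module and a Connect-AzureAD session; the review
# function works on any objects that carry the same properties.

function Get-AdminRoleMember {
    param(
        # 'Fabric Administrator' is the display name shown in the output above.
        # The other two names are assumptions: confirm them in your own
        # Get-AzureADDirectoryRole output.
        [string[]] $RoleName = @('Fabric Administrator',
                                 'Power Platform Administrator',
                                 'Global Administrator')
    )
    # Get-AzureADDirectoryRole lists only roles that are activated in the tenant.
    $roles = @(Get-AzureADDirectoryRole | Where-Object { $RoleName -contains $_.DisplayName })
    foreach ($name in $RoleName) {
        if ($roles.DisplayName -notcontains $name) {
            Write-Warning "Role '$name' not found (not activated, or named differently)."
        }
    }
    foreach ($role in $roles) {
        Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | ForEach-Object {
            [pscustomobject]@{
                Role              = $role.DisplayName
                ObjectId          = $_.ObjectId
                ObjectType        = $_.ObjectType
                DisplayName       = $_.DisplayName
                UserPrincipalName = $_.UserPrincipalName
                UserType          = $_.UserType
            }
        }
    }
}

function Find-AdminRoleFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Member,
        [string[]] $ApprovedObjectId = @()
    )
    foreach ($m in $Member) {
        $reasons = @()
        if ($ApprovedObjectId -notcontains $m.ObjectId) {
            $reasons += 'not on the approved list'
        }
        # Service principals and guest accounts are reported even when approved,
        # so that each review confirms they are still intended.
        if ($m.ObjectType -ne 'User') {
            $reasons += "principal type is $($m.ObjectType)"
        }
        elseif ($m.UserType -ne 'Member') {
            $reasons += "user type is $($m.UserType)"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Role      = $m.Role
                Principal = if ($m.UserPrincipalName) { $m.UserPrincipalName } else { $m.DisplayName }
                ObjectId  = $m.ObjectId
                Reason    = $reasons -join '; '
            }
        }
    }
}

# Constructed sample data. Only the first ObjectId appears on this page (Tim);
# every other value, including the UPNs, is a placeholder.
$sample = @(
    [pscustomobject]@{ Role = 'Fabric Administrator'; ObjectType = 'User'; UserType = 'Member'
        ObjectId = '6a2bfca2-98ba-413a-be61-6e4bbb8b8a4c'
        DisplayName = 'Tim'; UserPrincipalName = 'tim@example.invalid' }
    [pscustomobject]@{ Role = 'Fabric Administrator'; ObjectType = 'User'; UserType = 'Guest'
        ObjectId = '00000000-0000-0000-0000-000000000001'
        DisplayName = 'External consultant'; UserPrincipalName = 'guest@example.invalid' }
    [pscustomobject]@{ Role = 'Power Platform Administrator'; ObjectType = 'ServicePrincipal'; UserType = $null
        ObjectId = '00000000-0000-0000-0000-000000000002'
        DisplayName = 'automation-app'; UserPrincipalName = $null }
)
$approved = @('6a2bfca2-98ba-413a-be61-6e4bbb8b8a4c')

Find-AdminRoleFinding -Member $sample -ApprovedObjectId $approved | Format-Table -AutoSize

# Against a live tenant, after Connect-AzureAD:
# Find-AdminRoleFinding -Member (Get-AdminRoleMember) -ApprovedObjectId $approved
```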

Related content
What is the admin portal?
What is the admin monitoring workspace?



What is the admin monitoring workspace?
Article • 11/15/2023

The Admin monitoring workspace is designed to provide admins with monitoring
capabilities for their organization. Using the admin monitoring workspace resources,
admins can perform security and governance tasks such as audits and usage checks.

Prerequisites
To use the admin monitoring workspace, you need to be an admin with one of these
roles.

Microsoft 365 Global administrator

Fabric administrator

Access the admin monitoring workspace


The admin monitoring workspace is enabled for Microsoft Fabric admins that have the
Global administrator or Fabric administrator role. Admins can also share its content with
other users. Users with viewer permissions who are not admins can view the admin
monitoring workspace by navigating to the workspace URL.

Admin monitoring workspace view


Only admins with the Global administrator or Fabric administrator roles can see the
admin monitoring workspace at the top of their list of workspaces. Admins can access
the monitoring workspace by selecting it from the list.

Users who are not admins, and do not have a Global administrator or Fabric
administrator role, can't see the admin monitoring workspace at the top of their list of
workspaces. Such users can only view the admin monitoring workspace by navigating to
its URL after they've been given viewer permissions by an admin.

Installing the admin monitoring workspace


The admin monitoring workspace is automatically installed during the first time any
Microsoft Fabric admin accesses it. To access the admin monitoring workspace, follow
these steps:

1. Log into Microsoft Fabric with your account.

2. From the left pane, select Workspaces.

3. Select Admin monitoring. When you select this option for the first time, the
required items are automatically installed.

Reports and semantic models


In the monitoring workspace, you can use the Feature Usage and Adoption report as is.
You can also connect to this report's semantic model, and create a solution that's
optimized for your organization.

Manage access
There are several ways you can manage access to content of the admin monitoring
workspace. If you're the admin of the workspace, you have a member workspace role
and you can grant access to any of its items with or without share and build
permissions.

Workspace - Learn how to give users access to the workspace in manage
workspace. You can only grant other users a viewer role. Once a viewer role is
provided, it can't be taken away.

Report - You can share a report with other users.

Semantic model - You can share access to a semantic model with other users.
Once a semantic model is shared, you can't unshare it.

Refreshes
The admin monitoring workspace is automatically refreshed once a day. The refresh
takes place about 10 minutes after the admin workspace was accessed for the first time.

For the refresh to work, the admin that accessed the workspace for the first time has to:

Keep their Global administrator or Fabric administrator role. If the role of the admin
who first accessed the workspace changes, the admin monitoring workspace will
not be refreshed.

If the workspace creator uses Privileged Identity Management (PIM), it has to be
enabled during the scheduled refresh.

Considerations and limitations


The admin monitoring workspace is a read-only workspace. Workspace roles don't
have the same capabilities as they do in other workspaces. Users, including admins,
are not able to edit or view properties of items such as semantic models and
reports in the workspace.

Sovereign clouds are not supported.

Users granted build permissions to a semantic model in the monitoring workspace
show as having read permissions.

Next steps
Admin overview

Feature usage and adoption report



Feature usage and adoption report
Article • 11/02/2023

The Feature Usage and Adoption Report is a comprehensive analysis of usage and
adoption of different features in your Microsoft Fabric tenant. As a Fabric admin you can
share this report with others in your organization. You can also share the report's
semantic model, and use it to customize the report, or build a new report that relies on
the same data.

You can access the report from the admin monitoring workspace. To see this workspace
you need to be a Fabric administrator.

Navigation
The report is built to allow admins to analyze specific scenarios. Use the report date
slicer to filter data for each page across the report. You can also use the filter pane to
filter out information on the page, using available filters based on different scenarios.

Report pages
The feature usage and adoption report has three pages:

Activity Overview - Provides a bird's eye view of activities and usage across the
entire organization

Analysis - Visualizes data across multiple activity dimensions

Activity Details - Displays detailed information on specific or multiple capacity or
workspace activities

Activity Overview page


Use the Activity Overview page to find out:

What are the daily activities and user trends?

Which capacities and workspaces are the most active?

View activities in your organization.

View activities in your organization by users or top active user.


For example, if you're working in a large retail organization, you may want to use the
Activity Overview page to find out what capacities were utilized during December. You
use the Date fields to filter the results for December, and notice that the sales and
marketing capacity has almost 1,000 activities, while other capacities have under 200
activities each. You decide to further investigate this, and go to the Analysis page to try
and understand why this is happening.

Analysis page
In the Analysis page, you can see a daily count of activities and users by date and a
decomposition tree that automatically aggregates data and enables drilling down into
dimensions in any order. Use the decomposition tree, to decompose the activities
according to operation and user. You can use the additional available fields to
decompose activities.

To view the details of a specific activity, drill through to the Activity Details:

1. Right-click the activity you want to drill through from.

2. Select Drill through.

3. Select Activity Details.

Continuing the example from the Activity Overview page, you turn to the Analysis page
to understand why in December, the sales and marketing capacity has almost five times
more activities than any other capacity. Using the Date fields, you filter the results for
December. By reviewing the Decomposition tree, you see that almost all of the activities
are for viewing a Power BI report. You decide to drill through to the Activity details page
to understand which report is being extensively viewed.

Activity Details page


The Activity Details page shows information related to specific or multiple capacity or
workspaces activities. You can only get to the Activity Details page by drilling through
from the Activity Overview or Analysis pages. To drill through, right-click a result and
then select the Activity Details page. After drilling through, you see the following
information for the selected activities:

Creation time - The time the activity was registered

Capacity name - The name of the capacity that the activity took place in

Capacity ID - The ID of the capacity that the activity took place in


Workspace name - The name of the workspace that the activity took place in

Workspace ID - The ID of the workspace that the activity took place in

User (UPN) - The user principal name (UPN) of the user who created the activity

Operation - The name of the operation

Total of activities - The number of times the activity was registered

To conclude the example given in the Activity Overview and Analysis pages, after drilling
through from the View Reports log in the Analysis page, you realize that a report titled
unclosed deals has been heavily reviewed during December. After further inquiries, you
learn that this is a new report and that many people in the organization reviewed it
during December, to try to understand how sales could have been improved.

Considerations and limitations


This section lists the report's considerations and limitations.

Display
The single data point across the zoom slider displays a misleading date range for
the total activities and users.

When drilling down to a workspace, the Expand All feature doesn't update the
Most Active Capacities visual title.

Capacities with the same name and capacities that were deleted and recreated
with the same name, are displayed as one capacity.

NA represents data that isn't available in the Audit table. This can happen when an
event doesn't have the dimension information, or when that information isn't
applicable for the event.

The report retains information for 30 days.

Counting logic
All MyWorkspaces are counted as different records as part of the Active Workspaces
total.

When a capacity, workspace or item is deleted, its activities are counted in the
report but appear as (Blank).

Capacities with the same name but different IDs are counted as separate records.

Next steps
What is the admin monitoring workspace?

Admin overview



Use the Monitoring hub
Article • 11/15/2023

Monitoring hub enables users to monitor various Microsoft Fabric activities, such as
semantic model refresh and Spark Job runs and many others, from a central location.
You can access Monitoring hub by selecting its icon from the left pane.

Monitoring hub is available for Power BI, Data Factory, Data Engineering and Data
Science during the Microsoft Fabric public preview.

Prerequisites
Verify that the new workspace experience is enabled.

Permissions required
All items for which a user has read permissions semantic model permissions will appear
in the Monitoring Hub.

Using the Monitoring hub


Monitoring hub shows activities based on which service is being used when Monitoring
hub is selected. For example, if you're using Data Factory when you select Monitoring
hub, a list of Data Factory activities is displayed. If you're using Power BI and then select
Monitoring hub from the left pane, a list of Power BI related activities is displayed.

Because there might be many records in Monitoring hub, filters are applied by default to
limit the number of items initially displayed. For example, the following image shows
Monitoring hub for Power BI, where filters are applied to only show semantic model,
Dataflow Gen2, and Datamart items.

You can dismiss filters by selecting the x beside the filter button, and you can select
different filters by using the filter drop-down in the upper right corner of the window.
You can also filter by keyword.

The first seven columns in the list of items are shared across all Monitoring hub views.
The columns after the first seven are specific to the viewing context, such as Power BI.

Getting detailed item information


When you select an item from the list, Monitoring hub displays detailed information
about that item.

When you hover over an item's name, any available quick actions for the item type are
displayed, such as stop, start, re-run, or other quick actions. You can also open a detail
pane for the item itself when you hover, for example, View run history for semantic
models that are in Monitoring hub, to display their refresh activities.

Next steps
Admin overview
Browse the Apache Spark applications in the Fabric monitoring hub
View refresh history and monitor your dataflows
Feature usage and adoption report


Track user activities in Fabric
Article • 11/21/2023

Knowing who is taking what action on which item in Fabric can be critical in helping
your organization fulfill its requirements, such as meeting regulatory compliance and
records management.

In Fabric, user activities are logged in the Power BI activity log and in the unified audit
log. You can retrieve them for tracking purposes in the same way as in Power BI, as
described in Track user activities in Power BI. The following operations can be retrieved:

For Power BI items: All currently available operations

For all other Fabric items: Currently, only create, read, update, and delete
operations.

Related content
Track user activities in Power BI



Find users who have signed in
Article • 11/01/2023

If you're an admin for your organization, and want to see who has signed in to Fabric,
use Azure Active Directory (Azure AD) access and usage reports, which are also known
as the sign-in logs.

Note

The Sign-in logs report provides useful information, but it doesn't identify the type
of license for each user. Use the Microsoft 365 admin center to view licenses.

Requirements
Any user can view a report of their own sign-ins. To see a report for all users, you must
be in one of the following roles: Global Administrator, Security Administrator, Security
Reader, Global Reader, or Report Reader.

Use the Azure AD admin center to view sign-ins


To view sign-in activity, follow these steps:

1. Sign in to the Azure AD admin center, and then select Azure Active Directory
from the portal menu.

2. From the resource menu, select Monitoring > Sign-in logs.


3. By default, all sign-ins from the last 24 hours for all users and all applications are
shown. To select a different time period, select Date in the working pane and
choose from the available time intervals. Only information from the last seven days
is available. To see only sign-ins to Power BI, add filters:

a. Select Add filter > pick Application as the field to filter by, and select Apply.

b. From the top of the working pane, select Application contains.

To see only sign-in activity that's related to Power BI, enter Microsoft Power
BI

To see only sign-in activity that's specific to the on-premises data gateway,
enter Power BI Gateway

4. Select Apply.

Microsoft Power BI filters to sign-in activity related to the service. Power BI Gateway
filters to sign-in activity specific to the on-premises data gateway.

Export the data


You can download a sign-in report in either of two formats: a CSV file, or a JSON file.
Use the following steps to download your report:

1. From the command bar for the Sign-in logs report, select Download and then
select one of the following options:

Download JSON to download a JSON file for the currently filtered data

Download CSV to download a CSV file for the currently filtered data

2. Decide what type of sign-ins you want to export, and then select Download.

Data retention
Sign-in-related data is available for up to seven days, unless your organization has an
Azure AD premium license. If you use Azure AD Premium P1 or Azure AD Premium P2,
you can see data for the past 30 days. For more information, see How long does Azure
AD store reporting data?.
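
Because sign-in data ages out after the retention window, exported files are the only longer-term record. The following added example (not part of the original documentation) merges several Download JSON exports, removes overlapping records, keeps only the Power BI applications named in the filter steps, and summarizes sign-ins per user. The field names (id, createdDateTime, userPrincipalName, appDisplayName, ipAddress, status.errorCode) are assumed to follow the Microsoft Graph signIn resource, and the sample records are constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Application filter values named in the steps above.
APP_FILTERS = ("Microsoft Power BI", "Power BI Gateway")

# Constructed sample data standing in for two "Download JSON" exports taken on
# different days. Field names are assumed to match the Graph signIn resource.
EXPORT_DAY_1 = json.dumps([
    {"id": "a1", "createdDateTime": "2023-11-01T08:15:00Z",
     "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Power BI",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"id": "a2", "createdDateTime": "2023-11-01T08:20:00Z",
     "userPrincipalName": "bob@example.com",
     "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "203.0.113.11", "status": {"errorCode": 0}},
    {"id": "a3", "createdDateTime": "2023-11-01T09:00:00Z",
     "userPrincipalName": "svc-gateway@example.com",
     "appDisplayName": "Power BI Gateway",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
])
EXPORT_DAY_2 = json.dumps([
    # Overlaps with the first export; must be counted once.
    {"id": "a3", "createdDateTime": "2023-11-01T09:00:00Z",
     "userPrincipalName": "svc-gateway@example.com",
     "appDisplayName": "Power BI Gateway",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"id": "a4", "createdDateTime": "2023-11-02T07:30:00.1234567Z",
     "userPrincipalName": "Alice@example.com",
     "appDisplayName": "Microsoft Power BI",
     "ipAddress": "198.51.100.20", "status": {"errorCode": 50126}},
])


def load_exports(*json_texts):
    """Merge exported JSON documents, de-duplicating records by their id."""
    merged = {}
    for text in json_texts:
        for record in json.loads(text):
            merged[record["id"]] = record
    return list(merged.values())


def power_bi_sign_ins(records, app_filters=APP_FILTERS):
    """Apply the same 'Application contains' filter the portal steps describe."""
    wanted = tuple(f.lower() for f in app_filters)
    return [r for r in records
            if any(f in (r.get("appDisplayName") or "").lower() for f in wanted)]


def parse_time(value):
    """Parse an ISO 8601 UTC timestamp, dropping fractional seconds."""
    trimmed = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(trimmed)


def summarize(records):
    """Per-user counts of successful and failed sign-ins, source IPs, last seen."""
    summary = defaultdict(
        lambda: {"success": 0, "failure": 0, "ips": set(), "last_sign_in": None})
    for r in records:
        entry = summary[r["userPrincipalName"].lower()]
        # errorCode 0 is treated as success; any other code as a failed sign-in.
        succeeded = (r.get("status") or {}).get("errorCode", 0) == 0
        entry["success" if succeeded else "failure"] += 1
        if r.get("ipAddress"):
            entry["ips"].add(r["ipAddress"])
        when = parse_time(r["createdDateTime"])
        if entry["last_sign_in"] is None or when > entry["last_sign_in"]:
            entry["last_sign_in"] = when
    return dict(summary)


if __name__ == "__main__":
    records = load_exports(EXPORT_DAY_1, EXPORT_DAY_2)
    for user, info in sorted(summarize(power_bi_sign_ins(records)).items()):
        print(f"{user}: ok={info['success']} failed={info['failure']} "
              f"ips={sorted(info['ips'])} last={info['last_sign_in'].isoformat()}")
```

To use it on real data, replace the two sample strings with the contents of your downloaded files.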

Next steps
Use the Monitoring hub


Add custom branding to the Power BI service
Article • 11/02/2023

As a Fabric admin, you can change the look and feel of the Power BI service to match
your organization's own branding. With custom branding, you can change the theme
color that appears in the top navigation bar, add your company logo, and bring your
default landing page to life by adding a cover image.

Custom branding changes the look of Power BI for your whole organization. Users can't
override your custom branding with their own theme. Custom branding also appears to
any external users who have access to your reports in B2B scenarios, helping to easily
distinguish your organization.

Before you begin


Make sure you're a Fabric administrator.
Prepare your images for upload. You need these files:
A logo file that's saved in .png format, is 10 KB or smaller, and is at least 200 x
30 pixels. Choosing a PNG file makes sure your logo has a high-resolution
appearance on all screens and at all zoom levels. The logo appears on every
page.
A cover image that's saved in .jpg or .png format, is 1 MB or smaller, and is at
least 1920 x 160 pixels. Get creative and choose an image that
complements your theme color and feels welcoming. The cover image appears
only at the top of Home.
Identify the hex or decimal code for your theme color. Your theme color appears
on every page and provides the background for your logo. Choose a color that
complements your logo and cover image or that matches other custom branding
in your organization.

The following image indicates where each of these elements appears in the Power BI
service:

1. Logo
2. Cover image
3. Theme color

Add custom branding


Follow these steps to customize the look of Power BI for your whole organization:

1. Sign in to the Power BI service as a Fabric admin.

2. From the navigation bar, select Settings > Admin portal > Custom branding.

3. Upload a logo file.

4. Upload a cover image file, then crop as needed to adjust how the image appears
on the page.

5. Select your theme color by using the color picker or by typing the hex or decimal
code.

6. Select Preview to see how your custom branding looks before you publish.

7. When you're happy with your settings, select Publish to make the custom
branding the default appearance for all users in your organization. The custom
branding appears when you refresh your browser window.

Remove custom branding


Follow these steps to return the look of Power BI to the default settings:

1. Sign in to the Power BI service as a Fabric administrator.

2. From the navigation bar, select Settings > Admin portal > Custom branding.

3. Select Remove custom branding, then select Publish to go back to the Power BI
default look.

Next steps
Give your users a consistent online experience by applying custom branding to other
services. Custom branding settings aren't shared between Microsoft 365 and Power BI,
but your users will see branding that you apply to your organization's Azure Active
Directory sign-in page.

Add branding to your organization's Azure Active Directory sign-in page
Customize the Microsoft 365 theme for your organization
Add featured content to Power BI Home



Manage Azure connections
Article • 11/21/2023

The Azure connections admin settings connect Azure services to Fabric. Using these
settings, you can store your dataflows in your organization's Azure Data Lake Storage
Gen2 (ADLS Gen2) account. You can review the benefits of this approach in Reasons to
use the ADLS Gen 2 workspace or tenant connection.

The Azure connections admin settings have the following options:

Tenant-level storage - Use to store dataflows in your organization's tenant settings.
This setting can be configured if you want a central Data Lake storage place, or as
a default storage place in addition to workspace level storage.

Workspace-level storage permissions - Use to store dataflows in specific ADLS Gen
2 accounts, organized per workspace.

To learn how to access the Fabric admin portal settings, see What is the admin portal?

Tenant-level storage
By default, data used with Power BI is stored in internal storage provided by Power BI.
With the integration of dataflows and Azure Data Lake Storage Gen2 (ADLS Gen2), you
can store your dataflows in your organization's Azure Data Lake Storage Gen2 account.
Storing dataflows in Azure Data Lake allows you to access them using the Azure portal,
Azure Storage Explorer, and Azure APIs. For more information, see Configuring dataflow
storage to use Azure Data Lake Gen 2.

Workspace-level storage permissions


By default, workspace admins can't connect their own storage account. This feature lets
Fabric administrators turn on a setting that allows workspace admins to connect their
own storage account.

To activate this feature, go to Admin portal > Azure connections > Connect to Azure
resources > Workspace-level storage permissions, and check the Allow workspace
admins to connect their own storage account checkbox.

Related content
What is the admin portal?
Configuring dataflow storage to use Azure Data Lake Gen 2



Manage capacity settings
Article • 11/21/2023

Capacity is a dedicated set of resources reserved for exclusive use. Premium and
Embedded capacities offer a dependable and consistent performance for your content.
Here are some settings that you can configure when managing your organization's
capacity settings:

Create new capacities
Delete capacities
Manage capacity permissions
Change the size of the capacity

To learn how to access the Fabric admin portal settings, see What is the admin portal?

Power BI Premium
The Power BI Premium tab enables you to manage any Power BI Premium capacities
(EM or P SKU) that have been purchased for your organization. All users within your
organization can see the Power BI Premium tab, but they only see contents within it if
they're assigned as either a Capacity admin or a user that has assignment permissions. If
a user doesn't have any permissions, the following message appears:

To understand more about the concepts of capacity management, see Managing
Premium capacities.

The capacity management process is described in Configure and manage capacities in
Power BI Premium.

Power BI Embedded
The Power BI Embedded tab enables you to view your Power BI Embedded (A SKU)
capacities that you've purchased for your customer. Because you can only purchase A
SKUs from Azure, you manage embedded capacities in Azure from the Azure portal.

For more information about Power BI Embedded, see:

Power BI Embedded SKUs - Capacity and SKUs in Power BI embedded analytics

Create a Power BI Embedded capacity in Azure - Create Power BI Embedded
capacity in the Azure portal

Scale a capacity in Azure - Scale your Power BI Embedded capacity in the Azure
portal

Pause and start a capacity in Azure - Pause and start your Power BI Embedded
capacity in the Azure portal

Related content
What is the admin portal?



Manage embed codes
Article • 11/21/2023

As a Fabric administrator, you can view the embed codes that are generated for sharing
reports publicly, using the Publish to web from Power BI feature. You can also disable or
delete embed codes.

To learn how to access the Fabric admin portal settings, see What is the admin portal?

Disable embed codes


You can disable the Publish to web feature, or allow embed codes to work only in your
organization. If you disable Publish to web, the existing embed codes aren't deleted.
When you reenable Publish to web, the existing embed codes become active again.

Disabling the embed codes is described in Publish to web.

Delete embed codes


To delete embed codes, select the codes you want to delete and then select Delete.

Related content
Publish to web
What is the admin portal?


Manage featured content
Article • 11/21/2023

If the featured content feature is enabled in your organization, users can feature content
in the Featured section of the Power BI Home page. See Feature content on colleagues'
Power BI Home page for details.

As a Fabric admin, you can monitor this featured content and remove it from the
Featured section, if necessary. You can also disable the featured content feature entirely,
in which case users will no longer be able to feature content. See the Enable/disable
featured content section.

Monitor and manage featured content


In the admin portal, select Featured content.

Here you see a list of all featured items along with their relevant metadata. If something
looks suspicious, or you want to clean up the Featured section, you can delete featured
items as needed.

To delete an item, mouse over and select the item, and then click the trash can that
appears in the top ribbon, or choose More options (...) > Delete. It's possible to select
multiple items and then delete.

Enable/disable featured content


The featured content feature is enabled, disabled, and configured (for example,
specifying who can feature content) via an admin setting. To learn more, see Featured
content.

Related content
Feature content on colleagues' Power BI Home page
What is the admin portal?



Manage organizational visuals
Article • 11/21/2023

The organizational visuals admin setting allows you to manage the list of Power BI
visuals available in your organization. For more information and detailed instructions,
see Organizational visuals.

Other Power BI visuals admin settings


All the Power BI visuals admin settings, including Power BI visuals tenant settings, are
described in Manage Power BI visuals admin settings.

Related content
What is the admin portal?
Manage Power BI visuals admin settings



Manage Power BI visuals admin settings
Article • 11/02/2023

As a Fabric administrator for your organization, you can control the type of Power BI
visuals that users can access across the organization and limit the actions users can
perform.

To manage Power BI visuals, you must be a Global Administrator in Office 365, or have
been assigned the Fabric administrator role. For more information about the Fabric
administrator role, see Understand Microsoft Fabric admin roles.

Power BI visuals tenant settings


To manage the tenant settings for Power BI visuals from the admin portal, go to Tenant
settings and scroll down to Power BI visuals.

The UI tenant settings only affect the Power BI service. If you want these settings to take
effect in Power BI Desktop, use group policies. A table at the end of each section
provides details for enabling the setting in Power BI Desktop.

Note

Changes to tenant settings don't affect Power BI visuals listed in the organizational
visuals tab.

Visuals from AppSource or a file


Manage organizational access for the following types of Power BI visuals:

Custom visuals that developers create by using the Power BI SDK and save as a .pbiviz
file.

Visuals downloaded from AppSource.

Use the following instructions to enable users in your organization to upload .pbiviz
files, and add visuals from AppSource to their reports and dashboards:

1. Expand the Allow visuals created using the Power BI SDK settings.

2. Select Enabled.

3. Choose who can upload .pbiviz and AppSource visuals:

Select The entire organization option to allow everyone in your organization
to upload .pbiviz files, and add visuals from AppSource.

Select the Specific security groups option to manage uploading .pbiviz files,
and adding visuals from AppSource using security groups. Add the security
groups you want to manage to the Enter security groups text bar. The security
groups you specify are excluded by default. If you want to include these
security groups and exclude everyone else in the organization, select the
Except specific security groups option.

4. Select Apply.

UI changes to tenant settings apply only to the Power BI service. To enable users in your
organization to upload .pbiviz files, and add visuals from AppSource to their
visualization pane in Power BI Desktop, use AD Group Policy.

Key                                             Value name                  Value
Software\Policies\Microsoft\Power BI Desktop\   EnableCustomVisuals         0 - Disable
                                                                            1 - Enable (default)

Certified Power BI visuals


Certified Power BI visuals are visuals that meet the Microsoft Power BI team code
requirements. They're tested to verify that they don't access external services or
resources and that they follow secure coding patterns and guidelines.

When this setting is enabled, only certified Power BI visuals render in your organization's
reports and dashboards. Power BI visuals from AppSource or files that aren't certified
return an error message.

1. From the admin portal, select Add and use certified visuals only.

2. Select Enabled.

3. Select Apply.

UI changes to tenant settings apply only to the Power BI service. To manage the certified
visuals tenant setting in Power BI Desktop, use AD Group Policy.

Key                                             Value name                  Value
Software\Policies\Microsoft\Power BI Desktop\   EnableUncertifiedVisuals    0 - Disable
                                                                            1 - Enable (default)

Export data to file


When this setting is enabled, users can download data from a custom visual into a file
on their storage device. This setting is separate from and not affected by download
restrictions applied in your organization's export and sharing tenant settings.

Note

When this setting is enabled, a custom visual can export to files of the following
types:

.txt
.csv
.json
.tmplt
.xml
.pdf
.xlsx

1. Expand the Allow downloads from custom visuals settings.

2. Select Enabled.

3. Choose who can download files:

Select The entire organization option to allow everyone in your organization
to download data from a visual into a file.

Select the Specific security groups option to limit downloading files to
specific security groups. Enter the security groups you want in the Enter
security groups text bar. The security groups you specify are included by
default. If you want to exclude these security groups and include everyone
else in the organization, select the Except specific security groups option.

4. Select Apply.

UI changes to tenant settings apply only to the Power BI service. To enable users in your
organization to download data from custom visuals in Power BI Desktop, use AD Group
Policy.

Key                                             Value name                  Value
Software\Policies\Microsoft\Power BI Desktop\   AllowCVToExportDataToFile   0 - Disable
                                                                            1 - Enable (default)

When AllowCVToExportDataToFile is set to 1, the custom visual can export data to a file
only if:

The feature switch in the admin portal is enabled.

The user is logged on.
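
All three Group Policy values above default to 1 (enabled) when they aren't set, so a workstation with no policy applied allows uncertified visuals and export to file in Power BI Desktop regardless of the tenant settings. The following added example (not part of the original documentation) reads the three values, applies the documented defaults, and reports where the effective setting differs from a baseline. The registry hive (HKEY_LOCAL_MACHINE) and the restrictive baseline are assumptions, because the page gives only the key path and value names.

```python
import sys

# Key path and value names come from the tables above. The hive is not stated
# on the page; HKEY_LOCAL_MACHINE is an assumption.
POLICY_KEY = r"Software\Policies\Microsoft\Power BI Desktop"

# Per the tables above, each value is 1 (enabled) by default when not set.
DEFAULTS = {
    "EnableCustomVisuals": 1,
    "EnableUncertifiedVisuals": 1,
    "AllowCVToExportDataToFile": 1,
}

# Hypothetical restrictive baseline: custom visuals allowed, but certified
# only, and no export to file. Adjust to your organization's policy.
BASELINE = {
    "EnableCustomVisuals": 1,
    "EnableUncertifiedVisuals": 0,
    "AllowCVToExportDataToFile": 0,
}


def read_policy_values():
    """Return the policy values that are actually set (Windows only)."""
    import winreg  # imported here so the audit logic also runs off Windows
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            for name in DEFAULTS:
                try:
                    values[name], _value_type = winreg.QueryValueEx(key, name)
                except FileNotFoundError:
                    pass  # value not set; the default applies
    except FileNotFoundError:
        pass  # policy key absent; every default applies
    return values


def audit(configured, baseline=BASELINE):
    """List every setting whose effective value differs from the baseline."""
    findings = []
    for name, default in DEFAULTS.items():
        raw = configured.get(name)
        if raw is None:
            value, origin = default, "default (value not set)"
        elif raw in (0, 1):
            value, origin = raw, "policy"
        else:
            findings.append(f"{name}: unexpected data {raw!r}, only 0 and 1 are documented")
            continue
        if value != baseline[name]:
            findings.append(f"{name}: effective {value} from {origin}, baseline {baseline[name]}")
    return findings


def export_possible(configured, portal_switch_enabled, user_signed_in):
    """Export-to-file condition as stated above: policy value 1, the admin
    portal feature switch enabled, and the user logged on."""
    raw = configured.get("AllowCVToExportDataToFile",
                         DEFAULTS["AllowCVToExportDataToFile"])
    return bool(raw == 1 and portal_switch_enabled and user_signed_in)


if __name__ == "__main__":
    if sys.platform == "win32":
        configured = read_policy_values()
    else:
        configured = {"EnableCustomVisuals": 1}  # constructed sample
    for finding in audit(configured) or ["No deviations from baseline."]:
        print(finding)
```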

Organizational visuals
As a Fabric admin, you can manage the list of Power BI visuals available in your
organization's organizational store. The Organizational visuals tab, in the Admin portal,
allows you to add and remove visuals and decide which visuals will automatically display
in the visualization pane of your organization's users. You can add to the list any type of
visual including uncertified visuals and .pbiviz visuals, even if they contradict the tenant
settings of your organization.

Organizational visuals settings are automatically deployed to Power BI Desktop.

Note

Organizational visuals are not supported in Power BI Report Server.

Add a visual from a file


Use this method to add a new Power BI visual from a .pbiviz file.

Warning

A Power BI visual uploaded from a file could contain code with security or privacy
risks. Make sure you trust the author and the source of the visual before deploying
to the organization's repository.

1. Select Add visual > From a file.

2. Fill in the following fields:

Choose a .pbiviz file - Select a visual file to upload.

Name your visual - Give a short title to the visual, so that report authors can
easily understand what it does.

Icon - Upload an icon file to be displayed in the visualization pane.


Description - Provide a short description of the visual to give more context
for the user.

Access - This section has two options:

Select whether users in your organization can access this visual. This
setting is enabled by default.

Select whether this visual will appear in the visualization pane of the users
in your organization. This setting is disabled by default. For more
information, see add a visual to the visualization pane.

3. To initiate the upload request, select Add. After it's uploaded, the visual displays in
the organizational visuals list.

Add a visual from AppSource


Use this method to add a new Power BI visual from AppSource.

AppSource Power BI visuals are automatically updated. Users in your organization will
always have the latest version of the visual.

1. Select Add visual > From AppSource.

2. In the Power BI visuals window, find the AppSource visual you want to add, and
select Add. After it's uploaded, the visual displays in the organizational visuals list.

Add a visual to the visualization pane


You can pick visuals from the organizational visuals page to automatically show on the
visualization pane of all the users in your organization.

1. In the row of the visual you want to add, select settings.

2. Enable the visualization pane setting and select Update.

Delete a visual uploaded from a file
To permanently delete a visual, select the trash bin icon for the visual in the repository.

Important

Deletion is irreversible. After the visual is deleted, it immediately stops rendering in
existing reports. Even if you upload the same visual again, it won't replace the one
that was deleted. However, users can import the new visual again and replace the
instance they have in their reports.

Disable a .pbiviz visual


You can disable a .pbiviz visual from being available through the organizational store,
while keeping it on the organizational visuals list.

1. In the row of the .pbiviz visual you want to disable, select settings.

2. In the Access section, disable the setting: Users in the organization can access,
view, share, and interact with this visual.

After you disable the .pbiviz visual, the visual won't render in existing reports, and it
displays the following error message:

This custom visual is no longer available. Contact your administrator for details.

Note

.pbiviz visuals that are bookmarked continue working even after they've been
disabled.

Update a visual
AppSource visuals are updated automatically. After a new version is available from
AppSource, it will replace an older version deployed via the organizational visuals list.

To update a .pbiviz visual, follow these steps to replace the visual.

1. In the row of the visual you want to add, select settings.

2. Select Browse, and select the .pbiviz you want to replace the current visual with.

3. Select Update.

Replace a visual from a file with a visual from AppSource


Sometimes an organization develops its own Power BI visual and distributes it internally.
After some time, the organization might decide to make this visual public by uploading
it to AppSource. To replace the visual uploaded from a file with the one from
AppSource, use the following steps:

1. Add the visual from AppSource into the organizational store.

2. Open the report that contains this visual. Both the visual uploaded from a file and
the AppSource visual are visible in the visualization pane.

3. In the report, highlight the visual uploaded from a file and in the visualization
pane, select the AppSource visual to replace it. The visuals are swapped
automatically. To verify that you're using the AppSource visual, in the visualization
pane right-click the visual and select about.

4. Complete step 3 for all the reports that contain the visual in your organization.

5. Delete the visual that was uploaded from a file.

Next steps
What is the admin portal?

Visuals in Power BI

Organizational visuals in Power BI



Manage Premium Per User
Article • 11/21/2023

Premium Per User (PPU) is a way to license Premium features on a per user basis. After
the first user is assigned a PPU license, associated features can be turned on in any
workspace. Admins can manage the auto refresh and semantic model workload settings
that are shown to users and their default values. For example, access to the XMLA
endpoint can be turned off, set to read only, or set to read and write.

PPU settings
You can configure the following PPU settings in the admin portal on the Premium Per
User tab. To learn how to access the Fabric admin portal settings, see What is the admin
portal?

Auto refresh
Automatic refresh enables your active report page to query for new data at
predefined intervals. By default, these settings are turned on. If you turn them off, PPU
reports that use automatic refresh and change detection don't get updated
automatically.

Use the following settings to override the automatic refresh settings in individual reports
that reside on the PPU capacity. For example, when the minimum refresh interval setting
is configured to refresh every 30 minutes, if you have a report that's set to refresh every
five minutes, its setting will be overridden and the report is refreshed every 30 minutes
instead.

Minimum refresh interval - Use to specify a minimum value for the automatic
refresh for all the reports in the PPU capacity. The Power BI service overrides any
automatic refresh settings that are higher than this setting.

Change detection measure - Use to specify a minimum value for all the reports in
the PPU capacity that use change detection. The Power BI service overrides any
change detection settings that are higher than this setting.

Semantic model workload settings


XMLA endpoints allow Microsoft and third-party apps and tools to connect to Power BI
semantic models. Use this setting to determine whether XMLA endpoints in the PPU
capacity are turned off, or configured for read only or read and write.

Related content
What is the admin portal?
Power BI Premium Per User FAQ
Automatic page refresh in Power BI



Manage users
Article • 11/21/2023

Go to the Fabric admin portal to access this feature. For information about how to get to
and use the admin portal, see What is the admin portal?

You manage Power BI users, groups, and admins in the Microsoft 365 admin center.
The Users tab in the Fabric admin portal provides a link to the admin center.

Related content
What is the admin portal?



View audit logs
Article • 11/21/2023

Go to the Fabric admin portal to access this feature. For information about how to get to
and use the admin portal, see What is the admin portal?

You manage Power BI audit logs in the Microsoft Purview compliance portal. The Audit
logs tab provides a link to the Microsoft Purview compliance portal. To learn more, see
Track user activities in Power BI.

To use audit logs, make sure the Create audit logs for internal activity auditing and
compliance setting is enabled.

Related content
What is the admin portal?



View information protection metrics
Article • 11/21/2023

After you enable information protection for Power BI, data protection metrics can be
displayed in the admin portal. The report shows how sensitivity labels help protect your
content.

Opening the protection metrics report


You must have a Fabric administrator role to open and view the report. To view the
report, go to Settings > Admin portal, and choose Protection metrics. To learn how to
access the Fabric admin portal settings, see What is the admin portal?

See Data protection metrics report for details about the report.

Related content
Sensitivity labels in Power BI
What is the admin portal?



View refresh summary
Article • 11/21/2023

The refresh summary admin settings page lets you view your capacity's refresh history.
You can also export the refresh history, and view details related to a specific refresh. The
information in this page can help you investigate refresh errors, and establish a refresh
schedule for the Power BI items that reside on your capacities.

To learn how to access the Fabric admin portal settings, see What is the admin portal?

Schedule
The schedule tab lists all the refreshes that took place in a specific capacity. Select the
capacity you want to review from the choose a capacity dropdown menu. Use the refresh
button to refresh the table's results, and the export button to export a .csv file.

To view details for a specific refresh instance, select the instance and then select Details.

History
The history tab lists all the refreshes that took place in all the capacities you're an admin
of. The table headers allow you to sort the information and apply filters. Use the refresh
button to refresh the table's results, and the export button to export a .csv file.

Related content
What is the admin portal?



View usage metrics
Article • 11/02/2023

The usage metrics page in the Fabric admin settings allows you to monitor Power BI
usage for your organization. It also shows which users and groups in your organization
are the most active in Power BI. With this information, you can get real insights into how
people are using Power BI across your organization.

To learn how to access the Fabric admin portal settings, see What is the admin portal?

Usage metrics dashboard


The first time you access the dashboard, or when you revisit after a long period of not
viewing the dashboard, you might see a loading screen before the dashboard appears.
After the dashboard loads, you see two sections of tiles. The first section, at the top of
the page, includes usage data for individual users. The second section, at the bottom of
the page, has similar information for groups. This section lets you see which groups in
your organization are most active and what kind of content they're consuming.

The following sections of the article show a breakdown of what you can see in each tile.

Number of users
This tile is in the first section of the report. It shows a distinct count of all dashboards,
reports, and datasets in a workspace, and it refers to users. The second section of the
report contains a similar tile that refers to groups.

Consumed dashboards
This tile shows a list of the most consumed dashboards. The tile in the first section refers
to the number of users who consumed the dashboards. The report's second section has
a similar tile that refers to the number of groups. For example, if you have a dashboard
that you shared with three users and you also added it to an app that two different
users connected to, the dashboard's count would be six: you, three shared users, and
two app users.

Consumed packages
This tile shows a breakdown of the most popular content. The tile in the first section
shows content users connected to. The report's second section shows a tile that
displays content groups connected to. The content includes anything the users could
reach using the Get Data process, such as SaaS template apps, files, or databases.

Top users or groups based on dashboards


This tile shows a view of your top users based on how many dashboards they have. Each
entry includes dashboards they created themselves and dashboards shared with them.
The report in the second section shows a tile that displays top groups based on the
number of dashboards they have.

Top users or groups based on reports
This tile shows a view of your top users based on how many reports they have. The
report in the second section shows a tile that displays top groups based on the number
of reports they have.

Considerations and limitations


Due to the move to Microsoft Fabric, some tiles in the Admin Portal Usage Metrics are
rendered blank.

Next steps
What is the admin portal?



Manage workspaces
Article • 11/15/2023

As a Fabric administrator, you can govern the workspaces that exist in your organization
on the Workspaces tab in the Admin portal. For information about how to get to and
use the Admin portal, see About the Admin portal.

On the Workspaces tab, you see a list of all the workspaces in your tenant. Above the
list, a ribbon provides options to help you govern the workspaces. These options also
appear in the More options (...) menu of the selected workspace. The list of options
varies depending on workspace type and status. All the options are described under
workspace options.

The columns of the list of workspaces are described below.

Column - Description

Name - The name given to the workspace.
Description - The information that is given in the description field of the workspace settings.
Type - The type of workspace. There are two types of workspaces: Workspace (also known as "app workspace") and Personal Group ("My workspaces").
State - The state lets you know if the workspace is available for use. There are five states: Active, Orphaned, Deleted, Removing, and Not found. For more information, see Workspace states.
Capacity name - Name given to the workspace's capacity.
Capacity SKU Tier - The type of license used for the workspace's capacity. Capacity SKU Tiers include Premium and Premium Per User (PPU). For more information about capacity tiers, see Configure and manage capacities in Premium.
Upgrade status - The upgrade status lets you know if the workspace is eligible for a Microsoft Fabric upgrade.

The table columns on the Workspaces tab correspond to the properties returned by the
admin REST API for workspaces. Personal workspaces are of type PersonalGroup; all
other workspaces are of type Workspace. For more information, see Workspaces.

Workspace states
The possible workspace states are described below.

State - Description

Active - A normal workspace. It doesn't indicate anything about usage or what's inside, only that the workspace itself is "normal".
Orphaned - A workspace with no admin user. You need to assign an admin.
Deleted - A deleted workspace. When a workspace is deleted, it enters a retention period. During the retention period, a Microsoft Fabric administrator can restore the workspace. See Workspace retention for detail. When the retention period ends, the workspace enters the Removing state.
Removing - At the end of a deleted workspace's retention period, it moves into the Removing state. During this state, the workspace is permanently removed. Permanently removing a workspace takes a short while, and depends on the service and folder content.
Not found - If the customer's API request includes a workspace ID for a workspace that doesn't belong to the customer's tenant, "Not found" is returned as the status for that ID.

Workspace options
The ribbon at the top of the list and the More options (...) menus of the individual
workspaces provide options that help you manage the workspaces. The Refresh and
the Export options are always present, while the selection of other options that appear
depends on the workspace type and status. All the options are described below.

Option - Description

Refresh - Refreshes the workspace list.
Export - Exports the table as a .csv file.
Details - Lists the items that are contained in the workspace.
Edit - Enables you to edit the workspace name and description.
Access - Enables you to manage workspace access. You can use this feature to delete workspaces by first adding yourself to a workspace as an admin then opening the workspace to delete it.
Get access - Grants you temporary access to another user's MyWorkspace. See Gain access to any user's My workspace for detail.
Capacity - Enables you to assign the workspace to Premium capacity or to remove it from Premium capacity.
Recover - Enables you to restore an orphaned workspace.
Restore - Enables you to restore the MyWorkspace of a user that has left the organization, or a deleted collaborative workspace. For MyWorkspaces, see Restore a deleted My workspace as an app workspace. For collaborative workspaces, see Restore a deleted collaborative workspace.
Permanently delete - Enables you to permanently delete a deleted collaborative workspace before the end of its retention period. See Permanently delete a deleted collaborative workspace during the retention period.

Note

Admins can also manage and recover workspaces using PowerShell cmdlets.

Admins can also control users' ability to create new workspace experience
workspaces and classic workspaces. See Workspace settings in this article for
details.

Workspace retention
By default, when a workspace is deleted, it isn't permanently and irrevocably deleted
immediately. Instead, it enters a retention period during which it's possible to restore it.
At the end of the retention period, it's removed permanently, and it will no longer be
possible to recover it or its contents.

The retention period for personal workspaces (My workspaces) is 30 days.

The retention period for collaborative workspaces is configurable. The default retention
period is seven days. However, Fabric administrators can change the length of the
retention period by turning on the Define workspace retention period setting in the
admin portal and specifying the desired retention period (from 7 to 90 days).

During the retention period, Fabric administrators can restore the workspace.

At the end of the retention period, the workspace is deleted permanently and it and its
contents are irretrievably lost.

While a workspace is in the retention period, Fabric administrators can permanently
delete it before the end of the retention period.

Configure the retention period for deleted collaborative workspaces
By default, deleted collaborative workspaces are retained for seven days. Fabric
administrators can change the length of the retention period (from 7 to 90 days) using
the Define workspace retention period tenant setting.

1. In the Fabric admin portal, go to Workspace settings > Define workspace
retention period.
2. Turn on the setting and enter the number of days for desired retention period. You
can choose anywhere from 7 to 90 days.
3. When done, select Apply.

Note

When the Define workspace retention period setting is off, deleted collaborative
workspaces automatically have a retention period of 7 days.

This setting does not affect the retention period of My workspaces. My workspaces
always have a 30-day retention period.

Restore a deleted collaborative workspace


While a deleted collaborative workspace is in a retention period, Fabric administrators
can restore it and its contents.

1. In the Fabric admin portal, open the Workspaces page and find the deleted
collaborative workspace you want to restore. Collaborative workspaces are of type
Workspace. A workspace that is in a retention period has the status Deleted.
2. Select the workspace and then choose Restore from the ribbon, or select More
options (...) and choose Restore.
3. In the Restore workspaces panel that appears, give a new name to the workspace
and assign at least one user the Admin role in the workspace.
4. When done, select Restore.

Permanently delete a deleted collaborative workspace during the retention period
While a deleted collaborative workspace is in a retention period, Fabric administrators
can permanently delete it before the end of its retention period.

1. In the Fabric admin portal, open the Workspaces page and find the deleted
collaborative workspace you want to permanently delete. Collaborative workspaces are of type
Workspace. A workspace that is in a retention period has the status Deleted.
2. Select the workspace and then choose Permanently delete from the ribbon, or
select More options (...) and choose Permanently delete.

You're asked to confirm the permanent deletion. After you confirm, the workspace and
its contents are no longer recoverable.

Govern My workspaces
Every Fabric user has a personal workspace called My workspace where they can work
with their own content. While generally only My workspace owners have access to their
My workspaces, Fabric admins can use a set of features to help them govern these
workspaces. With these features, Fabric admins can:

Gain access to the contents of any user's My workspace
Designate a default capacity for all existing and new My workspaces
Prevent users from moving My workspaces to a different capacity that might reside in noncompliant regions
Restore deleted My workspaces as app workspaces

These features are described in the following sections.


Gain access to any user's My workspace
To gain access to a particular My workspace:

1. In the Fabric Admin portal, open the Workspaces page and find the personal
workspace you want to get access to.
2. Select the workspace and then choose Get Access from the ribbon, or select More
options (...) and choose Get Access.

Note

Once access is obtained, the ribbon and the More options (...) menu will show
Remove Access for the same My workspace. If you do not remove access by
selecting one of these options, access will automatically be revoked for the admin
after 24 hours. The My workspace owner's access remains intact.

Once you have access, the My workspace will show up in the list of workspaces
accessible from the navigation pane. The icon indicates that it's a My workspace.

Once you go inside the My workspace, you can perform any actions as if it's your own
My workspace. You can view and make any changes to the contents, including sharing
or unsharing. But you can't grant anyone else access to the My workspace.

Designate a default capacity for My workspaces


A Fabric admin or capacity admin can designate a capacity as the default capacity for
My workspaces. For details, see Designate a default capacity for My workspaces.

Prevent My workspace owners from reassigning their My workspaces to a different capacity
Fabric admins can designate a default capacity for My workspaces. However, even if a
My workspace has been assigned to Premium capacity, the owner of the workspace can
still move it back to Pro, which is in Shared capacity. Moving a workspace from Premium
capacity to Shared capacity might cause the content contained in the workspace to
become noncompliant with respect to data-residency requirements, since it might move
to a different region. To prevent this situation, the Fabric admin can block My workspace
owners from moving their My workspace to a different capacity by turning off the Users
can reassign personal workspaces tenant admin setting. See Workspace settings for
detail.

Restore a deleted My workspace as an app workspace
When users are deleted from the company's Active Directory, their My workspaces show
up as Deleted in the State column on the Workspaces page in the Admin portal. Fabric
admins can restore deleted My workspaces as app workspaces that other users can
collaborate in.

During this restoration process, the Fabric admin needs to assign at least one
Workspace admin in the new app workspace, as well as give the new workspace a name.
After the workspace has been restored, it will show up as Workspace in the Type column
on the Workspaces page in the Admin portal.

To restore a deleted My workspace as an app workspace:

1. In the Fabric Admin portal, open the Workspaces page and find the deleted
personal workspace you want to restore.
2. Select the workspace and then choose Restore from the ribbon, or select More
options (...) and choose Restore.
3. In the Restore workspaces panel that appears, give a new name to the workspace
and assign at least one user the Admin role in the workspace.
4. When done, select Restore.

After the deleted workspace has been restored as an app workspace, it's just like any
other app workspace.

Moving data around


Workspaces and the data they contain reside on capacities, and can be moved around
by assigning them to different capacities. Such movement might be between capacities
in different regions, or between different capacity types, such as Premium and shared.

In Microsoft Fabric, such movement currently has the following restrictions:

Non-Power BI Fabric items can't move from Premium to shared capacity.

Non-Power BI Fabric items can't move between regions.

This means the following:

Moving a workspace from one capacity to another within the same region

If the workspace has non-Power BI Fabric items, you can only move it from one
Premium capacity to another Premium capacity. If you want to move the
workspace from Premium to shared capacity, you won't be able to do so unless
you delete all non-Power BI Fabric items first.

If the workspace has no non-Power BI Fabric items (that is, it has only Power BI
items), moving the workspace from Premium to shared is supported.

Moving a workspace from one capacity to a capacity in a different region

You won't be able to move a workspace if it has non-Power BI Fabric items in it. If
the workspace once had non-Power BI Fabric items, but all items have since been
deleted, you also won't be able to move the workspace to a capacity in a different
region.

If the workspace has no non-Power BI Fabric items (that is, it has only Power BI
items), moving the workspace to another capacity in a different region is
supported.
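
The restrictions above can be written as a pre-flight check to run before a capacity reassignment. This is an added example, not code from the Fabric documentation: the class names, the ever_had_fabric_items flag, the approved-region list and all sample workspaces are assumptions made for illustration, and the "review" verdict goes one step beyond the page by flagging moves that are supported but land outside the regions your data-residency policy approves.

```python
"""Pre-flight check for reassigning a workspace to another capacity."""
from dataclasses import dataclass

PREMIUM, SHARED = "Premium", "Shared"


@dataclass(frozen=True)
class Capacity:
    name: str
    kind: str      # PREMIUM or SHARED
    region: str


@dataclass(frozen=True)
class Workspace:
    name: str
    capacity: Capacity
    has_fabric_items: bool        # holds non-Power BI Fabric items right now
    ever_had_fabric_items: bool   # held them in the past, even if all were deleted


def check_move(ws, target, compliant_regions):
    """Return (verdict, reasons) where verdict is 'blocked', 'review' or 'ok'."""
    blocked, review = [], []
    cross_region = ws.capacity.region != target.region
    to_shared = ws.capacity.kind == PREMIUM and target.kind == SHARED

    # Rule: non-Power BI Fabric items can't move between regions,
    # and having held such items in the past is enough to block the move.
    if cross_region and ws.has_fabric_items:
        blocked.append("non-Power BI Fabric items can't move between regions")
    elif cross_region and ws.ever_had_fabric_items:
        blocked.append("workspace once held non-Power BI Fabric items; "
                       "deleting them does not unlock a cross-region move")

    # Rule: non-Power BI Fabric items can't move from Premium to shared.
    if to_shared and ws.has_fabric_items:
        blocked.append("non-Power BI Fabric items can't move from Premium to "
                       "shared capacity; delete them first")

    # Policy check (assumption): a supported move can still breach residency.
    if cross_region and target.region not in compliant_regions:
        review.append(f"target region {target.region} is outside the approved "
                      "data-residency regions")

    if blocked:
        return "blocked", blocked + review
    if review:
        return "review", review
    return "ok", []


# Constructed sample capacities and workspaces.
P_WEU = Capacity("prem-weu", PREMIUM, "West Europe")
P_WEU2 = Capacity("prem-weu-2", PREMIUM, "West Europe")
S_WEU = Capacity("shared-weu", SHARED, "West Europe")
P_CUS = Capacity("prem-cus", PREMIUM, "Central US")
APPROVED_REGIONS = {"West Europe", "North Europe"}

LAKEHOUSE_WS = Workspace("finance-lakehouse", P_WEU, True, True)
CLEANED_WS = Workspace("old-pipeline", P_WEU, False, True)
REPORTS_WS = Workspace("sales-reports", P_WEU, False, False)

if __name__ == "__main__":
    for ws in (LAKEHOUSE_WS, CLEANED_WS, REPORTS_WS):
        for target in (P_WEU2, S_WEU, P_CUS):
            verdict, reasons = check_move(ws, target, APPROVED_REGIONS)
            print(f"{ws.name} -> {target.name}: {verdict}")
            for reason in reasons:
                print(f"    {reason}")
```
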

Related content
About the admin portal



Workspace tenant settings
Article • 11/15/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Create workspaces (new workspace experience)


Workspaces are places where users collaborate on dashboards, reports, and other
content. Microsoft Fabric admins can use the Create workspaces (new workspace
experience) setting to designate which users in the organization can create workspaces.
Admins can let everybody or nobody in an organization create workspaces. Workspace
creation can also be limited to members of specific security groups. Learn more about
workspaces.

For classic workspaces based on Microsoft 365 Groups, administration continues to
occur in the admin portal and Azure Active Directory.

Note

The Create workspaces (new workspace experience) setting defaults to allowing
only users who can create Microsoft 365 Groups to create the new Microsoft Fabric
workspaces. Be sure to set a value in the Microsoft Fabric admin portal to ensure
appropriate users can create them.

List of workspaces

The admin portal has another section of settings about the workspaces in your tenant.
In that section, you can sort and filter the list of workspaces and display the details for
each workspace. See Manage workspaces for details.

Publish apps

In the admin portal, you also control which users have permissions to distribute apps to
the organization. See Publish apps to the entire organization for details.

Use semantic models across workspaces


Admins can control which users in the organization can use semantic models across
workspaces. When this setting is enabled, users still need the required Build permission
for a specific semantic model.

For more information, see Intro to semantic models across workspaces.

Identify your workspace ID


The easiest way to find your workspace ID is in the URL of the Fabric site for an item in a
workspace. As in Power BI, the Fabric URL contains the workspace ID, which is the
unique identifier after /groups/ in the URL, for example:
https://powerbi.com/groups/11aa111-a11a-1111-1abc-aa1111aaaa/... . Alternatively, you
can find the workspace ID in the Power BI Admin portal settings by selecting Details
next to the workspace name.

Block users from reassigning personal workspaces (My Workspace)
Personal workspaces are the My workspaces that every user has for their personal
content. Microsoft Fabric and capacity admins can designate a preferred capacity for My
workspaces. By default, however, My workspace owners can still change the capacity
assignment of their workspace. If a Microsoft Fabric or capacity admin designates a
Premium capacity as the default capacity for My workspaces, but a My workspace owner
then changes that capacity assignment back to shared capacity, this could result in non-
compliance with data residency requirements.

To prevent such a scenario, the Microsoft Fabric admin can turn on the Block users from
reassigning personal workspaces (My Workspace) tenant setting. When this setting is
on, My workspace owners can't change the capacity assignment of their My workspace.

To turn on the setting:

1. Go to the Microsoft Fabric Admin portal and select Tenant settings.
2. In the tenant settings, scroll down to the Workspace settings section.
3. Find the setting called Block users from reassigning personal workspaces (My
Workspace).

For more information, see Prevent My workspace owners from reassigning their My
workspaces to a different capacity.

Next steps
About tenant settings



Git integration tenant settings
Article • 11/15/2023

The git integration tenant admin settings are configured in the tenant settings section of
the Admin portal. For information about how to get to and use tenant settings, see
About tenant settings.

Important

The switches that control git integration are part of Microsoft Fabric and only work
if the Fabric admin switch is turned on. If Fabric is disabled, git integration can't
work regardless of the status of these switches.

Users can synchronize workspace items with their Git repositories (Preview)
Users can synchronize a workspace with a git repository, edit their workspace, and
update their git repos using the git integration tool. You can enable git integration for
the entire organization, or for a specific group. Turn off this setting to prevent users
from syncing workspace items with their Git repositories.

To learn more, see Introduction to Git integration.

To get started with Git integration, see Manage a workspace with Git.

Users can export items to Git repositories in other geographical locations (Preview)
If a workspace capacity is in one geographic location (for example, Central US) while the
Azure DevOps repo is in another location (for example, West Europe), the Fabric admin
can decide whether to allow users to commit metadata (or perform other git actions) to
another geographical location. Only the metadata of the item is exported. Item data and
user-related information are not exported.

Enable this setting to allow all users, or a specific group of users, to export metadata to
other geographical locations.

Users can export workspace items with applied sensitivity labels to Git repositories (Preview)
Sensitivity labels aren't included when exporting an item. Therefore, the Fabric admin
can choose whether to block the export of items that have sensitivity labels, or to allow
it even though the sensitivity label won't be included.

Enable this setting to allow all users, or a specific group of users, to export items without
their sensitivity labels.

Learn more about sensitivity labels.

Next steps
About tenant settings



Set up item certification
Article • 11/15/2023

Your organization can certify selected items to identify them as authoritative sources
for critical information. Currently, all Fabric items except Power BI dashboards can be
certified.

As a Fabric admin, you're responsible for enabling and setting up the certification
process for your organization. This means:

Enabling certification on your tenant.
Defining a list of security groups whose members will be authorized to certify
items.
Providing a URL that points to the documentation for the organization's item
certification process, if such documentation exists.
Deciding whether to delegate certification setup to domain administrators, so that
they can set up certification specifically for their domain. When you delegate
certification setup to domain administrators, the administrators of each domain
can override any or all tenant-level certification settings, including enable/disable,
for their domain.

Certification is part of Power BI's endorsement feature. For more information, see the
endorsement overview.

Set up certification
1. In the Admin portal, go to Tenant settings.

2. Under the Export and sharing settings section, expand the Certification section.
3. Set the toggle to Enabled.

4. If your organization has a published certification policy, provide its URL here. This
becomes the Learn more link in the certification section of the endorsement
settings dialog. If you don't supply a link, users who want to request certification of
their item will be advised to contact their Fabric administrator.

5. Specify one or more security groups whose members will be authorized to certify
items. These authorized certifiers will be able to use the Certification button in the
certification section of the endorsement settings dialog. This field accepts security
groups only. You can't enter named users.

If a security group contains subsecurity groups that you don't want to give
certification rights to, you can check the Except specific security groups box and
enter the name(s) of those group(s) in a text box that will appear.

6. Check the Domain admins can enable/disable checkbox if you want domain
administrators to be able to override any or all tenant-level certification settings.

Note

Selecting the checkbox enables domain admins to override any or all tenant-
level certification settings, including enable/disable, even though the
checkbox description only mentions enable/disable.

7. Select Apply.

Next steps
Read about endorsement in Fabric
Promote Fabric items
Certify Fabric items



Configure notifications
Article • 11/02/2023

Power BI Premium allows you to configure email notifications for your capacity. The
emails are sent to the people you specify in the notifications settings.

To calculate when to send emails, Power BI checks the capacity every 15 minutes. During
the check, the last 15 to 30 minutes of capacity activity are examined.

Note

To configure email notifications, you must be a capacity administrator.

Configure capacity notifications


To configure the capacity notification emails, follow these steps:

1. In the Power BI service, go to Settings > Settings > Admin portal.

2. In the Admin portal, select Capacity settings.

3. Select the capacity you want to configure notifications for.

4. Expand the Notifications section.

5. In the section Send notifications when, configure your required notifications as
follows:

You're using ___% of your available capacity - A notification is sent after the
capacity reaches the threshold you enter.

You've exceeded your available capacity and might experience slowdowns -
A notification is sent after you reach your capacity limit. After the limit is
reached, if you have autoscale enabled, autoscale starts. If you don't have
autoscale enabled, throttling is applied to your capacity.

An Autoscale v-core has been added - A notification is sent after autoscale
starts and every time a v-core is added.

You've reached your Autoscale maximum - A notification is sent when all the
autoscale v-cores are fully utilized. Throttling is applied to your capacity if it
continues to be overloaded.

6. In the section Send notifications to, select who you want the notifications to be
emailed to:

Capacity admins - Email notifications are sent to all the admins of this
capacity.

These contacts - Enter the emails of the contacts you want to receive
notifications.

7. Select Apply.

Considerations and limitations


Timestamps aren't included in notification emails.

Notification emails don't list by how much a threshold was crossed.

After a notification is sent, there's a three-hour period in which new notifications
won't be sent, even if your capacity crosses thresholds that are set to trigger these
notifications. For example, if you configure your capacity to send a notification
after you cross the 75% usage threshold, after that threshold is met you'll receive a
notification. If the capacity goes below this threshold to 60%, and then right back
over it in the next hour, you won't get another notification for crossing the 75%
mark. If you have the autoscale notification turned on, and your capacity crosses
the 100% threshold during these three hours, you get a notification that autoscale
started.

A 30-second window is applied to calculate your capacity usage. Due to a less
granular calculation, capacity usage might appear differently in the Power BI
Premium utilization and metrics app. As a result, you might not see the event your
notification points to in the app. For example, a short spike in capacity activity that
triggers a notification might not be seen at all in the Power BI Premium utilization
and metrics app.
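
The three-hour quiet period described above is easiest to see by replaying a day of capacity checks and listing which threshold crossings never produce an email. This is an added example, not Power BI's own logic: it assumes a notification fires when usage crosses a limit upward between two 15-minute checks and that the quiet period is tracked separately for each notification type; the readings are constructed.

```python
"""Replay of capacity checks to show which threshold crossings go unreported."""
from datetime import datetime, timedelta

CHECK_INTERVAL = timedelta(minutes=15)   # capacity is checked every 15 minutes
COOL_DOWN = timedelta(hours=3)           # quiet period after a notification


def simulate(readings, threshold, start):
    """Replay usage percentages seen at consecutive checks.

    Returns (sent, suppressed); each entry is (time, kind, usage).
    """
    limits = {"threshold": threshold, "autoscale": 100}
    last_sent = {}
    sent, suppressed = [], []
    previous = 0
    for i, usage in enumerate(readings):
        now = start + i * CHECK_INTERVAL
        for kind, limit in limits.items():
            # Assumption: only an upward crossing since the last check counts.
            if not (previous < limit <= usage):
                continue
            quiet_until = last_sent.get(kind, datetime.min) + COOL_DOWN
            if now < quiet_until:
                suppressed.append((now, kind, usage))
            else:
                sent.append((now, kind, usage))
                last_sent[kind] = now
        previous = usage
    return sent, suppressed


# Constructed readings: one value per 15-minute check, starting at 09:00.
START = datetime(2023, 11, 2, 9, 0)
SAMPLE_READINGS = [50, 80, 78, 60, 82, 90, 104, 70, 101]

if __name__ == "__main__":
    sent, suppressed = simulate(SAMPLE_READINGS, threshold=75, start=START)
    for label, events in (("SENT", sent), ("SILENT", suppressed)):
        for when, kind, usage in events:
            print(f"{label:6} {when:%H:%M} {kind:9} usage={usage}%")
```

With these readings the 75% email at 09:15 is the only threshold notification of the morning; the crossings at 10:00 and 11:00 are silent, which is why an alerting pipeline should not rely on these emails alone.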

Next steps
What is Power BI Premium?

What is Microsoft Fabric admin?



Set up metadata scanning in your organization
Article • 11/15/2023

Before metadata scanning can be run over an organization's Microsoft Fabric
workspaces, it must be set up by a Fabric administrator. Setting up metadata scanning
involves two steps:

1. Enabling service principal authentication for read-only admin APIs.
2. Enabling tenant settings for detailed semantic model metadata scanning.

Enable service principal authentication for read-only admin APIs
Service principal is an authentication method that can be used to let an Azure AD
application access Power BI APIs. With this authentication method, you don’t have to
maintain a service account with an admin role. Rather, to allow your app to use the
Admin APIs, you just have to give your approval once as part of the tenant settings
configuration.

To see how to enable service principal access to read-only Admin APIs, see Enable
service principal authentication for read-only admin APIs.

If you don't want to enable service principal authentication, metadata scanning can be
performed with standard delegated admin access token authentication.

Enable tenant settings for metadata scanning


Two tenant settings control metadata scanning:

Enhance admin APIs responses with detailed metadata: This setting turns on
Model caching and enhances API responses with low-level semantic model
metadata (for example, name and description) for tables, columns, and measures.
Enhance admin APIs responses with DAX and mashup expressions: This setting
allows the API response to include DAX expressions and Mashup queries. This
setting can only be enabled if the first setting is also enabled.

To enable these settings, go to Admin portal > Tenant settings > Admin API settings.

Next steps
Metadata scanning overview
Enable service principal authentication for read-only admin APIs
Run metadata scanning
Power BI REST Admin APIs



Enable content certification
Article • 11/01/2023

Your organization can certify selected content to identify it as an authoritative source for
critical information. Currently, the following content types can be certified:

Datasets
Dataflows
Reports
Apps

As a Fabric admin, you're responsible for enabling and setting up the certification
process for your organization. This means:

Enabling certification on your tenant.
Defining a list of security groups whose members are authorized to certify content.
Providing a URL that points to the documentation for the organization's content
certification process, if such documentation exists.

Certification is part of Power BI's endorsement feature. See Endorsement: Promoting and
certifying Power BI content for more information.

Set up certification
1. In the Admin portal, go to Tenant settings.

2. Under the Export and sharing settings section, expand the Certification section.
3. Set the toggle to Enabled.

4. If your organization has a published certification policy, provide its URL here. This
becomes the Learn more link in the certification section of the endorsement
settings dialog. If you don't supply a link, users who want to request certification of
their content will be advised to contact their Fabric administrator.

5. Specify one or more security groups whose members are authorized to certify
content. These authorized certifiers will be able to use the Certification button in the
certification section of the endorsement settings dialog. This field accepts security
groups only. You can't enter named users.

If a security group contains subsecurity groups that you don't want to give
certification rights to, you can check the Except specific security groups box and
enter the name(s) of those group(s) in a text box that appears.

6. Select Apply.

Next steps
Promote or certify content

Read about endorsement in Power BI



Enable service principal authentication for read-only admin APIs
Article • 11/02/2023

Service principal is an authentication method that can be used to let an Azure Active
Directory (Azure AD) application access Microsoft Fabric content and APIs.

When you create an Azure AD app, a service principal object is created. The service
principal object, also known simply as the service principal, allows Azure AD to
authenticate your app. Once authenticated, the app can access Azure AD tenant
resources.

Method
To enable service principal authentication for Power BI read-only APIs, follow these
steps:

1. Create an Azure AD app. You can skip this step if you already have an Azure AD
app you want to use. Take note of the App-Id for later steps.

Important

Make sure the app you use doesn't have any admin-consent required
permissions for Power BI set on it in the Azure portal. See how to check
whether your app has any such permissions.

2. Create a new Security Group in Azure Active Directory. Read more about how to
create a basic group and add members using Azure Active Directory. You can skip
this step if you already have a security group you would like to use. Make sure to
select Security as the Group type.
3. Add your App-Id as a member of the security group you created. To do so:
a. Navigate to Azure portal > Azure Active Directory > Groups, and choose the
security group you created in Step 2.
b. Select Add Members.

Important

Make sure the app doesn't have any admin-consent required permissions for
Power BI set on it in the Azure portal. See how to check whether your app
has any such permissions.

4. Enable the Fabric admin settings:

a. Log in to the Fabric admin portal. You need to be a Fabric admin to see the
tenant settings page.

b. Under Admin API settings, you'll see Allow service principals to use read-only
Power BI admin APIs. Set the toggle to Enabled, and then select the Specific
security groups radio button and add the security group you created in Step 2
in the text field that appears below it.
5. Start using the read-only admin APIs. See the list of supported APIs below.

Important

An app using service principal authentication that calls read-only admin APIs must
not have any admin-consent required permissions for Power BI set on it in the
Azure portal. See how to check whether your app has any such permissions.

Supported APIs
Service principal authentication is currently supported for the following read-only admin
APIs.

GetGroupsAsAdmin with $expand for dashboards, semantic models, reports, and dataflows
GetGroupUsersAsAdmin
GetDashboardsAsAdmin with $expand tiles
GetDashboardUsersAsAdmin
GetAppsAsAdmin
GetAppUsersAsAdmin
GetDatasourcesAsAdmin
GetDatasetToDataflowsLinksAsAdmin
GetDataflowDatasourcesAsAdmin
GetDataflowUpstreamDataflowsAsAdmin
GetCapacitiesAsAdmin
GetCapacityUsersAsAdmin
GetActivityLog
GetModifiedWorkspaces
WorkspaceGetInfo
WorkspaceScanStatus
WorkspaceScanResult
GetDashboardsInGroupAsAdmin
GetTilesAsAdmin
ExportDataflowAsAdmin
GetDataflowsAsAdmin
GetDataflowUsersAsAdmin
GetDataflowsInGroupAsAdmin
GetDatasetsAsAdmin
GetDatasetUsersAsAdmin
GetDatasetsInGroupAsAdmin
Get Power BI Encryption Keys
Get Refreshable For Capacity
Get Refreshables
Get Refreshables For Capacity
GetImportsAsAdmin
GetReportsAsAdmin
GetReportUsersAsAdmin
GetReportsInGroupAsAdmin

How to check if your app has admin-consent required permissions
An app using service principal authentication that calls read-only admin APIs must not
have any admin-consent required permissions for Power BI set on it in the Azure portal.
To check the assigned permissions:

1. Sign in to the Azure portal as a Global Administrator, an Application Administrator,
or a Cloud Application Administrator.
2. Select Azure Active Directory, then Enterprise applications.
3. Select the application you want to grant access to Power BI.
4. Select Permissions. There must be no admin-consent required permissions of type
Application registered for the app.
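
The setup steps and the permission check above can be verified together before the first API call. The following is an added example, not Microsoft's code: it inspects the requiredResourceAccess section of an app registration manifest plus group and tenant-setting data. The sample objects are constructed, and the tenant-setting dictionary shape, function names and permission IDs are assumptions made for illustration.

```python
# Added example (not from the original page): preflight check for the
# service principal setup. All sample objects below are constructed.

# Application ID of the "Power BI Service" resource; it is the same in every tenant.
POWER_BI_SERVICE_APP_ID = "00000009-0000-0000-c000-000000000000"


def power_bi_application_permissions(manifest):
    """Return IDs of Power BI permissions of type Application in a manifest.

    In requiredResourceAccess, type "Role" marks an application permission and
    type "Scope" a delegated one. Whether a delegated scope needs admin consent
    cannot be read from the manifest, so only type Application is flagged,
    matching step 4 of the check on this page.
    """
    flagged = []
    for resource in manifest.get("requiredResourceAccess", []):
        if resource.get("resourceAppId", "").lower() != POWER_BI_SERVICE_APP_ID:
            continue
        for access in resource.get("resourceAccess", []):
            if access.get("type") == "Role":
                flagged.append(access["id"])
    return flagged


def preflight(manifest, sp_object_id, group, group_member_ids, tenant_setting):
    """Return a list of findings; an empty list means every step is satisfied."""
    findings = []
    perms = power_bi_application_permissions(manifest)
    if perms:
        findings.append(
            f"{len(perms)} Power BI application permission(s) set on the app: "
            + ", ".join(perms)
        )
    if not group.get("securityEnabled"):
        findings.append("group type is not Security")
    if sp_object_id not in group_member_ids:
        findings.append("service principal is not a member of the group")
    if not tenant_setting.get("enabled"):
        findings.append("read-only admin API setting is not Enabled")
    elif group.get("id") not in tenant_setting.get("allowed_group_ids", []):
        findings.append("group is not listed under Specific security groups")
    return findings


# Constructed sample data (IDs are placeholders, not real permission IDs).
SP_OBJECT_ID = "22222222-2222-2222-2222-222222222222"
SAMPLE_MANIFEST = {
    "appId": "11111111-1111-1111-1111-111111111111",
    "requiredResourceAccess": [
        {   # Microsoft Graph, delegated permission only: not relevant here
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"}
            ],
        },
        {   # Power BI Service: one application permission, one delegated
            "resourceAppId": POWER_BI_SERVICE_APP_ID,
            "resourceAccess": [
                {"id": "bbbbbbbb-0000-0000-0000-000000000001", "type": "Role"},
                {"id": "bbbbbbbb-0000-0000-0000-000000000002", "type": "Scope"},
            ],
        },
    ],
}
SAMPLE_GROUP = {
    "id": "33333333-3333-3333-3333-333333333333",
    "displayName": "fabric-readonly-admin-api",
    "securityEnabled": True,
}
# Hypothetical representation of the tenant setting from step 4.
SAMPLE_SETTING = {"enabled": True, "allowed_group_ids": [SAMPLE_GROUP["id"]]}

if __name__ == "__main__":
    for finding in preflight(SAMPLE_MANIFEST, SP_OBJECT_ID, SAMPLE_GROUP,
                             [SP_OBJECT_ID], SAMPLE_SETTING):
        print("FAIL:", finding)
```

The manifest shows requested permissions; the Permissions page under Enterprise applications, described in the steps above, shows what has been granted and should be checked as well.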

Considerations and limitations


The service principal can make REST API calls, but you can't open Fabric with service
principal credentials.
Fabric admin rights are required to enable service principal in the Admin API
settings in the Fabric admin portal.

Next steps
Metadata scanning overview
Set up metadata scanning
Run metadata scanning



Configure Multi-Geo support for Fabric Premium
Article • 11/23/2023

Multi-Geo is a Fabric Premium feature that helps multinational customers address
regional, industry-specific, or organizational data residency requirements. As a Fabric
Premium customer, you can deploy content to data centers in regions other than the
home region of the Fabric tenant. A geo (geography) can contain more than one region.
For example, the United States is a geo, and West Central US and South Central US are
regions in the United States. You might choose to deploy content to any of the following
geographies (geos) defined in the Azure geography map.

Sovereign clouds support Multi-Geo across regions within that cloud.

Note

China North currently does not support Multi-Geo as it resides on the old version
of Premium.

Multi-Geo is now also available in Power BI Embedded. Read more at Multi-Geo support
for Power BI Embedded.

Note

Power BI Premium Per User (PPU) is not supported for Multi-Geo.

Enable and configure


Enable Multi-Geo by selecting a region other than the default region when you're
creating a new capacity. Once a capacity's created, it shows the region where it's
currently located.

Follow these steps to change the default capacity region when you're creating a new
capacity.

1. In the Power BI service, select settings and from the menu select Admin portal.

2. In the Admin portal, select Capacity settings.

3. Select Set up new capacity.


4. From the Region dropdown menu, select the region you want to use for this
capacity.

After you create a capacity, it remains in that region, and any workspaces created under
it will have their content stored in that region. You can migrate workspaces from one
region to another through the dropdown on the workspace settings screen.

You see this message to confirm the change.

During migration, certain operations might fail, such as publishing new semantic models
or scheduled data refresh.

The following items are stored in the Premium region when Multi-Geo is enabled:

Models (.ABF files) for import and DirectQuery semantic models
Query cache
R images

These items remain in the home region for the tenant:

Push datasets
Excel workbooks
Dashboard/report metadata: tile names, tile queries, and any other data
Service buses for gateway queries or scheduled refresh jobs
Permissions
Semantic model credentials
Power BI Embedded Analytics Playground saved state
Metadata linked to Purview Data Map

View capacity regions


In the Admin portal, you can view all the capacities for your tenant and the regions
where they're currently located.

Change the region for existing content


If you need to change the region for existing content, you have two options:

Create a second capacity and move workspaces. Free users won't experience any
downtime as long as the tenant has spare v-cores.
If creating a second capacity isn't an option, you can temporarily move the content
back to shared capacity from Premium. You don't need extra v-cores, but free users
will experience some downtime.

Move content out of Multi-Geo


You can take workspaces out of Multi-Geo capacity in one of two ways:

Delete the current capacity where the workspace is located. This action moves the
workspace back to shared capacity in the home region.
Migrate individual workspaces back to Premium capacity located in the home
tenant.

Large-storage format semantic models shouldn't be moved from the region where they
were created. Reports based on a large-format semantic model won't be able to load
the semantic model and return a Cannot load model error. Move the large-storage
format semantic model back to its original region to make it available again.

Considerations and limitations


Confirm that any movement you initiate between regions follows all corporate and
government compliance requirements prior to initiating data transfer.
Cached data and queries stored in a remote region stay in that region at rest.
Additionally, the data at rest is replicated to another region in the same Azure
geography for disaster recovery if the Azure geography contains more than one
region. Data in transit might go back and forth between multiple geographies.
The source data might remain in the region from which the data was moved for up
to 30 days when moving data from one region to another in a Multi-Geo
environment. During that time end users don't have access to it. It's removed from
this region and destroyed during the 30-day period.
Query text and query result traffic for imported and DirectQuery data models
doesn't transit through the home region. The report metadata does still come from
the home region, and certain DNS routing states might take such traffic out of the
region.
Certain features such as screenshots, data alerts and others will still process data in
the home region.
The detailed semantic model metadata that is cached as part of enhanced
metadata scanning is always stored in the home region, even if the scanned
semantic model is located in a remote region.
The dataflows feature isn't supported on Multi-Geo at this time.
It's possible to create and maintain large-storage format semantic models in
remote regions to meet data residency requirements. However, you can't move
large-storage format semantic models to another region. Moving large-storage format
semantic models from the region where they were created results in reports failing
to load the semantic model. Move the large-storage semantic model back to its
original region to make it available. If you must move such a model, deploy it as if
it were a new model, and then delete the old model from the undesired region.
Multi-Geo doesn't support Metrics in Power BI.

Related content
What is Power BI Premium?
Multi-Geo support for Power BI Embedded


About tenant settings
Article • 11/21/2023

Tenant settings enable fine-grained control over the features that are made available to
your organization. If you have concerns around sensitive data, some of our features
might not be right for your organization, or you might only want a particular feature to
be available to a specific group.

Tenant settings that control the availability of features in the Power BI user interface can
help to establish governance policies, but they're not a security measure. For example,
the Export data setting doesn't restrict the permissions of a Power BI user on a semantic
model. Power BI users with read access to a semantic model have the permission to
query this semantic model and might be able to persist the results without using the
Export data feature in the Power BI user interface.

For a list and brief description of all the tenant settings, see the tenant settings index.

Note

It can take up to 15 minutes for a setting change to take effect for everyone in your
organization.

New tenant settings


To help you quickly identify changes and respond, a message at the top of the tenant
settings page appears when there's a change. The message lists new tenant settings and
changes to existing ones.

You can identify new settings according to their new icon.

How to get to the tenant settings


Go to the admin portal and select Tenant settings.
How to use the tenant settings
Many of the settings can have one of three states:

Disabled for the entire organization: No one in your organization can use this
feature.

Enabled for the entire organization: Everyone in your organization can use this
feature.
Enabled for the entire organization except for certain groups: Everyone in your
organization can use this feature except for users who belong to the specified
groups.

Enabled for a subset of the organization: Specific security groups in your
organization are allowed to use this feature.
Enabled for specific groups except for certain groups: Members of the specified
security groups are allowed to use this feature, unless they also belong to an
excluded group. This approach ensures that certain users don't have access to the
feature even if they're in the allowed group. The most restrictive setting for a user
applies.
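
The five states above, and the "Except specific security groups" option described for certification, can be modelled as one decision over a user's group memberships. The following is an added example, not Microsoft's code: the TenantSetting class, the function names, the group names and the transitive treatment of nested groups are assumptions made for illustration.

```python
# Added example (not from the original page): which of the five states a
# setting is in, and whether a given user can use the feature.
from dataclasses import dataclass


@dataclass(frozen=True)
class TenantSetting:
    """Hypothetical model of one tenant setting."""
    enabled: bool
    allowed_groups: frozenset = frozenset()   # empty means the entire organization
    excluded_groups: frozenset = frozenset()  # the "except" groups


def state_name(setting):
    """Map a setting to the state names used on this page."""
    if not setting.enabled:
        return "Disabled for the entire organization"
    if setting.allowed_groups:
        if setting.excluded_groups:
            return "Enabled for specific groups except for certain groups"
        return "Enabled for a subset of the organization"
    if setting.excluded_groups:
        return "Enabled for the entire organization except for certain groups"
    return "Enabled for the entire organization"


def effective_groups(direct_groups, member_of):
    """Expand direct memberships through nested groups.

    member_of maps a group to the groups it is nested in. The seen set also
    protects against membership cycles.
    """
    seen = set()
    pending = list(direct_groups)
    while pending:
        group = pending.pop()
        if group in seen:
            continue
        seen.add(group)
        pending.extend(member_of.get(group, ()))
    return seen


def feature_available(setting, direct_groups, member_of):
    """Apply the most restrictive rule: any excluded group wins over any allowed one."""
    if not setting.enabled:
        return False
    groups = effective_groups(direct_groups, member_of)
    if groups & setting.excluded_groups:
        return False
    if setting.allowed_groups:
        return bool(groups & setting.allowed_groups)
    return True


# Constructed sample: two subgroups nested in "Finance"; contractors are excluded.
MEMBER_OF = {
    "Finance-Analysts": ["Finance"],
    "Finance-Contractors": ["Finance"],
}
CERTIFIERS = TenantSetting(
    enabled=True,
    allowed_groups=frozenset({"Finance"}),
    excluded_groups=frozenset({"Finance-Contractors"}),
)

if __name__ == "__main__":
    print(state_name(CERTIFIERS))
    for groups in (["Finance-Analysts"], ["Finance-Contractors"], ["Sales"]):
        print(groups, feature_available(CERTIFIERS, groups, MEMBER_OF))
```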
Related content
What is the admin portal?
Tenant settings index



Tenant settings index
Article • 11/23/2023

This article lists all Fabric tenant settings, along with a brief description of each. For
more information about tenant settings in general, see About tenant settings.

Microsoft Fabric
Setting name | Description

Data Activator (preview) | Turn on Data Activator Preview to allow users to define a specific set of conditions about their data, and then receive notifications when those conditions are met. After they receive notifications, users can take action to correct the change in conditions. This setting can be managed at both the tenant and the capacity levels. Data Activator is currently available in these regions. When you turn on Data Activator, you agree to the Data Activator Preview terms. Learn more

Users can create Fabric items | Users can use production-ready features to create Fabric items. Turning off this setting doesn't impact users’ ability to create Power BI items. This setting can be managed at both the tenant and the capacity levels. Learn More

Help and support settings


Setting name | Description

Publish "Get Help" information | Users in the organization can go to internal help and support resources from the Power BI help menu.

Receive email notifications for service outages or incidents | Mail-enabled security groups will receive email notifications if this tenant is impacted by a service outage or incident.

Users can try Microsoft Fabric paid features | When users sign up for a Microsoft Fabric trial, they can try Fabric paid features for free for 60 days from the day they signed up. Learn More

Show a custom message before publishing reports | When people attempt to publish a report, they'll see a custom message before it gets published.

Workspace settings
Setting name | Description

Create workspaces (new workspace experience) | Users in the organization can create app workspaces to collaborate on dashboards, reports, and other content. Even if this setting is disabled, an upgraded workspace will be created when a template app is installed.

Use datasets across workspaces | Users in the organization can use datasets across workspaces if they have the required Build permission.

Block users from reassigning personal workspaces (My Workspace) | Turn on this setting to prevent users from reassigning their personal workspaces (My Workspace) from Premium capacities to shared capacities. Learn More

Define workspace retention period | Turn on this setting to define a retention period during which you can restore a deleted workspace and recover items in it. At the end of the retention period, the workspace is permanently deleted. By default, workspaces are always retained for a minimum of 7 days before they're permanently deleted. Turn off this setting to accept the minimum retention period of 7 days. After 7 days the workspace and items in it will be permanently deleted. Enter the number of days to retain a workspace before it's permanently deleted. My Workspace workspaces will be retained for 30 days automatically. Other workspaces can be retained for up to 90 days.

Information protection
Setting name | Description

Allow users to apply sensitivity labels for content | With this setting enabled, Microsoft Purview Information Protection sensitivity labels published to users by your organization can be applied. All prerequisite steps must be completed before enabling this setting. Note: Sensitivity label settings, such as encryption and content marking for files and emails, are not applied to content. Learn More. Visit the Microsoft Purview compliance portal to view sensitivity label settings for your organization. Note: Sensitivity labels and protection are only applied to files exported to Excel, PowerPoint, or PDF files, that are controlled by "Export to Excel" and "Export reports as PowerPoint presentation or PDF documents" settings. All other export and sharing options do not support the application of sensitivity labels and protection.

Apply sensitivity labels from data sources to their data in Power BI | Only sensitivity labels from supported data sources will be applied. Please see the documentation for details about supported data sources and how their sensitivity labels are applied in Power BI. Learn about supported data sources

Automatically apply sensitivity labels to downstream content | With this setting enabled, whenever a sensitivity label is changed or applied to Fabric content, the label will also be applied to its eligible downstream content. Learn More

Allow workspace admins to override automatically applied sensitivity labels | With this setting enabled, workspace admins can change or remove sensitivity labels that were applied automatically by Fabric, for example, as a result of label inheritance. Learn More

Restrict content with protected labels from being shared via link with everyone in your organization | This setting will prevent content with protection settings in the sensitivity label from being shared via link with everyone in your organization. Learn More

Export and sharing settings


Setting name | Description

Allow Azure Active Directory guest users to access Microsoft Fabric | Azure Active Directory business-to-business (B2B) guest users can access Microsoft Fabric and Fabric contents that they have permissions to.

Invite external users to your organization | Users can invite external users to the organization through Power BI sharing and permission experiences for reports, dashboards, and apps. Once invited, external users will become Azure Active Directory business-to-business (B2B) guest users. Learn More

Allow Azure Active Directory guest users to edit and manage content in the organization | Users can invite Azure Active Directory business-to-business (B2B) guest users to have the browse experience and request access to content. Learn More.

Show Azure Active Directory guests in lists of suggested people | When searching for people in Microsoft Fabric, you see a list of suggested people that includes Azure Active Directory (Azure AD) members and guests. When disabled, guests aren't shown in the suggested people list (it's still possible to share with guests by providing their full email address).

Publish to web | People in your org can publish public reports on the web. Publicly published reports don't require authentication to view them. Go to Embed codes in the admin portal to review and manage public embed codes. If any of the codes contain private or confidential content remove them. Review embed codes regularly to make sure no confidential information is live on the web. Learn more about Publish to web

Copy and paste visuals | Users in the organization can copy visuals from a tile or report visual and paste them as static images into external applications.

Export to Excel | Users in the organization can export the data from a visualization or paginated report to an Excel file. Learn More

Export to .csv | Users in the organization can export data from a tile, visualization, or paginated report to a .csv file. Learn More

Download reports | Users in the organization can download .pbix files and paginated reports. Learn More

Users can work with datasets in Excel using a live connection | Users can export data to Excel from a report visual or dataset, or export a dataset to an Excel workbook with Analyze in Excel, both options with a live connection to the XMLA endpoint. Learn More

Export reports as PowerPoint presentations or PDF documents | Users in the organization can export reports as PowerPoint files or PDF documents.

Export reports as MHTML documents | Users in the organization can export Paginated reports as MHTML documents.

Export reports as Word documents | Users in the organization can export Paginated reports as Word documents.

Export reports as XML documents | Users in the organization can export Paginated reports as XML documents.

Export reports as image files | Users in the organization can use the export report to file API to export reports as image files.

Print dashboards and reports | Users in the organization can print dashboards and reports.

Certification | Choose whether people in your org or specific security groups can certify items (like apps, reports, or datamarts) as trusted sources for the wider organization. Note: When a user certifies an item, their contact details will be visible along with the certification badge.

Users can set up email subscriptions | Users can create email subscriptions to reports and dashboards.

B2B guest users can set up and be subscribed to email subscriptions | Authorized B2B guest users can set up and be subscribed to email subscriptions. Authorized B2B guest users are external users you've added to your Azure Active Directory. Turn off this setting to prevent B2B users from setting up or being subscribed to email subscriptions.

Users can send email subscriptions to external users | Users can send email subscriptions to external users. External users are users you've not added to your Azure Active Directory. Turn off this setting to prevent users from subscribing external users to subscription emails.

Featured content | Users in the organization can promote their published content to the Featured section of Power BI Home.

Allow connections to featured tables | Users in the organization can access and perform calculations on data from featured tables. Featured tables are defined in the modeling view in Power BI Desktop and made available through data types gallery of Excel.

Allow shareable links to grant access to everyone in your organization | This setting will grant access to anyone in your organization with the link. It won't work for external users. Learn More

Enable Microsoft Teams integration | This setting allows people in the organization to access features associated with the Microsoft Teams and Power BI integration. This includes launching Teams experiences from the Power BI service like chats, the Power BI app for Teams, and receiving Power BI notifications in Teams. To completely enable or disable Teams integration, work with your Teams admin.

Install Power BI app for Microsoft Teams automatically | The Power BI app for Microsoft Teams is installed automatically for users when they use Microsoft Fabric. The app is installed for users if they have Microsoft Teams and the Power BI app is allowed in the Teams Admin Portal. When the app is installed, users receive notifications in Teams and can more easily discover and collaborate with colleagues. The Power BI app for Teams provides users with the ability to open all Fabric content. Learn More.

Enable Power BI add-in for PowerPoint | Let people in your org embed Power BI data into their PowerPoint presentations. This integration requires that your organization's Microsoft Office admin has enabled support for add-ins.

Allow DirectQuery connections to Power BI datasets | DirectQuery connections allow users to make changes to existing datasets or use them to build new ones. Learn More

Guest users can work with shared datasets in their own tenants | Authorized guest users can discover datasets shared with them in the OneLake data hub (in Power BI Desktop), and then work with these datasets in their own Power BI tenants.

Allow specific users to turn on external data sharing | Turn off this setting to prevent all users from turning on external data sharing. If this setting is on, all or specific users can turn on the external data sharing option, allowing them to share data with authorized guest users. Authorized guest users can then discover, connect to, and work with these shared datasets in their own Power BI tenants.

Discovery settings
Setting name | Description

Make promoted content discoverable | Allow users in this org who can promote content to make content they promote discoverable by users who don't have access to it. Learn More

Make certified content discoverable | Allow users in the org who can certify content to make content they certify discoverable by users who don't have access to it. Learn More

Discover content | Allow users to find and request access to content they don't have access to if it was made discoverable by its owners. Learn More

Content pack and app settings


Setting name | Description

Create template organizational content packs and apps | Users in the organization can create template content packs and apps that use datasets built on one data source in Power BI Desktop.

Push apps to end users | Users can share apps directly with end users without requiring installation from AppSource.

Publish content packs and apps to the entire organization | Users in the organization can publish content packs and apps to the entire organization.

Integration settings
Setting name | Description

Allow XMLA endpoints and Analyze in Excel with on-premises datasets | Users in the organization can use Excel to view and interact with on-premises Power BI datasets. This also allows connections to XMLA endpoints.

Dataset Execute Queries REST API | Users in the organization can query datasets by using Data Analysis Expressions (DAX) through Power BI REST APIs.

Use ArcGIS Maps for Power BI | Users in the organization can use the ArcGIS Maps for Power BI visualization provided by Esri.

Use global search for Power BI | NO DESCRIPTION IN UI

Use Azure Maps visual | Users in the organization can use the Azure Maps visualization.

Map and filled map visuals | Allow people in your org to use the map and filled map visualizations in their reports.

Integration with SharePoint and Microsoft Lists | Users in the organization can launch Power BI from SharePoint lists and Microsoft Lists. Then they can build Power BI reports on the data in those lists and publish them back to the lists.

Dremio SSO | Enable SSO capability for Dremio. By enabling, user access token information, including name and email, will be sent to Dremio for authentication.

Snowflake SSO | Enable SSO capability for Snowflake. By enabling, user access token information, including name and email, will be sent to Snowflake for authentication. Learn More

Redshift SSO | Enable SSO capability for Redshift. By enabling, user access token information, including name and email, will be sent to Redshift for authentication.

Google BigQuery SSO | Enable SSO capability for Google BigQuery. By enabling, user access token information, including name and email, will be sent to Google BigQuery for authentication.

Oracle SSO | Enable SSO capability for Oracle. By enabling, user access token information, including name and email, will be sent to Oracle for authentication.

Azure AD Single Sign-On (SSO) for Gateway | Enable Azure AD SSO via the on-premises data gateway for applicable data sources. By enabling user access token information including name and email will be sent to these data sources for authentication via the on-premises data gateway. Learn More

Power Platform Solutions Integration (preview) | Allow integration with Power Platform solutions. Learn More

Users can view Power BI files saved in OneDrive and SharePoint (preview) | Users in the organization can view Power BI files saved in OneDrive for Business or SharePoint document libraries. The permissions to save and share Power BI files in OneDrive and SharePoint document libraries are controlled by permissions managed in OneDrive and SharePoint. Learn More

Users can share links to Power BI files stored in OneDrive and SharePoint through Power BI Desktop | Users who have saved Power BI files (.pbix) to OneDrive and SharePoint can share links to those files using Power BI Desktop. Learn More

Enable granular access control for all data connections | Enforce strict access control for all data connection types. When this is turned on, shared items will be disconnected from data sources if they’re edited by users who don’t have permission to use the data connections. Learn More

Datasets can export data to OneLake (preview) | Datasets configured for OneLake integration can send import tables to OneLake. Once the data is in OneLake, users can include the exported tables in Fabric items, including lakehouses and warehouses.

Users can store dataset tables in OneLake (preview) | When users turn on OneLake integration for their datasets, data imported into dataset tables can be stored in OneLake. To allow users to turn on OneLake integration for their datasets, you'll also need to turn on the "Datasets can export data to OneLake" tenant setting.

Dataset owners can choose to automatically update datasets from files imported from OneDrive or SharePoint | Dataset owners can choose to allow datasets to be automatically updated with changes made to the corresponding Power BI files (.pbix) stored in OneDrive or SharePoint. File changes can include new and modified data connections. Turn off this setting to prevent automatic updates to datasets. Learn More

Power BI visuals
Setting name | Description

Allow visuals created using the Power BI SDK | Users in the organization can add, view, share, and interact with visuals imported from AppSource or from a file. Visuals allowed in the "Organizational visuals" page are not affected by this setting. Learn More

Add and use certified visuals only (block uncertified) | Users in the organization with permissions to add and use visuals can add and use certified visuals only. Visuals allowed in the "Organizational visuals" page are not affected by this setting, regardless of certification. Learn More

Allow downloads from custom visuals | Enabling this setting will let custom visuals download any information available to the visual (such as summarized data and visual configuration) upon user consent. It is not affected by download restrictions applied in your organization's Export and sharing settings. Learn More

R and Python visuals settings


Setting name | Description

Interact with and share R and Python visuals | Users in the organization can interact with and share visuals created with R or Python scripts.

Audit and usage settings


Setting name | Description

Usage metrics for content creators | Users in the organization can see usage metrics for dashboards, reports and datasets that they have appropriate permissions to. Learn More

Per-user data in usage metrics for content creators | Usage metrics for content creators will expose display names and email addresses of users who are accessing content.

Azure Log Analytics connections for workspace administrators | NO DESCRIPTION IN UI

Dashboard settings
Setting name | Description

Web content on dashboard tiles | Users in the organization can add and view web content tiles on Power BI dashboards. Note: This may expose your org to security risks via malicious web content.

Developer settings
Setting name | Description

Embed content in apps | Users in the organization can embed Power BI dashboards and reports in Web applications using "Embed for your customers" method. Learn More

Allow service principals to use Power BI APIs | Web apps registered in Azure Active Directory (Azure AD) will use an assigned service principal to access Power BI APIs without a signed in user. To allow an app to use service principal authentication its service principal must be included in an allowed security group. Learn More

Allow service principals to create and use profiles | Allow service principals in your organization to create and use profiles.

Block ResourceKey Authentication | For extra security, block using resource key based authentication. This means users aren't allowed to use the streaming datasets API with a resource key.

Admin API settings


Setting name | Description

Allow service principals to use read-only admin APIs | Web apps registered in Azure Active Directory (Azure AD) will use an assigned service principal to access read-only admin APIs without a signed in user. To allow an app to use service principal authentication, its service principal must be included in an allowed security group. By including the service principal in the allowed security group, you're giving the service principal read-only access to all the information available through admin APIs (current and future). For example, user names and emails, dataset and report detailed metadata. Learn More

Enhance admin APIs responses with detailed metadata | Users and service principals allowed to call Power BI admin APIs may get detailed metadata about Power BI items. For example, responses from GetScanResult APIs will contain the names of dataset tables and columns. Learn More. Note: For this setting to apply to service principals, make sure the tenant setting allowing service principals to use read-only admin APIs is enabled. Learn More

Enhance admin APIs responses with DAX and mashup expressions | Users and service principals eligible to call Power BI admin APIs will get detailed metadata about queries and expressions comprising Power BI items. For example, responses from GetScanResult API will contain DAX and mashup expressions. Learn More. Note: For this setting to apply to service principals, make sure the tenant setting allowing service principals to use read-only admin APIs is enabled. Learn More

Gen1 dataflow settings
| Setting name | Description |
| --- | --- |
| Create and use Gen1 dataflows | Users in the organization can create and use Gen1 dataflows. Learn More |

Template app settings


| Setting name | Description |
| --- | --- |
| Publish template apps | Users in the organization can publish template apps for distribution to clients outside of the organization. Learn More. |
| Install template apps | Users in the organization can install template apps created outside the organization. When a template app is installed, an upgraded workspace is created. Learn More |
| Install template apps not listed in AppSource | Users in the organization who have been granted permission to install template apps which were not published to Microsoft AppSource. Learn More. |

Q&A settings
| Setting name | Description |
| --- | --- |
| Review questions | Allow dataset owners to review questions people asked about their data. |
| Synonym sharing | Allow people to share Q&A synonyms with your organization. Learn More |

Dataset Security
| Setting name | Description |
| --- | --- |
| Block republish and disable package refresh | Disable package refresh, and only allow the dataset owner to publish updates. |

Advanced networking
| Setting name | Description |
| --- | --- |
| Azure Private Link | Increase security by allowing people to use a Private Link to access your Power BI tenant. Someone will need to finish the set-up process in Azure. If that's not you, grant permission to the right person or group by entering their email. Learn More. Set-up instructions. |
| Block Public Internet Access | For extra security, block access to your Power BI tenant via the public internet. This means people who don't have access to the Private Link won't be able to get in. Keep in mind, turning this on could take 10 to 20 minutes to take effect. Learn More. Set-up instructions. |

Metrics settings
| Setting name | Description |
| --- | --- |
| Create and use Metrics | Users in the organization can create and use Metrics |

User experience experiments


| Setting name | Description |
| --- | --- |
| Help Power BI optimize your experience | Users in this organization will get minor user experience variations that the Power BI team is experimenting with, including content, layout, and design, before they go live for all users. |

Share data with your Microsoft 365 services


| Setting name | Description |
| --- | --- |
| Users can see Microsoft Fabric metadata in Microsoft 365 | Turn on this setting to store and display certain Microsoft Fabric metadata in Microsoft 365 services. Users might see Microsoft Fabric metadata (including content titles and types or open and sharing history) in Microsoft 365 services like search results and recommended content lists. Metadata from Microsoft Fabric datasets will not be displayed. Users can browse or get recommendations only for content they have access to. Learn More. This setting is automatically enabled only if your Microsoft Fabric and Microsoft 365 tenants are in the same geographical region. You may disable this setting. Where is my Microsoft Fabric tenant located? |

Insights settings
| Setting name | Description |
| --- | --- |
| Receive notifications for top insights (preview) | Users in the organization can enable notifications for top insights in report settings |
| Show entry points for insights (preview) | Users in the organization can use entry points for requesting insights inside reports |

Datamart settings
| Setting name | Description |
| --- | --- |
| Create Datamarts (preview) | Users in the organization can create Datamarts |

Data model settings


| Setting name | Description |
| --- | --- |
| Users can edit data models in the Power BI service (preview) | Turn on this setting to allow users to edit data models in the service. This setting doesn't apply to DirectLake datasets or editing a dataset through an API or XMLA endpoint. Learn More |

Quick measure suggestions


| Setting name | Description |
| --- | --- |
| Allow quick measure suggestions (preview) | Allow users to use natural language to generate suggested measures. Learn More |
| Allow user data to leave their geography | Quick measure suggestions are currently processed in the US. When this setting is enabled, users will get quick measure suggestions for data outside the US. Learn More |

Scale-out settings
| Setting name | Description |
| --- | --- |
| Scale out queries for large datasets (preview) | For datasets that use the large dataset storage format, Power BI Premium can automatically distribute queries across additional dataset replicas when query volume is high. |

OneLake settings
| Setting name | Description |
| --- | --- |
| Users can access data stored in OneLake with apps external to Fabric | Users can access data stored in OneLake with apps external to the Fabric environment, such as custom applications created with Azure Data Lake Storage (ADLS) APIs, OneLake File Explorer, and Databricks. Users can already access data stored in OneLake with apps internal to the Fabric environment, such as Spark, Data Engineering, and Data Warehouse. Learn More |
| Users can sync data in OneLake with the OneLake File Explorer app | Turn on this setting to allow users to use OneLake File Explorer. This app will sync OneLake items to Windows File Explorer, similar to OneDrive. Learn More |

Git integration
| Setting name | Description |
| --- | --- |
| Users can synchronize workspace items with their Git repositories (preview) | Users can import and export workspace items to Git repositories for collaboration and version control. Turn off this setting to prevent users from syncing workspace items with their Git repositories. Learn More |
| Users can export items to Git repositories in other geographical locations (preview) | The workspace and the Git repository may reside in different geographies. Turn on this setting to allow users to export items to Git repositories in other geographies. |
| Users can export workspace items with applied sensitivity labels to Git repositories (preview) | Turn on this setting to allow users to export items with applied sensitivity labels to their Git repositories. |

Related content
What is the admin portal?
About tenant settings

Enable Microsoft Fabric for your organization
Article • 11/15/2023

The Microsoft Fabric admin switch lets organizations that use Power BI enable Microsoft
Fabric.

Note

Microsoft Fabric availability is restricted in some regions. For more information, see
Fabric region availability.

You can enable Microsoft Fabric for:

Your tenant - Use this option to enable Microsoft Fabric for everyone in the tenant.

A specific capacity - Use this option if you want to enable Microsoft Fabric for
users in a specific capacity.

In both cases, you can use security groups to provide Microsoft Fabric access to a
specified list of users.

Prerequisites
To enable Microsoft Fabric, you need to have one of the following admin roles:

Microsoft 365 Global admin

Power Platform admin

Fabric admin

Enable for your tenant


When you enable Microsoft Fabric using the tenant setting, users can create Fabric items
in that tenant, unless capacity admins turned it off for a specific capacity. Depending on
the configuration you select, Microsoft Fabric becomes available for everyone in the
tenant, or to a selected group of users.

Note

You, or other admins, can override the Microsoft Fabric setting at the capacity level.

In your tenant, you can enable Microsoft Fabric for:

The entire organization - In most cases your organization has one tenant, so
selecting this option enables it for the entire organization. In organizations that
have several tenants, if you want to enable Microsoft Fabric for the entire
organization, you need to enable it in each tenant.

Specific security groups - Use this option to enable Microsoft Fabric for specific
users. You can either specify the security groups that Microsoft Fabric will be
enabled for, or the security groups that Microsoft Fabric won't be available for.

Follow these steps to enable Microsoft Fabric for your tenant.

1. Navigate to the tenant settings in the admin portal and in Microsoft Fabric, expand
Users can create Fabric items.

2. Enable the Users can create Fabric items switch.

3. (Optional) Use the Specific security groups option to enable Microsoft Fabric for
specific users. You can also use the Except specific security groups option to
exclude specific users.

4. Select Apply.

Note

The Delegate settings to other admins option isn't available because it's
automatically delegated to capacity admins.

Enable for a capacity


Consider the Microsoft Fabric setting at the tenant level a recommendation for the
entire organization. Capacity admins can override this setting, depending on their
needs. For example, Fabric can be enabled for all the users in your organization.
However, for security reasons your organization decided to disable Fabric for a specific
capacity. In such cases, Microsoft Fabric can be disabled for that capacity.

Follow these steps to enable Microsoft Fabric for a specific capacity.

1. Navigate to the capacity settings in the admin portal.


2. Select the capacity you want to enable Microsoft Fabric for.

3. Select the Delegate tenant settings tab, and under Microsoft Fabric (Preview),
expand the Users can create Fabric items setting.

4. Check the Override tenant admin selection checkbox and verify that the Users can
create Fabric items setting is enabled.

5. (Optional) Use the Specific security groups option to enable Microsoft Fabric for
specific users. You can also use the Except specific security groups option to
enable Microsoft Fabric for the capacity and exclude specific users.

6. Select Apply.

Can I disable Microsoft Fabric?


To disable Microsoft Fabric, you can turn off the Microsoft Fabric admin switch. After
disabling Microsoft Fabric, users will have view permissions for Microsoft Fabric items. If
you disable Microsoft Fabric for a specific capacity while Microsoft Fabric is available in
your organization, your selection will only affect that capacity.
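
The tenant-versus-capacity precedence described above, modelled as an added example (not Microsoft's code or an API). The class, function, group and capacity names are constructed, and the model assumes that a capacity override fully replaces the tenant selection and that an exclusion wins when a user is in both group lists.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FabricSwitch:
    """One 'Users can create Fabric items' switch (tenant level or capacity override)."""
    enabled: bool
    specific_groups: frozenset = frozenset()  # empty means the entire organization
    except_groups: frozenset = frozenset()

    def allows(self, user_groups: frozenset) -> bool:
        if not self.enabled:
            return False
        if self.specific_groups and not (self.specific_groups & user_groups):
            return False
        # Assumption: an exclusion wins when a user is in both lists.
        return not (self.except_groups & user_groups)


def resolve(tenant, capacity_overrides, capacity, user_groups):
    """Return (can_create, decided_by) for one user on one capacity.

    capacity_overrides maps capacity name -> FabricSwitch and holds an entry only
    where a capacity admin checked 'Override tenant admin selection'.
    """
    groups = frozenset(user_groups)
    override = capacity_overrides.get(capacity)
    if override is not None:
        return override.allows(groups), f"capacity override on {capacity}"
    return tenant.allows(groups), "tenant setting"


def creation_matrix(tenant, capacity_overrides, capacities, users):
    """Map (user, capacity) -> can_create, for reviewing who ends up with access."""
    return {
        (user, cap): resolve(tenant, capacity_overrides, cap, groups)[0]
        for user, groups in users.items()
        for cap in capacities
    }


# Constructed sample: enabled tenant-wide except contractors, one capacity switched
# off for security reasons, one capacity limited to a pilot group.
TENANT = FabricSwitch(enabled=True, except_groups=frozenset({"sg-contractors"}))
OVERRIDES = {
    "cap-regulated": FabricSwitch(enabled=False),
    "cap-pilot": FabricSwitch(enabled=True,
                              specific_groups=frozenset({"sg-fabric-pilot"})),
}
USERS = {
    "alice": {"sg-fabric-pilot"},
    "bob": {"sg-contractors", "sg-fabric-pilot"},
    "carol": set(),
}

if __name__ == "__main__":
    caps = ["cap-default", "cap-regulated", "cap-pilot"]
    for (user, cap), allowed in sorted(
            creation_matrix(TENANT, OVERRIDES, caps, USERS).items()):
        print(f"{user:6} {cap:14} {'can create' if allowed else 'cannot create'}")
```

Under this model, bob is excluded by the tenant setting but can still create items on cap-pilot, because the override there carries no exclusion of its own; exclusions that matter have to be repeated on each overriding capacity.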

Considerations
In some cases, users that don't have Microsoft Fabric enabled will be able to view
Microsoft Fabric items and icons.

Users that don't have Microsoft Fabric enabled can:

View Microsoft Fabric items created by other users in the same workspace, as long
as they have at least read-only access to that workspace.

View Microsoft Fabric icons in capacities where other users have Microsoft Fabric
enabled, as long as they have at least read-only access to that capacity.

Next steps
Admin overview

Enable Data Activator



Help and support tenant settings
Article • 11/02/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Publish "Get Help" information

Admins can specify internal URLs to override the destination of links on the Power BI
help menu and for license upgrades. If custom URLs are set, users in the organization go
to internal help and support resources instead of the default destinations. The following
resource destinations can be customized:

Learn. By default, this help menu link targets a list of all our Power BI learning
paths and modules. To direct this link to internal training resources instead, set a
custom URL for Training documentation.

Community. To take users to an internal forum from the help menu, instead of to
the Power BI Community, set a custom URL for Discussion forum.

Licensing upgrades. Users with a Power BI (free) license or a Power BI Pro license
can be presented with the opportunity to upgrade their account to a Power BI
Premium Per User license. If you specify an internal URL for Licensing requests,
you redirect users to an internal request and purchase flow and prevent self-
service purchase. If you want to prevent users from buying licenses, but are okay
with letting users start a Power BI Premium Per User trial, see Users can try
Microsoft Fabric paid features to separate the buy and try experiences.

Get help. To take users to an internal help desk from the help menu, instead of to
Microsoft Fabric Support, set a custom URL for Help Desk.

Receive email notifications for service outages or incidents
Mail-enabled security groups receive email notifications if this tenant is impacted by a
service outage or incident. Learn more about Service interruption notifications.

Users can try Microsoft Fabric paid features


The Users can try Microsoft Fabric paid features setting is enabled by default. This
setting increases your control over how users get license upgrades. In scenarios where
you have blocked self-service purchase, this setting lets users use more features free for
60 days. Users who have a Power BI (free) license and users with a Power BI Pro license
can start a Power BI Premium Per User trial. Changing Users can try Microsoft Fabric
paid features from enabled to disabled blocks self-service purchase of new licenses. It
doesn't impact purchases that were already made.

The user's license upgrade experience depends on how you combine license settings.
The following table shows how the upgrade experience is affected by different setting
combinations:

| Self-service purchase setting | Users can try Microsoft Fabric paid features | End-user experience |
| --- | --- | --- |
| Enabled | Disabled | User can buy an upgraded license, but can't start a trial |
| Enabled | Enabled | User can start a free trial and can upgrade to a paid license |
| Disabled | Disabled | User sees a message to contact the IT admin to request a license |
| Disabled | Enabled | User can start a trial, but must contact the IT admin to get a paid license |

Note

You can add an internal URL for licensing requests in Help and support settings. If
you set the URL, it overrides the default self-service purchase experience. It doesn't
redirect signup for a trial license. Users who can buy a license in the scenarios
described in the table are redirected to your internal URL.

To learn more, see Enable or disable self-service sign-up and purchasing.

Show a custom message before publishing reports
Admins can provide a custom message that appears before a user publishes a report
from Power BI Desktop. After you enable the setting, you need to provide a custom
message. The custom message can be plain text or follow markdown syntax, as in the
following example:

```markdown
### Important Disclaimer

Before publishing the report to a workspace, be sure to validate that the
appropriate users or groups have access to the destination workspace. If
some users or groups should *not* have access to the content and underlying
artifacts, remove or modify their access to the workspace, or publish the
report to a different workspace. Learn about [giving access to workspaces](/power-bi/collaborate-share/service-give-access-new-workspaces).
```

The custom message text area supports scrolling, so you can provide a message up to
5,000 characters.

When your users publish reports to workspaces in Power BI, they see the message
you've written.

As with other tenant settings, you can choose who the custom message applies to:

The entire organization.

Specific security groups.

Or Except specific security groups.

Related content
About tenant settings



Workspace tenant settings
Article • 11/15/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Create workspaces (new workspace experience)


Workspaces are places where users collaborate on dashboards, reports, and other
content. Microsoft Fabric admins can use the Create workspaces (new workspace
experience) setting to designate which users in the organization can create workspaces.
Admins can let everybody or nobody in an organization create workspaces. Workspace
creation can also be limited to members of specific security groups. Learn more about
workspaces.

For classic workspaces based on Microsoft 365 Groups, administration continues to


occur in admin portal and Azure Active Directory.

Note

The Create workspaces (new workspace experience) setting defaults to allowing
only users who can create Microsoft 365 Groups to create the new Microsoft Fabric
workspaces. Be sure to set a value in the Microsoft Fabric admin portal to ensure
appropriate users can create them.

List of workspaces

The admin portal has another section of settings about the workspaces in your tenant.
In that section, you can sort and filter the list of workspaces and display the details for
each workspace. See Manage workspaces for details.

Publish apps

In the admin portal, you also control which users have permissions to distribute apps to
the organization. See Publish apps to the entire organization for details.

Use semantic models across workspaces


Admins can control which users in the organization can use semantic models across
workspaces. When this setting is enabled, users still need the required Build permission
for a specific semantic model.

For more information, see Intro to semantic models across workspaces.

Identify your workspace ID


The easiest way to find your workspace ID is in the URL of the Fabric site for an item in a
workspace. As in Power BI, the Fabric URL contains the workspace ID, which is the
unique identifier after /groups/ in the URL, for example:
https://powerbi.com/groups/11aa111-a11a-1111-1abc-aa1111aaaa/... . Alternatively, you
can find the workspace ID in the Power BI Admin portal settings by selecting Details
next to the workspace name.

Block users from reassigning personal workspaces (My Workspace)
Personal workspaces are the My workspaces that every user has for their personal
content. Microsoft Fabric and capacity admins can designate a preferred capacity for My
workspaces. By default, however, My workspace owners can still change the capacity
assignment of their workspace. If a Microsoft Fabric or capacity admin designates a
Premium capacity as the default capacity for My workspaces, but a My workspace owner
then changes that capacity assignment back to shared capacity, this could result in non-
compliance with data residency requirements.

To prevent such a scenario, the Microsoft Fabric admin can turn on the Block users from
reassigning personal workspaces (My Workspace) tenant setting. When this setting is
on, My workspace owners can't change the capacity assignment of their My workspace.

To turn on the setting:

1. Go to the Microsoft Fabric Admin portal and select Tenant settings.


2. In the tenant settings, scroll down to the Workspace settings section.
3. Find the setting called Block users from reassigning personal workspaces (My
Workspace).

For more information, see Prevent My workspace owners from reassigning their My
workspaces to a different capacity.

Next steps
About tenant settings



Information protection tenant settings
Article • 11/15/2023

Information protection tenant settings help you to protect sensitive information in your
Power BI tenant. Allowing and applying sensitivity labels to content ensures that
information is only seen and accessed by the appropriate users. These settings are
configured in the tenant settings section of the Admin portal. For information about
how to get to and use tenant settings, see About tenant settings.

Allow users to apply sensitivity labels for content
With this setting enabled, specified users can apply sensitivity labels from Microsoft
Purview Information Protection.

All prerequisite steps must be completed before enabling this setting.

Sensitivity label settings, such as encryption and content marking for files and emails,
aren't applied to content. Sensitivity labels and protection are only applied to files
exported to Excel, PowerPoint, or PDF files that are controlled by Export to Excel and
Export reports as PowerPoint presentation or PDF documents settings. All other export
and sharing options don't support the application of sensitivity labels and protection.

To learn more, see Sensitivity labels in Power BI.

To view sensitivity label settings for your organization, visit the Microsoft Purview
compliance portal.

Apply sensitivity labels from data sources to their data in Power BI
When this setting is enabled, Power BI semantic models that connect to sensitivity-
labeled data in supported data sources can inherit those labels, so that the data remains
classified and secure when brought into Power BI.

To learn more about sensitivity label inheritance from data sources, see Sensitivity label
inheritance from data sources (preview).

Automatically apply sensitivity labels to downstream content
When a sensitivity label is applied to a semantic model or report in the Power BI service,
it's possible to have the label trickle down and be applied to content that's built from
that semantic model or report.

To learn more, see Sensitivity label downstream inheritance.

Allow workspace admins to override automatically applied sensitivity labels
Fabric admins can enable the Allow workspace admins to override automatically
applied sensitivity labels tenant setting. This makes it possible for workspace admins to
override automatically applied sensitivity labels without regard to label change
enforcement rules.

To learn more, see Relaxations to accommodate automatic labeling scenarios.

Restrict content with protected labels from being shared via link with everyone in your organization
When this setting is enabled, users can't generate a sharing link for People in your
organization for content with protection settings in the sensitivity label.

Note

This setting is disabled if you haven't enabled both the Allow users to apply
sensitivity labels for Power BI content setting and the Allow shareable links to
grant access to everyone in your organization setting.

Sensitivity labels with protection settings include encryption or content markings. For
example, your organization might have a Highly Confidential label that includes
encryption and applies a Highly Confidential watermark to content with this label.
Therefore, when this tenant setting is enabled and a report has a sensitivity label with
protection settings, users can't create sharing links for People in your organization.

To learn more about protection settings for sensitivity labels, see Restrict access to
content by using sensitivity labels to apply encryption.

Next steps
About tenant settings



Export and sharing tenant settings
Article • 11/02/2023

The export and sharing settings give the Fabric administrator the flexibility to
decide which formats Power BI content can be exported to, in line with the
organization's security and compliance guidelines. These settings also let you keep
users from exporting content in unauthorized formats.

Sharing is also managed through these settings. You can determine how Power BI
content is shared in your organization and who can share it, as well as determine
settings for sharing content with users outside your organization. These settings are
configured in the tenant settings section of the Admin portal. For information about
how to get to and use tenant settings, see About tenant settings.

Allow Azure Active Directory guest users to access Microsoft Fabric
When you turn on this setting, Azure Active Directory Business-to-Business (Azure AD
B2B) guest users can access Power BI. If you turn off this setting, B2B guest users receive
an error when trying to access Power BI. Disabling this setting for the entire organization
also prevents users from inviting guests to your organization. Use the specific security
groups option to control which B2B guest users can access Power BI.

To learn more, see Distribute Power BI content to external guest users with Azure AD
B2B.

Invite external users to your organization


This setting helps organizations choose whether new external users can be invited to the
organization through Fabric sharing, permissions, and subscription experiences.

To invite external users to your organization, the user must also have the Azure AD
Guest Inviter role. Once invited, external users become Azure AD B2B guest users. This
setting only controls the ability to invite through Fabric.

To learn more, see Invite guest users.

Important

This setting was previously called Share content with external users.

Allow Azure Active Directory guest users to edit and manage content in the organization
This setting allows Azure AD B2B guest users to have full access to the browsing
experience using the left-hand navigation pane in the organization. Guest users who
have been assigned workspace roles or specific item permissions continue to have those
roles and/or permissions, even if this setting is disabled.

To learn more about sending Fabric content to Azure AD B2B guest users, read
Distribute Power BI content to external guest users with Azure AD B2B.

Show Azure Active Directory guests in lists of suggested people
This setting helps organizations limit visibility of external users in sharing experiences.
When disabled, Azure AD guest users aren't shown in people picker suggested users
lists. This helps prevent accidental sharing with external users, and keeps users from
seeing which external users have been added to your organization through Power BI
sharing UIs.

Important

When the setting is set to disabled, you can still give permission to a guest user by
providing their full email address in people pickers.

Publish to web
People in your organization can publish public reports on the web. Publicly published
reports don't require authentication to view them.

Only admins can allow the creation of new publish-to-web embed codes. Go to Embed
codes in the admin portal to review and manage public embed codes. If any of the
codes contain private or confidential content, remove them. Review embed codes
regularly to make sure no confidential information is live on the web.

The Publish to web setting in the admin portal gives options for which users can create
embed codes. Admins can set Publish to web to Enabled and Choose how embed
codes work to Allow only existing embed codes. In that case, users can create embed
codes, but they have to contact the admin to allow them to do so.

Users see different options in the UI based on the Publish to web setting.

| Feature | Enabled for entire organization | Disabled for entire organization | Specific security groups |
| --- | --- | --- | --- |
| Publish to web under report More options (...) menu | Enabled for all | Not visible for all | Only visible for authorized users or groups. |
| Manage embed codes under Settings | Enabled for all | Enabled for all | Enabled for all. Delete option only for authorized users or groups. Get codes enabled for all. |
| Embed codes within admin portal | Status has one of the following values: Active, Not supported, Blocked | Status displays Disabled | Status has one of the following values: Active, Not supported, Blocked. If a user isn't authorized based on the tenant setting, status displays infringed. |
| Existing published reports | All enabled | All disabled | Reports continue to render for all. |

Learn more about publishing to the web.

Copy and paste visuals


Turn on this setting to allow users in the organization to copy visuals from a tile or
report visual and paste them as static images into external applications.

Export to Excel
Users in the organization can export the data from a visualization to an Excel file.

To learn more, see Export the data that was used to create a visualization.

Note

Fabric automatically applies a sensitivity label on the exported file and protects it
according to the label's file encryption settings.

Export to .csv
Users in the organization can export data from a tile, visualization, or paginated report
to a .csv file.

To learn more, see Export Power BI paginated report to a CSV file.

Note

Fabric automatically applies a sensitivity label on the exported file and protects it
according to the label's file encryption settings.

Download reports
Users in the organization can download .pbix files and paginated reports.

To learn more, see Download a report from the Power BI service to Power BI Desktop.

Users can work with Power BI semantic models in Excel using a live connection
Turn this setting on to allow users to export data to Microsoft Excel from a Power BI
visual or semantic model, or export a semantic model to an Excel workbook with
Analyze in Excel, both options with a live connection to the XMLA endpoint.

To learn more, see Create Excel workbooks with refreshable Power BI data.

Export reports as PowerPoint presentations or PDF documents
This setting lets users export reports as PowerPoint presentations or PDF documents.

Learn how to export PowerPoint presentations.

Learn how to export PDF documents.

Export reports as MHTML documents
Users in the organization can export paginated reports as MHTML documents when this
setting is turned on.

Export reports as Word documents


This setting lets users in the organization export paginated reports as Microsoft Word
documents.

To learn more, see Export Power BI paginated report to Microsoft Word.

Export reports as XML documents


This setting lets users in the organization export paginated reports as XML documents.

To learn more, see Export Power BI paginated report to XML.

Export reports as image files


Users in the organization can use the export report to file API to export reports as image
files.

To learn more, see Export Power BI paginated report to an Image File.

Print dashboards and reports


This setting lets users in the organization print dashboards and reports.

To learn more, see Print from the Power BI service.

Certification
Choose whether people in your organization or specific security groups can certify items
like apps, reports, or datamarts as trusted sources for the wider organization.

Important

When a user certifies an item, their contact details are visible along with the
certification badge.

Read Enable content certification for more details.

Users can set up email subscriptions


This setting lets users create email subscriptions to reports and dashboards. Read Email
subscriptions for reports and dashboards in the Power BI service to learn more.

B2B guest users can set up and be subscribed to email subscriptions
There may be instances where an admin wants B2B guest users to receive email
subscriptions but not other external users. Use this setting to allow B2B guest users to
set up and subscribe themselves to email subscriptions.

If this setting is off, only users in your organization can create and receive email
subscriptions.

Important

The Allow email subscriptions to be sent to external users switch will be
automatically turned off if the B2B guest users can set up and be subscribed to
email subscriptions switch is turned off. This is because B2B users are external
users that have been granted elevated permissions to get content. Since B2B guest
users have higher permissions than other external users, if they can't get the email
subscription neither can the other external users.

Users can send email subscriptions to external users
This setting helps organizations choose whether external users can be included as
recipients of email subscriptions.

External users are users outside of the organization that haven't been added as Azure
AD B2B guest users. If this setting is turned off, an external user who isn't already a
guest user in the organization can't be included as a recipient of an email subscription.

Featured content
This setting lets you enable or disable the ability of users in your organization to
promote their published content to the Featured section of the Power BI Home page. By
default, anyone with the Admin, Member, or Contributor role in a workspace in your
organization can feature content on Power BI Home.

To learn more, see Feature content on colleagues' Power BI Home page.

You can also manage featured content on the Featured content page in the Admin
portal. Go to Manage featured content for more details.

Allow connections to featured tables


This setting lets Fabric admins control who in the organization can use featured tables in
the Excel Data Types Gallery. Read more about Power BI featured tables in Excel.

Note

Connections to featured tables are also disabled if the Allow live connections
setting is set to Disabled.

Allow shareable links to grant access to everyone in your organization
This tenant setting is available for admins looking to disable creating shareable links to
People in your organization.

If this setting is turned off for a user with permissions to share a report, that user can
only share the report via link to Specific people or People with existing access. The
following image shows what that user sees if they attempt to share the report via link:

To learn more, see Link settings.

Enable Microsoft Teams integration


This setting allows organizations to access features that work with Microsoft Teams and
the Power BI service. These features include launching Teams experiences from Power BI
like chats, the Power BI app for Teams, and getting Power BI notifications from Teams. To
completely enable or disable Teams integration, work with your Teams admin.

Read more about collaborating in Microsoft Teams with Power BI.

Install Power BI app for Microsoft Teams automatically
Automatic installation makes it easier to install the Power BI app for Microsoft Teams,
without needing to change Microsoft Teams app setup policies. This change speeds up
the installation and removes admin hassles of configuring and maintaining
infrastructure needed by an app setup policy.
When the app is installed, users receive notifications in Teams and can more easily
discover and collaborate with colleagues. The Power BI app for Teams provides users
with the ability to open all Fabric content.

Automatic installation happens for a user under the following conditions:

- The Power BI app for Microsoft Teams is set to Allowed in the Microsoft Teams
  admin portal.
- The Power BI tenant setting Install Power BI app for Microsoft Teams
  automatically is Enabled.
- The user has a Microsoft Teams license.
- The user opens the Power BI service in a web browser.

To learn more, see Add the Power BI app to Microsoft Teams.

Enable Power BI add-in for PowerPoint


The Power BI add-in for PowerPoint makes it possible for users to add live, interactive
data from Power BI to a PowerPoint presentation. See About the Power BI add-in for
PowerPoint for more detail.

When this setting is on (default), entry points for opening a new PowerPoint
presentation with the add-in already loaded are available in Power BI. When this setting
is off, the entry points in Power BI are unavailable.

This integration requires that your organization's Microsoft Office admin has enabled
support for add-ins.

Note

If you turn this setting off, that doesn't prevent people from using the add-in
starting from PowerPoint. To completely block adding live Power BI report pages to
PowerPoint slides using the add-in, the add-in must be turned off in both Power BI
and PowerPoint.

Allow DirectQuery connections to Power BI semantic models
When this setting is turned on (default), users can use DirectQuery to connect to Azure
Analysis Services or Power BI datasets.

To learn more about DirectQuery, see Use DirectQuery in Power BI Desktop.

If you turn this switch off, it effectively stops users from publishing new composite
models on Power BI semantic models to the service. Existing reports that leverage a
composite model on a Power BI semantic model continue to work, and users are still
able to create composite models using Desktop, but they can't publish to the service.

To learn more about composite models, see Use composite models in Power BI Desktop.

Note

Live connections to Power BI semantic models aren't affected by this switch, nor are
live or DirectQuery connections to Azure Analysis Services. These continue to work
regardless of whether the setting is on or off. In addition, any published reports
that leverage a composite model on a Power BI semantic model continue to work
even if the setting has been turned off after they were published.

Guest users can work with shared semantic models in their own tenants
When this setting is turned on, Azure AD B2B guest users of semantic models shared
with them by users in your organization can access and build on those semantic models
in their own tenant.

This setting is off by default for customers. If this setting is disabled, a guest user can
still access the semantic model in the provider tenant but not in their own tenant.

Allow specific users to turn on external data sharing
As a Fabric admin, you can specify which users or user groups in your organization can
share semantic models externally with guests from a different tenant through the in-
place mechanism. Authorized guest users can then discover, connect to, and work with
these shared semantic models in their own tenants.

Disabling this setting prevents any user from sharing semantic models externally by
blocking the ability of users to turn on external sharing for semantic models they own or
manage.

Next steps
About tenant settings



Discovery tenant settings
Article • 11/21/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Discoverability is a feature that semantic model owners can use to make their endorsed
content discoverable by users who don't yet have access to it.

Make promoted content discoverable


Allow users in this organization who can promote content to make content they
promote discoverable by users who don't have access to it. You can also specify users
and/or groups to exclude from the permitted groups.

To learn more, see Semantic model discoverability.

Make certified content discoverable


Allow users in the organization who can certify content to make content they certify
discoverable by users who don't have access to it.

Discover content
Allow users to find and request access to content they don't have access to if it was
made discoverable by its owners.

To learn more, see Find recommended items.

Related content
About tenant settings



App tenant settings
Article • 11/21/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Create template organizational apps


Users in the organization can create template apps that use semantic models built on
one data source in Power BI Desktop.

To learn more, see Create a template app in Power BI.

Push apps to end users


Admins can allow report creators to share apps directly with end users, without
requiring installation from AppSource. In the admin portal, the setting is Push apps to
end users.

To learn more, see Automatically install apps for end users.

Publish apps to the entire organization


Admins use this setting to decide which users can publish apps to the entire
organization, rather than specific groups. The following image shows the Entire
organization option when creating an app.

To learn more, see Publish an app in Power BI.


Related content
About tenant settings



Copilot tenant settings (preview)
Article • 11/21/2023

Fabric has a new tenant setting group, Copilot and Azure OpenAI Service (preview),
with the following two settings:

- Users can use a preview of Copilot and other features powered by Azure OpenAI.
- Data sent to Azure OpenAI can be processed outside your tenant's geographic
  region, compliance boundary, or national cloud instance.

By default, the tenant settings for Fabric OpenAI are disabled. Ask your tenant admins
to enable them if they're willing and allowed to use the features powered by Azure
OpenAI.

Related content
About tenant settings



Integration tenant settings
Article • 11/15/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Allow XMLA endpoints and Analyze in Excel with on-premises datasets
When enabled, users in the organization can use Excel to view and interact with on-
premises Power BI semantic models. This also allows connections to XMLA endpoints.

To learn more, see Create Excel workbooks with refreshable Power BI data.

Dataset Execute Queries REST API


When enabled, users in the organization can query semantic models by using Data
Analysis Expressions (DAX) through Power BI REST APIs.

To learn more, see Datasets - Execute Queries.

Use ArcGIS Maps for Power BI


When enabled, users in the organization can use the ArcGIS Maps for Power BI
visualization provided by Esri.

To learn more, see Create ArcGIS maps in Power BI.

Use global search for Power BI


When enabled, users in the organization can use external search features that rely on
Azure Search.

To learn more, see Navigation for Power BI business users: global search.

Use Azure Maps Visual


When enabled, users in the organization can use the Azure Maps visual for Power BI.

To learn more, see Get started with Azure Maps Power BI visual.

Map and filled map visuals


When enabled, users in the organization can use map and filled map visualizations in
their reports.

Note

In a future release, Power BI plans to deprecate older map visuals and migrate
existing reports to Azure Maps. Learn about converting to Azure Maps.

Integration with SharePoint and Microsoft Lists


Users in the organization can create Fabric reports directly from SharePoint and
Microsoft Lists. Then they can build Fabric reports on the data in those lists and publish
them back to the lists, to be visible to others who can access the list.

This setting is enabled by default. Even if the feature is disabled, in SharePoint and
Microsoft Lists users can still see Power BI > Visualize the list, and any existing reports,
on the Integrate menu. If they select Visualize the list, they go to an error page
explaining that their admin has disabled the feature.

Learn more about creating reports from SharePoint and Microsoft Lists.

Dremio SSO
Enable SSO capability for Dremio. When this setting is enabled, user access token
information, including name and email, is sent to Dremio for authentication.

To learn more, see Azure AD-based Single Sign-On for Dremio Cloud and Power BI.

Snowflake SSO
For semantic model owners to be able to enable single sign-on for DirectQuery
connections to Snowflake in semantic model settings, a Fabric admin must enable the
Snowflake SSO setting. This setting approves sending Azure AD credentials to
Snowflake for authentication for the entire organization.

To learn more, see Connect to Snowflake in the Power BI Service.

Redshift SSO
Enable SSO capability for Redshift. When this setting is enabled, user access token
information, including name and email, is sent to Redshift for authentication.

To learn more, see Overview of single sign-on for on-premises data gateways in Power
BI.

Google BigQuery SSO


Enable SSO capability for Google BigQuery. When this setting is enabled, user access
token information, including name and email, is sent to Google BigQuery for
authentication.

To learn more, see Google BigQuery (Azure AD).

Oracle SSO
Enable SSO capability for Oracle. When this setting is enabled, user access token
information, including name and email, is sent to Oracle for authentication.

To learn more, see Overview of single sign-on for on-premises data gateways in Power
BI.

Azure AD Single Sign-On (SSO) for Gateway


This setting enables Azure Active Directory (Azure AD) SSO through on-premises data
gateways to cloud data sources that rely on Azure AD-based authentication. It gives
seamless Azure AD SSO connectivity to Azure-based data sources, such as Azure
Synapse Analytics (SQL DW), Azure Data Explorer, Snowflake on Azure, and Azure
Databricks through an on-premises data gateway.

This feature is important for users who work with reports that require SSO connectivity
in DirectQuery mode to data sources deployed in an Azure virtual network (Azure VNet).
When you configure SSO for an applicable data source, queries execute under the Azure
AD identity of the user that interacts with the Power BI report.

An important security-related consideration is that gateway owners have full control
over their on-premises data gateways. This means that it's theoretically possible for a
malicious gateway owner to intercept Azure AD SSO tokens as they flow through an
on-premises data gateway (this isn't a concern for VNet data gateways because they're
maintained by Microsoft).

Because of this possible threat, the Azure AD SSO feature is disabled by default for on-
premises data gateways. As a Fabric admin, you must enable the Azure AD Single Sign-
On (SSO) for Gateway tenant setting in the Fabric admin portal before data sources can
be enabled for Azure AD SSO on an on-premises data gateway. Before enabling the
feature, make sure to restrict the ability to deploy on-premises data gateways in your
organization to appropriate administrators.

To learn more, see Azure Active Directory SSO.

Power Platform Solutions Integration (Preview)


This setting enables the Power BI/Power Platform Solutions integration from the Power
BI side. Admin settings also have to be turned on in Power Platform.

When the integration is enabled and Power BI components are created in a Power
Apps solution, a special Power BI workspace dedicated to the Power Apps environment
is created in Power BI to store copies of the Power BI report and semantic model that
are being used to create the component.

To learn more, see Power BI content management in Power Apps solutions and About
Power BI in Power Apps Solutions.

Users can view Power BI files saved in OneDrive and SharePoint (Preview)
This setting allows users to view Power BI files saved in OneDrive for Business and
SharePoint Online document libraries in their browser without needing to download the
file and open in Power BI Desktop on their local machine. When enabled, the setting
applies to all users in your organization. This setting is on by default.

Learn more about viewing Power BI files saved in OneDrive and SharePoint.

Users can share links to Power BI files stored in OneDrive and SharePoint through
Power BI Desktop
Users can share links to Power BI Desktop files (.pbix) saved to OneDrive and SharePoint
through Power BI Desktop. Sharing uses standard OneDrive and SharePoint sharing
functionality. When enabled, this setting applies to all users in your organization.

During public preview, if a user has enabled share through the Power BI Desktop menu,
but the admin setting is disabled for the tenant, a Share button still appears in Power BI
Desktop, but the user is notified that the capability is disabled when they attempt to
share.

Learn more about sharing links through Power BI Desktop.

Next steps
About tenant settings



Power BI visuals tenant settings
Article • 11/02/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

All the Power BI visuals admin settings, including Power BI visuals tenant settings, are
described in Manage Power BI visuals admin settings.

Allow visuals created using the Power BI SDK


Users in the organization can add, view, share, and interact with visuals imported from
AppSource or from a file. Visuals allowed in the Organizational visuals page aren't
affected by this setting.

To learn more, see Visuals from AppSource or a file.

Add and use certified visuals only (block uncertified)
Users in the organization with permissions to add and use visuals can add and use
certified visuals only. Visuals allowed in the Organizational visuals page aren't affected
by this setting, regardless of certification.

To learn more, see Certified Power BI visuals.

Allow downloads from custom visuals


Enabling this setting lets custom visuals download any information available to the
visual (such as summarized data and visual configuration) upon user consent. It's not
affected by download restrictions applied in your organization's Export and sharing
settings.

To learn more, see Export data to file.

Next steps
About tenant settings


R and Python visuals tenant settings
Article • 11/21/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Interact with and share R and Python visuals


Users in the organization can interact with and share visuals created with R or Python
scripts.

Create and use R visuals in Power BI.


Create Power BI visuals with Python.

Note

This setting applies to the entire organization and can't be limited to specific
groups.

Related content
About tenant settings



Audit and usage tenant settings
Article • 11/21/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Usage metrics for content creators


When this setting is on, users in the organization can see usage metrics for dashboards,
reports, and semantic models for which they have appropriate permissions.

To learn more, see Monitor usage metrics in the workspaces.

Per-user data in usage metrics for content creators
Per-user data is enabled for usage metrics by default. Content creator account
information, such as user name and email address, is included in the metrics report. If
you don't wish to gather this information for all users, you can disable the feature for
specified security groups or for an entire organization. Account information for the
excluded users then shows in the report as Unnamed.

To learn more, see Exclude user information from usage metrics reports.

Azure Log Analytics connections for workspace administrators
Power BI integration with Azure Log Analytics enables Fabric administrators and
Premium workspace owners to connect their Premium workspaces to Azure Log
Analytics to monitor the connected workspaces.

When the switch is on, administrators and Premium workspace owners can configure
Azure Log Analytics for Power BI.

Related content
About tenant settings


Dashboard tenant settings
Article • 11/21/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Web content on dashboard tiles


Users in the organization can add and view web content tiles on Power BI dashboards.

To learn more, see Add images, videos, and more to your dashboard.

Note

This could expose your organization to security risks via malicious web content.

Related content
About tenant settings



Developer tenant settings
Article • 11/02/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

To manage Power BI developer settings, you must be a Global Admin in Office 365, or
have been assigned the Fabric administrator role. For more information about the Fabric
administrator role, see Understand Microsoft Fabric admin roles.

Note

The developer settings in the Admin portal are different from and not related to the
developer mode setting for debugging visuals.

Embed content in apps


Users in the organization can embed Power BI dashboards and reports in software as a
service (SaaS) applications. Disabling this setting prevents users from being able to use
the REST APIs to embed Power BI content within their application.

To learn more, see What is Power BI embedded analytics?.

Learn about the Embed for your customers method to build an app that uses non-
interactive authentication against Power BI.

Allow service principals to use Power BI APIs


Web apps registered in Azure Active Directory (Azure AD) use an assigned service
principal to access Power BI APIs without a signed-in user. To allow an app to use service
principal authentication, its service principal must be included in an allowed security
group.

You can control who can access service principals by creating dedicated security groups
and using these groups in any Power BI tenant-level settings.

To learn more, see Embed Power BI content with service principal and an application
secret.

Allow service principals to create and use profiles
An app owner with many customers can use service principal profiles as part of a
multitenancy solution to enable better customer data isolation and establish tighter
security boundaries between customers.

To learn more, see Service principal profiles for multitenancy apps.

Block ResourceKey Authentication


For extra security, you can block the use of resource key-based authentication. The
Block ResourceKey Authentication setting applies to streaming and PUSH datasets. If
disabled, users will not be allowed to send data to streaming and PUSH datasets using the
API with a resource key.

This setting applies to the entire organization. You can't apply it only to a select security
group.

Next steps
About tenant settings



Admin API tenant settings
Article • 11/21/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Allow service principals to use read-only admin APIs
Web apps registered in Azure Active Directory (Azure AD) use an assigned service
principal to access read-only admin APIs without a signed-in user. To allow an app to
use service principal authentication, its service principal must be included in an allowed
security group. By including the service principal in the allowed security group, you're
giving the service principal read-only access to all the information available through
admin APIs (current and future). For example, user names and emails, semantic model,
and report detailed metadata.

To learn more, see Allow service principals to use read-only admin APIs.

Enhance admin APIs responses with detailed metadata
Users and service principals allowed to call Power BI admin APIs might get detailed
metadata about Power BI items. For example, responses from GetScanResult APIs
contain the names of semantic model tables and columns.

To learn more, see Metadata scanning.

Note

For this setting to apply to service principals, make sure the tenant setting Allow
service principals to use read-only admin APIs is enabled. To learn more, see Set
up metadata scanning.

Enhance admin APIs responses with DAX and mashup expressions
Users and service principals eligible to call Power BI admin APIs get detailed metadata
about queries and expressions comprising Power BI items. For example, responses from
GetScanResult API contain DAX and mashup expressions.

To learn more, see Metadata scanning.

Note

For this setting to apply to service principals, make sure the tenant setting Allow
service principals to use read-only admin APIs is enabled. To learn more, see Set
up metadata scanning.
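
Several notes on these tenant settings pages describe one switch silently overriding another: external email subscriptions rely on the B2B guest switch, featured tables rely on Allow live connections, and the two Enhance admin APIs settings reach service principals only when Allow service principals to use read-only admin APIs is enabled. The following Python code is an added example, not Microsoft code, that resolves the effective state of a switch per caller type; the dictionary input format and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Setting display names are taken from the page. The dict-of-booleans input
# is an assumed format for this example, not an export produced by Fabric.
B2B_EMAIL = "B2B guest users can set up and be subscribed to email subscriptions"
EXTERNAL_EMAIL = "Users can send email subscriptions to external users"
LIVE_CONNECTIONS = "Allow live connections"
FEATURED_TABLES = "Allow connections to featured tables"
SP_READONLY_ADMIN = "Allow service principals to use read-only admin APIs"
DETAILED_METADATA = "Enhance admin APIs responses with detailed metadata"
DAX_MASHUP = "Enhance admin APIs responses with DAX and mashup expressions"


@dataclass(frozen=True)
class Dependency:
    dependent: str     # switch that can be overridden
    prerequisite: str  # switch it relies on
    caller: str        # "any", or "service_principal" if only those are affected


# Each entry mirrors one Note/Important box on the page.
DEPENDENCIES = (
    Dependency(EXTERNAL_EMAIL, B2B_EMAIL, "any"),
    Dependency(FEATURED_TABLES, LIVE_CONNECTIONS, "any"),
    Dependency(DETAILED_METADATA, SP_READONLY_ADMIN, "service_principal"),
    Dependency(DAX_MASHUP, SP_READONLY_ADMIN, "service_principal"),
)


def effective_state(configured, setting, caller="user"):
    """Return True/False for the effective state, or None if it can't be determined."""
    state = configured.get(setting)
    if state is None:
        return None  # setting missing from the input
    if not state:
        return False
    for dep in DEPENDENCIES:
        if dep.dependent != setting or dep.caller not in ("any", caller):
            continue
        prerequisite = effective_state(configured, dep.prerequisite, caller)
        if prerequisite is not True:
            return prerequisite  # False (overridden) or None (unknown)
    return True


def overridden(configured, caller="user"):
    """List (dependent, prerequisite) pairs where a switch is on but has no effect."""
    findings = []
    for dep in DEPENDENCIES:
        if dep.caller not in ("any", caller):
            continue
        if configured.get(dep.dependent) and \
                effective_state(configured, dep.dependent, caller) is False:
            findings.append((dep.dependent, dep.prerequisite))
    return findings


# Constructed sample input for the example.
SAMPLE = {
    B2B_EMAIL: False,
    EXTERNAL_EMAIL: True,
    LIVE_CONNECTIONS: True,
    FEATURED_TABLES: True,
    SP_READONLY_ADMIN: False,
    DETAILED_METADATA: True,
    DAX_MASHUP: False,
}

if __name__ == "__main__":
    for caller in ("user", "service_principal"):
        for dependent, prerequisite in overridden(SAMPLE, caller):
            print(f"[{caller}] '{dependent}' is on but has no effect: "
                  f"'{prerequisite}' is off")
```

A switch that appears here is worth reviewing before the prerequisite is turned on, because enabling the prerequisite also activates every dependent switch that was left on.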

Related content
About tenant settings



Gen 1 dataflow tenant settings
Article • 11/02/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Create and use Gen1 dataflows


Users in the organization can create and use dataflows. For an overview of dataflows,
see Introduction to dataflows and self-service data prep. To enable dataflows in a
Premium capacity, see Configure workloads.

Note

This setting applies to the entire organization and can't be limited to specific
groups.

Next steps
About tenant settings



Template app tenant settings
Article • 11/21/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Publish template apps


Users in the organization can create template apps workspaces. Control which users can
publish template apps or distribute them to clients outside your organization by way of
Microsoft AppSource or other distribution methods.

To learn more about template apps, see What are Power BI template apps?.

Install template apps


Users in the organization can download and install template apps only from Microsoft
AppSource. Control which specific users or security groups can install template apps
from AppSource.

To learn about AppSource, see What is Microsoft AppSource?.

Install template apps not listed in AppSource


Control which users in the organization can download and install template apps not
listed on Microsoft AppSource.

Related content
About tenant settings



Q&A tenant settings
Article • 11/21/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Review questions
When this setting is enabled, semantic model owners can review questions end-users
ask about their data.

To learn more, see Intro to Q&A tooling to train Power BI Q&A.

Synonym sharing
When this setting is enabled, users can share Q&A synonyms as suggested terms with
everyone in your organization.

To learn about synonyms, see Field synonyms.

Note

If you disable this setting and apply the changes, and then later re-enable synonym
sharing, it might take a few weeks to reshare all the synonyms within your
organization.

Related content
About tenant settings



Semantic model security tenant setting
Article • 11/21/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Block republish and disable package refresh


Disable package refresh, and only allow the semantic model owner to publish updates.

To learn more about semantic model security, see Semantic model permissions.

Related content
About tenant settings



Advanced networking tenant settings
Article • 11/02/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Azure Private Link


Increase security by allowing people to use a Private Link to access your Power BI tenant.
Someone will need to finish the set-up process in Azure. If that's not you, grant
permission to the right person or group by entering their email.

To learn how to set up Private Link, see Private endpoints for secure access to Power BI.

Block Public Internet Access


For extra security, block access to your Power BI tenant via the public internet. This
means people who don't have access to the Private Link won't be able to get in. Keep in
mind, turning this on could take 10 to 20 minutes to take effect.

To learn more, see Private endpoints for secure access to Power BI.

Next steps
About tenant settings



Metrics tenant settings
Article • 11/21/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Create and use Metrics


Users in the organization can create and use metrics in Power BI.

To learn more, see Get started with metrics in Power BI.

Related content
About tenant settings



User experience experiments tenant settings
Article • 11/21/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Help Power BI optimize your experience


Enabling this feature allows the Power BI team to gather early feedback and to make
data-driven decisions as to which in-product experience is received more positively by
users.

When this feature is enabled, individual users in the same organization might get minor
variations in the user experience, including content, layout, and design, before these
variations go live for all users. This means that different users in the same tenant might
have slightly different experiences.

Related content
About tenant settings



Share data with your Microsoft 365 services
Article • 11/02/2023

This article is aimed at Fabric administrators and decision makers who need to know
how and where Fabric metadata is being used.

Fabric metadata sharing with Microsoft 365 services is a feature that allows metadata
from Fabric to be shared with Microsoft 365 services (typically via Microsoft Graph) and
combined with data from across Microsoft 365, Windows, and Enterprise Mobility +
Security (EMS) to build apps for organizations and consumers that interact with millions
of users. The feature is enabled by default.

When shared with Microsoft 365 services, Fabric content will be listed in the Quick
Access list on the Office.com home page. The Fabric content affected includes reports,
dashboards, apps, workbooks, paginated reports, and workspaces. The information
required by the Quick Access functionality includes:

The display name of the content
When the content was last accessed
The type of content that was accessed (report, app, dashboard, scorecard, etc.)

See the complete list of Fabric metadata that is shared with Microsoft 365 services.

Data residency
Fabric and Microsoft 365 are distinct and separately operated Microsoft cloud services,
each deployed according to its own service-specific data center alignment rules, even
when purchased together. As a result, it's possible that your Microsoft 365 Services and
your Fabric service are not deployed in the same geographic region.

By default, Fabric metadata is available only in the region where the Fabric tenant is
located. However, you can allow Fabric to share metadata across regions by turning on a
toggle switch in the Users can see Microsoft Fabric metadata in Microsoft 365 tenant
setting. For more information, see How to turn sharing with Microsoft 365 services on
and off.

Where is Fabric data stored?


For more information about data storage locations, see Find the default region for your
organization and Product Availability by Geography.

Where is Microsoft 365 data stored?


For more information about data storage for Microsoft 365, see Where your Microsoft
365 customer data is stored and Multi-Geo Capabilities in Microsoft 365.

How to turn sharing with Microsoft 365 services on and off
Sharing metadata with Microsoft 365 services is controlled by the Users can see
Microsoft Fabric metadata in Microsoft 365 tenant setting. The setting is Enabled by
default. To turn off the feature, or to turn it on again after it's been turned off, go to
Admin portal > Tenant settings > Users can see Microsoft Fabric metadata in
Microsoft 365 and set the toggle as appropriate. Once the setting is enabled or
disabled, it may take up to 24 hours for you to see changes.

By default, Fabric metadata is available only in the region where the Fabric tenant is
located. To allow Fabric to share metadata across regions, set the second toggle switch
to Enabled. When you enable the second toggle, you acknowledge that Fabric metadata
may flow outside the geographic region it's stored in.

Note

The second toggle is visible only when the main sharing toggle is enabled.

Data that is shared with Microsoft 365
The tables below list the data that is shared with Microsoft 365 services.

Item metadata that is mainly used when using the "search" mechanism to look for
Fabric content within your Microsoft 365 services

| Property | What is Shared | Example |
|---|---|---|
| TenantID | Azure AD Tenant Identifier | 762049eb-7a69-4c39-bf19-75a5b7fcce1d |
| ArtifactID | Identifier for the Content Item (report, app, dashboard, scorecard, etc.) | 762049eb-7a69-4c39-bf19-75a5b7fcce1d |
| ACL | Access Control List with permissions and Azure AD User, Security Group and Distribution List Identifiers | {"accessType": "grant", "id" : "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "type" : "read" } |
| DisplayName | Display name for the report, app, dashboard, scorecard, etc. | Retail Analysis Sample |
| WorkspaceName | Workspace name as per Create a workspace | Retail workspace |
| WorkspaceURL | Workspace URL | https://powerbi-df.analysis-df.windows.net/groups/8b5ac04e-89c1-4fc6-a364-e8411dfd8d17 |
| WorkspaceID | Workspace identifier | 8b5ac04e-89c1-4fc6-a364-e8411dfd8d17 |
| URL | Content Item URL for the report, app, dashboard, scorecard, etc. | https://powerbi-df.analysis-df.windows.net/groups/8b5ac04e-89c1-4fc6-a364-e8411dfd8d17/reports/762049eb-7a69-4c39-bf19-75a5b7fcce1d/ReportSection2 |
| SharingLinksURL | Sharing Link as per Share a report using a link | ["https://app.powerbi.com/links/xyz123"] |
| IconURL | | cdn.com/report.png |
| Description | Content description as per Report settings | Sample containing retail sales data |
| Owner/Creator | Azure AD User Principal Name of the User that Created the Content as per Azure AD user principal name | [email protected] |
| CreatedDate | Date the content was created | 2011-06-30T23:32:46Z |
| LastModifiedDate | Last modified date for the content | 2011-06-30T23:32:46Z |
| LastModifiedUser | Azure AD User Principal Name for the last person who modified the content | [email protected] |

User activity that is leveraged for showing Fabric content within your "Recents" and
"Recommended" sections at Office.com

| Property | What is Shared | Example |
|---|---|---|
| LastRefreshDate | Last refresh date for the content | 2011-06-30T23:32:46Z |
| UserID | Azure AD User Principal Name for the user who acted on the content | [email protected] |
| SignalType | The type of action the user took on the content (Viewed, Modified) | Viewed |
| ActorID | User's Azure AD ID for the user who acted on the content | aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee |
| StartTime/EndTime | Date/Time the user performed the action on the content | 2011-06-30T23:32:46Z |

Next steps
About tenant settings



Insights tenant settings
Article • 11/21/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Receive notifications for top insights (preview)


Users in the organization can enable notifications for top insights in report settings.

To learn more about insights, see Find Insights in your reports.

Show entry points for insights (preview)


Users in the organization can use entry points for requesting insights inside reports.

To learn more about insights, see Find Insights in your reports.

Related content
About tenant settings



Datamart tenant settings
Article • 11/21/2023

Datamart tenant settings are configured in the tenant settings section of the Admin
portal. For information about how to get to and use tenant settings, see About tenant
settings.

Create Datamarts (Preview)


When this setting is on, specified users in the organization can create datamarts.

For more information, see Administration of datamarts.

Related content
About tenant settings
Administration of datamarts



Data model tenant settings
Article • 11/21/2023

Fabric administrators can enable or disable data model editing in the service for the
entire organization or for specific security groups, using the setting described in this
article. This setting is configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Users can edit data models in the Power BI service (preview)
Users can edit data models in the Power BI service (preview) tenant settings. This setting
doesn't apply to DirectLake datasets or editing a dataset through an API or XMLA
endpoint.

To learn more, see Enabling data model editing in the admin portal.

Related content
About tenant settings
Edit data models in the Power BI service (preview)



Quick measure suggestions tenant settings
Article • 11/02/2023

These settings are configured in the tenant settings section of the Admin portal. For
information about how to get to and use tenant settings, see About tenant settings.

Allow quick measure suggestions (preview)


When enabled, users can use natural language to generate suggested measures. Quick
measure suggestions assist with the creation of DAX measures using natural language
instead of using templates or writing DAX from scratch.

To learn more, see Quick measure suggestions.

Allow user data to leave their geography


Quick measure suggestions are currently processed in the US. When this setting is
enabled, users get quick measure suggestions for data outside the US.

To learn more, see Limitations and considerations.

Next steps
About tenant settings



Scale-out tenant settings
Article • 11/21/2023

Scale-out tenant settings are configured in the tenant settings section of the Admin
portal. For information about how to get to and use tenant settings, see About tenant
settings.

Scale out queries for large semantic models (Preview)
For semantic models that use the large semantic model storage format, Power BI
Premium can automatically distribute queries across other semantic model replicas
when query volume is high. Scale-out is enabled on a tenant by default.

For more information, see Power BI semantic model scale-out.

Related content
About tenant settings



OneLake tenant settings
Article • 11/21/2023

OneLake tenant settings are configured in the tenant settings section of the Admin
portal. For information about how to get to and use tenant settings, see About tenant
settings.

Users can access data stored in OneLake with apps external to Fabric
Users can access data stored in OneLake with apps external to the Fabric environment,
such as custom applications created with Azure Data Lake Storage (ADLS) APIs, OneLake
File Explorer, and Databricks. Users can already access data stored in OneLake with apps
internal to the Fabric environment, such as Spark, Data Engineering, and Data
Warehouse.

To learn more, see Allow apps running outside of Fabric to access data via OneLake.

Users can sync data in OneLake with the OneLake File Explorer app
Turn on this setting to allow users to use OneLake File Explorer. This app will sync
OneLake items to Windows File Explorer, similar to OneDrive.

To learn more, see OneLake File Explorer.

Related content
About tenant settings
