Admin in a Day

Power BI Advanced

Doaa Eltahan

© 2021 Microsoft. All rights reserved.

 Agenda

• Day 1
• Understanding the Power BI Administrator Role
• Providing Governance in a Power BI Environment
• Establishing a Power BI Environment
• Tenant Settings walkthrough
• Day 2
• Facilitating Collaboration and Sharing
• Usage Monitoring and Auditing
• Establishing a Data Access Infrastructure
• Gateway
• Broadening the reach of Power BI
• Automating Power BI Administration

© 2021 Microsoft. All rights reserved.

Power BI
Admin in a Day

Introduction to Power BI

© 2021 Microsoft. All rights reserved.

Power BI – Experience Your Data

Any data, any way, anywhere

© 2021 Microsoft. All rights reserved.

 Tools

• Power BI Desktop
• Query Editor
• Data Modeling
• Visualization
• Power BI Service
• Datasets
• Reports
• Dashboards
• Workspaces (V2)
• Apps
• Dataflows
© 2021 Microsoft. All rights reserved.
Power BI
Admin in a Day

Understanding the Power BI

Administrator Role
© 2021 Microsoft. All rights reserved.
Are you a Steward or a Captain

Self Service Enterprise

Power BI steward Power BI captain

Monitors the users in a Power BI environment. Responsible for the safe and efficient operation of a
Power BI environment.
Establishes processes, policies, and guidelines Limits what users can do in a Power BI environment
to help users take the right actions in to ensures compliance with local and international
compliance with local and international laws as laws as well as organizational policies.
well as organizational policies.
Cares about all resources/solutions in the Power BI
Moves the organization towards a culture that
environment. It doesn’t matter what
views data as a competitive asset.
resources/solutions are shared with the admin’s user
account. © 2021 Microsoft. All rights reserved.
 Power BI Administrator Role

No admin perms needed to register Apps!

Administrator type Scope

Office 365 Global Administrator Office 365

Office 365 Billing Administrator Office 365

Power BI Service Administrator Power BI

Power BI Capacity Administrator A single capacity

(Premium or Azure)
Power BI App Workspace A single app workspace
Administrator
Power Platform Service Power Platform
Administrator © 2021 Microsoft. All rights reserved.
Typical Admin Tasks

Global Admin
• Assigning licenses
• Audit logging

Power Platform Administrator

• Manage Gateways (coming soon)

Power BI Administrator
• Controlling access
• Controlling Power BI tenant features
• Manage Gateways
• Activity Log
• Monitoring usage © 2021 Microsoft. All rights reserved.
 Typical Admin Tools

• Power BI Admin Portal

• Power BI Gateway Management
• Power Platform Admin Center
• Microsoft 365 Admin Center
• Security & Compliance Center
• Azure Active Directory Portal
• PowerShell
• REST APIs

© 2021 Microsoft. All rights reserved.

Power BI
Admin in a Day

Providing Governance in a
Power BI Environment
© 2021 Microsoft. All rights reserved.
Role of Administration and Governance

IT / BI Teams Business Users

Data Enterprise Requirements Ad hoc analysis

Collaboration
Engineering Reporting Gathering and reporting

Central IT
Training and Education

Data Governance

Enabling Business Process & Access control

Procurement & Administration

© 2021 Microsoft. All rights reserved.
Elements of Data Governance

Visibility Control Compliance

Understand Enforce Configure the

system state policies for system to
and activity use of the achieve
system compliance
requirements

© 2021 Microsoft. All rights reserved.

 Configure Tenant Settings

• Part of Power BI Admin Portal

• Global Admin or Power BI Service Administrator or Power Platform Service
Admin
• Provides for granular settings
• Controls tenant level operations

Example: You can disable Publish to Web!

© 2021 Microsoft. All rights reserved.

Deploying Organizational Visuals

• Managed in Power BI Admin Portal

• Establish approval process for usage of custom visuals
• Used to distribute internal custom visuals to organization
• Can also list blessed custom visuals

© 2021 Microsoft. All rights reserved.

Managing Embed Code

• Embed codes generated from Publish to Web

• Users can manage their own embed codes
• Admins can control all embed codes in tenant through Admin Portal

© 2021 Microsoft. All rights reserved.

 Help and Support Settings

• Power BI customizes help and

support links in help menu to
point your users to specific
organizational content
• In Admin Portal ->Tenant
settings -> Publish “Get Help”
information toggle the
Disabled button to Enabled,
and then provide appropriate
URLs to your company’s sites
for training documentation,
discussion forums, and help
desk
© 2021 Microsoft. All rights reserved.
 Help and Support Settings

• Customize the link to

acquire a Power BI license
• Customize the target URL of
the Upgrade account
button
• Guides users through the
process defined in your
organization
• For Power BI Support and
status use
https://support.powerbi.co
m/
© 2021 Microsoft. All rights reserved.
Admin oversight of sensitive data

Power BI admins will have full

visibility to sensitive data labeling
in their Power BI tenant

Information about alerts and

insights from Microsoft Cloud App
Security

Admins can continue the

investigation inside the Microsoft
Cloud App Security portal using
their Power BI admin user
Long-term Usage and Performance Insights (Preview)

Supported in Premium Gen1 and Gen2 workspaces hosted

in Power BI Premium, Premium Per User (PPU) and Power
BI Embedded capacities.

Full visibility into Power BI usage and performance.

Visualize historical data to observe usage trends, spot

periods of unusual load, and identify performance
degradation.

Isolate activities by time range, capacity, dataset, user,

report and more.

Investigate internal operations within a query or dataset

refresh to see where time is being spent.
Long-term Usage and Performance Insights (Preview)

Which is the most popular dataset?

What Insights can I get? What operations generate the most load?
Who are the most active users?
Is query/refresh performance consistent?
Are there any periods of excessive activity?
This first milestone in the Insights roadmap What queries or refreshes are executed in a specific time
exposes Analysis Services engine events. period?
Which are the slowest operations?

Analysis Services engine events are about Power What is contributing to query/refresh slowness?
BI datasets and are very useful in understanding What queries/refreshes spend the most time waiting for
engine load, query performance and refresh data from external sources?
behavior. What DQ queries is Power BI sending to external data
sources?
Power BI
Admin in a Day

Establishing a Power BI
Environment
© 2021 Microsoft. All rights reserved.
The Tenant/Your Organization

Office 365 Bubble

• Azure Active Directory is the foundation Azure Active

• Shared accounts and groups Directory
• Includes subscriptions and licenses
Office 365

Power BI

© 2021 Microsoft. All rights reserved.

Choosing Your Data Center

Power BI Tenant created in Azure Data Center

Not possible to select Power BI location directly (more on this later)

Based on Office 365 country or Azure Active Directory data center

Think about other Azure services! Could result in egress charges!

© 2021 Microsoft. All rights reserved.

User Accounts vs Guest Accounts

User Accounts
• Exist within the organization
• Can create and consume content based on access and license
• Mobile app can be used

Guest Accounts
• External to the organization
• Part of Azure AD B2B & B2C
• Can consume, edit and manage content
• Must have direct URL to shared content
• Can be consumer accounts (@outlook.com, @Hotmail.com, @gmail.com)
• Mobile app can be used
© 2021 Microsoft. All rights reserved.
Licensing

Power BI Power BI Pro Power BI Premium

Desktop

App download Licensed by user Licensed by user Licensed by capacity

Free report Quick, easy-to-use All the capabilities of An add-on to Power

authoring and self-service analytics Power BI Pro with BI Pro for projects
ad-hoc data for users requiring Premium per user requiring large scale
exploration collaboration, with Premium data, demanding
dashboard sharing, feature performance performance, and
ad hoc analysis, and the ability to
report publishing distribute content
without requiring per
user licensing
© 2021 Microsoft. All rights reserved.
Power BI Premium Feature Comparison

© 2021 Microsoft. All rights reserved.

 Power BI Premium per User (PPU)

• New way to license premium features on

a per user basis
• Includes capabilities of Pro
• No dependency on authors publishing to
Premium
• PPU can be turned on for any workspace
• User must have PPU license to access
Premium Per user workspace

© 2021 Microsoft. All rights reserved.

Guest Licensing

Use Power BI Power BI Pro Bring Own Power

Premium to guest user BI Pro

© 2021 Microsoft. All rights reserved.

 License Assignment

• Power BI (Free) assigned

with viral sign-up
• Assigned via O365
Admin Center, Azure
Portal or PowerShell
• Group based licensing
through Azure Active
Directory

© 2021 Microsoft. All rights reserved.

 Understanding Pro Trials

• Two Pro trials

60 day In Service trial
30-day Power BI Pro trial within O365 Admin Center (25 Licenses)
• In service trial is an individual opt-in scenario
• Admins can block or revoke
• In service trial may opt in during user sign up if user doesn’t exist
• When trial expires, user is reverted to a non-Pro experience

© 2021 Microsoft. All rights reserved.

 Premium Per User Trials

• Two Premium Per User trials

In Service trial
Premium Per User trial within O365 Admin Center
• Any user can access In Service trial
• Trial experiences through O365 can be enabled through the portal

© 2021 Microsoft. All rights reserved.

Configuring B2B Trust/Enabling & Monitoring

Power BI integrates with Azure Active

Directory Business to Business to allow
secure distribution of Power BI content to
guest's users, while still maintain control
and governing access

Planned invites for large number of users

using PowerShell
• Add the user in Azure AD
as a new guest user
• Edit invitation to be sent
Or
• Add user directly to the Power BI
workspace © 2021 Microsoft. All rights reserved.
Tenant Settings
Objectives
After completing this lesson, you will be able to:

 What is the Tenant settings

 Going through the different settings
About tenant settings

 Tenant settings that control the availability of features in the Power BI user
interface can help to establish governance policies. It can take up to 15
minutes for a setting change to take effect for everyone in your organization.
How to get to the tenant settings

 Go to the Admin portal and select Tenant settings.

How to use the tenant settings

 Many of the settings can have one of three states:

Tenant setting sections
The sections of the tenant settings page are listed in the table below.
• Help and support settings
• Workspace settings
• Information protection
• Export and sharing settings
• Discovery settings
• Content pack and app settings
• Integration settings
• Power BI visuals
• R and Python visuals settings
• Audit and usage settings
• Dashboard settings
• Developer settings
• Admin API settings
• Dataflow settings
• Template app settings
• Q&A settings
• Dataset Security
• Advanced networking
• Metrics settings
• User experience experiments
• Share data with your Microsoft 365 services
• Insights settings
• Quick measure suggestions settings
Microsoft Fabric
Data Activator
 Turn on Data Activator Preview to
allow users to define a specific set of
conditions about their data, and then
receive notifications when those
conditions are met. After they receive
notifications, users can take action to
correct the change in conditions. This
setting can be managed at both the
tenant and the capacity levels
Microsoft Fabric
Users can create Fabric items
 Users can use production-ready features to
create Fabric items. Turning off this setting
doesn't impact users’ ability to create Power BI
items. This setting can be managed at both the
tenant and the capacity levels.
Microsoft Fabric
Overview of Sustainability data solutions in Microsoft Fabric (preview)
 Sustainability disclosures, analytics and
reduction require rich environmental, social, and
governance data that originate from disparate
sources and need to be unified to improve its
efficiency and value. The Sustainability data
solutions in Microsoft Fabric (preview) feature
provides unique capabilities to ingest,
harmonize, and process disparate data for
specific sustainability scenarios.
Microsoft Fabric
Users can create and use data workflows (preview)

Data workflows are powered

by Apache Airflow and offer
an integrated Apache Airflow
runtime environment,
enabling users to author,
execute, and schedule
Python DAGs. This setting
can be managed at both the
tenant and the capacity
levels.
Microsoft Fabric
Database Mirroring (preview)

Users can connect to and

continuously replicate data
from an external database
into Fabric OneLake via Delta
tables. Once in OneLake, users
can operationalize the data
(i.e., run analytics with Spark,
execute notebooks, visualize
through Power BI Reports,
etc.). This setting can be
managed at both the tenant
and the capacity levels.
Microsoft Fabric
Product Feedback

This setting allows Microsoft to prompt

users for feedback through in-product
surveys within Microsoft Fabric and
Power BI. Microsoft will use this
feedback to help improve product
features and services. User participation
is voluntary.
Help and support tenant settings
Publish "Get Help" information

• Learn
• Community
• Licensing upgrades
• Get help
Help and support tenant settings
Receive email notifications for service outages or incidents

 Mail-enabled security groups will receive email notifications if this tenant is

impacted by a service outage or incident. Learn more about
Service interruption notifications.
Users can try Microsoft Fabric paid features
Help and support tenant settings

Admins can provide a custom message

that appears before a user publishes a
report from Power BI Desktop. After you
enable the setting, you need to provide
a Custom message. The Custom message
can be plain text or follow Markdown
syntax, as in the following example
message:

The Custom message text area does

support scrolling, so you can provide a
message up to 5,000 characters.
Domains

To meet this challenge, organizations

are shifting from traditional IT centric
data architectures, where the data is
governed and managed centrally, to
more federated models organized
according to business needs. This
federated data architecture is
called data mesh. A data mesh is a
decentralized data architecture that
organizes data by specific business
domains, such as marketing, sales,
human resources, etc
Domain management settings
Allow tenant and domain admins to override workspace assignments (preview)

This setting controls whether tenant

and domain admins can override
existing workspace domain
assignments. When disabled, tenant
and domain admins cannot reassign a
workspace that is already assigned to a
domain to another domain. When
enabled, they can override such
assignments. The setting is enabled by
default.
Workspace tenant settings
Create the new workspaces
Workspace tenant settings
Use semantic models across workspaces

Admins can control which users in the

organization can use datasets across
workspaces. When this setting is
enabled, users still need the required
Build permission for a specific dataset.
Workspace tenant settings
Block users from reassigning personal workspaces (My Workspace)

Turn on this setting to prevent users

from reassigning their personal
workspaces (My Workspace) from
Premium capacities to shared
capacities.
Workspace tenant settings
Workspace retention
Turn on this setting to define a retention period
during which you can restore a deleted workspace
and recover items in it. At the end of the retention
period, the workspace is permanently deleted. By
default, workspaces are always retained for a
minimum of 7 days before they're permanently
deleted.

Turn off this setting to accept the minimum

retention period of 7 days. After 7 days the
workspace and items in it will be permanently
deleted.

Enter the number of days to retain a workspace

before it's permanently deleted. My Workspace
workspaces will be retained for 30 days
automatically. Other workspaces can be retained for
up to 90 days.
Govern My workspaces

•Gain access to the contents of

any user's My workspace
•Designate a default capacity for
all existing and new My works
paces
•Prevent users from moving My
workspaces to a different capac
ity that might reside in noncom
pliant regions
•Restore deleted My workspaces
as app workspaces
Information protection
Information protection
Increase the number of users who can edit and republish
encrypted PBIX files (preview)

When enabled, users with

restrictive sensitivity permissions on an
encrypted sensitivity label can open, edit,
publish, and republish PBIX files protected
by that label, with restrictions (provided
that the appropriate
preview feature switch in Power BI
Desktop is on).
Export and Sharing
Allow Azure Active Directory guest users to access and edit Power BI
Export and Sharing
Publish to Web
1) You can find Publish to 2) The Publish to web setting in the
web under File > Embed report when admin portal gives options for which
the Publish to web setting is enabled. users can create embed codes.
Export and Sharing

Copy and paste visuals Export to Excel and CSV

Download Reports
Export and Sharing

Allow live connections Export reports as PowerPoint

presentations or PDF documents

Print dashboards and reports

Create email subscriptions
Export and Sharing

Microsoft Teams integration in the Allow shareable links to grant access to

everyone in your organization
Power BI service
Discovery

Discoverability is a feature that

makes it possible for users to find
endorsed datasets that they don't
have access to. Without
discoverability, the full value of
endorsement, that is, directing users
to quality data, is not fully realized.
Content pack and app

Publish content packs and apps

to the entire organization

Push apps to end users

 Integration

Allow XMLA endpoints Map and filled map

and Analyze in Excel Use global search
visuals
with on-premises for Power BI
semantic models
Cross Distribution - XMLA End Points

Helps building solutions with Power

BI datasets

Enables Single source of truth

Value of semantic model available

across 1st and 3rd party tools

Single consistent XML/A endpoint

that is an industry standard
PowerBI visuals
PowerBI visuals

1.Expand the Allow visuals created using the Power BI

SDK settings.
2.Select Enabled.
3.Choose who can upload .pbiviz and AppSource visuals:
1. Select The entire organization option to allow everyone
in your organization to upload .pbiviz files, and add
visuals from AppSource.
2. Select the Specific security groups option to manage
uploading .pbiviz files, and adding visuals from
AppSource using security groups. Add the security
groups you want to manage to the Enter security
groups text bar. The security groups you specified are
excluded by default. If you want to include these security
groups and exclude everyone else in the organization,
select the Except specific security groups option.
4.Select Apply.
PowerBI visuals

Certified Power BI visuals are visuals that meet the

Microsoft Power BI team code requirements. They're
tested to verify that they don't access external
services or resources, and that they follow secure
coding patterns and guidelines.

When this setting is enabled, only certified Power BI visuals will

render in your organization's reports and dashboards. Power BI
visuals from AppSource or files, that aren't certified, will return an
error message.
1.From the admin portal, select Add and use certified visuals
only.
2.Select Enabled.
3.Select Apply.
Power BI visuals

When this setting is enabled, users can download data from a

custom visual into a file on their storage device.
1. Expand the Allow downloads from custom visuals settings.

2. Select Enabled.

3. Choose who can download files:

• Select The entire organization option to allow everyone in your organization to

download data from a visual into a file.
• Select the Specific security groups option to limit downloading files to specific
security groups. Enter the security groups you want in the Enter security groups
text bar. The security groups you specified are included by default. If you want
to exclude these security groups and include everyone else in the organization,
select the Except specific security groups option.

4. Select Apply.
Organizational visuals
R & Python visuals

R visuals currently can only be created

in Power BI Desktop, and then
published to the Power BI service.
Audit and Usage

When this setting is on, users in the

organization can see usage metrics
for dashboards, reports, and
datasets that they have appropriate
permissions
Audit and Usage

• Per-user data is enabled for

usage metrics by default, and
content creator account
information is included in the
metrics report.
• If you do not wish to gather this
information for all users, you can
disable the feature for specified
security groups or for an entire
organization.
• Account information for the
excluded users will then show in
the report as Unnamed.
Audit and Usage
Azure Log Analytics connections for workspace administrators
• Power BI is integrating with
Azure Log Analytics to enable
administrators and Premium
workspace owners to configure a
Log Analytics connection to their
Power BI subscription.
Dashboard
Developer Settings

• Users in the organization can embed

Power BI dashboards and reports in
Software as a Service (SaaS)
applications. Disabling this setting
prevents users from being able to
use the REST APIs to embed Power
BI content within their application.

• Power BI embedded analytics allows

you to embed your Power BI items
such as reports, dashboards and
tiles, in a web application or in a
website.
Developer Settings

• Web apps registered in Azure Active

Directory (Azure AD) will use an
assigned service principal to access
Power BI APIs without a signed in
user.
• To allow an app to use service
principal authentication its service
principal must be included in an
allowed security group.
Day 2
 Agenda

• Day 1
• Understanding the Power BI Administrator Role
• Providing Governance in a Power BI Environment
• Establishing a Power BI Environment
• Tenant Settings walkthrough
• Day 2
• Facilitating Collaboration and Sharing
• Usage Monitoring and Auditing
• Establishing a Data Access Infrastructure
• Gateway
• Broadening the reach of Power BI
• Automating Power BI Administration

© 2021 Microsoft. All rights reserved.

Developer Settings

• An app owner with many customers

can use service principal profiles as
part of a multi-tenancy solution

• To enable better customer data

isolation and establish tighter
security boundaries between
customers.
Developer Settings

• For extra security, you can block the

use of resource key-based
authentication.
• The Block ResourceKey
Authentication setting applies to
streaming and PUSH datasets.
• If disabled, users will not be allowed
send data to streaming and PUSH
datasets using the API with a
resource key.
Admin API
Automation with Power BI REST API
Automate various tasks with powerful Power BI REST APIs.
Activities on Power BI Artifacts

Admin APIs
• Need to be Power BI Service Admin / Global Admin

Regular APIs
• Can be used to enumerate / operate and perform activities on the Power BI
Entities programmatically. Operations are grouped under – Dashboards,
Reports, Datasets and so on.
• Can be scripted through PowerShell, Python or any other means of calling
the REST API.
• Usual flow includes – Getting the token and using the token to perform
activities.
Sample Operations

Operation group Description

Admin Operations for working with administrative tasks.
Available Features Operations that return available features.
Capacities Operations for working with capacities.
Dashboards Operations for working with dashboards
Datasets Operations for working with datasets
Embed Token Operations for working with embed tokens.
Gateways Operations for working with gateways.
Groups Operations for working with groups.
Imports Operations for working with imports.
Push Datasets Operations for working with push datasets.
Reports Operations for working with reports.
Power BI API with Service Principal

Allow users access resources or

perform operations using Power BI
API without the need for a user to
sign in or have a Power BI Pro license.

Steps:
• Register a server-side web
application in AAD to use with
Power BI.
• Enable the admin toggle in the
Admin portal
Scanner APIs

Extracts metadata using Power BI Admin REST APIs

• Tenant-level metadata
• Dataset Tables and Columns
• Measures
• DAX Expressions
• Mashup Queries
Scanner APIs – How does it work

Caching Mechanism

• Ensures capacity resources are not impacted

• Caching happens after every successful dataset

refresh and republish, provided:

• The Enhance Admin APIs responses with

detailed metadata setting is enabled

• There has been a call to the scanner APIs

within the 1 year up to 10 year
Data flow
Template app settings
Template app settings

• Users in the organization can create

template apps workspaces.

• Control which users can publish

template apps or distribute them to
clients outside your organization by
way of AppSource or other
distribution methods.
Template app settings

• Control which specific users or

security groups can install template
apps from AppSource.
Template app settings

• Control which users in the

organization can download and
install template apps not listed on
AppSource.
Q & A settings
Dataset Security
Advanced Networking
Matrices settings

Allow usage of using the Metrices tab

and set up scorecard and goals
User experience experiments

Recommended to have it available to

Power BI admins only
Share data with M365 services

• When shared with Microsoft 365

services, Power BI content will be listed
in the Most Recently Viewed list on the
Office.com home page. The Power BI
content affected includes reports,
dashboards, apps, workbooks,
paginated reports, and workspaces. The
information required by the Most
Recently Viewed functionality includes:
• The display name of the content
• When the content was last accessed
• The type of content that was accessed
(report, dashboard etc.)
Insights settings

Power BI automatically runs insights

analysis when you open a report. The
light bulb in the action bar turns yellow
and toast notifications are shown if
there are Top insights for visuals in
your current report page.
Enabling data model editing in the admin portal and
workspace level
Quick measure suggestions
Scale out queries for large semantic models

•Your workspace resides on a Power BI

Premium capacity:
• Premium Per User (PPU)
• Power BI Premium P SKUs
• Power BI A SKUs for Power BI
Embedded (also known as
embed for your customers).
• Fabric F SKUs
Power BI
Admin in a Day

Facilitating Collaboration and

Sharing
© 2021 Microsoft. All rights reserved.
 My Workspace vs Workspaces vs Apps
My Workspace
• Personal sandbox for individual user
• Every user has this
• IF IN DOUBT DO NOT USE

Workspace https://powerbi.microsoft.com/en-
• Workspace used for collaboration us/blog/duplicating-workspaces-by-
• Can be specific to a team or subject area using-power-bi-cmdlets/
• When in doubt, use this!
• Pro feature

Apps
• Based on the workspace, packaged content and publishes/shares
• Used for broad distribution of consumable content (View only)
• May require Pro license if not backed with Premium
• Apps can be pushed to groups © 2021 Microsoft. All rights reserved.
Application Life Cycle Management
Scenario 1: Using Workspace as Dev and App as Prod.
Application Life Cycle Management
Scenario 2: Different Workspaces / Apps for Dev/Test/Prod. (Manual)
Application Life Cycle Management
Scenario 3: Different Workspaces / Apps for Dev/Test/Prod. (Custom Automation)
Application Life Cycle Management
Scenario 3: Different Workspaces / Apps for Dev/Test/Prod. (OOTB Automation through Deployment
Pipelines)
Deployment Pipelines
Deployment Pipelines

Clone content from one stage in the pipeline to

another

The connections between the copied items are

kept during the copy process

Power BI will also apply configured deployment

rules to the updated content in the target stage
Scenario – DevOps for moving from Dev to Prod

Multiple Approaches
• Dev Workspace to Prod Workspace – CloneReport and RebindReport.
• Using Parameter – Data source is defined as a parameter. So we can use
CloneReport and UpdateParameters.
Permissions in Workspaces v2

Role Definition
Admin Can change and delete workspaces
Add Admins
Everything a Member can do
Member “Reshare” – add new users to be Members or
lower permissions
Publish and update Apps
Everything a Contributor can do
Contributor Add/edit/delete content within the workspace
Everything a Viewer can do

Viewer View content within the workspace

Replaces read-only workspaces © 2021 Microsoft. All rights reserved.
Apps Slide

© 2021 Microsoft. All rights reserved.

Sharing

• Can share Reports and Dashboards

• Share can be to external users by way of Azure AD B2B and B2C
• Sharing to external users can be disabled in Tenant settings
• Access can be revoked by content owner

© 2021 Microsoft. All rights reserved.

 Publish to Web

• Generates Embed code Covered in more

depth later
• No authentication required (not secure!!!)
• Great for Public Relations!

© 2021 Microsoft. All rights reserved.

 Embedding and Linking in Portals

• Embedding via SPO Web Part or Teams integration

• URLs to shared content can be listed in emails or
on web sites.

Will be reviewed in detail

later today
© 2021 Microsoft. All rights reserved.
Data Sensitivity Labels

• Power BI can integrate with Microsoft Information Protection and Microsoft

Cloud App Security to provide greater control and visibility over sensitive
data in Power BI
• Certain users/security groups can classify and apply sensitivity labels to their
Power BI dashboards, reports, datasets, and dataflows.
• All members of the organization can see those labels.
• Data sensitivity labels promote data protection by making Power BI authors
and consumers aware of data sensitivity.
• Power BI data that has a data sensitivity label is exported to an Excel,
PowerPoint, or PDF file, its data sensitivity label goes with it.

© 2021 Microsoft. All rights reserved.

Data Protection
Classify and label Power BI artifacts with sensitivity labels

Data owners apply Microsoft

Information Protection (MIP)
sensitivity labels for datasets,
reports, dashboards and dataflows.

These are the same sensitivity

labels that can be used to classify
and label Office 365 files, like Excel,
Power Point
and Word and emails
in Exchange.
Data Protection
Integration with MIPs
Sensitivity labels in Power BI Desktop (Preview)
Sensitivity can be applied to a Power BI workbook (.pbix file) and inherited by the related dataset
and reports
Data Protection
Label and Protect data exported from Power BI to files

Extend protection and governance

policies to exported data from
Power BI to files

Initially applicable when exporting

files to Excel, Power Point and PDF
files
Data Protection
End to end persistence of labels.
Data Protection
Implementing Row Level Security

Requirement where different users should only

access some of the data in a dataset.

Approach: Single Shared Dataset, Multiple

Reports using Power BI Service Live Connections.

Approach: Data Sources that support role-based

access would be best bet if there are numerous
datasets with same kinds of data available.

Can significantly lower the risk of inconsistencies,

errors and maintenance hassle.
Dynamic RLS – Sample Schema
Power BI
Admin in a Day

Usage Monitoring and

Auditing
© 2021 Microsoft. All rights reserved.
Admin Portal – Usage Metrics

• Some of the information on

there is useless (eg.
“packages”)

• Not usage by month, but

most active
report/dashboard creators

• New admin usage metrics

are constantly released

© 2021 Microsoft. All rights reserved.

Usage Metrics for Dashboards & Reports

• Ability to see usage

of individual
dashboards and
reports

• May differ from audit

log numbers due to
how it is collected

• Can create reports

with underlying
dataset
© 2021 Microsoft. All rights reserved.
Usage Metrics for Dashboards & Reports –
New Version
• Will only be available in v2
workspaces

• Will contain basic perf

numbers for reports

• Built on top of a brand-new

infrastructure for collecting
and storing usage
information – more reliable,
more scalable, and based on
audit events, so no
inconsistencies any longer
between audit log and usage
metrics report © 2021 Microsoft. All rights reserved.
 Audit Logs

• Disabled by default
• Can use data to
understand usage in
Power BI Tenant
• Users assigned E5: 1
year retention can be
extended to up 10
years
• In-Region Auditing
• PowerShell access

© 2021 Microsoft. All rights reserved.

 Activity Log
• Activity Log is an API that helps Power BI service admins track user and admin activity
• There are some key differences between audit log and Power BI activity log

Unified Audit Log Power BI Activity Log

Includes events from SharePoint Online, Exchange Online, Only includes the Power BI auditing events.
Dynamics 365, and other services in addition to the Power BI
auditing events.
Only users with View-Only Audit Logs or Audit Logs Global admins and Power BI service admins have access.
permissions have access, such as global admins and auditors.

Global admins and auditors can search the unified audit log by There’s no user interface to search the activity log yet.
using Office 365 Security & Compliance Center, the Microsoft
365 Security Center, and the Microsoft 365 Compliance Center.

Global admins and auditors can download audit log entries by Global admins and Power BI service admins can download
using Office 365 Management APIs and cmdlets. activity log entries by using a Power BI REST API and
management cmdlet.
© 2021 Microsoft. All rights reserved.