Using Sensitivity Labels to Safeguard Data in Power BI

The sensitivity label feature in Power BI allows content creators to classify reports, dashboards, datasets and dataflows with descriptive labels that reflect the sensitivity of data they contain. A simple, efficient means to further enhancing data security, sensitivity labels promote awareness with data consumers so they don’t accidentally share organizational data with those who should not see it.

You can mark content in Power BI with your organization’s configured sensitivity labels. Do this from the settings of a report, dashboard, dataset or dataflow in a Power BI service workspace.

Types of sensitivity labels

Examples of some common sensitivity labels are Public, General, Confidential and Highly Confidential. Power BI also supports sub-labels. A good application of sub-label use is at the department level. For example, highly sensitive financial reports could be marked “Highly Confidential – Finance” and very sensitive information about employees could be marked “Highly Confidential – HR.”

Exporting data with sensitivity labels

While these labels can be viewed in the Power BI mobile app and in certain areas of the Power BI service, the feature really shines when exporting data. Sensitivity labels applied to content in Power BI will follow that content when it is exported to Excel, PDF or PowerPoint. Only those three export formats are currently supported. And a Power BI administrator can turn off the ability to export to unsupported formats.

For example, the CSV file format knows nothing about sensitivity labels, so if your organization requires sensitivity labels to follow exported data, then CSV exports should be turned off. Embedded reports also show a banner containing sensitivity label information when applied.

Access to content is still the job for permissions, which get applied by Power BI administrators and via sharing features. The intent of sensitivity labels is to raise awareness with employees that content needs to be protected, both digitally and physically. If that content is exported and printed, the sensitivity label follows that exported or printed content. Additionally, sensitivity labels talk to the Microsoft Security & Compliance Center, which allows authorized IT staff to monitor use and research compromises if they occur.

Limitations with sensitivity labels in Power BI

There are several limitations with sensitivity labels in Power BI. Sensitivity labels do not currently export to the PBIX file when downloaded from Power BI service for use in Power BI desktop.

Also, labels that are set to force encryption or watermarks in other Microsoft files, for example Word or Excel, don’t currently carry over to Power BI content. Nor does Power BI currently have a watermark feature. If you export from Power BI to one of those formats, the force encryption and watermark features start being applied to those exported files. Likely this ability will be brought into alignment in Power BI at some point in the future.

Sensitivity label administration

Sensitivity labels in Power BI are part of a broader Microsoft Information Protection system. They are configured at the organizational level by a user who has been assigned a global administrator or security administrator role.

There are three places where these labels can be configured, but the configuration tool is the same in all of these areas: Microsoft 365 compliance center, Microsoft 365 security center or the Security & Compliance center.

After navigating to one of those locations, create the desired labels and publish them for organizational use.

An Azure Information Protection Premium P1 or P2 resource must also be created in Azure. Power BI rides on top of the Azure platform, so Power BI taps into this resource for access to and monitoring sensitivity label information.

Lastly, a Power BI Administrator then needs to turn on the sensitivity label setting in Power BI under Admin portal > Tenant Settings. The feature can be enabled for the entire organization or just for specific security groups.

Monitoring use

Use reporting and analytics are also available in multiple areas of the Microsoft cloud. The Microsoft 365 compliance center and Microsoft 365 security center contain use reporting in a “Label Analytics” report. In addition, the Power BI admin portal also contains a fairly simple protection metrics report that speaks to how many reports, dashboards, datasets and dataflows have sensitivity labels applied.

An efficient, easy way to enhance data security

One of the biggest threats to data security is driven by exported data from operational systems. Sensitivity labels are a useful tool you can give your Power BI content creators to help safeguard your company’s data. Consistent use and education through the organization is still required—and vital—to keeping content confidential. By consistently using sensitivity labels in Power BI and with proactive analysis by administrators, your company can vastly enhance data security with minimal effort.

We expect to see the capabilities of this feature in Power BI to expand over time to better align with other Office app capabilities. With robust use, this feature will allow IT to be well prepared to respond to requests from security auditors and meet a variety of compliance standards.

Row-level security is another excellent tool for effectively safeguarding data. It allows you to control user access to reports and the data slices within them. See our on-demand webinar How to Set Up Row-Level Security in Power BI.

Your data is an invaluable corporate asset. If you’re not confident you have Power BI locked down, or to ensure you are using the best security measures possible in your BI environment, we can help. We can perform a security review and let you know where you have holes, if any. Contact us.

Connect with Senturus

Sign up to be notified about our upcoming events

Back to top