Power BI Blog: Secure Collaboration in Power BI Desktop

Welcome back to this week’s edition of the Power BI blog series.  This week, we look at how to ensure your data is secured in Power BI Desktop.

If you are working with sensitive data in Power BI or wish to collaborate with teammates, it is possible in Power BI Desktop to ensure your data is secured.  The latest Sensitivity Labels update for Power BI Desktop makes it even easier to protect your files while still working together.

You can set sensitivity labels to classify your Power BI files for confidential or internal use only.  Once applied, you gain the following benefits:

• it will comply with your organisational policies by classifying your data
• it enables sensitivity label continuity back to Power BI Service and Fabric
• it encrypts the file according to your organisation’s requirements.

To open a PBIX file, you either have to be the label issuer or else have permission.  Power BI restricts permission to change or remove sensitivity labels from ‘Purview Information Protection’ that have file encryption settings to authorised users only.

These usage rights grant elevated permission, as they grant permission to change the sensitivity label.  Since Power BI and Office applications use the same label policies, compliance administrators may prefer not to grant these usage rights for highly confidential labels.  This might block you from collaborating with your colleagues when you’re sharing or downloading Power BI reports and trying to open them in the desktop app.

With this upcoming update, working with protected Power BI files has been made simpler, allowing seamless collaboration with protected files.  Now, more users in your organisation can:

• open encrypted PBIX files while remaining compliant to the label permissions
• edit them directly in Power BI Desktop
• republish them securely, but only to the original workspace.
• That means easier teamwork, without compromising security or compliance.
• To maintain protection and policy enforcement, a few limits still apply when working with labelled files:
•  exporting to unsupported formats is blocked, including:
• CSV
• PBIT
• PBIP
• you can only republish it back to its original workspace
• you can’t change the sensitivity label in Power BI Desktop.

These safeguards help prevent accidental leaks and unauthorised distribution.

To take advantage of this update, here’s what needs to be in place:

• Ensure users have the correct usage rights on the sensitivity label.

The Microsoft Purview compliance administrator should assign the following usage rights:
• View Content (VIEW)
• Edit Content (DOCEDIT)
• Save (EDIT)
• Copy and extract content (EXTRACT)
• Allow Macros (OBJMODEL).

These permissions allow users to securely open, edit and republish protected files in Power BI Desktop.  It should be noted that these rights are a subset of the built-in ‘editor’ (previously named ‘co-author’) permission preset in the ‘Microsoft Purview compliance center’

• Enable information Protection in the Power BI Admin Portal.

Power BI administrators must ensure the Information Protection feature is enabled.  No tenant switches or Preview feature toggles in Desktop are required.  Power BI Desktop now makes it simpler and safer to collaborate on sensitive data.  With the new encryption update, you get:
• protection that travels with the file
• secure, real-time collaboration
• no extra configuration or friction.

Whether you’re reporting on financials, customer data or internal KPIs, you can now work confidently and compliantly straightaway.

In the meantime, please remember we offer training in Power BI which you can find out more about here.  If you wish to catch up on past articles, you can find all of our past Power BI blogs here.