Power BI Hardening Guide
Microsoft BI security for tenant settings, gateway credentials, and embed controls
Overview
Microsoft Power BI delivers business intelligence over data connections to enterprise sources. Its REST API, embed tokens, on-premises data gateways, and dataflows all reach sensitive business data, so a compromised identity, token, or gateway credential exposes executive dashboards, financial reports, and aggregated business intelligence through the Microsoft 365 ecosystem.
Intended Audience
- Security engineers managing BI platforms
- Power BI administrators
- GRC professionals assessing analytics security
- Third-party risk managers evaluating Microsoft integrations
1. Authentication & Access Controls
1.1 Enforce Conditional Access
Profile Level: L1 (Baseline) NIST 800-53: IA-2(1)
ClickOps Implementation
Step 1: Configure Conditional Access (Microsoft Entra ID, formerly Azure AD)
- Navigate to: Microsoft Entra ID → Protection → Conditional Access
- Create a policy that targets the Power BI Service cloud app (not "all cloud apps" only, so the policy survives later exclusions)
- Require MFA for all users; the Power BI service, mobile apps, and Desktop sign-ins all honor the policy
- Require a compliant or hybrid-joined device; deploy in report-only mode first and review sign-in logs before enforcing
Step 2: Enable Sensitivity Labels
- Navigate to: Power BI Admin Portal → Tenant settings
- Enable: Information protection
- Configure label inheritance
1.2 Workspace Access Controls
Profile Level: L1 (Baseline) NIST 800-53: AC-3, AC-6
ClickOps Implementation
Step 1: Define Workspace Roles
| Role | Permissions |
|---|---|
| Admin | Full workspace control: manage users and roles, delete the workspace, publish and update apps |
| Member | Create, edit, and publish content; share content and add users with lower roles; publish and update apps |
| Contributor | Create, edit, and publish content; cannot share or manage users (app updates only if an Admin allows it) |
| Viewer | View and interact with reports and dashboards only; no edit, export, or share beyond what tenant settings allow |
Step 2: Configure Workspace Settings
- Create workspaces per team
- Assign minimum required roles
- Limit external sharing
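The least-privilege review above can be scripted against the admin API rather than clicked through per workspace. The following is an added example for this guide, not Microsoft's or the guide author's tooling: it evaluates the JSON returned by `GET https://api.powerbi.com/v1.0/myorg/admin/groups?$top=100&$expand=users` (fields `name`, `users[].emailAddress`, `users[].groupUserAccessRight`, `users[].principalType`) and flags workspaces that exceed an admin limit, give guests more than Viewer, have no Admin at all, or make a service principal an Admin. The response is constructed, and the thresholds and the `#EXT#` guest heuristic are assumptions to tune for your tenant.

```python
"""Least-privilege audit of Power BI workspace roles (added example, not from the guide)."""
import json

MAX_ADMINS = 2                    # assumption: more than two Admins per workspace is a finding
GUEST_ALLOWED_ROLES = {"Viewer"}  # assumption: B2B guests may only view

SAMPLE_RESPONSE = {  # constructed sample of GET /admin/groups?$expand=users, not real tenant data
    "value": [
        {"id": "w1", "name": "Finance", "type": "Workspace", "state": "Active", "users": [
            {"emailAddress": "cfo@contoso.com", "groupUserAccessRight": "Admin", "principalType": "User"},
            {"emailAddress": "fin-analyst@contoso.com", "groupUserAccessRight": "Contributor", "principalType": "User"},
            {"emailAddress": "auditor_partner.com#EXT#@contoso.onmicrosoft.com",
             "groupUserAccessRight": "Member", "principalType": "User"},
        ]},
        {"id": "w2", "name": "Sales", "type": "Workspace", "state": "Active", "users": [
            {"emailAddress": "a@contoso.com", "groupUserAccessRight": "Admin", "principalType": "User"},
            {"emailAddress": "b@contoso.com", "groupUserAccessRight": "Admin", "principalType": "User"},
            {"emailAddress": "c@contoso.com", "groupUserAccessRight": "Admin", "principalType": "User"},
            {"displayName": "embed-sp", "identifier": "0000-app", "groupUserAccessRight": "Admin", "principalType": "App"},
        ]},
        {"id": "w3", "name": "HR", "type": "Workspace", "state": "Active", "users": [
            {"emailAddress": "hr@contoso.com", "groupUserAccessRight": "Viewer", "principalType": "User"},
        ]},
    ]
}


def is_guest(user: dict) -> bool:
    """Heuristic (assumption): B2B guest principals carry '#EXT#' in their UPN.
    The authoritative check is userType == Guest in Microsoft Entra ID."""
    return "#EXT#" in (user.get("emailAddress") or user.get("identifier") or "").upper()


def label(user: dict) -> str:
    return user.get("emailAddress") or user.get("displayName") or user.get("identifier", "?")


def audit_workspace(ws: dict) -> list[str]:
    """Return the findings for one workspace; an empty list means compliant."""
    users = ws.get("users", [])
    admins = [u for u in users if u.get("groupUserAccessRight") == "Admin"]
    findings = []
    if not admins:
        findings.append("no Admin assigned (orphaned workspace)")
    elif len(admins) > MAX_ADMINS:
        findings.append(f"{len(admins)} Admins exceeds limit of {MAX_ADMINS}")
    for u in users:
        role = u.get("groupUserAccessRight")
        if is_guest(u) and role not in GUEST_ALLOWED_ROLES:
            findings.append(f"guest {label(u)} holds {role}")
        if u.get("principalType") == "App" and role == "Admin":
            findings.append(f"service principal {label(u)} holds Admin")
    return findings


def audit_tenant(response: dict) -> dict[str, list[str]]:
    """Map workspace name -> findings, only for workspaces that have any."""
    return {ws["name"]: f for ws in response.get("value", []) if (f := audit_workspace(ws))}


if __name__ == "__main__":
    print(json.dumps(audit_tenant(SAMPLE_RESPONSE), indent=2))
```

Run it against a live tenant by replacing `SAMPLE_RESPONSE` with the paged admin API output (the caller needs the Tenant.Read.All scope or Fabric administrator role); page through `$skip` because a single call returns at most 5,000 workspaces.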
2. Content Security
2.1 Configure Sharing Defaults
Profile Level: L1 (Baseline) NIST 800-53: AC-21
Description
Control report and dashboard sharing.
Rationale
Attack Scenario: "Publish to web" creates an anonymous, unauthenticated link that search engines can index, so a single click exposes a financial report to the internet; a leaked or over-scoped embed token grants dashboard access to anyone holding it until it expires.
ClickOps Implementation
Step 1: Tenant Settings
- Navigate to: Power BI Admin Portal → Tenant settings
- Configure:
- Publish to web: Disabled for the entire organization (do not leave it enabled for "specific security groups" unless a documented business owner exists)
- Share content with external users: Disabled, or restricted to specific security groups
- Allow Microsoft Entra guest users to edit and manage content: Disabled
Step 2: Export Controls
- Configure: Export data settings
- Limit export formats
- Audit export activity
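Tenant settings drift silently when a second admin relaxes them, so the sharing baseline above is worth checking on a schedule. The following is an added example for this guide, not the guide's or Microsoft's tooling: it evaluates the JSON from `GET https://api.powerbi.com/v1.0/myorg/admin/tenantsettings` (fields `settingName`, `enabled`, `canSpecifySecurityGroups`, `enabledSecurityGroups`) against a small policy table. `PublishToWeb` is the setting name the API reports for publish to web; the other keys in `BASELINE` are assumed names and must be mapped to whatever your tenant actually returns. The sample response is constructed.

```python
"""Drift check for Power BI sharing tenant settings (added example, not from the guide)."""

# settingName -> policy.  "off": must be disabled for everyone.
# "groups": may be enabled only when restricted to named security groups;
# enabled for the entire organization is a finding.
BASELINE = {
    "PublishToWeb": "off",
    "ExportToCsv": "groups",                  # assumed setting name
    "AllowGuestUserToEditContent": "off",     # assumed setting name
    "ShareLinkToEntireOrg": "off",            # assumed setting name
}

SAMPLE_RESPONSE = {  # constructed, not a real tenant
    "tenantSettings": [
        {"settingName": "PublishToWeb", "enabled": True,
         "canSpecifySecurityGroups": True, "enabledSecurityGroups": []},
        {"settingName": "ExportToCsv", "enabled": True, "canSpecifySecurityGroups": True,
         "enabledSecurityGroups": [{"graphId": "11111111-2222-3333-4444-555555555555", "name": "Finance Analysts"}]},
        {"settingName": "AllowGuestUserToEditContent", "enabled": False,
         "canSpecifySecurityGroups": True, "enabledSecurityGroups": []},
    ]
}


def scope(setting: dict) -> str:
    """Effective scope of one setting: 'disabled', 'groups' (restricted) or 'org' (everyone)."""
    if not setting.get("enabled"):
        return "disabled"
    return "groups" if setting.get("enabledSecurityGroups") else "org"


def check_settings(response: dict, baseline: dict = BASELINE) -> list[str]:
    """Return one finding per baseline violation; an empty list means the tenant matches."""
    by_name = {s["settingName"]: s for s in response.get("tenantSettings", [])}
    findings = []
    for name, policy in baseline.items():
        setting = by_name.get(name)
        if setting is None:
            findings.append(f"{name}: not reported by the tenant (verify the setting name)")
            continue
        sc = scope(setting)
        if policy == "off" and sc != "disabled":
            findings.append(f"{name}: enabled for {sc}, baseline requires disabled")
        elif policy == "groups" and sc == "org":
            groups = ", ".join(g["name"] for g in setting.get("enabledSecurityGroups", [])) or "none"
            findings.append(f"{name}: enabled for the entire organization (groups: {groups}), baseline requires group restriction")
    return findings


if __name__ == "__main__":
    for finding in check_settings(SAMPLE_RESPONSE):
        print(finding)
```

A setting that is enabled with an empty `enabledSecurityGroups` list applies to everyone, which is the case this check exists to catch; the "not reported" branch is deliberate, because a typo in a setting name would otherwise pass silently.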
2.2 Embed Security
Profile Level: L2 (Hardened) NIST 800-53: AC-21
Implementation
Step 1: Secure Embed Tokens
- Use the "app owns data" pattern with a service principal (an Entra app registration placed in the security group allowed under Developer settings); never embed with a stored master-user password
- Apply row-level security by passing an effective identity (username plus RLS roles) in the GenerateToken request; a token minted without an identity returns every row of the dataset
- Set a short lifetimeInMinutes and refresh tokens from the backend; the embed token is a bearer credential visible to the browser, so treat its lifetime as the exposure window
Step 2: Embed Controls
- Navigate to: Tenant settings → Developer settings
- Restrict who can embed
- Limit embed token generation
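The two steps above, carried through in code. This is an added example, not the guide's or Microsoft's code: it builds the request body for `POST https://api.powerbi.com/v1.0/myorg/GenerateToken` (the V2 API, fields `datasets`, `reports`, `identities`, `lifetimeInMinutes`), refuses to mint a token without an RLS role or with a lifetime over a local cap, and computes how long a returned token remains valid from its `expiration` field. Posting requires a service-principal access token obtained with MSAL, shown only in `post_generate_token`, which is not exercised offline. The report and dataset IDs and the e-mail address are made up, and `MAX_LIFETIME_MINUTES` is this example's own policy, not a service limit (the service only ever shortens a token's life relative to its default, never extends it).

```python
"""Build an "app owns data" embed token request with RLS identity and a short lifetime
(added example, not from the guide)."""
import json
import urllib.request
from datetime import datetime, timezone

GENERATE_TOKEN_URL = "https://api.powerbi.com/v1.0/myorg/GenerateToken"
MAX_LIFETIME_MINUTES = 30  # assumption: local policy cap, not a Power BI limit


def validate_embed_request(rls_roles, lifetime_minutes: int) -> list[str]:
    """Policy checks that must pass before a token is minted; empty list means OK."""
    errors = []
    if not [r for r in rls_roles if r]:
        errors.append("no RLS role: the token would return every row of the dataset")
    if not 0 < lifetime_minutes <= MAX_LIFETIME_MINUTES:
        errors.append(f"lifetime must be between 1 and {MAX_LIFETIME_MINUTES} minutes")
    return errors


def build_embed_token_request(report_id: str, dataset_id: str, viewer_upn: str,
                              rls_roles, lifetime_minutes: int = 10) -> dict:
    """Read-only token scoped to one report, one dataset and one effective identity."""
    errors = validate_embed_request(rls_roles, lifetime_minutes)
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "datasets": [{"id": dataset_id}],
        "reports": [{"id": report_id, "allowEdit": False}],
        "identities": [{"username": viewer_upn, "roles": [r for r in rls_roles if r], "datasets": [dataset_id]}],
        "lifetimeInMinutes": lifetime_minutes,
    }


def post_generate_token(body: dict, access_token: str) -> dict:
    """Network call (not run here): exchange the service principal's Entra access token
    for an embed token. `access_token` comes from MSAL client-credentials flow with
    scope https://analysis.windows.net/powerbi/api/.default."""
    req = urllib.request.Request(
        GENERATE_TOKEN_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _parse_utc(value) -> datetime:
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def seconds_until_expiry(token_response: dict, now=None) -> int:
    """GenerateToken returns {"token", "tokenId", "expiration": ISO-8601 UTC}. Hand the
    browser only `token`, and schedule a backend refresh before this many seconds pass."""
    exp = _parse_utc(token_response["expiration"])
    now = _parse_utc(now) if now else datetime.now(timezone.utc)
    return max(0, int((exp - now).total_seconds()))


if __name__ == "__main__":
    body = build_embed_token_request("11111111-aaaa-bbbb-cccc-000000000001",
                                     "22222222-aaaa-bbbb-cccc-000000000002",
                                     "alice@contoso.com", ["Finance"], lifetime_minutes=10)
    print(json.dumps(body, indent=2))
```

The `identities[].username` value is what `USERPRINCIPALNAME()` returns inside the RLS filter, so it must match the mapping table used by the role; the `tokenId` in the response is what appears in the activity log, which is what the detection in section 4 keys on.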
3. Data Source Security
3.1 Gateway Security
Profile Level: L1 (Baseline) NIST 800-53: IA-5
ClickOps Implementation
Step 1: Manage Gateway Users
- Navigate to: Settings → Manage connections and gateways
- Limit gateway admins; every admin can add data sources and see which credentials exist
- Review data source credentials and remove sources no longer referenced by any dataset
Step 2: Data Source Credentials
- Use dedicated service accounts (or OAuth2 / managed identities where the source supports them) rather than personal credentials
- Grant read-only, least-privilege database permissions scoped to the tables the reports need
- Rotate credentials periodically; the gateway stores them encrypted with its own key, so a rotation means updating the data source in the gateway, not only in the database
3.2 Row-Level Security
Profile Level: L2 (Hardened) NIST 800-53: AC-3
Implementation
Step 1: Define RLS Roles
```dax
-- Filter a user-mapping table on the signed-in user's UPN: a fact row is visible only
-- when the current user appears in it. Comparing a business column such as [Region]
-- directly to USERPRINCIPALNAME() never matches, because the column holds region names.
[UserEmail] = USERPRINCIPALNAME()
```
Security-group membership cannot be evaluated inside DAX (PATHCONTAINS walks parent-child hierarchy paths, not directory groups). To use groups, add the Entra security group (for example, Finance) as a member of the RLS role under Security in the Power BI service, and keep the DAX filter itself on a mapping table.
Step 2: Test RLS
- Use “View as” feature
- Test with different users
- Audit RLS effectiveness
4. Monitoring & Detection
4.1 Activity Log
Profile Level: L1 (Baseline) NIST 800-53: AU-2, AU-3
ClickOps Implementation
Step 1: Access Activity Log
- Navigate to: Power BI Admin Portal → Audit logs
- Or use: Microsoft Purview → Audit (unified audit log), or the Power BI activity log REST API
- Configure log retention: the activity log API keeps 30 days, and Purview retention depends on licence, so forward events to a SIEM for longer retention
Detection Focus
```kql
// Detect report exports: more than 10 ExportReport events by one user in any 1-hour bin.
// Without the bin() the count accumulates over the whole query range and fires on normal use.
PowerBIActivity
| where Activity == "ExportReport"
| summarize ExportCount = count() by UserId, bin(TimeGenerated, 1h)
| where ExportCount > 10
```
```kql
// Detect embed token generation
PowerBIActivity
| where Activity == "GenerateEmbedToken"
| project TimeGenerated, UserId, ReportId
```
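The same two detections, run offline over sample events so the logic can be checked before it is deployed. This is an added example, not the guide's KQL: it reproduces the rules in Python for PowerBIActivity-shaped records (`TimeGenerated`, `Activity`, `UserId`, `ReportId`), and the export rule uses a sliding one-hour window rather than the fixed buckets of `bin()`, so a burst that straddles an hour boundary is still caught; the fixed-bin version is included for comparison. The events are constructed.

```python
"""Export-burst and embed-token detections over sample Power BI activity events
(added example, not the guide's own queries)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(hhmm: str) -> str:
    return f"2025-03-01T{hhmm}:00Z"


def _event(hhmm, activity, user, report):
    return {"TimeGenerated": _ts(hhmm), "Activity": activity, "UserId": user, "ReportId": report}


# Constructed sample: alice exports 12 reports between 12:50 and 13:01 (straddling the
# 13:00 bin boundary), bob exports three, one service principal mints an embed token.
SAMPLE_EVENTS = (
    [_event(f"12:{50 + i:02d}" if i < 10 else f"13:{i - 10:02d}", "ExportReport", "alice@contoso.com", "rpt-1")
     for i in range(12)]
    + [_event("09:00", "ExportReport", "bob@contoso.com", "rpt-2") for _ in range(3)]
    + [_event("10:15", "GenerateEmbedToken", "embed-sp", "rpt-3"),
       _event("10:20", "ViewReport", "carol@contoso.com", "rpt-1")]
)


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def export_burst_users(events, threshold: int = 10, window: timedelta = timedelta(hours=1)) -> list[str]:
    """Users with more than `threshold` ExportReport events inside any span of `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e.get("Activity") == "ExportReport":
            per_user[e["UserId"]].append(parse_time(e["TimeGenerated"]))
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] >= window:  # slide the window forward until it fits
                start += 1
            if end - start + 1 > threshold:
                flagged.add(user)
                break
    return sorted(flagged)


def fixed_bin_burst_users(events, threshold: int = 10, bin_seconds: int = 3600) -> list[str]:
    """Literal bin(TimeGenerated, 1h) semantics of the KQL, kept to show the boundary gap."""
    counts = defaultdict(int)
    for e in events:
        if e.get("Activity") == "ExportReport":
            bucket = int(parse_time(e["TimeGenerated"]).timestamp()) // bin_seconds
            counts[(e["UserId"], bucket)] += 1
    return sorted({user for (user, _), n in counts.items() if n > threshold})


def embed_token_events(events) -> list[tuple]:
    """(TimeGenerated, UserId, ReportId) for every GenerateEmbedToken event."""
    return [(e["TimeGenerated"], e["UserId"], e.get("ReportId"))
            for e in events if e.get("Activity") == "GenerateEmbedToken"]


if __name__ == "__main__":
    print("sliding window:", export_burst_users(SAMPLE_EVENTS))
    print("fixed bins:    ", fixed_bin_burst_users(SAMPLE_EVENTS))
    print("embed tokens:  ", embed_token_events(SAMPLE_EVENTS))
```

The fixed-bin run returns nothing for alice (ten events land in the 12:00 bin and two in the 13:00 bin), which is the gap the sliding window closes; in KQL the equivalent is a second pass with `bin` offset by half an hour, or a `make-series` over a shorter step.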
Appendix A: Edition Compatibility
| Control | Pro | Premium |
|---|---|---|
| Conditional Access | ✅ | ✅ |
| Sensitivity Labels | ✅ | ✅ |
| Audit Logs | ✅ | ✅ |
| BYOK Encryption | ❌ | ✅ |
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-12-14 | 0.1.0 | draft | Initial Power BI hardening guide | Claude Code (Opus 4.5) |