Enable sensitivity labels in Power BI
In order for sensitivity labels from Microsoft Purview Information Protection to be used in Power BI, they must be enabled on the tenant. This article shows Power BI admins how to do this. For an overview about sensitivity labels in Power BI, see Sensitivity labels in Power BI. For information about applying sensitivity labels in Power BI, see Applying sensitivity labels
When sensitivity labels are enabled:
- Specified users and security groups in the organization can classify and apply sensitivity labels to their Power BI content. In the Power BI service, this means their reports, dashboards, datasets, and dataflows. In Power BI Desktop, it means their .pbix files.
- In the service, all members of the organization will be able to see those labels. In Desktop, only members of the organization who have the labels published to them will be able to see the labels.
Enabling sensitivity labels requires an Azure Information Protection license. See Licensing and requirements for detail.
Give us your feedback
The product team would love to get your feedback about Power BI's information protection capabilities and its integration with Microsoft Purview Information Protection. Help us meet your information protection needs! Thanks!
Licensing and requirements
An Azure Information Protection Premium P1 or Premium P2 license is required to apply or view sensitivity labels from Purview Information Protection in Power BI. Azure Information Protection can be purchased either standalone or through one of the Microsoft licensing suites. See Azure Information Protection pricing for detail.
Note
If your organization uses Azure Information Protection sensitivity labels, they need to be migrated to the Purview Information Protection Unified Labeling platform in order for the them to be used in Power BI. Learn more about migrating sensitivity labels.
To be able to apply labels to Power BI content and files, a user must have a Power BI Pro or Premium Per User (PPU) license in addition to one of the Azure Information Protection licenses mentioned above.
Office apps have their own licensing requirements for viewing and applying sensitivity labels.
Before enabling sensitivity labels on your tenant, make sure that sensitivity labels have been defined and published for relevant users and groups. See Create and configure sensitivity labels and their policies for detail.
Customers in China must enable rights management for the tenant and add the Microsoft Purview Information Protection Sync Service service principle, as described in steps 1 and 2 under Configure Azure Information Protection for customers in China.
Using sensitivity labels in Desktop requires the Desktop December 2020 release or later.
Note
If you try to open a protected .pbix file with a Desktop version earlier than December 2020, it will fail, and you'll be prompted to upgrade your Desktop version.
Enable sensitivity labels
Sensitivity labels must be enabled on the tenant before they can be used in both the service and in Desktop. This section describes how to enable them in the tenant settings.
To enable sensitivity labels on the tenant, go to the Power BI Admin portal, open the Tenant settings pane, and find the Information protection section.
In the Information Protection section, perform the following steps:
Open Allow users to apply sensitivity labels for Power BI content.
Enable the toggle.
Define who can apply and change sensitivity labels in Power BI assets. By default, everyone in your organization will be able to apply sensitivity labels. However, you can choose to enable setting sensitivity labels only for specific users or security groups. With either the entire organization or specific security groups selected, you can exclude specific subsets of users or security groups.
- When sensitivity labels are enabled for the entire organization, exceptions are typically security groups.
- When sensitivity labels are enabled only for specific users or security groups, exceptions are typically specific users.
This approach makes it possible to prevent certain users from applying sensitivity labels in Power BI, even if they belong to a group that has permissions to do so.
Press Apply.
Important
Only Power BI Pro users who have create and edit permissions on the asset, and who are part of the relevant security group that was set in this section, will be able to set and edit the sensitivity labels. Users who are not part of this group won't be able to set or edit the label.
Troubleshooting
Power BI uses sensitivity labels from Purview Information Protection. Thus if you encounter an error message when trying to enable sensitivity labels, it might be due to one of the following reasons:
- Sensitivity labels haven't been migrated to the Microsoft Purview Information Protection version supported by Power BI.
- No sensitivity labels from Microsoft Purview Information Protection have been defined in the organization.
Considerations and limitations
For a list of sensitivity label limitations in Power BI, see Sensitivity labels in Power BI.
Next steps
This article described how to enable sensitivity labels in Power BI. The following articles provide more details about data protection in Power BI.
Feedback
Submit and view feedback for