Sensitivity label inheritance from data sources

Power BI semantic models that connect to sensitivity-labeled data in supported data sources can inherit those labels, so that the data remains classified and secure when brought into Power BI.

Currently supported data sources:

  • Excel files stored on OneDrive or SharePoint Online*
  • Azure Synapse Analytics (formerly SQL Data Warehouse)
  • Azure SQL Database

*Inheritance from Excel files requires specific configuration and isn't supported for Excel files stored behind a gateway, such as files stored locally. See Sensitivity label inheritance from Excel files for more detail.

To be operative, sensitivity label inheritance from data sources must be enabled on the tenant.

Requirements

Inheritance behavior

  • In the Power BI service, when the semantic model is connected to the data source, Power BI inherits the label and applies it automatically to the semantic model. Subsequently, inheritance occurs upon semantic model refresh. In Power BI Desktop, when you connect to the data source via Get data, Power BI inherits the label and automatically applies it to the .pbix file (both the semantic model and report). Subsequently inheritance occurs upon refresh.
  • If the data source has sensitivity labels of different degrees, the most restrictive is chosen for inheritance. In order to be applied, that label (the most restrictive) must be published for the semantic model owner.
  • Labels from data sources never overwrite manually applied labels.
  • Less restrictive labels from the data source never overwrite more restrictive labels on the semantic model.
  • In Desktop, if the incoming label is more restrictive than the label that is currently applied in Desktop, a banner will appear that recommends to the user to apply the more restrictive label.
  • Semantic model refresh will succeed even if for some reason the label from the data source isn't applied.

Note

No inheritance takes place if the semantic model owner is not authorized to apply sensitivity labels in Power BI, or if the specific label in question has not been published for the semantic model owner.

Sensitivity label inheritance from Excel files

Sensitivity label inheritance from an Excel file is supported for Excel files stored on OneDrive or SharePoint Online.

To make sure sensitivity label inheritance from an Excel file works:

  1. Store the Excel file on OneDrive or SharePoint Online.

  2. In Power BI Desktop, connect to the Excel file using the web connector, as described in Use OneDrive for work or school links in Power BI Desktop. The process described in that article applies to both OneDrive and SharePoint Online.

  3. After publishing the semantic model, to enable refresh, reconfigure the authentication credentials for the semantic model, also as described in the above article. Be sure to select OAuth2 as the authentication method, otherwise you might encounter an error when you attempt to connect or refresh.

Considerations and limitations

  • Inheritance from data sources is supported only for semantic models with enhanced metadata. See Using enhanced semantic model metadata for more information.
  • Inheritance from data sources is supported only for semantic models using the Import data connectivity mode. Live connection and DirectQuery connectivity isn't supported.
  • Inheritance from data sources isn't supported in connections via gateways or Azure Virtual Network (VNet). This means that inheritance from an Excel file located on a local machine won't work, because this requires a gateway.