Data loss prevention policies for Power BI (preview)

To help organizations detect and protect their sensitive data, Power BI supports Microsoft Purview Data Loss Prevention (DLP) policies. When a DLP policy for Power BI detects a sensitive dataset, a policy tip can be attached to the dataset in the Power BI service that explains the nature of the sensitive content, and an alert can be registered on the data loss prevention Alerts tab in the Microsoft Purview compliance portal for monitoring and management by administrators. In addition, email alerts can be sent to administrators and specified users.

Considerations and limitations

  • DLP policies for Power BI are defined in the Microsoft Purview compliance portal.
  • DLP policies apply to workspaces. Only workspaces hosted in Premium Gen2 capacities and Premium Per User workspaces are supported.
  • DLP dataset evaluation workloads impact capacity. See CPU metering for DLP policy evaluation for more information.
  • DLP policy templates aren't yet supported for Power BI DLP policies. When creating a DLP policy for Power BI, choose the "custom policy" option.
  • Power BI DLP policy rules currently support sensitivity labels and sensitive info types as conditions.
  • DLP policies for Power BI aren't supported for sample datasets, streaming datasets, or datasets that connect to their data source via DirectQuery or live connection.
  • DLP policies for Power BI aren't supported in sovereign clouds.
  • Custom sensitive info types of the type Keyword list and Keyword dictionary are currently not supported when using DLP policies for the Power BI location.
  • Currently, DLP policies for Power BI don't support scanning for sensitive info types in data stored in the Southeast Asia region. See How to find the default region for your organization to learn how to find your organization's default data region.

Licensing and permissions

SKU/subscriptions licensing

Before you get started with DLP for Power BI, you should confirm your Microsoft 365 subscription. The admin account that sets up the DLP rules must be assigned one of the following licenses:

  • Microsoft 365 E5
  • Microsoft 365 E5 Compliance
  • Microsoft 365 E5 Information Protection & Governance

Permissions

Data from DLP for Power BI can be viewed in Activity explorer. Four roles grant permission to Activity explorer; the account you use to access the data must be a member of at least one of them.

  • Global administrator
  • Compliance administrator
  • Security administrator
  • Compliance data administrator

CPU metering for DLP policy evaluation

This section is relevant only for workspaces hosted on Premium Gen2 capacities. It doesn't apply to Premium Per User workspaces.

DLP policy evaluation uses CPU from the premium capacity associated with the workspace where the dataset being evaluated is located. CPU consumption of the evaluation is calculated as 30% of the CPU consumed by the action that triggered the evaluation. For example, if a refresh action costs 30 milliseconds of CPU, the DLP scan will cost another 9 milliseconds. This fixed 30% additional CPU consumption for DLP evaluation helps you predict the impact of DLP policies on your overall Capacity CPU utilization, and perform capacity planning when rolling out DLP policies in your organization.

Use the Power BI Premium Capacity Metrics App to monitor the CPU usage of your DLP policies. For more information, see Use the Gen2 metrics app.

Note

As mentioned, metering of DLP evaluation to calculate CPU consumption applies only to workspaces hosted on Premium Gen2 capacities. DLP evaluation in Premium Per User workspaces is included in the PPU license.

How do DLP policies for Power BI work

You define a DLP policy in the data loss prevention section of the compliance portal. In the policy, you specify the sensitivity labels and/or sensitive info types you want to detect. You also specify the actions that will happen when the policy detects a dataset that contains sensitive data of the kind you specified. DLP policies for Power BI support two actions:

  • User notification via policy tips.
  • Alerts. Alerts can be sent by email to administrators and users. Additionally, administrators can monitor and manage alerts on the Alerts tab in the compliance portal.

When a dataset is evaluated by DLP policies, if it matches the conditions specified in a DLP policy, the actions specified in the policy occur. A dataset is evaluated against DLP policies whenever one of the following events occurs:

  • Publish
  • Republish
  • On-demand refresh
  • Scheduled refresh

Note

DLP evaluation of the dataset does not occur if either of the following is true:

  • The initiator of the event is a service principal.
  • The dataset owner is either a service principal or a B2B user.
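The 30% metering rule from the CPU metering section, combined with the trigger events and exclusions listed above, can be turned into a simple capacity-planning estimate. The following Python is an added example, not code from the Microsoft documentation or from Power BI itself: it encodes only what this page states, and the workspace names, event names, capacity and owner kinds, and CPU figures are constructed inputs with this example's own vocabulary.

```python
"""Capacity-planning estimate for DLP evaluation on Power BI Premium Gen2.

Added example, not code from the Microsoft docs or from Power BI. It applies
the rules stated on the page: a DLP evaluation costs 30% of the CPU of the
action that triggered it; only publish, republish, on-demand refresh and
scheduled refresh trigger an evaluation; no evaluation runs when the
initiator is a service principal or the dataset owner is a service principal
or B2B user; Premium Per User workspaces aren't metered (covered by the PPU
license). Event names, workspace names and CPU figures are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

DLP_CPU_FRACTION = 0.30   # page: evaluation costs 30% of the triggering action's CPU
TRIGGERING_EVENTS = {"publish", "republish", "on-demand refresh", "scheduled refresh"}


@dataclass(frozen=True)
class DatasetEvent:
    workspace: str
    capacity_kind: str                 # "premium_gen2" or "ppu" (this example's vocabulary)
    event: str                         # what happened to the dataset
    action_cpu_ms: float               # CPU the action itself consumed
    initiator_is_service_principal: bool = False
    owner_kind: str = "user"           # "user", "service_principal" or "b2b"


def dlp_cpu_ms(ev: DatasetEvent) -> float:
    """Metered CPU (ms) added by DLP evaluation for one event; 0.0 if none runs or it isn't metered."""
    if ev.event not in TRIGGERING_EVENTS:
        return 0.0                      # views, exports etc. don't trigger evaluation
    if ev.initiator_is_service_principal or ev.owner_kind in ("service_principal", "b2b"):
        return 0.0                      # evaluation is skipped for these events
    if ev.capacity_kind != "premium_gen2":
        return 0.0                      # PPU: evaluation runs but isn't metered against a capacity
    return ev.action_cpu_ms * DLP_CPU_FRACTION


def estimate_overhead(events: Iterable[DatasetEvent]) -> Tuple[float, float, Dict[str, float]]:
    """Return (total action CPU ms, total DLP CPU ms, DLP CPU ms per workspace)."""
    action_total = 0.0
    dlp_total = 0.0
    per_workspace: Dict[str, float] = {}
    for ev in events:
        action_total += ev.action_cpu_ms
        cost = dlp_cpu_ms(ev)
        dlp_total += cost
        per_workspace[ev.workspace] = per_workspace.get(ev.workspace, 0.0) + cost
    return action_total, dlp_total, per_workspace


# Constructed sample of activity on a tenant (not real telemetry)
SAMPLE_EVENTS = [
    DatasetEvent("Finance", "premium_gen2", "scheduled refresh", 30.0),     # page's example: 30 ms -> 9 ms
    DatasetEvent("Finance", "premium_gen2", "publish", 100.0),
    DatasetEvent("Finance", "premium_gen2", "report view", 50.0),           # not a triggering event
    DatasetEvent("Ops", "premium_gen2", "on-demand refresh", 200.0, initiator_is_service_principal=True),
    DatasetEvent("Ops", "premium_gen2", "republish", 40.0, owner_kind="b2b"),
    DatasetEvent("Ops", "premium_gen2", "scheduled refresh", 10.0),
    DatasetEvent("Analyst PPU", "ppu", "scheduled refresh", 80.0),          # PPU: not metered
]


def sample_overhead() -> Tuple[float, float, Dict[str, float]]:
    """Overhead estimate for the constructed sample above."""
    return estimate_overhead(SAMPLE_EVENTS)


if __name__ == "__main__":
    action, dlp, per_ws = sample_overhead()
    print(f"action CPU {action:.0f} ms, DLP CPU {dlp:.0f} ms ({100 * dlp / action:.1f}% of total)")
    for ws, ms in per_ws.items():
        print(f"  {ws}: {ms:.1f} ms")
```

Feeding real figures from the Gen2 metrics app into `SAMPLE_EVENTS` gives a per-workspace view of where DLP overhead will land before the policy is rolled out; the three zero-cost branches are the cases the page says never reach the metered evaluation.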

What happens when a dataset is flagged by a Power BI DLP policy

When a DLP policy detects an issue with a dataset:

  • If "user notification" is enabled in the policy, the dataset will be marked in the Power BI service with a shield that indicates that a DLP policy has detected an issue with the dataset.

    Screenshot of policy tip badge on dataset in lists.

    Open the dataset details page to see a policy tip that explains the policy violation and how the detected type of sensitive information should be handled.

    Screenshot of policy tip on dataset details page.

    Note

    If you hide the policy tip, it doesn’t get deleted. It will appear the next time you visit the page.

  • If alerts are enabled in the policy, an alert will be recorded on the data loss prevention Alerts tab in the compliance portal, and (if configured) an email will be sent to administrators and/or specified users. The following image shows the Alerts tab in the data loss prevention section of the compliance portal.

    Screenshot of Alerts tab in the compliance portal.

Configure a DLP policy for Power BI

  1. Log into the Microsoft Purview compliance portal.

  2. Choose the Data loss prevention solution in the navigation pane, select the Policies tab, choose Create policy.

    Screenshot of DLP create policy page.

  3. Choose the Custom category and then the Custom policy template.

    Note

    No other categories or templates are currently supported.

    Screenshot of DLP choose custom policy page.

    When done, select Next.

  4. Name the policy and provide a meaningful description.

    Screenshot of DLP policy name description section.

    When done, select Next.

  5. Enable Power BI as a location for the DLP policy. Disable all other locations. Currently, DLP policies for Power BI must specify Power BI as the sole location.

    Screenshot of DLP choose location page.

    By default the policy will apply to all workspaces. Alternatively, you can specify particular workspaces to include in the policy as well as workspaces to exclude from the policy.

    Note

    DLP actions are supported only for workspaces hosted in Premium Gen2 capacities.

    If you select Choose workspaces or Exclude workspaces, a dialog will allow you to select workspaces to be included (or excluded).

    You can search for workspaces by workspace name or by user email address. When you search by a user's email address, that user's My Workspace will be listed as personalWorkspace - <email address>, and you can then select it.

    Screenshot of DLP choose workspaces dialog.

    After enabling Power BI as a DLP location for the policy and choosing which workspaces the policy will apply to, select Next.

  6. The Define policy settings page appears. Choose Create or customize advanced DLP rules to begin defining your policy.

    Screenshot of DLP create advanced rule page.

    When done, select Next.

  7. On the Customize advanced DLP rules page, you can either start creating a new rule or choose an existing rule to edit. Select Create rule.

    Screenshot of DLP create rule page.

  8. The Create rule page appears. On this page, provide a name and description for the rule, and then configure the other sections, which are described below the image.

    Screenshot of DLP create rule form.

Conditions

In the condition section, you define the conditions under which the policy will apply to a dataset. Conditions are created in groups. Groups make it possible to construct complex conditions.

  1. Open the conditions section, choose Add condition and then Content contains.

    Screenshot of DLP add conditions content contains section.

    This opens the first group (named Default – you can change this).

  2. Choose Add, and then choose either Sensitive info types or Sensitivity labels.

    Screenshot of DLP add conditions section.

    Note

    Currently, DLP policies for Power BI don't support scanning for sensitive info types in data stored in the Southeast Asia region. See How to find the default region for your organization to learn how to find your organization's default data region.

    When you choose either Sensitive info types or Sensitivity labels, you'll be able to choose the particular sensitivity labels or sensitive info types you want to detect from a list that will appear in a sidebar.

    Screenshot of sensitivity-label and sensitive info types choices.

    When you select a sensitive info type as a condition, you then need to specify how many instances of that type must be detected for the condition to be considered met. You can specify from 1 to 500 instances. If you want to detect 500 or more unique instances, enter a range of '500' to 'Any'. You can also select the degree of confidence in the matching algorithm. Select the info button next to the confidence level to see the definition of each level.

    Screenshot of confidence level setting for sensitive info types.

    You can add additional sensitivity labels or sensitive info types to the group. To the right of the group name, you can specify Any of these or All of these. This determines whether matches on all of the items in the group, or on any one of them, are required for the condition to hold. If you specified more than one sensitivity label, you'll only be able to choose Any of these, since a dataset can’t have more than one label applied.

    The image below shows a group (Default) that contains two sensitivity label conditions. The logic Any of these means that a match on any one of the sensitivity labels in the group constitutes “true” for that group.

    Screenshot of DLP conditions group section.

    You can create more than one group, and you can control the logic between the groups with AND or OR logic.

    The image below shows a rule containing two groups, joined by OR logic.

    Screenshot of rule with two groups.

Exceptions

If the dataset has a sensitivity label or sensitive info type that matches any of the defined exceptions, the rule won’t be applied to the dataset.

Exceptions are configured in the same way as conditions, described above.

Screenshot of DLP exceptions section.
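To see how the pieces described in the Conditions and Exceptions sections combine (groups, Any of these versus All of these, AND/OR between groups, instance-count ranges up to 500 or 'Any', confidence levels, and exceptions that exempt a dataset), the following Python models a rule's logic over constructed scan results. It is an added example, not code from the Microsoft documentation or Purview's own evaluation engine. It assumes confidence levels are ordered low < medium < high and that the AND/OR operators between groups are folded left to right. Credit Card Number and U.S. Social Security Number (SSN) are real built-in sensitive info type names used only as identifiers; the labels, dataset names and counts are constructed.

```python
"""Model of how a Power BI DLP rule's condition groups and exceptions compose.

Added example, not code from the Microsoft docs or Purview's own evaluator. Assumes
confidence levels are ordered low < medium < high and that AND/OR between groups is
folded left to right; labels, dataset names and counts below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CONFIDENCE_RANK = {"low": 1, "medium": 2, "high": 3}   # assumed ordering of confidence levels

@dataclass(frozen=True)
class Dataset:
    label: Optional[str]                    # a dataset carries at most one sensitivity label
    sit_hits: Dict[str, Tuple[int, str]]    # sensitive info type -> (instance count, confidence)

@dataclass(frozen=True)
class LabelItem:
    label: str

    def matches(self, ds: Dataset) -> bool:
        return ds.label == self.label

@dataclass(frozen=True)
class SitItem:
    name: str
    min_count: int = 1                # instances required: 1..500
    max_count: Optional[int] = None   # None means "Any" (no upper bound)
    min_confidence: str = "medium"

    def __post_init__(self) -> None:
        if not 1 <= self.min_count <= 500:
            raise ValueError("instance count lower bound must be between 1 and 500")

    def matches(self, ds: Dataset) -> bool:
        hit = ds.sit_hits.get(self.name)
        if hit is None:
            return False
        count, confidence = hit
        if CONFIDENCE_RANK[confidence] < CONFIDENCE_RANK[self.min_confidence]:
            return False
        return count >= self.min_count and (self.max_count is None or count <= self.max_count)

@dataclass
class Group:
    name: str
    items: list
    mode: str = "any"   # "any" = Any of these, "all" = All of these

    def __post_init__(self) -> None:
        # A dataset can't carry two labels, so "All of these" over several labels can never hold.
        if self.mode == "all" and sum(isinstance(i, LabelItem) for i in self.items) > 1:
            raise ValueError("a group with more than one sensitivity label must use 'any'")

    def matches(self, ds: Dataset) -> bool:
        combine = any if self.mode == "any" else all
        return combine(item.matches(ds) for item in self.items)

@dataclass
class Rule:
    groups: List[Group]
    operators: List[str] = field(default_factory=list)    # "AND"/"OR" between consecutive groups
    exceptions: List[Group] = field(default_factory=list)  # any matching exception exempts the dataset

    def __post_init__(self) -> None:
        if not self.groups or len(self.operators) != len(self.groups) - 1:
            raise ValueError("need at least one group and one operator between each pair of groups")

    def conditions_hold(self, ds: Dataset) -> bool:
        result = self.groups[0].matches(ds)
        for op, group in zip(self.operators, self.groups[1:]):   # assumption: left-to-right folding
            result = (result and group.matches(ds)) if op == "AND" else (result or group.matches(ds))
        return result

    def evaluate(self, ds: Dataset) -> Dict[str, bool]:
        conditions = self.conditions_hold(ds)
        excepted = any(g.matches(ds) for g in self.exceptions)
        return {"conditions": conditions, "excepted": excepted, "applies": conditions and not excepted}

# Constructed rule: labeled Confidential/Highly Confidential, OR card numbers (1..500, high confidence)
# together with at least 10 SSNs (no upper bound). Datasets carrying the "Finance Approved" label are exempt.
SSN = "U.S. Social Security Number (SSN)"
SAMPLE_RULE = Rule(
    groups=[
        Group("Default", [LabelItem("Highly Confidential"), LabelItem("Confidential")], mode="any"),
        Group("Identity", [SitItem("Credit Card Number", 1, 500, "high"), SitItem(SSN, 10, None, "medium")], mode="all"),
    ],
    operators=["OR"],
    exceptions=[Group("Approved", [LabelItem("Confidential - Finance Approved")])],
)

SAMPLE_DATASETS = {   # constructed scan results: label plus (count, confidence) per sensitive info type
    "sales-labeled": Dataset("Confidential", {}),
    "hr-extract": Dataset("General", {"Credit Card Number": (3, "high"), SSN: (50, "medium")}),
    "few-ssn": Dataset("General", {"Credit Card Number": (3, "high"), SSN: (5, "high")}),
    "low-confidence": Dataset("General", {"Credit Card Number": (3, "low"), SSN: (50, "high")}),
    "bulk-cards": Dataset("General", {"Credit Card Number": (700, "high"), SSN: (50, "high")}),
    "approved": Dataset("Confidential - Finance Approved", {"Credit Card Number": (5, "high"), SSN: (20, "high")}),
}

def evaluate_samples(rule: Rule = SAMPLE_RULE, datasets: Dict[str, Dataset] = SAMPLE_DATASETS) -> Dict[str, bool]:
    """Dataset name -> whether the rule applies (conditions hold and no exception matches)."""
    return {name: rule.evaluate(ds)["applies"] for name, ds in datasets.items()}
```

Running `evaluate_samples()` shows the cases the page calls out: `bulk-cards` is not flagged because 700 card numbers falls outside a 1..500 range (a 500 to Any item would catch it), `low-confidence` fails the confidence floor, and `approved` satisfies the conditions but is exempted by the exception group, so no policy tip or alert would result.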

Actions

Protection actions are currently unavailable for Power BI DLP policies.

Screenshot of DLP policy actions section.

User notifications

The user notifications section is where you configure your policy tip. Turn on the toggle, select the Notify users in Office 365 service with a policy tip and Policy tips checkboxes, and write your policy tip in the text box.

Screenshot of DLP user notification section.

User overrides

User overrides are currently unavailable for Power BI DLP policies.

Screenshot of DLP user overrides section.

Incident reports

Assign a severity level that will be shown in alerts generated from this policy. Enable (default) or disable email notification to admins, specify users or groups for email notification, and configure the details about when notification will occur.

Screenshot of DLP incident report section.

Additional options

Screenshot of DLP additional options section.

Monitor and manage policy alerts

Log into the Microsoft Purview compliance portal and navigate to Data loss prevention > Alerts.

Screenshot of DLP Alerts tab.

Select an alert to start drilling down to its details and to see management options.

Next steps