Events
Mar 31, 11 PM - Apr 2, 11 PM
The ultimate Microsoft Fabric, Power BI, SQL, and AI community-led event. March 31 to April 2, 2025.
Register todayThis browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Power BI uses sensitivity labels from Microsoft Purview Information Protection. Thus, if you encounter an error message when trying to enable sensitivity labels, it might be due to one of the following:
To be able to apply or change a sensitivity label, you must
If a particular label you wish to change is greyed out, you may not have the correct usage rights to change that label. If you need to change a sensitivity label and can't, either ask the person who applied the label in the first place to modify it, or contact the Microsoft 365/Office security administrator and request the necessary usage rights for the label.
If the sensitivity button is greyed out, it may indicate that you don't have an appropriate license or that you don't belong to a security group that has permissions to apply sensitivity labels, as described in Enable sensitivity labels in Power BI.
Sensitivity labels and file encryption protect data only when it leaves Power BI via supported export paths. Data that leaves Power BI via unsupported export paths won't inherit the sensitivity label and won't be encrypted.
To prevent leakage of sensitive data, the Power BI admin can block export from non-supported export paths using Power BI's export and sharing settings.
Don't use parent labels. A parent label is a label that has sublabels. You can't apply parent labels, but a label that is already applied may become a parent label if it acquires sublabels. If you come across an item that has a parent label, apply the appropriate sublabel. To change a parent label, you must have sufficient usage rights on the label.
If an item has a parent label, note the following behavior:
In the Power BI service, if a semantic model has a label that has been deleted from the label admin center, you won't be able to export or download the data. In Analyze in Excel, a warning will be issued and the data will be exported to an .odc file with no sensitivity label. In Desktop, if a .pbix file has such an invalid label, you won't be able to save the file.
Power BI doesn’t support sensitivity labels of the Do Not Forward, user-defined, and HYOK protection types. The Do Not Forward and user-defined protection types refer to labels defined in the Purview compliance portal.
Get data and refresh scenarios from encrypted Excel (.xlsx) files are supported, unless the file is stored behind a gateway, in which case the Get data/refresh action will fail. Get data and refresh actions from an Excel file that is stored behind a gateway and that has an unprotected sensitivity label will succeed, but the sensitivity label won't be inherited. See Sensitivity label inheritance from data sources for detail.
In the Power BI service, sensitivity labeling doesn't affect access to content. Access to content in the service is determined solely by the permissions a user has on the content. While the labels are visible in the service, any associated encryption settings (configured in the Microsoft Purview compliance portal) aren't applied. They're applied only to data that leaves the service via supported export paths.
In Power BI Desktop, sensitivity labels with encryption settings affect access to content. If a user doesn't have sufficient permissions according to the encryption settings of the sensitivity label on the .pbix file, they won't be able to open the file. In addition, in Desktop, when you save your work, any sensitivity label you've added and its associated encryption settings will be applied to the saved .pbix file.
Using sensitivity labels in Desktop requires the Desktop December 2020 release and later. If you try to open a protected .pbix file with a Desktop version earlier than December 2020, it will fail, and you'll be prompted to upgrade your Desktop version.
Users with a free license can't open protected .pbix files.
Protected .pbix files can be only opened by a user who has an appropriate license and Full control and/or Export usage rights for the relevant label. The user that set the label also has Full control and can never be locked out. See more detail
In rare cases, it may happen that no one has the necessary usage rights for the relevant label except the person that set the label. Then, if that one person leaves the organization or changes aliases within the organization, all access to the .pbix file will be lost. The solution for regaining access to the file in such cases is to either change or remove the sensitivity label on the file using the set/remove sensitivity label Admin APIs. Contact your Power BI admin for assistance (only admins can run the Admin APIs).
Power BI Desktop users may experience problems saving their work when internet connectivity is lost, such as after going offline. With no internet connection, some actions related to sensitivity labels and rights management might not complete properly. In such cases it's recommended to go back online and try saving again.
In general, when you protect a file with a sensitivity label that applies encryption, it's good practice to use another encryption method as well, such as pagefile encryption, NTFS encryption, BitLocker instances, antimalware, etc.
"Publish" or "Get data" of a protected .pbix file requires that the label on the .pbix file be in the user's label policy. If the label isn't in the user's label policy, the Publish or Get data action will fail.
Publishing or importing a .pbix file that has a protected sensitivity label to the service via APIs running under a service principal is not supported and will fail. To mitigate, users can remove the label and then publish using service principals.
Import of sensitivity-labeled .pbix files (both protected and unprotected) stored on OneDrive or SharePoint Online, as well as on-demand and automatic semantic model refresh from such files, is supported, with the exception of the following scenarios:
Power BI Desktop for Power BI Report Server doesn't support information protection. If you try to open a protected .pbix file, the file won't open, and you'll receive an error message. Sensitivity-labeled .pbix files that aren't encrypted can be opened as normal.
To successfully connect from Fabric or Power BI (including Power BI Desktop) to a data source (such as an Excel file) that has a sensitivity label that applies file encryption, information protection must be enabled in Fabric/Power BI (that is, the tenant setting Allow users to apply sensitivity labels for content must be set to Enabled).
Sensitivity labels are supported in the following sovereign clouds:
Data sensitivity labels aren't supported for template apps. Sensitivity labels set by the template app creator are removed when the app is extracted and installed, and sensitivity labels added to artifacts in an installed template app by the app consumer are lost (reset to nothing) when the app is updated.
Default labeling in Power BI covers most common scenarios, but there may be some less common flows that still allow users to open or create unlabeled .pbix files or Power BI artifacts.
Default labeling in Power BI isn't supported for service principals and APIs. Service principals and APIs aren't subject to default label policies.
Default label policies in Power BI aren't supported for external guest users (Microsoft Entra B2B). When a B2B user opens or creates an unlabeled .pbix file in Power BI Desktop or Power BI artifact in the Power BI service, no default label is applied automatically.
Default labeling in Power BI covers most common scenarios, but there may be some less common flows that still allow users to open or create unlabeled .pbix files or Power BI artifacts.
Default label policy settings for Power BI are independent of the default label policy settings for files and email.
Default label policies in Power BI aren't supported for external guest users (B2B users). When a B2B user opens or creates an unlabeled file in Power BI Desktop, no default label will be applied to the file automatically.
Mandatory labeling in Power BI isn't supported for service principals and APIs. Service principals and APIs aren't subject to mandatory label policies.
There may be flows that allow the user to create or edit unlabeled content.
Mandatory labeling in Power BI isn't supported for external guest users (B2B users). B2B users aren't subject to mandatory label policies.
Downstream inheritance is limited to 80 items. If the number of downstream items exceeds 80, no downstream inheritance takes place. Only the item the label was actually applied to will receive the label.
Downstream inheritance never overwrites labels that were applied manually.
Downstream inheritance never overwrites a label with a less restrictive label.
Sensitivity labels inherited from data sources are automatically propagated downstream only when fully automated downstream inheritance mode is enabled.
To use Defender for Cloud Apps with Power BI, you must use and configure relevant Microsoft security services, some of which are set outside Power BI. In order to have Defender for Cloud Apps in your tenant, you must have one of the following licenses:
Using Defender for Cloud Apps with Power BI is designed to help secure your organization's content and data, with detections that monitor user sessions and their activities. When using Defender for Cloud Apps with Power BI, there are a few considerations and limitations you should keep in mind:
Caution
In the session policy, in the "Action" part, the "protect" capability works only if no label exists on the item. If a label already exists, the "protect" action won't apply; you can't override an existing label that has already been applied to an item in Power BI.
In order for the data protection metrics report to be successfully generated, information protection must be enabled on your tenant and sensitivity labels should have been applied.
The data protection metrics report isn't available to external users such as Microsoft Entra B2B (Microsoft Entra B2B) guest users.
In order to access Defender for Cloud Apps information, your organization must have the appropriate Defender for Cloud Apps license.
The data protection metrics report is a special report and doesn't show up in the Shared with me, Recent, and Favorites lists.
The data protection metrics report isn't available to external users (Microsoft Entra B2B guest users).
Downstream inheritance isn't supported. The label of an upstream model won't propagate down to its downstream paginated reports.
The label of a paginated report won't propagate down to the report's downstream content.
Mandatory labeling won't apply to paginated reports.
Events
Mar 31, 11 PM - Apr 2, 11 PM
The ultimate Microsoft Fabric, Power BI, SQL, and AI community-led event. March 31 to April 2, 2025.
Register today