Get started with Data loss prevention policies for Power BI

  • מאמר

To help organizations detect and protect their sensitive data, Microsoft Purview Data Loss Prevention (DLP) polices support Power BI. When a Power BI data set matches the criteria in a DLP policy, an alert that explains the nature of the sensitive content can be triggered. This alert is also registered in the data loss prevention Alerts tab in the Microsoft compliance portal for monitoring and management by administrators. In addition, email alerts can be sent to administrators and specified users.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Considerations and limitations

  • DLP policies apply to workspaces. Only workspaces hosted in Premium Gen2 capacities are supported. For more information, see What is Power BI Premium Gen2?.
  • DLP dataset evaluation workloads impact capacity. For more information, see CPU metering for DLP policy evaluation
  • Both classic and new experience workspaces are supported, as long as they're hosted in Premium Gen2 capacities.
  • You must create a custom DLP custom policy for Power BI. DLP templates aren't supported.
  • DLP policies that are applied to the DLP location support sensitivity labels and sensitive information types as conditions.
  • DLP policies for Power BI aren't supported for sample datasets, streaming datasets, or datasets that connect to their data source via DirectQuery or live connection.

Licensing and permissions

SKU/subscriptions licensing

Before you get started with DLP for Power BI, you should confirm your Microsoft 365 subscription. For full licensing guidance, see Microsoft 365 guidance for security & compliance.

Permissions

Data from DLP for Power BI can be viewed in Activity explorer. There are four roles that grant permission to activity explorer; the account you use for accessing the data must be a member of any one of them:

  • Global administrator
  • Compliance administrator
  • Security administrator
  • Compliance data administrator

How DLP policies for Power BI work

You define a DLP policy in the Data Loss Prevention (DLP) section of the compliance portal. See, Design a data loss prevention policy. In the policy, you specify the sensitivity label(s) and/or sensitive information types that you want to detect. You also specify the action(s) that will occur when the policy detects a dataset that has a specified sensitivity label applied. DLP policies support two actions for Power BI:

  • User notification via policy tips.
  • Alerts. Alerts can be sent by email to administrators and users. Additionally, administrators can monitor and manage alerts on the Alerts tab in the compliance portal.

When a dataset is evaluated by DLP and matches the conditions in a DLP policy, the actions defined in the policy are applied. A dataset is evaluated occurs when it is:

  • Published
  • Republished
  • On-demand refreshed
  • Scheduled refreshed

Note

DLP evaluation of the dataset does not occur if either of the following is true:

  • The initiator of the event is a service principal.
  • The dataset owner is either a service principal or a B2B user.

What happens when a dataset matches a DLP policy

When a dataset matches a DLP policy:

  • If the policy has user notifications configured, it will be marked in the Power BI service with a shield icon to indicate that it matches a DLP policy.

    Screenshot of policy tip badge on dataset in lists.

    Open the dataset details page to see a policy tip that explains the policy match and how the detected type of sensitive information should be handled.

    Screenshot of policy tip on dataset details page.

    Note

    If you hide the policy tip, it doesn’t get deleted. It will appear the next time you visit the page.

  • If alerts are enabled in the policy, an alert will be recorded on the dlp Alerts tab in the compliance portal, and (if configured) an email will be sent to administrators and/or specified users. The following image shows the Alerts tab in the data loss prevention section of the Microsoft Purview compliance portal.

Configure a DLP policy for Power BI

Follow the procedures in Create and Deploy data loss prevention policies and use the custom template.

Important

When you select the locations for your DLP policy for Power BI, select only the Power BI location. Do not select any other locations, this configuration is not supported.

Next steps