Azure security baseline for Power BI
This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Power BI. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Power BI.
When a feature has relevant Azure Policy Definitions they are listed in this baseline, to help you measure compliance to the Azure Security Benchmark controls and recommendations. Some recommendations may require a paid Microsoft Defender plan to enable certain security scenarios.
Note
Controls not applicable to Power BI, and those for which the global guidance is recommended verbatim, have been excluded. To see how Power BI completely maps to the Azure Security Benchmark, see the full Power BI security baseline mapping file.
Network Security
For more information, see the Azure Security Benchmark: Network Security.
NS-3: Establish private network access to Azure services
Guidance: Power BI supports connecting your Power BI tenant to a Private link endpoint and disabling public internet access.
Responsibility: Shared
NS-4: Protect applications and services from external network attacks
Guidance: Power BI is a fully managed SaaS offering and has built-in denial-of-service protections, which Microsoft manages. No action is needed from customers to protect the service from external network attacks.
Responsibility: Microsoft
NS-7: Secure Domain Name Service (DNS)
Guidance: Not applicable; Power BI does not expose its underlying DNS configuration. These settings are maintained by Microsoft.
Responsibility: Microsoft
Identity Management
For more information, see the Azure Security Benchmark: Identity Management.
IM-1: Standardize Azure Active Directory as the central identity and authentication system
Guidance: Power BI is integrated with Azure Active Directory (Azure AD) which is Azure's default identity and access management service. You should standardize on Azure AD to govern your organization’s identity and access management.
Securing Azure AD should be a high priority in your organization’s cloud security practice. Azure AD provides an identity secure score to help you assess identity security posture relative to Microsoft’s best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.
Note: Azure AD supports external identities that allow users without a Microsoft account to sign in to their applications and resources with their external identity.
Responsibility: Customer
IM-2: Manage application identities securely and automatically
Guidance: Power BI and Power BI Embedded support the use of Service Principals. Store any Service Principal credentials used for encrypting or accessing Power BI in a Key Vault, assign proper access policies to the vault and regularly review access permissions.
Responsibility: Customer
IM-3: Use Azure AD single sign-on (SSO) for application access
Guidance: Power BI uses Azure Active Directory (Azure AD) to provide identity and access management to Azure resources, cloud applications, and on-premises applications. This includes enterprise identities such as employees, as well as external identities such as partners, vendors, and suppliers. This enables single sign-on (SSO) to manage and secure access to your organization’s data and resources on-premises and in the cloud. Connect all your users, applications, and devices to Azure AD for seamless, secure access and greater visibility and control.
Responsibility: Customer
IM-7: Eliminate unintended credential exposure
Guidance: For Power BI Embedded applications, it is recommended to implement Credential Scanner to identify credentials within your code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.
Store any encryption keys or Service Principal credentials used for encrypting or accessing Power BI in a Key Vault, assign proper access policies to the vault and regularly review access permissions.
For GitHub, you can use the native secret scanning feature to identify credentials or other forms of secrets within the code.
Responsibility: Shared
Privileged Access
For more information, see the Azure Security Benchmark: Privileged Access.
PA-1: Protect and limit highly privileged users
Guidance: To reduce risk and follow the principle of least privilege, it is recommended to keep membership of the Power BI administrators to a small number of people. Users with these privileged permissions could potentially access and modify any management feature for the organization. Global administrators, via Microsoft 365 or Azure Active Directory (Azure AD), implicitly possess administrator rights in the Power BI service as well.
Power BI has the following highly privileged accounts:
- Global admin
- Billing admin
- License admin
- User admin
- Power BI admin
- Power BI Premium Capacity admin
- Power BI Embedded Capacity admin
Power BI supports session policies in Azure AD to enable conditional access policies and route sessions used in Power BI through the Microsoft Defender for Cloud Apps service.
Enable just-in-time (JIT) privileged access for the Power BI admin accounts using privileged access management in Microsoft 365.
Responsibility: Customer
PA-3: Review and reconcile user access regularly
Guidance: As a Power BI service admin, you can analyze usage for all Power BI resources at the tenant level by using custom reports based on the Power BI activity log. You can download the activities by using a REST API or PowerShell cmdlet. You can also filter the activity data by date range, user, and activity type.
You must meet these requirements to access the Power BI activity log:
- You must either be a global admin or a Power BI service admin.
- You have installed the Power BI Management cmdlets locally or use the Power BI Management cmdlets in Azure Cloud Shell.
Once these requirements are met, you can follow the guidance below to track user activity within Power BI:
Responsibility: Customer
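As an added example (not Microsoft's code or the page's own), the following Python script pulls activity events for a date range through the admin activity events REST API, honouring the API's rule that each request's start and end must fall within the same UTC day, and follows continuationUri until lastResultSet is reported; the bearer token, the optional client-side user and activity filters, and the injectable fetch callable are assumptions of this example.

```python
"""Pull Power BI activity-log events over a date range via the admin REST API."""
from __future__ import annotations

import json
import urllib.request
from datetime import date, timedelta
from typing import Callable, Iterator, Optional

# Power BI admin activity events endpoint. The caller supplies an Azure AD access
# token for a global admin or Power BI service admin (an assumption of this example).
ACTIVITY_URL = "https://api.powerbi.com/v1.0/myorg/admin/activityevents"


def day_windows(start: date, end: date) -> Iterator[tuple[str, str]]:
    """The API rejects requests whose start and end fall on different UTC days,
    so a multi-day range is split into one 00:00:00-23:59:59 window per day."""
    day = start
    while day <= end:
        yield (f"{day.isoformat()}T00:00:00", f"{day.isoformat()}T23:59:59")
        day += timedelta(days=1)


def http_fetch(url: str, token: str) -> dict:
    """GET one page with a bearer token (needs network; replaced by a stub in tests)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def collect_events(start: date, end: date, token: str,
                   fetch: Callable[[str, str], dict] = http_fetch,
                   user: Optional[str] = None,
                   activity: Optional[str] = None) -> list[dict]:
    """Walk each day window, follow continuationUri until lastResultSet is true,
    then apply the optional UserId / Activity filters client-side."""
    events: list[dict] = []
    for win_start, win_end in day_windows(start, end):
        url: Optional[str] = (
            f"{ACTIVITY_URL}?startDateTime='{win_start}'&endDateTime='{win_end}'"
        )
        while url:
            page = fetch(url, token)
            events.extend(page.get("activityEventEntities", []))
            url = None if page.get("lastResultSet") else page.get("continuationUri")
    return [
        ev for ev in events
        if (user is None or ev.get("UserId", "").lower() == user.lower())
        and (activity is None or ev.get("Activity") == activity)
    ]
```

Write the returned list to CSV or JSON for the periodic access review; the 30-day retention of the activity log means the pull has to be scheduled, not run ad hoc.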
PA-6: Use privileged access workstations
Guidance: Secured, isolated workstations are critically important for the security of sensitive roles like administrators, developers, and critical service operators. Use highly secured user workstations and/or Azure Bastion for administrative tasks related to managing Power BI. Use Azure Active Directory (Azure AD), Microsoft Defender Advanced Threat Protection (ATP), and/or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. The secured workstations can be centrally managed to enforce secured configuration including strong authentication, software and hardware baselines, restricted logical and network access.
Responsibility: Customer
Data Protection
For more information, see the Azure Security Benchmark: Data Protection.
DP-1: Discovery, classify and label sensitive data
Guidance: Use sensitivity labels from Microsoft Purview Information Protection on your reports, dashboards, datasets, and dataflows to guard your sensitive content against unauthorized data access and leakage.
Use sensitivity labels from Microsoft Purview Information Protection to classify and label your reports, dashboards, datasets, and dataflows in Power BI service and to protect your sensitive content from unauthorized data access and leakage when content is exported from Power BI service to Excel, PowerPoint and PDF files.
Responsibility: Customer
DP-2: Protect sensitive data
Guidance: Power BI integrates with sensitivity labels from Microsoft Purview Information Protection for sensitive data protection. For more details, see sensitivity labels from Microsoft Purview Information Protection in Power BI.
Power BI allows service users to bring their own key to protect data at rest. For more details, see Bring your own encryption keys for Power BI.
Customers have the option to keep data sources on-premises and use DirectQuery or Live Connect with an on-premises data gateway to minimize data exposure to the cloud service. For more details, see What is an on-premises data gateway?
Power BI supports row-level security. For more details, see Row-level security (RLS) with Power BI. Note that RLS can be applied even to DirectQuery data sources, in which case the PBIX file acts as a security-enabling proxy.
Responsibility: Customer
DP-3: Monitor for unauthorized transfer of sensitive data
Guidance: This control can be partially achieved by using Microsoft Defender for Cloud Apps support for Power BI.
Using Microsoft Defender for Cloud Apps with Power BI, you can help protect your Power BI reports, data, and services from unintended leaks or breaches. With Microsoft Defender for Cloud Apps, you create conditional access policies for your organization’s data, using real-time session controls in Azure Active Directory (Azure AD), that help to ensure your Power BI analytics are secure. Once these policies have been set, administrators can monitor user access and activity, perform real-time risk analysis, and set label-specific controls.
Responsibility: Customer
DP-4: Encrypt sensitive information in transit
Guidance: For HTTP traffic, ensure that any clients and data sources connecting to your Power BI resources can negotiate TLS 1.2 or greater.
Responsibility: Customer
DP-5: Encrypt sensitive data at rest
Guidance: Power BI encrypts data at rest and in process. By default, Power BI uses Microsoft-managed keys to encrypt your data. Organizations can choose to use their own keys for encryption of user content at rest across Power BI, from report images to imported datasets in Premium capacities.
Responsibility: Shared
Asset Management
For more information, see the Azure Security Benchmark: Asset Management.
AM-1: Ensure security team has visibility into risks for assets
Guidance: Use Microsoft Sentinel with your Power BI Office Audit logs to ensure your security team has visibility into risks for your Power BI assets.
Responsibility: Customer
AM-2: Ensure security team has access to asset inventory and metadata
Guidance: Ensure that security teams have access to a continuously updated inventory of Power BI Embedded resources. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input to continuous security improvements.
Azure Resource Graph can query for and discover all Power BI Embedded resources in your subscriptions.
Logically organize assets according to your organization’s taxonomy using Tags as well as other metadata in Azure (Name, Description, and Category).
Responsibility: Customer
AM-3: Use only approved Azure services
Guidance: Power BI supports Azure Resource Manager-based deployments for Power BI Embedded, and you are able to restrict the deployment of its resources via Azure Policy using a custom Policy definition.
Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within your subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected.
Responsibility: Customer
Logging and Threat Detection
For more information, see the Azure Security Benchmark: Logging and Threat Detection.
LT-2: Enable threat detection for Azure identity and access management
Guidance: Forward any logs from Power BI to your SIEM which can be used to set up custom threat detections. Additionally, use Microsoft Defender for Cloud Apps controls in Power BI to enable anomaly detection using the guide here.
Responsibility: Customer
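As an added example that is not part of the page, the Python rules below run over constructed activity-log records of the kind forwarded to a SIEM and flag report sharing to recipients outside the organisation, bulk exports by one user in a single UTC day, and exports outside working hours; the field names follow the Power BI audit schema, but the sample values, the internal-domain set and the thresholds are assumptions.

```python
"""Detection rules over Power BI activity-log records (constructed sample data)."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real tenant data). Field names follow the
# Power BI audit schema; CreationTime is UTC.
SAMPLE_EVENTS = [
    {"Activity": "ViewReport", "UserId": "alice@contoso.example",
     "CreationTime": "2023-05-01T09:12:00", "ItemName": "Sales"},
    {"Activity": "ExportReport", "UserId": "bob@contoso.example",
     "CreationTime": "2023-05-01T02:05:00", "ItemName": "Payroll"},
    {"Activity": "ExportReport", "UserId": "bob@contoso.example",
     "CreationTime": "2023-05-01T02:06:00", "ItemName": "HR"},
    {"Activity": "ExportReport", "UserId": "bob@contoso.example",
     "CreationTime": "2023-05-01T02:07:00", "ItemName": "Finance"},
    {"Activity": "ShareReport", "UserId": "carol@contoso.example",
     "CreationTime": "2023-05-01T10:00:00", "ItemName": "Sales",
     "SharingInformation": [{"RecipientEmail": "partner@outside.example"}]},
]
INTERNAL_DOMAINS = {"contoso.example"}   # assumption: the tenant's verified domains


def _domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def external_shares(events, internal_domains=INTERNAL_DOMAINS):
    """ShareReport events whose recipient is outside the organisation."""
    hits = []
    for ev in events:
        if ev.get("Activity") != "ShareReport":
            continue
        for share in ev.get("SharingInformation", []):
            recipient = share.get("RecipientEmail", "")
            if recipient and _domain(recipient) not in internal_domains:
                hits.append((ev["UserId"], ev.get("ItemName"), recipient))
    return hits


def bulk_exports(events, threshold=3):
    """Users whose ExportReport count on a single UTC day reaches the threshold."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("Activity") == "ExportReport":
            counts[(ev["UserId"], ev["CreationTime"][:10])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def off_hours_exports(events, start_hour=7, end_hour=19):
    """ExportReport events outside the (assumed) 07:00-19:00 UTC working window."""
    hits = []
    for ev in events:
        if ev.get("Activity") != "ExportReport":
            continue
        hour = datetime.fromisoformat(ev["CreationTime"]).hour
        if not start_hour <= hour < end_hour:
            hits.append((ev["UserId"], ev.get("ItemName"), ev["CreationTime"]))
    return hits
```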
LT-3: Enable logging for Azure network activities
Guidance: Power BI is a fully managed SaaS offering, and the underlying network configuration and logging are Microsoft’s responsibility. For customers using Private Link, some logging and monitoring is available and can be configured.
Responsibility: Shared
LT-4: Enable logging for Azure resources
Guidance: With Power BI, you have two options to track user activity: The Power BI activity log and the unified audit log. These logs both contain a complete copy of the Power BI auditing data, but there are several key differences, as summarized below.
Unified Audit Log:
- Includes events from SharePoint Online, Exchange Online, Dynamics 365, and other services in addition to the Power BI auditing events.
- Only users with View-Only Audit Logs or Audit Logs permissions have access, such as global admins and auditors.
- Global admins and auditors can search the unified audit log by using the Microsoft 365 Defender portal and the Microsoft Purview compliance portal.
- Global admins and auditors can download audit log entries by using Microsoft 365 Management APIs and cmdlets.
- Keeps audit data for 90 days.
- Retains audit data, even if the tenant is moved to a different Azure region.
Power BI Activity Log:
- Includes only the Power BI auditing events.
- Global admins and Power BI service admins have access.
- There's no user interface to search the activity log yet.
- Global admins and Power BI service admins can download activity log entries by using a Power BI REST API and management cmdlet.
- Keeps activity data for 30 days.
- Doesn't retain activity data when the tenant is moved to a different Azure region.
For more information, see the following references:
Responsibility: Shared
LT-5: Centralize security log management and analysis
Guidance: Power BI centralizes logs in two places: the Power BI activity log and the unified audit log. These logs both contain a complete copy of the Power BI auditing data, but there are several key differences, as summarized below.
Unified Audit Log:
- Includes events from SharePoint Online, Exchange Online, Dynamics 365, and other services in addition to the Power BI auditing events.
- Only users with View-Only Audit Logs or Audit Logs permissions have access, such as global admins and auditors.
- Global admins and auditors can search the unified audit log by using the Microsoft 365 Defender portal and the Microsoft Purview compliance portal.
- Global admins and auditors can download audit log entries by using Microsoft 365 Management APIs and cmdlets.
- Keeps audit data for 90 days.
- Retains audit data, even if the tenant is moved to a different Azure region.
Power BI Activity Log:
- Includes only the Power BI auditing events.
- Global admins and Power BI service admins have access.
- There's no user interface to search the activity log yet.
- Global admins and Power BI service admins can download activity log entries by using a Power BI REST API and management cmdlet.
- Keeps activity data for 30 days.
- Doesn't retain activity data when the tenant is moved to a different Azure region.
For more information, see the following references:
Responsibility: Customer
LT-6: Configure log storage retention
Guidance: Configure your storage retention policies for your Office Audit logs according to your compliance, regulation, and business requirements.
Responsibility: Customer
LT-7: Use approved time synchronization sources
Guidance: Power BI does not support configuring your own time synchronization sources. The Power BI service relies on Microsoft time synchronization sources, which are not exposed to customers for configuration.
Responsibility: Microsoft
Posture and Vulnerability Management
For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.
PV-1: Establish secure configurations for Azure services
Guidance: Configure your Power BI service with the settings appropriate to your organization and security stance. Settings for access to the service, and content, as well as workspace and app security should be carefully considered. See Power BI Security and Data Protection in the Power BI Enterprise Deployment whitepaper.
Responsibility: Customer
PV-2: Sustain secure configurations for Azure services
Guidance: Monitor your Power BI instance using the Power BI Admin REST APIs.
Responsibility: Customer
PV-3: Establish secure configurations for compute resources
Guidance: Power BI is a fully managed SaaS offering; the service's underlying compute resources are secured and managed by Microsoft.
Responsibility: Microsoft
PV-4: Sustain secure configurations for compute resources
Guidance: Power BI is a fully managed SaaS offering; the service's underlying compute resources are secured and managed by Microsoft.
Responsibility: Microsoft
PV-5: Securely store custom operating system and container images
Guidance: Power BI is a fully managed SaaS offering; the service's underlying compute resources are secured and managed by Microsoft.
Responsibility: Microsoft
PV-6: Perform software vulnerability assessments
Guidance: Power BI is a fully managed SaaS offering; the service's underlying compute resources are scanned and managed by Microsoft.
Responsibility: Microsoft
PV-7: Rapidly and automatically remediate software vulnerabilities
Guidance: Power BI is a fully managed SaaS offering; the service's underlying compute resources are scanned and managed by Microsoft.
Responsibility: Microsoft
PV-8: Conduct regular attack simulation
Guidance: As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings.
Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.
Responsibility: Shared
Endpoint Security
For more information, see the Azure Security Benchmark: Endpoint Security.
ES-1: Use Endpoint Detection and Response (EDR)
Guidance: Power BI does not deploy any customer-facing compute resources which would require customers to configure Endpoint Detection and Response (EDR) protection. The underlying infrastructure for Power BI is handled by Microsoft, which includes anti-malware and EDR handling.
Responsibility: Microsoft
ES-2: Use centrally managed modern anti-malware software
Guidance: Power BI does not deploy any customer-facing compute resources which would require customers to configure anti-malware protection. The underlying infrastructure for Power BI is handled by Microsoft, which includes anti-malware scanning.
Responsibility: Microsoft
ES-3: Ensure anti-malware software and signatures are updated
Guidance: Power BI does not deploy any customer-facing compute resources which would require customers to ensure anti-malware signatures are updated consistently. The underlying infrastructure for Power BI is handled by Microsoft, which includes all anti-malware handling.
Responsibility: Microsoft
Backup and Recovery
For more information, see the Azure Security Benchmark: Backup and Recovery.
BR-3: Validate all backups including customer-managed keys
Guidance: If you are using the Bring Your Own Key (BYOK) feature in Power BI you need to periodically validate that you can access and restore your customer-managed keys.
Responsibility: Customer
BR-4: Mitigate risk of lost keys
Guidance: If you are using the Bring Your Own Key (BYOK) feature in Power BI you need to ensure the Key Vault controlling your customer-managed keys is configured with the guidance in the BYOK in Power BI documentation below. Enable soft delete and purge protection in Azure Key Vault to protect keys against accidental or malicious deletion.
For Gateway key resources ensure you are following the guidance in the Gateway recovery key documentation below.
Responsibility: Customer
Next steps
- See the Azure Security Benchmark V2 overview
- Learn more about Azure security baselines