Power BI
This page will list security settings and configurations that is advisable to implement in your environment.
Each environment is different where I believe the below settings are easy to setup and provides a way to get to a more mature security level.
Disable share content with external users
Users in the organization can share dashboards and reports with users outside the organization by default. We advise to disable this and only enable it when there is a need for this functionality. You can also specify that users in a specific security group can share dashboards.
How will this impact my users?
Users are unable to share dashboards or reports with users outside the organization
Using the user interface
This setting needs to be changed at the Power Bi admin center. The direct link is https://app.powerbi.com/admin-portal/tenantSettings
Using PowerShell
There is currently no Cmdlet available to change global Power BI settings
Disable publish to web
People in your org can publish public reports on the web. Publicly published reports don’t require authentication to view them. We advise to disable this and only enable it when there is a need for this functionality. You can also specify that users in a specific security group can publish dashboards to the web.
How will this impact my users?
Users are unable to publish public reports on the web
Using the user interface
This setting needs to be changed at the Power Bi admin center. The direct link is https://app.powerbi.com/admin-portal/tenantSettings
Using PowerShell
There is currently no Cmdlet available to change global Power BI settings
Disable export data
Users in the organization can export data from a tile or visualization. We advise to disable this and only enable it when there is a need for this functionality. You can also specify that users in a specific security group can export data.
How will this impact my users?
Users are unable to export data to for example CSV
Using the user interface
This setting needs to be changed at the Power Bi admin center. The direct link is https://app.powerbi.com/admin-portal/tenantSettings
Using PowerShell
There is currently no Cmdlet available to change global Power BI settings
Disable print or export Power BI reports as PowerPoint or PDF
Users in the organization can print or export Power BI reports as PowerPoint files or PDF documents. We advise to disable this and only enable it when there is a need for this functionality. You can also specify that users in a specific security group can print or export Power Bi reports.
How will this impact my users?
Users are unable to print or export Power BI reports as PowerPoint or PDF documents.
Using the user interface
This setting needs to be changed at the Power Bi admin center. The direct link is https://app.powerbi.com/admin-portal/tenantSettings
Using PowerShell
There is currently no Cmdlet available to change global Power BI settings
Block custom visuals
Users in the organization can add, view, share, and interact with custom visuals in the Power BI service. We advise to only enable it when there is a need for this functionality. You can also specify that users in a specific security group can use or add custom visuals. Microsoft also states that a custom visual could contain code with security or privacy risks. Make sure you trust the author and custom visual source before importing it to your report. It is possible to also allow custom visuals but only certified custom visuals
How will this impact my users?
Users are unable to add, view, share and interact with custom visuals.
Using the user interface
This setting needs to be changed at the Power Bi admin center. The direct link is https://app.powerbi.com/admin-portal/tenantSettings
Using PowerShell
There is currently no Cmdlet available to change global Power BI settings
Block template apps
Users in the organization can create template app workspaces to develop app solutions for distribution to clients outside of the organization. We advise to only enable it when there is a need for this functionality. You can also specify that users in a specific security group can publish or install template apps
How will this impact my users?
Users are unable to publish or install template apps.
Using the user interface
This setting needs to be changed at the Power Bi admin center. The direct link is https://app.powerbi.com/admin-portal/tenantSettings
Using PowerShell
There is currently no Cmdlet available to change global Power BI settings
Disable external guest users to edit and manage content in the organization
The specified guest users in the organization can edit and manage content in workspaces in the organization. They receive the ability to browse content and request access to content. We advise to only enable it when there is a need for this functionality. You can also specify that it is allowed for specific security groups. This is disabled by default!
How will this impact my users?
Guest users are unable to edit and manage content in workspaces in the organization
Using the user interface
This setting needs to be changed at the Power Bi admin center. The direct link is https://app.powerbi.com/admin-portal/tenantSettings
Using PowerShell
There is currently no Cmdlet available to change global Power BI settings