Using Microsoft Defender for Cloud Apps controls in Power BI

Using Defender for Cloud Apps with Power BI, you can help protect your Power BI reports, data, and services from unintended leaks or breaches. With Defender for Cloud Apps, you can create conditional access policies for your organization's data, using real-time session controls in Azure Active Directory (Azure AD), that help to ensure your Power BI analytics are secure. Once these policies have been set, administrators can monitor user access and activity, perform real-time risk analysis, and set label-specific controls.

Screenshot of Defender for Cloud Apps Cloud Apps catalog.

You can configure Defender for Cloud Apps for all sorts of apps and services, not only Power BI. You'll need to configure Defender for Cloud Apps to work with Power BI to benefit from Defender for Cloud Apps protections for your Power BI data and analytics. For more information about Defender for Cloud Apps, including an overview of how it works, the dashboard, and app risk scores, see the Defender for Cloud Apps documentation.

Defender for Cloud Apps licensing

To use Defender for Cloud Apps with Power BI, you must use and configure relevant Microsoft security services, some of which are set outside Power BI. In order to have Defender for Cloud Apps in your tenant, you must have one of the following licenses:

  • Microsoft Defender for Cloud Apps: Provides Defender for Cloud Apps capabilities for all supported apps, part of the EMS E5 and Microsoft 365 E5 suites.
  • Office 365 Cloud App Security: Provides Defender for Cloud Apps capabilities only for Office 365, part of the Office 365 E5 suite.

Configure real-time controls for Power BI with Defender for Cloud Apps

Note

An Azure Active Directory Premium P1 license is required in order to benefit from Defender for Cloud Apps real-time controls.

The sections below describe the steps for configuring real-time controls for Power BI with Defender for Cloud Apps.

Set session policies in Azure AD (required)

The steps necessary to set session controls are completed in the Azure AD and Defender for Cloud Apps portals. In the Azure AD portal, you create a conditional access policy for Power BI, and route sessions used in Power BI through the Defender for Cloud Apps service.

Defender for Cloud Apps operates using a reverse-proxy architecture, and is integrated with Azure AD conditional access to monitor Power BI user activity in real-time. The following steps are provided here to help you understand the process, and detailed step-by-step instructions are provided in the linked content in each of the following steps. You can also read this Defender for Cloud Apps article that describes the process in whole.

  1. Create an Azure AD conditional access test policy
  2. Sign into each app using a user scoped to the policy
  3. Verify the apps are configured to use access and session controls
  4. Enable the app for use in your organization
  5. Test the deployment

The process for setting session policies is described in detail in the Session policies article.

You can define anomaly Power BI detection policies that can be independently scoped, so that they apply to only the users and groups you want to include and exclude in the policy. Learn more.

Defender for Cloud Apps also has two dedicated, built-in detections for Power BI. See the section later on in this document for detail.

Sensitivity labels enable you to classify and help protect sensitive content, so that people in your organization can collaborate with partners outside your organization, yet still be careful and aware of sensitive content and data.

You can read the article on sensitivity labels in Power BI, which goes into detail about the process of using sensitivity labels for Power BI. See below for an example of a Power BI policy based on sensitivity labels.

Custom policies to alert on suspicious user activity in Power BI

Defender for Cloud Apps activity policies enable administrators to define their own custom rules to help detect user behavior that deviates from the norm, and even possibly act upon it automatically, if it seems too dangerous. For example:

  • Massive sensitivity label removal. For example: alert me when sensitivity labels are removed by a single user from 20 different reports in a time window shorter than 5 minutes.

  • Encrypting sensitivity label downgrade. For example: alert me when a report that had a 'Highly confidential' sensitivity label is now classified as 'Public'.

Note

The unique identifiers (IDs) of Power BI artifacts and sensitivity labels can be found using Power BI REST APIs. See Get datasets or Get reports.

Custom activity policies are configured in the Defender for Cloud Apps portal. Learn more.

Built-in Defender for Cloud Apps detections for Power BI

Defender for Cloud Apps detections enable administrators to monitor specific activities of a monitored app. For Power BI, there are currently two dedicated, built-in Defender for Cloud Apps detections:

  • Suspicious share – detects when a user shares a sensitive report with an unfamiliar (external to the organization) email. A sensitive report is a report whose sensitivity label is set to INTERNAL-ONLY or higher.

  • Mass share of reports – detects when a user shares a massive number of reports in a single session.

Settings for these detections are configured in the Defender for Cloud Apps portal. Learn more.

Power BI admin role in Defender for Cloud Apps

A new role is created for Power BI admins when using Defender for Cloud Apps with Power BI. When you log in as a Power BI admin to the Defender for Cloud Apps portal, you have limited access to data, alerts, users at risk, activity logs, and other information relevant to Power BI.

Considerations and limitations

Using Defender for Cloud Apps with Power BI is designed to help secure your organization's content and data, with detections that monitor user sessions and their activities. When using Defender for Cloud Apps with Power BI, there are a few considerations and limitations you should keep in mind:

  • Defender for Cloud Apps can only operate on Excel, PowerPoint, and PDF files.
  • If you want to use sensitivity labels capabilities in your session policies for Power BI, you need to have an Azure Information Protection Premium P1 or Premium P2 license. Microsoft Azure Information Protection can be purchased either standalone or through one of the Microsoft licensing suites. See Azure Information Protection pricing for detail. In addition, sensitivity labels must have been applied on your Power BI assets.
  • Session control is available for any browser on any major platform on any operating system. We recommend using Internet Explorer 11, Microsoft Edge (latest), Google Chrome (latest), Mozilla Firefox (latest), or Apple Safari (latest). Power BI public API calls and other non-browser-based sessions aren't supported as part of Defender for Cloud Apps session control. See more detail.

Caution

In the session policy, in the "Action" part, the "protect" capability works only if no label exists on the item. If a label already exists, the "protect" action won't apply; you can't override an existing label that has already been applied to an item in Power BI.

Example

The following example shows you how to create a new session policy using Defender for Cloud Apps with Power BI.

First, create a new session policy. In the Defender for Cloud Apps portal, select Policies on the navigation pane. Then on the policies page, click Create policy and choose Session policy.

Screenshot of Defender for Cloud App Security create new session policy option.

In the window that appears, create the session policy. The numbered steps describe settings for the following image.

  1. In the Policy template drop-down, choose No template.

  2. For the Policy name box, provide a relevant name for your session policy.

  3. For Session control type, select Control file download (with inspection) (for DLP).

    For the Activity source section, choose relevant blocking policies. We recommend blocking unmanaged and non-compliant devices. Choose to block downloads when the session is in Power BI.

    Screenshot of Defender for Cloud App Security policy configuration page.

    When you scroll down you see more options. The following image shows those options, with additional examples.

  4. Create a filter on Sensitivity label and choose Highly confidential or whatever best fits your organization.

  5. Change the Inspection method to none.

  6. Choose the Block option that fits your needs.

  7. Make sure you create an alert for such an action.

    Screenshot of Defender for Cloud App Security policy configuration - choosing inspection method.

  8. Finally, select the Create button to create the session policy.

    Screenshot of Defender for Cloud App Security create session policy button.

Next steps

This article described how Defender for Cloud Apps can provide data and content protections for Power BI. You might also be interested in the following articles, which describe Data Protection for Power BI and supporting content for the Azure services that enable it.

You might also be interested in the following Azure and security articles: