Feedback Edit

Get started with Data loss prevention policies for Power BI (preview)

  • Article
  • 3 minutes to read

To help organizations detect and protect their sensitive data, Microsoft Purview data loss prevention (DLP) polices support Power BI. When a PowerBI data set matches the criteria in a DLP policy, an alert that explains the nature of the sensitive content can be triggered. This alert is also registered in the data loss prevention Alerts tab in the Microsoft compliance portal for monitoring and management by administrators. In addition, email alerts can be sent to administrators and specified users.

Considerations and limitations

  • DLP policies apply to workspaces. Only workspaces hosted in Premium Gen2 capacities are supported. For more information, see What is Power BI Premium Gen2?.
  • DLP dataset evaluation workloads impact capacity. Metering for DLP evaluation workloads is not supported.
  • Both classic and new experience workspaces are supported, as long as they are hosted in Premium Gen2 capacities.
  • You must create a custom DLP custom policy for Power BI. DLP templates are not supported.
  • DLP polices that are applied to the DLP location support sensitivity labels and sensitive information types as conditions.
  • DLP policies for Power BI are not supported for sample datasets, streaming datasets, or datasets that connect to their data source via DirectQuery or live connection.
  • DLP policies for Power BI are not supported in sovereign clouds.

Licensing and permissions

SKU/subscriptions licensing

Before you get started with DLP for Power BI, you should confirm your Microsoft 365 subscription. For full licensing guidance, see Microsoft 365 guidance for security & compliance.

Permissions

Data from DLP for Power BI can be viewed in Activity explorer. There are four roles that grant permission to activity explorer; the account you use for accessing the data must be a member of any one of them.

  • Global administrator
  • Compliance administrator
  • Security administrator
  • Compliance data administrator

How DLP policies for Power BI work

You define a DLP policy in the data loss prevention section of the compliance portal. See, Design a data loss prevention policy. In the policy, you specify sensitivity label(s) you want to detect. You also specify the action(s) that will happen when the policy detects a dataset that has a specified sensitivity label applied. DLP policies support two actions for Power BI:

  • User notification via policy tips.
  • Alerts. Alerts can be sent by email to administrators and users. Additionally, administrators can monitor and manage alerts on the Alerts tab in the compliance center.

When a dataset is evaluated by DLP and matches the conditions in a DLP policy, the actions defined in the policy are applied. A dataset is evaluated occurs when a dataset is:

  • Publish
  • Republish
  • On-demand refresh
  • Scheduled refresh

Note

DLP evaluation of the dataset does not occur if either of the following is true:

  • The initiator of the event is a service principal.
  • The dataset owner is either a service principal or a B2B user.

What happens when a dataset matches a DLP policy

When a dataset matches a DLP policy:

  • If the policy has user notification configured, it will be marked in the Power BI service with a shield icon to indicate that it matches a DLP policy.

    Screenshot of policy tip badge on dataset in lists.

    Open the dataset details page to see a policy tip that explains the policy match and how the detected type of sensitive information should be handled.

    Screenshot of policy tip on dataset details page.

    Note

    If you hide the policy tip, it doesn’t get deleted. It will appear the next time you visit the page.

  • If alerts are enabled in the policy, an alert will be recorded on the dlp Alerts tab in the compliance center, and (if configured) an email will be sent to administrators and/or specified users. The following image shows the Alerts tab in the data loss prevention section of the Microsoft Purview compliance portal.

    Screenshot of Alerts tab in the compliance center.

Configure a DLP policy for Power BI

Follow the procedures in Create, test, and tune a DLP policy and use the custom template.

Important

When you select the locations for your DLP policy for Power BI, select only the Power BI location. Do not select any other locations, this configuration is not supported.

Next steps