Sensitivity labels in Power BI
This article describes the functionality of Microsoft Information Protection sensitivity labels in Power BI.
For information about enabling sensitivity labels on your tenant, including licensing requirements and prerequisites, see Enable data sensitivity labels in Power BI.
For information about how to apply sensitivity labels to Power BI reports, dashboards, datasets, and dataflows, see How to apply sensitivity labels in Power BI.
Microsoft Information Protection sensitivity labels provide a simple way for your users to classify critical content in Power BI without compromising productivity or the ability to collaborate.
Sensitivity labels can be applied to datasets, reports, dashboards, and dataflows. When labeled data leaves Power BI, either via export to Excel, PowerPoint or PDF files, or via other supported export scenarios such as Analyze in Excel or live connection PivotTables in Excel, Power BI automatically applies the label to the exported file and protects it according to the label’s file encryption settings. This way your sensitive data remains protected, no matter where it is.
Sensitivity labels on reports, dashboards, datasets, and dataflows are visible from many places in the Power BI service. Sensitivity labels on reports and dashboards are also visible in the Power BI iOS and Android mobile apps and in embedded visuals.
A protection metrics report available in the Power BI admin portal gives Power BI admins full visibility over the sensitive data in the Power BI tenant. In addition, the Power BI audit logs include sensitivity label information about activities such as applying, removing, and changing labels, as well as about activities such as viewing reports, dashboards, etc., This gives Power BI and security admins visibility over sensitive data consumption for the purposes of monitoring and investigating security alerts.
Sensitivity labeling does not affect access to content within Power BI – access to content within Power BI is managed solely by Power BI permissions. While the labels are visible, any associated encryption settings (configured in either the Microsoft 365 security center or the Microsoft 365 compliance center) are not applied. They are applied only to data that leaves Power BI via export to Excel, PowerPoint, or PDF files, or one of the other supported export paths.
Sensitivity labels and file encryption are not applied in non-supported export paths. The Power BI admin can block export from non-supported export paths:
Users who are granted access to a report are granted access to the entire underlying dataset, unless row-level security (RLS) limits their access. Report authors can classify and label reports using sensitivity labels. If the sensitivity label has protection settings, Power BI applies these protection settings when the report data is exported to Excel, PowerPoint, or PDF files. Only authorized users will be able to open protected files.
Supported export paths
Applying sensitivity labels and their associated protection to data that leaves Power BI is currently supported for the following export paths:
- Export to Excel, PowerPoint, and PDF files.
- Analyze in Excel from the Power BI service, which triggers download of an Excel file with a live connection to a Power BI dataset.
- PivotTable in Excel with a live connection to a Power BI dataset, for users with M365 E3 and above.
How sensitivity labels work in Power BI
When you apply a sensitivity label to a Power BI dashboard, report, dataset, or dataflow, it's similar to applying a tag on that resource that has the following benefits:
- Customizable - you can create categories for different levels of sensitive content in your organization, such as Personal, Public, General, Confidential, and Highly Confidential.
- Clear text - since the label is in clear text, it's easy for users to understand how to treat the content according to sensitivity label guidelines.
- Persistent - after a sensitivity label has been applied to content, it accompanies that content when it is exported to Excel, PowerPoint and PDF files, and becomes the basis for applying and enforcing policies.
Here's a quick example of how sensitivity labels in Power BI work. The image below shows how a sensitivity label is applied on a report in the Power BI service, then how the data from the report is exported to an Excel file, and finally how the sensitivity label and its protections persist in the exported file.
The sensitivity labels you apply to content persist and roam with the content as it's used and shared throughout Power BI. You can use use the labeling to generate usage reports and to see activity data for your sensitive content.
Sensitivity label inheritance upon creation of new content
When new reports and dashboards are created in the Power BI service, they automatically inherit the sensitivity label previously applied on parent dataset or report. For example, a new report created on top of a dataset that has a "Highly Confidential" sensitivity label will automatically receive the "Highly Confidential" label as well.
The following image shows how a dataset's sensitivity label is automatically applied on a new report that is built on top of the dataset.
If for any reason the sensitivity label can't be applied on the new report or dashboard, Power BI will not block creation of the new item.
Sensitivity labels and protection on exported data
When data is exported from Power BI to Excel, PowerPoint or PDF files, Power BI automatically applies a sensitivity label on the exported file and protects it according to the label’s file encryption settings. This way your sensitive data remains protected no matter where it is.
A user who exports a file from Power BI has permissions to access and edit that file according to the sensitivity label settings; they do not get owner permissions to the file.
Sensitivity labels and protection are not applied when data is exported to .csv, .pbix files, or any other export path.
Applying a sensitivity label and protection to an exported file doesn't add content marking to the file. However, if the label is configured to apply content markings, the markings are automatically applied by the Azure Information Protection unified labeling client when the file is opened in Office desktop apps. The content markings are not automatically applied when you use built-in labeling for desktop, mobile, or web apps. See When Office apps apply content marking and encryption for more detail.
Export fails if a label can't be applied when data is exported to a file. To check if export failed because the label couldn't be applied, click the report or dashboard name at the center of the title bar and see whether it says "Sensitivity label can't be loaded" in the info dropdown that opens. This can happen as the result of a temporary system issue, or if the applied label has been unpublished or deleted by the security admin.
Sensitivity label inheritance in Analyze in Excel
When you create a PivotTable in Excel with a live connection to a Power BI dataset (you can do this either from Power BI through Analyze In Excel or from Excel), the dataset's sensitivity label is inherited and applied to your Excel file, along with any associated protection. If the label on the dataset later changes to a more restrictive one, the label applied on the linked Excel file will automatically update upon data refresh.
Sensitivity labels in Excel that were manually set are not automatically overwritten by the dataset's sensitivity label. Rather, a banner notifies you that the dataset has a sensitivity label and recommends that you apply it.
If the dataset's sensitivity label is less restrictive than the Excel file's sensitivity label, no label inheritance or update takes place. An Excel file never inherits a less restrictive sensitivity label.
Sensitivity label persistence in embedded reports and dashboards
You can embed Power BI reports, dashboards, and visuals in business applications such as Microsoft Teams and SharePoint, or in an organization’s website. When you embed a visual, report or dashboard that has a sensitivity label applied to it, the sensitivity label will be visible in the embedded view, and the label and its protection will persist when data is exported to Excel.
The following embedding scenarios are supported:
- Embed for your organization
- Microsoft 365 apps (for example, Teams and SharePoint)
- Secure URL embedding (embedding from the Power BI service)
Sensitivity labels in the Power BI mobile apps
Sensitivity labels can be viewed on reports and dashboards in the Power BI mobile apps. An icon near the name of the report or dashboard indicates that it has a sensitivity label, and the type of label and its description can be found in the report or dashboard's info box.
Sensitivity labels are only supported for tenants in global (public) clouds; they are not supported for tenants in clouds such as national clouds.
Licensing and requirements
Sensitivity label creation and management
To access sensitivity labels in either of these centers, navigate to Classification > Sensitivity labels. These sensitivity labels can be used by multiple Microsoft services such Azure Information Protection, Office apps, and Office 365 services.
If your organization uses Azure Information Protection sensitivity labels, you need to migrate them to one of the previously listed services in order for the labels to be used in Power BI.
The following list provides some limitations of sensitivity labels in Power BI:
- Sensitivity labels can be applied only on dashboards, reports, datasets, and dataflows. They are not currently available for paginated reports and workbooks.
- Sensitivity labels on Power BI assets are visible in the workspace list, lineage, favorites, recents, and apps views; labels are not currently visible in the "shared with me" view. Note, however, that a label applied to a Power BI asset, even if not visible, will always persist on data exported to Excel, PowerPoint, and PDF files.
- Data sensitivity labels are not supported for template apps. Sensitivity labels set by the template app creator are removed when the app is extracted and installed, and sensitivity labels added to artifacts in an installed template app by the app consumer are lost (reset to nothing) when the app is updated.
- Power BI does not support sensitivity labels of the Do Not Forward, user-defined, and HYOK protection types. The Do Not Forward and user-defined protection types refer to labels defined in the Microsoft 365 security center or the Microsoft 365 compliance center.
- It is not recommended to allow users to apply parent labels within Power BI (a label is considered to be a parent label only if it has sublabels). If a parent label is applied to content, exporting data from that content to a file (Excel, PowerPoint, and PDF) will fail. See Sublabels (grouping labels).
This article provided an overview of data protection in Power BI. The following articles provide more details about data protection in Power BI.