Using Microsoft Cloud App Security controls in Power BI

Using Cloud App Security with Power BI, you can help protect your Power BI reports, data, and services from unintended leaks or breaches. With Cloud App Security, you can create conditional access policies for your organization’s data, using real-time session controls in Azure Active Directory (Azure AD), that help to ensure your Power BI analytics are secure. Once these policies have been set, administrators can monitor user access and activity, perform real-time risk analysis, and set label-specific controls.

Using Cloud App Security controls pane

You can configure Cloud App Security for all sorts of apps and services, not only Power BI. You’ll need to configure Cloud App Security to work with Power BI to benefit from Cloud App Security protections for your Power BI data and analytics. For more information about Cloud App Security, including an overview of how it works, the dashboard, and app risk scores, see the Cloud App Security documentation.

Cloud App Security licensing

To use Cloud App Security with Power BI, you must use and configure relevant Microsoft security services, some of which are set outside Power BI. In order to have Cloud App Security in your tenant, you must have one of the following licenses:

  • Microsoft Cloud App Security: Provides Cloud App Security capabilities for all supported apps, part of the EMS E5 and Microsoft 365 E5 suites.
  • Office 365 Cloud App Security: Provides Cloud App Security capabilities only for Office 365, part of the Office 365 E5 suite.

Configure real-time controls for Power BI with Cloud App Security


  • An Azure Active Directory Premium P1 license is required in order to benefit from Cloud App Security real-time controls.

The sections below describe the steps for configuring real-time controls for Power BI with Cloud App Security.

Set session policies in Azure AD (required)

The steps necessary to set session controls are completed in the Azure AD and Cloud App Security portals. In the Azure AD portal, you create a conditional access policy for Power BI, and route sessions used in Power BI through the Cloud App Security service.

Cloud App Security operates using a reverse-proxy architecture, and is integrated with Azure AD conditional access to monitor Power BI user activity in real-time. The following steps are provided here to help you understand the process, and detailed step-by-step instructions are provided in the linked content in each of the following steps. You can also read this Cloud App Security article that describes the process in whole.

  1. Create an Azure AD conditional access test policy
  2. Sign into each app using a user scoped to the policy
  3. Verify the apps are configured to use access and session controls
  4. Test the deployment

The process for setting session policies is described in detail in the Session policies article.

You can define anomaly Power BI detection policies that can be independently scoped, so that they apply to only the users and groups you want to include and exclude in the policy. Learn more.

Cloud App Security also has two dedicated, built-in detections for Power BI. See the section later on in this document for detail.

Sensitivity labels enable you to classify and help protect sensitive content, so that people in your organization can collaborate with partners outside your organization, yet still be careful and aware of sensitive content and data.

You can read the article on sensitivity labels in Power BI, which goes into detail about the process of using sensitivity labels for Power BI. See below for an example of a Power BI policy based on sensitivity labels.

Custom policies to alert on suspicious user activity in Power BI

Cloud App Security activity policies enable administrators to define their own custom rules to help detect user behavior that deviates from the norm, and even possibly act upon it automatically, if it seems too dangerous. For example:

  • Massive sensitivity label removal. For example: alert me when sensitivity labels are removed by a single user from 20 different reports in a time window shorter than 5 minutes.

  • Encrypting sensitivity label downgrade. For example: alert me when a report that had a ‘Highly confidential’ sensitivity label is now classified as ‘Public’.


Custom activity policies are configured in the Cloud App Security portal. Learn more.

Built-in Cloud App Security detections for Power BI

Cloud App Security detections enable administrators to monitor specific activities of a monitored app. For Power BI, there are currently two dedicated, built-in Cloud App Security detections:

  • Suspicious share – detects when a user shares a sensitive report with an unfamiliar (external to the organization) email. A sensitive report is a report whose sensitivity label is set to INTERNAL-ONLY or higher.

  • Mass share of reports – detects when a user shares a massive number of reports in a single session.

Settings for these detections are configured in the Cloud App Security portal. Learn more.

Power BI admin role in Cloud App Security

A new role is created for Power BI admins when using Cloud App Security with Power BI. When you log in as a Power BI admin to the Cloud App Security portal, you have limited access to Power-BI-relevant data, alerts, users at risk, activity logs, and other information.

Considerations and limitations

Using Cloud App Security with Power BI is designed to help secure your organization’s content and data, with detections that monitor user sessions and their activities. When using Cloud App Security with Power BI, there are a few considerations and limitations you should keep in mind:

  • Cloud App Security can only operate on Excel, PowerPoint, and PDF files.
  • If you want to use sensitivity labels capabilities in your session policies for Power BI, you need to have an Azure Information Protection Premium P1 or Premium P2 license. Microsoft Azure Information Protection can be purchased either standalone or through one of the Microsoft licensing suites. See Azure Information Protection pricing for detail. In addition, sensitivity labels must have been applied on your Power BI assets.
  • Session control is available for any browser on any major platform on any operating system. We recommend using Internet Explorer 11, Microsoft Edge (latest), Google Chrome (latest), Mozilla Firefox (latest), or Apple Safari (latest). Power BI public API calls and other non-browser-based sessions aren't supported as part of Cloud App Security session control. See more detail.


  • In the session policy, in the “Action” part, the “protect” capability will only work if no label exists on the item. If a label already exists, the “protect” action won't apply; you can’t override an existing label that has already been applied to an item in Power BI.


The following example shows you how to create a new session policy using Cloud App Security with Power BI.

First, create a new session policy. Select Policies from the left menu in the Cloud App Security portal.

Create a new session policy

In the window that appears, select the Create policy drop-down.

Select create policy

From the list of options in the drop-down, select Session policy.

Select session policy

In the window that appears, create the session policy. The numbered steps describe settings for the following image.

  1. In the Policy template drop-down, choose No template.

  2. For the Policy name box, provide a relevant name for your session policy.

  3. For Session control type, select Control file downloaded (with DLP).

    For the Activity source section, choose relevant blocking policies. We recommend blocking unmanaged and non-compliant devices. Choose to block downloads when the session is in Power BI.

    Create the session policy - block downloads.

    When you scroll down you see more options. The following image shows those options, with additional examples.

  4. Choose Confidentiality label as highly confidential or whatever best fits your organization.

  5. Change the Inspection method to none.

  6. Choose the Block option that fits your needs.

  7. Make sure you create an alert for such an action.

    Select session policy settings.

  8. Finally make sure you select the Create button to create the session policy.

    Create the session policy.

Next steps

This article described how Cloud App Security can provide data and content protections for Power BI. You might also be interested in the following articles, which describe Data Protection for Power BI and supporting content for the Azure services that enable it.

You might also be interested in the following Azure and security articles: