Power BI Security

For a detailed explanation of Power BI security, please download the Power BI Security whitepaper:

The Power BI service is built on Azure, which is Microsoft’s cloud computing infrastructure and platform. The Power BI service architecture is based on two clusters – the Web Front End (WFE) cluster and the Back End cluster. The WFE cluster is responsible for initial connection and authentication to the Power BI service, and once authenticated, the Back End handles all subsequent user interactions. Power BI uses Azure Active Directory (AAD) to store and manage user identities, and manages the storage of data and metadata using Azure BLOB and Azure SQL Database, respectively.

Power BI Architecture

Each Power BI deployment consists of two clusters – a Web Front End (WFE) cluster, and a Back End cluster.

The WFE cluster manages the initial connection and authentication process for Power BI, using AAD to authenticate clients and provide tokens for subsequent client connections to the Power BI service. Power BI also uses the Azure Traffic Manager (ATM) to direct user traffic to the nearest datacenter, determined by the DNS record of the client attempting to connect, for the authentication process and to download static content and files. Power BI uses the Azure Content Delivery Network (CDN) to efficiently distribute the necessary static content and files to users based on geographical locale.

The Back End cluster is how authenticated clients interact with the Power BI service. The Back End cluster manages visualizations, user dashboards, datasets, reports, data storage, data connections, data refresh, and other aspects of interacting with the Power BI service. The Gateway Role acts as a gateway between user requests and the Power BI service. Users do not interact directly with any roles other than the Gateway Role. Azure API Management will eventually handle the Gateway Role.

Important

It is imperative to note that only Azure API Management (APIM) and Gateway (GW) roles are accessible through the public Internet. They provide authentication, authorization, DDoS protection, throttling, load balancing, routing, and other capabilities.

Data Storage Security

Power BI uses two primary repositories for storing and managing data: data that is uploaded from users is typically sent to Azure BLOB storage, and all metadata as well as artifacts for the system itself are stored in Azure SQL Database.

The dotted line in the Back End cluster image, above, clarifies the boundary between the only two components that are accessible by users (left of the dotted line), and roles that are only accessible by the system. When an authenticated user connects to the Power BI service, the connection and any request by the client is accepted and managed by the Gateway Role (eventually to be handled by Azure API Management), which then interacts on the user’s behalf with the rest of the Power BI service. For example, when a client attempts to view a dashboard, the Gateway Role accepts that request, then separately sends a request to the Presentation Role to retrieve the data needed by the browser to render the dashboard.

User Authentication

Power BI uses Azure Active Directory (AAD) to authenticate users who log in to the Power BI service, and in turn, uses the Power BI login credentials whenever a user attempts to access resources that require authentication. Users log in to the Power BI service using the email address used to establish their Power BI account; Power BI uses that login email as the effective username, which is passed to resources whenever a user attempts to connect to data. The effective username is then mapped to a User Principal Name (UPN) and resolved to the associated Windows domain account, against which authentication is applied.

For organizations that used work emails for Power BI login (such as david@contoso.com), the effective username to UPN mapping is straightforward. For organizations that did not use work emails for Power BI login (such as david@contoso.onmicrosoft.com), mapping between AAD and on-premises credentials will require directory synchronization to work properly.

Platform security for Power BI also includes multi-tenant environment security, networking security, and the ability to add additional AAD-based security measures.

Data and Service Security

For more information, please visit the Microsoft Trust Center.

As described earlier in this article, a user’s Power BI login is used by on-premises Active Directory servers to map to a UPN for credentials. However, it’s important to note that users are responsible for the data they share: if a user connects to data sources using her credentials, then shares a report (or dashboard, or dataset) based on that data, users with whom the dashboard is shared are not authenticated against the original data source, and will be granted access to the report.

An exception is connections to SQL Server Analysis Services using the on-premises data gateway; dashboards are cached in Power BI, but access to underlying reports or datasets initiates authentication for the user attempting to access the report (or dataset), and access will only be granted if the user has sufficient credentials to access the data. For more information, see On-premises data gateway deep dive.
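
The sharing rule described above can be turned into a simple review check. The following is an added example, not Power BI code or a Power BI API: it models a constructed inventory of shared reports and lists recipients who see data without holding rights on the original source. The `SharedReport` type, the connection-kind constants and the sample inventory are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical connection kinds used only in this illustration.
STORED_CREDENTIALS = "stored_credentials"  # data fetched with the owner's credentials
SSAS_VIA_GATEWAY = "ssas_via_gateway"      # viewer is authenticated at the source

@dataclass(frozen=True)
class SharedReport:
    name: str
    owner: str
    connection: str
    shared_with: tuple     # UPNs the report was shared with
    source_acl: frozenset  # UPNs authorized on the underlying data source

def _norm(upns):
    # UPN comparison is case-insensitive, so normalize before set operations.
    return {u.casefold() for u in upns}

def effective_readers(report):
    """Recipients who can actually see the report's data."""
    recipients = _norm(report.shared_with)
    if report.connection == SSAS_VIA_GATEWAY:
        # Each viewer is checked against the source, so the source ACL still applies.
        return recipients & _norm(report.source_acl)
    # Sharing alone grants access; recipients are never checked at the source.
    return recipients

def audit_sharing(reports):
    """Map report name -> recipients who see data without rights on the source."""
    findings = {}
    for report in reports:
        exposed = sorted(effective_readers(report) - _norm(report.source_acl))
        if exposed:
            findings[report.name] = exposed
    return findings

# Constructed sample inventory (not real tenant data).
ACL = frozenset({"david@contoso.com", "erin@contoso.com"})
INVENTORY = [
    SharedReport("Sales pipeline", "david@contoso.com", STORED_CREDENTIALS,
                 ("Erin@contoso.com", "frank@contoso.com"), ACL),
    SharedReport("Finance cube", "david@contoso.com", SSAS_VIA_GATEWAY,
                 ("erin@contoso.com", "frank@contoso.com"), ACL),
]

if __name__ == "__main__":
    for name, users in audit_sharing(INVENTORY).items():
        print(f"{name}: visible to {', '.join(users)} without source access")
```

Only the report built on stored credentials is flagged; the Analysis Services report behind the gateway keeps enforcing the source's own permissions.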