Power BI Security

For a detailed explanation of Power BI security, download the Power BI Security whitepaper.

The Power BI service is built on Azure, Microsoft's cloud computing infrastructure and platform. The Power BI service architecture is based on two clusters: the Web Front End (WFE) cluster and the Back End cluster. The WFE cluster is responsible for the initial connection and authentication to the Power BI service; once a user is authenticated, the Back End handles all subsequent user interactions. Power BI uses Azure Active Directory (AAD) to store and manage user identities, and stores data and metadata in Azure BLOB storage and Azure SQL Database, respectively.

Power BI Architecture

Each Power BI deployment consists of two clusters: a Web Front End (WFE) cluster and a Back End cluster.

The WFE cluster manages the initial connection and authentication process for Power BI, using AAD to authenticate clients and issue the tokens used for subsequent client connections to the Power BI service. Power BI also uses Azure Traffic Manager (ATM) to direct user traffic to the nearest datacenter, determined by the DNS record of the connecting client, both for the authentication process and for downloading static content and files. Power BI uses the Azure Content Delivery Network (CDN) to distribute the necessary static content and files efficiently to users based on their geographical locale.

The Back End cluster is how authenticated clients interact with the Power BI service. It manages visualizations, user dashboards, datasets, reports, data storage, data connections, data refresh, and other aspects of interacting with the Power BI service. The Gateway Role acts as a gateway between user requests and the Power BI service. Users do not interact directly with any role other than the Gateway Role. Azure API Management will eventually handle the Gateway Role.

Important

Note that only the Azure API Management (APIM) and Gateway (GW) roles are accessible from the public Internet. These roles provide authentication, authorization, DDoS protection, throttling, load balancing, routing, and other capabilities.

Data Storage Security

Power BI uses two primary repositories for storing and managing data: data uploaded by users is typically sent to Azure BLOB storage, and all metadata, as well as artifacts for the system itself, are stored in Azure SQL Database.

The dotted line in the Back End cluster image above marks the boundary between the only two components that are accessible by users (left of the dotted line) and the roles that are accessible only by the system. When an authenticated user connects to the Power BI service, the connection and any request from the client are accepted and managed by the Gateway Role (eventually to be handled by Azure API Management), which then interacts with the rest of the Power BI service on the user's behalf. For example, when a client attempts to view a dashboard, the Gateway Role accepts that request and then separately sends a request to the Presentation Role to retrieve the data the browser needs to render the dashboard.

User Authentication

Power BI uses Azure Active Directory (AAD) to authenticate users who log in to the Power BI service, and in turn uses the Power BI login credentials whenever a user attempts to access resources that require authentication. Users log in to the Power BI service with the email address used to establish their Power BI account; Power BI uses that login email as the effective username, which is passed to resources whenever the user attempts to connect to data. The effective username is then mapped to a User Principal Name (UPN) and resolved to the associated Windows domain account, against which authentication is applied.

For organizations that use work emails for Power BI login (such as david@contoso.com), the mapping from effective username to UPN is straightforward. For organizations that do not use work emails for Power BI login (such as david@contoso.onmicrosoft.com), mapping between AAD and on-premises credentials requires directory synchronization to work properly.

Platform security for Power BI also includes multi-tenant environment security, networking security, and the ability to add further AAD-based security measures.

Data and Service Security

For more information, visit the Microsoft Trust Center.

As described earlier in this article, a user's Power BI login is used by on-premises Active Directory servers to map to a UPN for credentials. However, it is important to note that users are responsible for the data they share: if a user connects to data sources using her own credentials and then shares a report (or dashboard, or dataset) based on that data, the users with whom it is shared are not authenticated against the original data source and are granted access to the report.

The exception is connections to SQL Server Analysis Services through the on-premises data gateway: dashboards are cached in Power BI, but access to the underlying reports or datasets initiates authentication for the user attempting to access the report (or dataset), and access is granted only if that user has sufficient credentials for the data. For more information, see On-premises data gateway deep dive.