Power BI’s mission is to empower every individual, team, and organization to make confident decisions with data. My workspace is the personal workspace every Power BI user has for working with their own content. It gives each user the ability to learn and experiment in their own sandbox environment. The popularity of these personal workspaces has brought about a number of unique challenges that keep some of our admins up at night. They worry that their users might upload sensitive information to these workspaces that could be located outside of data residency boundaries. They also don’t like the fact that My workspace content gets “orphaned” when the person leaves the company and no one can take over a dataset refresh or publish an updated report.
Today, I’m very excited to announce the Public Preview of several features that address these friction points. These new features allow admins to gain access to the contents of any user’s My workspace, designate a capacity for all existing and new My workspaces, and prevent users from moving My workspaces to a different capacity that may reside in a non-compliant region. Let’s dive in.
Admins can gain access to users’ My workspaces
The contents of a user’s My workspace is private by default. It can be shared with others only if the My workspace owner has a Pro or Premium Per User license and chooses to do so. However, Power BI admins sometimes need access to these workspaces, for such things as fixing a dataset refresh failure, controlling access to sensitive data, allowing content retrieval when an employee leaves the organization, and ensuring employee compliance with company policies and data usage. With the features we’re releasing today, admins can now gain access to users’ My workspaces when necessary, via the Workspaces tab in the Admin Portal. Only Power BI service admins can perform this action, and access is automatically revoked after 24 hours.
Getting My workspace access also works for My workspaces of users who have left the company. When this happens, their My workspace will show up as Deleted in the Admin Portal, and its contents will be retained for a period of 90 days. During this 90-day retention period, besides being able to gain access as illustrated above, the admin now also has an option to restore the My workspace as an app workspace that other users can collaborate in.
Admin can control where My workspaces are located
Our customers care about where their users’ data resides. By default, My workspace is in Shared Capacity (aka Pro Capacity), which is in each customer’s home tenant. For customers whose home tenants are in a different region from where their data must reside (e.g., HQ in Europe but most usage occurring in the US), publishing data into My workspaces violates that requirement. Until today, the only way to comply with such data residency requirements was to assign My workspaces, one by one, to a designated capacity. However, this solution is manual and inefficient without resorting to Admin APIs. What’s worse, My workspace owners can still move their My workspaces back to Pro and cause the content contained within to be non-compliant again.
With today’s announcement, admins can now designate a capacity as the default capacity for all new My workspaces, via the capacity settings page. They can also migrate existing My workspaces to a designated capacity.
To alleviate admins’ concerns regarding My workspace owners moving content back to Shared Capacity, we have created a new tenant toggle setting: Users can reassign personal workspaces. Please refer to the documentation below for more details.
That’s it! Check out the references below to learn more. We hope these features help you sleep better at night, knowing your users’ contents can be better governed. Please let us know what you think of them by leaving comments below or by getting in touch with me directly. We can’t wait to hear back from you!