Two and a half years ago Power BI partnered with Microsoft 365 Compliance to enable you to discover, classify, and protect sensitive information in Power BI using Microsoft Information Protection (MIP) sensitivity labels. Microsoft 365 Compliance solutions are widely used by the infosec teams of enterprise-sized companies to protect sensitive data in Office 365, Exchange, Teams, SharePoint, OneDrive, etc.
Today we’re happy to announce the general availability of two very popular MIP label features: Mandatory MIP label policies and Default MIP label policies, which, both together and separately, can help you ensure that MIP labels are applied to all your Power BI content.
We’re also very excited to announce that the widely used Microsoft 365 Data Loss Prevention policies now support Power BI premium workspaces(public preview).
Default label policies in Power BI – general availability
Default label policies enable you to define a baseline level of protection to be applied to Power BI files and in the Power BI service. This capability is now generally available.
When default labeling applies, when a user creates a new file in Power BI Desktop or a new dataset or report in the Power BI service, the default label is set automatically on the new file or artifact, without interfering with the user’s workflow.
The following image shows how the Sensitivity menu displays the default label as selected when a new or existing unlabeled Power BI file is opened.
Moving forward, we are working to extend default label policies to additional editing flows in the Power BI service.
Mandatory label policy – general availability
Mandatory label policy enable organizations to ensure that MIP sensitivity labels will be applied to new content when it is created in or uploaded to Power BI. This capability is now generally available. When a user tries to save a PBIX file in Power BI Desktop or a Power BI artifact in the service that doesn’t have a sensitivity label applied, they will be prompted to choose a label before the item will be saved.
If you wish to ensure that content will get labeled without having to prompt users to choose a MIP label, you can enable a default label policy alongside a mandatory label policy. When both are enabled, the user won’t need to choose a label in order to save an item – the default label will be set automatically.
Use Microsoft 365 data loss prevention policies to detect sensitive data upload – public preview
To meet local and industry-specific compliance requirements (e.g., for financial services or healthcare industries), organizations require full visibility over the uploading of sensitive data to the cloud.
Microsoft 365 data loss prevention (DLP) policies help organizations meet these requirements for leading Microsoft products like Office 365, Teams, SharePoint, OneDrive, etc.
Rolling out in the coming week, in public preview, security admins will be able to leverage Microsoft 365 data loss prevention policies to identify and detect the upload of sensitive data to Power BI Premium (Gen 2) workspaces, according to data’s (MIP) sensitivity labels. The admin will be able to define triggers for automatic data-loss risk remediation actions, such as alerts or custom policy tips for end users.
Note: DLP policy evaluation is not currently included in capacity CPU usage. It will start to be accounted as background operation in capacity’s CPU consumption during Q1 CY2022 DLP.
Learn about data loss prevention policies for Power BI (Documentation available upon feature release)
- MIP DLP policies support identify and detect the upload of sensitive data according to sensitive data detected via dataset’s content scan.
- DLP policies CPU usage accounted in capacity CPU usage.
- MIP labels for paginated reports – general availability
- Support refresh from OneDrive of encrypted PBIX files
Finally – If you have any other suggestions or feedback about MIP in Power BI, feel free to fill out this form.