Unfortunately, Power BI doesn’t currently have a built-in way to automatically prevent reports built from Azure SQL (or any specific data source) from being published to personal workspaces. It’s an “all or nothing” switch: either personal workspace publishing is allowed for everyone, or you disable it for everyone via the Power BI Admin Portal. There’s no granular setting based on data source. Here’s what works:
- Disable Personal Workspace Publishing: In the Power BI Admin Portal, you can block all publishing to personal workspaces. This means no one can publish reports to their own workspace, regardless of source. Yes, it’s a bit blunt, but it’s the only guaranteed way right now.
- Set Up Shared Workspaces for Each Environment: Use separate workspaces for Dev, Test, Acceptance, and Production. Give publishing rights to only the people who need them, especially in Production.
- Use Security Groups: If you want some exceptions (for example, allowing dev teams to still publish personally), use security groups and allow-list certain users. For most people, keep it locked down.
- Implement DLP and Audit Logs: Set up Data Loss Prevention policies and Power BI audit logs to alert you if sensitive data is published to the wrong place, or to monitor who is publishing what, and where.
- Restrict Azure SQL Connections: For extra control, restrict Azure SQL database access so only approved Power BI workspaces can connect (using IP/VNet whitelisting).
- Manual Approval (if really needed): If you need a review process before publishing to Production, consider having a manual check or even a separate workspace where reports are reviewed before being moved to Production.
There isn’t a way to block personal workspace publishing based on data source right now, but a combination of admin portal settings, workspace structure, and DLP/audit policies is the current best practice for enterprise Power BI governance.
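The audit-log monitoring suggested above can be sketched as follows; this is an added example, not part of the original answer or any Microsoft tooling. It joins exported activity events with a per-dataset datasource inventory to flag publishes of Azure SQL-backed content into personal workspaces. The field names, the set of publish activities, the personal-workspace name patterns and all sample records are assumptions to adjust to your own tenant's export.

```python
from fnmatch import fnmatchcase

# Assumed values: tune to what your tenant's activity export actually contains.
PUBLISH_ACTIVITIES = {"Import", "CreateReport", "CreateDataset"}
PERSONAL_PATTERNS = ("My Workspace", "PersonalWorkspace*")
SENSITIVE_SERVERS = ("*.database.windows.net",)      # Azure SQL endpoints
ALLOW_LIST = {"dev-lead@contoso.example"}            # users exempted via security group

# Constructed sample events (assumed activity-log export shape).
EVENTS = [
    {"CreationTime": "2024-05-02T09:14:00Z", "Activity": "Import", "UserId": "dev1@contoso.example", "WorkSpaceName": "My Workspace", "DatasetId": "ds-001"},
    {"CreationTime": "2024-05-02T09:20:00Z", "Activity": "Import", "UserId": "analyst2@contoso.example", "WorkSpaceName": "Finance - Production", "DatasetId": "ds-002"},
    {"CreationTime": "2024-05-02T10:01:00Z", "Activity": "Import", "UserId": "Dev-Lead@contoso.example", "WorkSpaceName": "My Workspace", "DatasetId": "ds-003"},
    {"CreationTime": "2024-05-02T10:30:00Z", "Activity": "Import", "UserId": "analyst3@contoso.example", "WorkSpaceName": "PersonalWorkspace analyst3", "DatasetId": "ds-004"},
    {"CreationTime": "2024-05-02T11:00:00Z", "Activity": "ViewReport", "UserId": "dev1@contoso.example", "WorkSpaceName": "My Workspace", "DatasetId": "ds-001"},
]
# Constructed datasource inventory keyed by dataset id (assumed shape).
DATASOURCES = {
    "ds-001": [{"datasourceType": "Sql", "connectionDetails": {"server": "Sales-Prod.database.windows.net"}}],
    "ds-002": [{"datasourceType": "Sql", "connectionDetails": {"server": "fin-prod.database.windows.net"}}],
    "ds-003": [{"datasourceType": "Sql", "connectionDetails": {"server": "dev-db.database.windows.net"}}],
    "ds-004": [{"datasourceType": "File", "connectionDetails": {"path": "budget.xlsx"}}],
}

def is_personal(workspace_name):
    return any(fnmatchcase(workspace_name or "", p) for p in PERSONAL_PATTERNS)

def sensitive_server(dataset_id, datasources):
    """Return the first matching sensitive server for the dataset, else None."""
    for src in datasources.get(dataset_id, []):
        server = src.get("connectionDetails", {}).get("server", "").lower()
        if any(fnmatchcase(server, p) for p in SENSITIVE_SERVERS):
            return server
    return None

def find_violations(events, datasources, allow_list=ALLOW_LIST):
    """Publishes of sensitive-source datasets into personal workspaces."""
    hits = []
    for ev in events:
        if ev.get("Activity") not in PUBLISH_ACTIVITIES:
            continue                      # views, exports etc. are out of scope
        if not is_personal(ev.get("WorkSpaceName")):
            continue                      # shared workspaces are governed separately
        if ev.get("UserId", "").lower() in allow_list:
            continue                      # explicit exception
        server = sensitive_server(ev.get("DatasetId"), datasources)
        if server:
            hits.append({"when": ev["CreationTime"], "user": ev["UserId"], "server": server})
    return hits

if __name__ == "__main__":
    for hit in find_violations(EVENTS, DATASOURCES):
        print(hit)
```
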