The ultimate Fabric, Power BI, SQL, and AI community-led learning event. Save €200 with code FABCOMM.
Get registeredCompete to become Power BI Data Viz World Champion! First round ends August 18th. Get started.
Hi, I have to create a report where data is sensitive. That data is only Access by me and My manager. I have a shared workspace in Power BI service with my manager. We both are the admin of shared Workspace.
I am wondering, is there a way where we can hide the content of the Data(Dataset+Report) of our Workspace from Power BI system administrator?
At the Moment RLS can not be implemented.
Solved! Go to Solution.
Hi @saliknaveed
In Power BI, even if you and your manager are the only administrators of a shared workspace, the Power BI Service Administrator (or a Microsoft 365 Global Administrator) retains the technical ability to access all content within the Power BI environment, including datasets and reports—regardless of workspace permissions or roles. This is by design to ensure compliance, auditability, and organizational governance. While Row-Level Security (RLS) can help restrict data access for report consumers, it does not prevent Power BI administrators or tenant-level admins from accessing underlying datasets. There is currently no built-in method to completely hide or encrypt report content from Power BI system administrators at the service level. If the data is highly sensitive, one workaround could involve keeping the most sensitive processing and storage off Power BI Service entirely, using local PBIX files, or integrating data masking or pseudonymization at the source level. Alternatively, you could explore Power BI Report Server (on-premises) for more control, or encrypt sensitive data at the source, so even if accessed, the data remains unintelligible without a key—though this adds complexity to your reporting pipeline.
Hi @saliknaveed
In Power BI, even if you and your manager are the only administrators of a shared workspace, the Power BI Service Administrator (or a Microsoft 365 Global Administrator) retains the technical ability to access all content within the Power BI environment, including datasets and reports—regardless of workspace permissions or roles. This is by design to ensure compliance, auditability, and organizational governance. While Row-Level Security (RLS) can help restrict data access for report consumers, it does not prevent Power BI administrators or tenant-level admins from accessing underlying datasets. There is currently no built-in method to completely hide or encrypt report content from Power BI system administrators at the service level. If the data is highly sensitive, one workaround could involve keeping the most sensitive processing and storage off Power BI Service entirely, using local PBIX files, or integrating data masking or pseudonymization at the source level. Alternatively, you could explore Power BI Report Server (on-premises) for more control, or encrypt sensitive data at the source, so even if accessed, the data remains unintelligible without a key—though this adds complexity to your reporting pipeline.
Hi @saliknaveed No, it is not possible to completely hide Power BI datasets or reports from a Power BI system administrator. However, you can encrypt sensitive data before uploading or use DirectQuery with a secure external data source. Limit data exposure by including only aggregated information and restrict workspace access strictly.
Hi @saliknaveed
Thank you @ibarrau for your detailed explanation of how Power BI and Microsoft Fabric security is designed.
Just to confirm. Even if the workspace is only shared between me and my manager, a Power BI (Fabric) Administrator still has the ability to view or grant themselves access to the workspace and its contents, correct?
I understand this is by design and based on trust and NDA policies. I just want know before proceeding, since the data is quite sensitive.
Regards,
Akhil.
Hi. No, you cannot fully prevent a Fabric Administrator (Power Bi system administrator) from accessing report content across workspaces. You can create the workspace and add only you two. The admin might no be aware of it because it won't trigger an alert. However, if the Administrator go to it's special settings, they can see all workspaces created at the whole organizations and give themselves admin permission at workspace.
It's supposed that a Fabric Admin will have the role because they can see sensitive data or they should sign an NDA.
I hope that helps,
Happy to help!