Solved: Re: Power BI & SharePoint – Securing Sensitive Dat...

imik · ‎02-25-2025

Hi there,

We have sensitive data stored in SharePoint (lists, files) that we need to visualize in Power BI service. However, we want to ensure that this data remains invisible to everyone, including Power BI admins.

As Power BI admins, my colleagues and I can access any workspace, including personal workspaces. RLS doesn't seem to be a solution either, as it only applies to the Viewer role—anyone with a higher role sees everything without restrictions.

I'm looking for a secure way to connect to SharePoint so that only users with direct access to the SharePoint data can see the visuals. However, I haven't found any clear guidance on how to achieve this (according to what I have found, live connection to the SharePoint is not possible).

If anyone has experience with this kind of setup, I'd really appreciate your insights.

Thanks!

v-ssriganesh · ‎03-06-2025

Hi @imik,
Thank you for reaching out to the Microsoft Fabric Community.

Your requirement is unique, and currently, Power BI does not offer a built-in feature that directly prevents Power BI Admins from accessing datasets. However, if this is a critical feature for your organization, I recommend submitting it to the Microsoft fabric ideas: New Idea - Microsoft Fabric Community

If the idea gains enough upvotes, Microsoft may consider implementing it in a future update. Many Power BI and Fabric features have been introduced based on community feedback.

If this helps, kindly Accept it as a solution and give a "Kudos" so other members can find it more easily.

Thank you.

View solution in original post

v-ssriganesh · ‎03-01-2025

Hi @imik,

Could you please confirm if your query have been resolved the solution provided by @freginier & @christinepayton ? If they have, kindly mark the helpful response and accept it as the solution. This will assist other community members in resolving similar issues more efficiently.

Thank you

imik · ‎03-03-2025

Hi @v-ssriganesh,

I apologize for the slightly delayed response; we had several internal discussions regarding the business requirements. Although the two suggested solutions did not fully align with our needs, they were both inspiring, and I truly appreciate them. I'll share my comments on them later in this thread.

Best regards,
imik

v-ssriganesh · ‎03-05-2025

Hi @imik,

May I ask if you have resolved this issue? If so, please mark it as the solution. This will be helpful for other community members who have similar problems to solve it faster.

Thank you.

imik · ‎03-06-2025

Hi @v-ssriganesh,

Unfortunately, we haven't found a suitable solution yet. I have responded to the suggestions provided by the Fabric Forum contributors—they brought interesting insights, but they do not address our specific issue.

Best regards,
imik

v-ssriganesh · ‎03-06-2025

Hi @imik,
Thank you for reaching out to the Microsoft Fabric Community.

Your requirement is unique, and currently, Power BI does not offer a built-in feature that directly prevents Power BI Admins from accessing datasets. However, if this is a critical feature for your organization, I recommend submitting it to the Microsoft fabric ideas: New Idea - Microsoft Fabric Community

If the idea gains enough upvotes, Microsoft may consider implementing it in a future update. Many Power BI and Fabric features have been introduced based on community feedback.

If this helps, kindly Accept it as a solution and give a "Kudos" so other members can find it more easily.

Thank you.

imik · ‎03-06-2025

Hi @v-ssriganesh, I understand and thank you.

We will continue investigating this internally, and if we find a solution or workaround, I will post it here so others can benefit from it.

I will also consider logging this as an idea as per your recommendation.

Best regards,

imik

christinepayton · ‎02-26-2025

Put sensitive semantic models and reports in a designated workspace and restrict the access there. Power BI admins don't have access to all workspaces by default, they have to add themselves to the permissions for a workspace to access it, which is logged in the audit logs as an activity - it provides traceability.

It sounds like perhaps you have more Power BI administrators than you should if all your colleagues have the role, though. Consider making people owners of individual workspaces instead of administrators of the entire service?

What many IT teams do is have separate accounts for their administrator roles, so that they only log into the accounts when they need to do administrator activity, then use normal accounts for day to day work.

imik · ‎03-03-2025

Hi @christinepayton,
Thank you for your insights! As I mentioned in my previous reply, our goal is to make sure that nobody has the option to bypass access restrictions. We have already minimized the number of Power BI service admins, but restricting access to a specific workspace is not a viable solution in our case.
While we could monitor admin activity using ActivityEvents logs, admins occasionally need to access workspaces for maintenance purposes. Ideally, we are looking for a fully independent solution that cannot be bypassed. Simply put, security should not rely on human decisions—it should be enforced technically, making unauthorized access impossible.
My perspective is influenced by my experience with OLAP cubes in Power BI service. In my previous company, we used SQL Server Analysis Services (SSAS) database connector. Even if users had access to a Power BI workspace, they couldn’t see any data without explicit permissions to the OLAP cube. Downloading the report to Power BI Desktop didn’t help either—without the necessary OLAP cube permissions, users couldn’t even open the report. This security mechanism was absolute and couldn’t be bypassed, ensuring full control for the data owners. There was no way to create exceptions, no room for human error, and no possible workaround on the PBIS side.
One theoretical approach we discussed internally is what we call "Active Encryption." The idea is that data would be sent to Power BI in an encrypted form and only decrypted on the user’s end if they have the necessary permissions. Essentially, this would be a combination of RLS and encryption, but it would require implementation outside of Power BI service.
That said, I still believe we are not the only ones facing this challenge, and there must be an elegant, built-in Microsoft solution for it.
Best regards,
imik

freginier · ‎02-25-2025

Hey there!

Since you need Power BI to connect to SharePoint while ensuring that only users with direct SharePoint access can see the data (even restricting Power BI admins), here’s a secure solution:

1. In SharePoint, set strict permissions on your Lists and Files:
Remove access for Power BI Admins if they should not see the data.
Assign specific user/group access only to those who need it.
Ensure that Power BI service accounts do not have blanket access to SharePoint.

2. To ensure Power BI only retrieves data for authorized users, use:

OAuth Authentication → Power BI can connect to SharePoint using the logged-in user’s credentials instead of a shared service account.
Use "Organizational Account" Login in Power BI → When connecting SharePoint Online, ensure that each user logs in with their own credentials.
This ensures only users who can access the data in SharePoint can retrieve it.

3. Since standard RLS doesn’t affect admins, use Dynamic RLS to filter data based on user access.

DAX RLS Rule for SharePoint Users
- Create a User Access Table (from SharePoint List/Active Directory) with:
- UserEmail, AllowedSharePointSite, Permissions
Create a DAX filter in Power BI: User_Access_Filter =
LOOKUPVALUE(
'UserPermissions'[AllowedSharePointSite],
'UserPermissions'[UserEmail], USERPRINCIPALNAME()
) <> BLANK()

Apply this RLS rule to restrict Power BI visuals based on SharePoint permissions.

5. Instead of loading data into a dataset, use Power BI Dataflows:

Configure Dataflow access only for allowed users.
Keep raw data secured in SharePoint, and only expose processed data.

6. To prevent Power BI admins from bypassing RLS, do the following:

Remove "Admin" roles for those who don’t need it.
Use Viewer Role → Ensure users only see reports but cannot download datasets.

Disable "Export Data" to prevent sensitive information leaks.

Hope this helps!

😁😁

imik · ‎03-03-2025

Hi @freginier,

First of all, thank you very much for your response and effort!

I have gone through all the suggestions, and I’d probably start from the end. The Power BI service admin role is limited to the absolute minimum number of people, so there is no unnecessary overlap. The main issue here is that we need to prevent anyone, including Power BI service admins, from accessing the sensitive SharePoint data.

Given this requirement, any RLS-based approach is not applicable in our case. While it’s true that Power BI service admins do not have direct access to the specific SharePoint file, our concern is that once the data is pulled into Power BI, it might still be accessible.

Dataflows seem like a promising direction, but we are unsure whether this approach would prevent the data from being stored and accessible within the Power BI service. As for Dynamic RLS, it is indeed an interesting idea, but wouldn’t it still be bypassed by someone downloading the dataset and opening it in Power BI desktop?

Best regards,
imik