JessieF
Advocate II

Question about Query activity and security issue with Datasets with Execute Query REST API

Hello community!

 

We have a non-standard use of Self-service environment in our Power BI tenant and are trying to migrate to an enterprise content publishing with some managed self-service report creation, but it's a challenge!  Along with that, new data classification and protection policies are having us err on the side of caution until we can work out all the bumps in the process.  Recently in a tenant settings review, we chose to disable Dataset Execute Queries REST API. There were a few reasons, one being that there is UPN impersonation as an available option and second, we are unclear how running this via Power Automate, especially with the opportunity to impersonate would qualify the data authentication via Entra AD Groups on our sources.  
Datasets - Execute Queries - REST API (Power BI Power BI REST APIs) | Microsoft Learn

 

In our current tenant with Premium capacity, many end users have Power BI Pro licenses and are building "their regional department version of the truth" and we are working towards a "company-wide version of the truth".  This full self-service model previously used had little to no oversight on what content was created, how, why, where it was distributed, etc.  In our new environment, we are choosing to limit first, ask questions and then re-qualify accounts or licenses on an as-necessary basis. 

 

Can anyone speak to security concerns with using the Execute Queries REST API, in an environment where we have strict policies about external data sharing - no external sharing from Power BI, keyword control policies for external email, domain whitelisting, etc.  Would a user (accidentally) be able to use this process to circumvent the procedures to share protected internal use only data with external email addresses when running a query against a Power BI dataset?


The secondary part of my question is the activity we would see for the Capacity - I assume I'm going to see "Analyzed by External application" as the query activity for these Power Automate flows the user has for this REST API, is this correct?  I read the notes about volume of records having a limit in this process, but does it work similar to Power Query in that it analyzes the entire tables before applying filtering? Is it likely/possible that incorrect values could be returned with this DAX Execute if the total table has too many rows? Or is the row limit based on the returned results only?  With a limit (!) of 120 query requests per minute, it seems like a large table would have a significant impact on compute resources. 

 

Thanks all!

Jessie. 

4 REPLIES 4
lbendlin
Super User

 Would a user (accidentally) be able to use this process to circumvent the procedures to share protected internal use only data with external email addresses when running a query against a Power BI dataset?

No, but they can - accidentally, of course - download the data (or make a screenshot) and send an email to the external contact.  Nothing you can prevent technically - this needs to be covered by SBC (standard of business conduct) rules.

 

 I assume I'm going to see "Analyzed by External application" as the query activity for these Power Automate flows the user has for this REST API, is this correct?

No, that is separate. MDX queries ("Analyze in Excel") are audited differently than DAX queries, and differently than XMLA queries.

 

The data extraction limits per call are quite murky. A ballpark number is 1 million data points (rows times columns)  for DAX - but that is only a guidance. 

 

Not sure where your 120 requests per minute limit comes from? Not aware of such a thing. Are you on a P1/F64 ?

Thank you @lbendlin for the reply.  The 120 requests per minute is from the Limitations section of this page Datasets - Execute Queries - REST API (Power BI Power BI REST APIs) | Microsoft Learn.  I actually was concerned that so many queries could be run in such a short time, because I was concerned about the capacity CU impact.  Yes, we are on P1. 

There's a limit of 120 query requests per minute per user, regardless of the dataset that's queried.

That's a bit of a fluff - I don't think it is related.

 

You use the Premium Capacity metrics app to gauge how healthy your capacity is. For reference - we have P3 capacities with well over 100K queries per minute doing just fine.

Anonymous
Not applicable

Hi @JessieF 

 

Regarding the security concerns with using the Execute Queries REST API in an environment with strict external data sharing policies, the API itself does not inherently bypass your established security measures. However, if not properly managed, there could be potential for misuse. For instance, if a user with malicious intent has access to both the REST API and the ability to impersonate another user, they might execute queries that they should not have access to. It's crucial to have robust monitoring and auditing in place to ensure that all API usage is legitimate and compliant with your security policies.

In terms of activity for the capacity, you are correct that you would likely see "Analyzed by External application" for the query activity from Power Automate flows using the REST API. The REST API does have limits in place, such as the 120 query requests per minute, to manage the load on the system. The way the API handles large datasets is similar to Power Query in that it will process the entire dataset before applying any filters. This means that if your dataset is very large, it could indeed have a significant impact on compute resources. The row limit is for the returned results, not the dataset size, so large tables can be queried as long as the result set is within the limit.

 

 

 

 

 

Best Regards,

Jayleny
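
An added example, not part of any post in this thread and not Microsoft code: one way to do the monitoring discussed above, flagging Execute Queries calls whose request body sets `impersonatedUserName` to someone other than the caller, and callers that reach the 120-requests-per-minute figure quoted in the thread. The record layout (`caller`, `time`, `body`), the sample UPNs and the DAX query are constructed assumptions; only the `impersonatedUserName` request-body field comes from the API.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

PER_USER_LIMIT = 120  # requests/minute/user, the limit quoted in the thread
WINDOW = timedelta(minutes=1)


def review(records, limit=PER_USER_LIMIT):
    """Return findings for impersonated calls and callers reaching the rate limit."""
    findings = []
    recent = defaultdict(deque)  # caller -> timestamps inside the sliding window
    rate_flagged = set()
    for rec in sorted(records, key=lambda r: r["time"]):
        caller = rec["caller"].lower()
        body = json.loads(rec["body"])
        # impersonatedUserName asks for the query to run as another user
        target = (body.get("impersonatedUserName") or "").lower()
        if target and target != caller:
            findings.append(("impersonation", caller, target))
        # Sliding one-minute window per caller, reported once per caller
        window = recent[caller]
        window.append(rec["time"])
        while rec["time"] - window[0] >= WINDOW:
            window.popleft()
        if len(window) >= limit and caller not in rate_flagged:
            rate_flagged.add(caller)
            findings.append(("rate", caller, len(window)))
    return findings


def sample_records():
    """Constructed records in a hypothetical log format (not a Power BI export)."""
    t0 = datetime(2025, 1, 6, 9, 0, 0)
    query = {"queries": [{"query": "EVALUATE TOPN(10, Sales)"}]}
    records = [
        {"caller": "alice@contoso.example", "time": t0, "body": json.dumps(query)},
        {"caller": "flow-svc@contoso.example", "time": t0 + timedelta(seconds=5),
         "body": json.dumps({**query, "impersonatedUserName": "bob@contoso.example"})},
    ]
    # Constructed burst: 120 calls from one user inside 30 seconds
    records += [
        {"caller": "carol@contoso.example",
         "time": t0 + timedelta(seconds=0.25 * i), "body": json.dumps(query)}
        for i in range(120)
    ]
    return records
```
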

 
