Using sensitivity labels – Using Data Model Advanced Features

Using sensitivity labels

As part of the holistic data protection capabilities, Power BI includes integration with Microsoft Information Protection (MIP). MIP provides sensitivity labels as a way of making it easy for users to classify critical content and data while not making this a burden for the user or restricting collaboration.

Sensitivity labels allow users to classify datasets, reports, dashboards, and dataflows as having a specific sensitivity so that data can be protected. For example, some data used in Power BI reports might be publicly accessible data, and this feature allows those datasets to be labeled as such. In the same way, internal sales data might need to be protected and labeled as confidential; when this happens, the data is protected by the service from being accessed by those who do not have permission to access data labeled confidential. It can also enforce encryption, restrict forwarding, and, in some cases, printing as well.

In Power BI, sensitivity labels are persistent wherever the data is used. There is a concept known as downstream inheritance that will enforce downstream data products to adhere to the defined sensitivity label. For example, if the sales data is labeled as confidential, then a downstream aggregation of that data in a new table or query will also be labeled as confidential if this feature is enabled. This helps ensure that data is protected throughout its life cycle. Downstream inheritance works when data is exported as a PDF from the Power BI service or Excel from the Power BI service or Power BI Desktop. It does not support exporting to CSV files.

The requirements for sensitivity labels in Power BI are as follows:

  • Azure Information Protection (AIP) Premium P1 or Premium P2.
  • AIP, which uses the MIP unified labeling platform.
  • The user applying labels must have a Power BI Pro or Premium per-user license.
  • Defined and published sensitivity labels for your organization in Microsoft 365.
  • An up-to-date version of Power BI Desktop.

For sensitivity labels to be used in Power BI, MIP sensitivity labels need to be enabled on the tenant. Administrators can enable sensitivity labels in the Power BI admin portal.

Within the Power BI admin portal, the sensitivity labels setting can be found under Tenant settings and then Information Protection. This capability can be enabled for an entire organization or specific security groups within the organization.

Sensitivity labels are an expanding capability for Power BI where additional features, such as default labeling, mandatory labeling, and downstream inheritance capabilities, are being added. Through expanded integration, such as Cloud App Security, sensitivity labels are also used to prevent data exfiltration by blocking the exporting of data from reports.

In the next section, we’ll look at how we can further enhance the security of data in a data model by using row-level security.

Author: Noah Walker

Leave a Reply

Your email address will not be published. Required fields are marked *