Category Archives: Collaboration

Power BI Data Security – Sharing in Email

 

Microsoft has expanded sharing by allowing users to share Power BI content via email. In a previous post, I discussed how sharing content within your organization should be handled carefully. However, the new process opens up the opportunity to share outside your organization by sending an email. In particular, you can now share with users who have a personal email address such as @outlook.com and @gmail.com. Let’s dig into the implications of this capability.

Sharing Using Email

First, you need to be aware that this functionality is as simple as the original methods of sharing. You click the Share button on your report or dashboard to open the Share dialog.

The Share report dialog in this case accepts email addresses, which is not a significant change. However, as shown below, you can add personal emails and emails outside your organization. You will be warned, but users do not always pay attention to this or understand the implications.

Share report - outside

You will also notice that consumers still need to have a Power BI Pro account assigned to them, or you need to be using Power BI Premium, for this to work.

Following the Email Process

When you share, you usually will need to send an email to the recipient. Here is the email content.

Report Share Email

Time to click the report link. This opens a series of dialogs which determine how much access you have. It is important to note that this is all made possible with Azure B2B. More about that in a moment. Let’s trace the story through. The link opens the following page.

Report Share Email - Welcome Link

As you can see, the next step is to log in. I am using an outlook.com account so it prompts me to authenticate. Once I have authenticated, I get the following notice.

Report Share Email - Opened Report

My account does not have Power BI Pro, but now I can try it for free for 60 days and get access to the data while I am on the trial. I clicked both options, because I can. The Upgrade account option would require me to pay for Pro. However, Try Pro for free works and I was able to access the report fully. I have successfully shared my corporate content with a personal user.

Preventing Sharing Outside Your Organization

While in some cases, you need to share outside your organization, we will assume here you need to disable this functionality. There are a few places you can make this happen.

Power BI Admin Portal

First, in Power BI go to the Admin portal and disable sharing outside your organization. If you have followed my previous advice, this will already be disabled.

 

PBI Admin Portal - Disable Sharing

As you can see, this will disable content for users who have been shared with previously. If you need to share, you can specify groups that have that permission.

Office 365 Admin Center

Next, this can be turned off in the Office 365 Admin Center in the Security and privacy area.

PBI O365 Admin Center - Disable Sharing

This prevents the ability to add guest users to the organization. This will disable this capability across Office 365. There is no option to allow some users this access. Once this is disabled, sharing outside the organization which requires a guest user will not be possible.

Azure Active Directory

Finally, you can shut this down from Azure Active Directory. Guest users are ultimately managed through Azure Active Directory and this is the best place to turn this off corporately if you do not need this functionality.

PBI AAD - Disable Sharing

In AAD you have four options.

  1. Guest users permissions are limited. This limits guest user capabilities with regard to the directory. Yes is the default and recommended.
  2. Admins and users in the guest inviter role can invite. This would be a typical option we can understand. However, it is important to note that Admin users in Power BI workspaces will have the ability to create guest users and share reports externally with this permission on.
  3. Members can invite. Just like it sounds. Any member of a group can invite guest users in.
  4. Guests can invite. This allows guests to invite other guests. Seems dangerous to me.

As you can see from my tenant, the options are all on, which is the default. Be sure to understand what capability you want to use and set it appropriately within your tenant.

Tracking Sharing

In the Office 365 audit log, you can see who has shared and what has been shared. This log covers internal and external shares and should be monitored for auditing and compliance purposes.
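To make that monitoring concrete, here is an added example (not part of the original post and not Microsoft's code) that scans an exported audit log for shares that left the organization. The records are constructed, and the field names, operation names and the `contoso.com` tenant domain are assumptions to be mapped to your own export.

```python
import json

# Constructed sample: audit records exported as JSON lines. The field names
# (Operation, UserId, ItemName, SharingInformation, RecipientEmail) are
# assumptions; map them to the schema of your own export.
SAMPLE_LOG = """\
{"Operation": "ShareReport", "UserId": "alice@contoso.com", "ItemName": "Sales", "SharingInformation": [{"RecipientEmail": "bob@contoso.com"}]}
{"Operation": "ShareReport", "UserId": "alice@contoso.com", "ItemName": "Sales", "SharingInformation": [{"RecipientEmail": "pat@outlook.com"}, {"RecipientEmail": "vendor@fabrikam.com"}]}
{"Operation": "ViewReport", "UserId": "pat@outlook.com", "ItemName": "Sales"}
{"Operation": "ShareDashboard", "UserId": "carol@contoso.com", "ItemName": "Finance", "SharingInformation": [{"RecipientEmail": "Dana@GMAIL.com"}]}
truncated-line-that-is-not-json
"""

INTERNAL_DOMAINS = {"contoso.com"}            # assumed: your tenant's domains
PERSONAL_DOMAINS = {"outlook.com", "gmail.com"}
SHARE_OPERATIONS = {"ShareReport", "ShareDashboard"}


def classify(email, internal=INTERNAL_DOMAINS):
    """Return 'internal', 'personal', 'external' or 'unparsed' for a recipient."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        return "unparsed"
    if domain in internal or any(domain.endswith("." + d) for d in internal):
        return "internal"
    return "personal" if domain in PERSONAL_DOMAINS else "external"


def external_shares(log_text, internal=INTERNAL_DOMAINS):
    """Return one finding per non-internal recipient of a share operation."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                      # skip blank or damaged lines
        if not isinstance(rec, dict) or rec.get("Operation") not in SHARE_OPERATIONS:
            continue
        for info in rec.get("SharingInformation") or []:
            kind = classify(info.get("RecipientEmail", ""), internal)
            if kind != "internal":
                findings.append((rec.get("UserId"), rec.get("ItemName"),
                                 info.get("RecipientEmail"), kind))
    return findings


if __name__ == "__main__":
    for sharer, item, recipient, kind in external_shares(SAMPLE_LOG):
        print(f"{kind:9} {sharer} shared '{item}' with {recipient}")
```

Recipients that cannot be parsed are reported rather than dropped, so a malformed address never hides a share from review.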

Azure B2B

Azure B2B and the sharing capabilities in Power BI go hand in hand. This allows organizations to share content in a controlled fashion to consumers outside their organization. While this is required for certain scenarios, be mindful of who has the capability to share, and track sharing to make sure the data is being handled as you require.

Final Thoughts and References

You need to remember that sharing is at the heart of Power BI and you need to manage how and who can share. If you need to do more extensive sharing, by all means, use these features. For those who need to lock it down tighter, you can follow the steps above to prevent sharing until you have a process and pattern. Power BI continues to improve and grow, and as that happens we can expect more security options to support the new functionality. Enjoy Power BI; it is a great tool and will only continue to get better.

References

Using Azure AD B2B with Power BI

Auditing Power BI

Share your Power BI content with anyone by email

 

 

Power BI and Data Security – Free Users Cannot Share, Read Only in Premium

As part of the Power BI Premium release, Microsoft changed how the “free users” in Power BI work within the platform. There are two key changes that affect the data security within your organization.

Power BI Free Users Cannot Share

One of the key areas of concern around the free user accounts was the fact that a corporate user can deploy content to the Power BI service (online). This would allow users to unintentionally (or intentionally) share data with others who would normally not have access to that data. When Microsoft released Power BI Premium, this capability was removed. While Power BI Free Users have access to all of the core capabilities of the product, they are not permitted to share or participate in the collaboration in workspaces. Essentially they only have access to My Workspace.

Power BI Free User Workspace 1

If they try to create an App Workspace, they get prompted to upgrade.

Power BI Free User Workspace 2 - Dialog

Free Users Are Read Only in Power BI Premium

When a customer chooses to use Power BI Premium, they can take advantage of “unlimited”, free, read only users. I called out the fact that Power BI did not support free users in a previous post about sharing content. Now with Power BI Apps and Premium, free users are turned into Read Only users. This is a huge win for the Power BI user community. This currently only works with Premium, so if security and managing content creation are key to success within your organization, you should be reviewing Power BI Premium.

I will have a follow up post on how Power BI Apps and App Workspaces impact data security in Power BI soon. If you want to have a look at creating and using Apps and App Workspaces check out this post on the Power BI site.

 

Creating a SharePoint Server Farm on Azure from the Gallery

As many of you know, creating a SharePoint farm for testing can be a daunting task. I volunteered to help troubleshoot an issue that was working with SharePoint Excel Services and it couldn’t be done in Office 365. So, my first attempt was to grab the SharePoint Server 2013 Trial from Azure’s VM Gallery.

However, once I created the VM, it turns out that SharePoint is not installed, which is what I really wanted. To complicate matters further, the download stopped because IE was blocking file downloads. You can change that setting in Internet Explorer options on the Security tab. Select the Internet Zone and click on the Custom Level button. Scroll down to the Downloads section and enable File download. Restart IE and you can get the file downloaded. Of course, we have to ask, why isn’t it already enabled on the VM since that would be the obvious goal.

As I was troubleshooting that issue, I happened to check out the Azure gallery on the Azure site and found a SharePoint Server Farm gallery image that I could use.

I clicked on the Farm icon to see what it was. It does the multi-server farm install in Azure.

You start the process by clicking the green Create Virtual Machine button in the middle of the screen. And then you are off to the configuration parts. The next few screen shots will show you the basic configuration points used during the install. Click the button… and your journey will begin.

This will open up the preview portal from Azure with a blade for configuring your farm.

Add a group name and work your way through the configuration steps on the blade. It will create 3 VMs by default unless you select the Enable high availability checkbox under the password textboxes.

Each configuration step will open another blade in the portal allowing you to configure the various servers to be added to the farm.

Once you have configured the settings you are ready to create your farm. Click the Create button and the “magic” starts to happen.

You will see the following tile added to your Startboard.

It took a little more than an hour to set up the three servers required – domain controller, SQL Server and SharePoint server.

If you click on the new tile, you will get an overview of what was created including resources and estimated spend. The next step is to log into the instance and check out what is set up. If you click the Deployment history button and then the Microsoft.SharePoint.Farm tile, you can see the SharePoint Central Admin URL and the SharePoint Site URL. Each of these blades provides additional information about your environment.

Log in to Central Admin or the SharePoint site. And you now have a functioning SharePoint Farm in Azure. If you are using this as a testing platform be sure to manage your VMs (e.g. shut them down) to reduce costs.

Lync 2013 Video Issues on Windows 8

Part of the reason I have a blog is to document issues and resolutions I do not want to forget. Yesterday morning I was on two calls using Lync and the video was blank or white. I had great audio and messaging worked fine. So the only part that was not functioning was the video. I have been using Lync for years, and usually the problem was related to connectivity.

I started by leaving and rejoining both calls multiple times. That was primarily just annoying with no change in the video issue. Time to search. So, giving credit to whom credit is due, I found the following blog post by Shay Atik – Lync 2013 Desktop Sharing Shows White Screen. Turns out you need to remove a registry entry related to IE and ActiveX. I am copying the steps that Shay gives here and letting you know it works.

From Shay’s blog:

1. Open the Registry Editor (Start + R -> regedit -> OK).

2. Backup the registry (just in case): File -> Export.

3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility and delete the {00000000-0000-0000-0000-000000000000} expandable folder.

4. Mission completed. Run Lync desktop sharing, and you’re good to go.

Hopefully this helps someone else, and thanks Shay for posting this.