Protecting Against Oversharing Power BI Reports with Microsoft Sentinel

Microsoft Power BI is an essential tool for monitoring performance, identifying trends, and developing stunning data visualizations that many teams across Microsoft use every day. A well-built Power BI report can play a critical role in helping communicate business information efficiently and effectively. But with great Power BI reports comes great responsibility, which includes keeping data and reports secure, and ensuring that only the right people have access to it.

Across Microsoft, we use Microsoft Purview Data Loss Prevention (DLP), which is now in general availability, to help secure our data. Purview DLP policies allow administrators to comply with governmental and industry regulations such as the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), and automatically detect sensitive information to prevent data leaks. These policies can now also uncover data that might have accidentally been uploaded to Power BI without your knowledge.

While Purview’s controls ensure sensitive data is handled appropriately, we learned from customer research that sensitive data can be accidentally overshared with unauthorized individuals when large audience groups are inadvertently granted access to the report. This often happens when report owners grant access to Power BI reports without first checking who is authorized to view them—both inside and outside data boundaries.

We wanted to find a solution that would prevent this kind of unintentional oversharing and make it easy for Power BI administrations to set up, use, and configure.

— Prathiba Enjeti, senior program manager, Microsoft Digital Security and Resilience team

To address this problem, Microsoft Digital Security and Resilience collaborated with the Microsoft Sentinel product group to develop an out-of-the-box Microsoft Sentinel solution for Power BI reports to detect and respond to oversharing. Using the Power BI connector for Microsoft Sentinel, which is now available in preview, you can track user activity in your Power BI environment with Microsoft Sentinel using Power BI audit logs. This solution helps administrators to identify potential data leaks with automatically generated reports.

How it works

With Microsoft Sentinel playbook automation for Power BI detection, the SOC can achieve higher productivity and efficiency, saving analysts’ time and energy for investigative tasks.

— Prathiba Enjeti, senior program manager, Microsoft Digital Security and Resilience team

Enjeti faces the camera standing outside in a natural area. — Prathiba Enjeti is a senior security program manager on the Microsoft Security Standards and Configuration team.

Our oversharing detection logic uses Power BI audit logs, which are cross-referenced against Microsoft Sentinel-generated watchlists that track high-risk security groups. When a report is shared with a group that exceeds a specified number of users, the detection is triggered. Thresholds can be adjusted by administrators to suit any organization’s needs and policies.

Additionally, we used the Microsoft Sentinel playbook to automate the remediation process. We configured it to automatically send email notifications containing remediation instructions to report owners. From our discussions with customers, we learned that some organizations preferred that accountability remain with the Power BI report owners for various periods of time to remediate, before escalating to the tenant administrators. To meet customer needs for flexibility, administrators can configure time spans ranging from instantaneous escalation, to hours, days, and weeks.

“With Microsoft Sentinel playbook automation for Power BI detection, the SOC can achieve higher productivity and efficiency, saving analysts’ time and energy for investigative tasks,” Enjeti says.

Automating how cases of data oversharing are found and fixed will allow IT administrators to detect, notify, and limit access to Power BI reports in real time. We’re excited to bring this Microsoft Sentinel solution to our customers, which will be available for public release soon.

Here are some suggestions for tackling oversharing at your company:

Oversharing of data is a problem that many organizations face. They might not be aware of the magnitude of the problem. If you don’t already, consider auditing distribution and security groups used by employees to share information.
Understand where potential data loss issues might be occurring. Be sure to enable data loss prevention policies wherever possible.
Consider implementing detections and automated workflows solutions such as the Microsoft Sentinel solution for Power BI reports oversharing to reduce manual effort and reduce time to identify and remediate oversharing.