What You Need to Know to Administer Power BI

Melissa Coates
Coates Data Strategies
March 23, 2021

Download slides: CoatesDS.com/Presentations

Melissa Coates

Data architect | Technical trainer | Consultant
Specialist in Power BI governance & administration
Data Platform MVP

Owner of Coates Data Strategies
@SQLChick | @CoatesDS

Creator of Power BI Deployment & Governance Workshop

Power BI & Architecture Security & Adoption & Governance Center of Excellence Decisions Data Protection Administration

Goals for This Session

• How and why the Power BI administrator role varies based upon the BI approach being used
• Introduce the breadth & scope of responsibilities
• Suggestions for next steps

This session focuses on the commercial cloud service only. The national clouds (ex: Govt, China, Germany) are not specifically covered.

Out of scope: Power BI Report Server and Power BI Embedded.

What You Need to Know to Administer Power BI

Agenda

• Admin Responsibilities
• Who Should Be An Admin
• Power BI Service
• Premium & PPU
• Data Gateways
• Security
• Auditing & Activity Monitoring
• Suggestions for Next Steps, Q&A

Where to Download Materials

Slides: CoatesDataStrategies.com/Presentations

Diagram: CoatesDataStrategies.com/Diagrams

Typical Power BI Administrator Responsibilities

Power BI is a Broad and Deep Ecosystem

Business Intelligence Approaches

Top-Down: Enterprise BI (Centralized)
Blended: Managed Self-Service BI
Bottom-Up: Business-Led Self-Service BI (Decentralized)

Data ownership: Central IT/BI/COE | Business authors
Report ownership: Central IT/BI/COE | Business authors

In What Ways Does an Admin Support Users?

Top-Down: Enterprise BI (Centralized)
Blended: Managed Self-Service BI
Bottom-Up: Business-Led Self-Service BI (Decentralized)

Internal Factors: Data Management Maturity Level; Data Culture
External Factors: Compliance & Regulatory Requirements; Industry & Competitive Influences

Where Does Administration Start & End?

A lot of overlap with other things

[Diagram of overlapping areas. Labels as extracted: Data Governance, Change, Data Management, Architecture, Data Administration, Deployment Management, Security, Performance Tuning, Data Privacy]

Common Power BI Admin Responsibilities

• Power BI Service
• Workspace creation
• Tenant settings
• Security & access
• Gateways & data sources
• Auditing & monitoring
• Premium capacity
• Deployments
• Desktop software
• Licensing & user mgmt
• Power BI Report Server
• Integration w/ other apps

Power BI Admins Affect the User Experience

• Why can’t I start a Pro trial?
• Why can’t I create a workspace?
• Why can’t I export data?
• Why can’t I certify a dataset?
• Why can’t I use this custom visual?
• Why can’t I share to Teams?
• Why can’t I install a gateway?

Other Administrators & Teams Involved

• Global Office 365 admin
• Azure AD administrator
• SharePoint administrator
• Database administrators
• OneDrive administrator
• Licensing & billing admin
• Teams administrator
• Intune administrator
• Desktop support
• Security & compliance
• Infrastructure team
• Legal & risk management
• Networking
• Internal audit

Who Is Allowed To Be A Power BI Administrator

Who is Permitted to be a Power BI Admin?

Competent people able to get things done independently
vs.
Risk of too many people with elevated permissions

Consider the Power BI administrator role to be a high privilege role.

Power BI Administrator Role in

[Diagram: Global Administrator Role; Power BI Administrator Role; Manage Power BI Service]

Option 1: Assign Individuals to the Role

[Diagram: Global Administrators hold the Global Administrator Role; PBI Admin 1, PBI Admin 2 and PBI Admin 3 each receive a role assignment to the Power BI Administrator Role; both roles can Manage Power BI Service]

What If You Also Use a Group?

Power BI Administrators Group

• Tenant Settings: Groups used to allow/disallow features
• Workspace Access: Auditing, health, adoption & security reports
• Alerting: Notifications such as PowerShell jobs or Cloud App Security

Results in a situation where we have to maintain the Power BI Admin group *and* the built-in role, which is not desirable

Option 2: Assign Individuals to Group that’s Assigned to Role

[Diagram: Global Administrator Role; Power BI Administrator Role; Manage Power BI Service. The role is assigned to the Power BI Administrators Group, which has a Group Owner; PBI Admin 1, PBI Admin 2 and PBI Admin 3 are members of the group]

Administrator-Related Groups Useful to Have
(Excluding groups needed to manage most of the tenant settings)

Security group (Azure AD):
• Power BI Administrators: Power BI administrator role; workspace access: admin, auditing, adoption, security reporting

Mail-enabled security group (Exchange):
• Power BI Admin Alerting: Tenant setting: incidents and alerts; notifications from PowerShell or Cloud App Security

Mail-enabled security group OR M365 unified group:
• Power BI Gateway Admin: Gateway cluster administrators
• Power BI Capacity Admin: Premium capacity administrators
• Power BI Support: User contact group for support

How to Reduce the # of Administrators

Azure AD Privileged Identity Management (PIM)
Provides “just-in-time” access for Azure roles such as Global Administrator, Power BI Administrator, etc.

1. Admin sets up PIM roles & eligible members
2. Eligible member requests to activate a specific role
3. Approve the user request (optional)
4. Eligible member becomes a full member of the role & performs necessary activity
5. Member is automatically removed from role at expiration time

→See this blog post + video about managing the admin role & PIM

Managing the Power BI Service

Tenant Settings

The tenant settings are among the most important things to get right.

1. Document decisions made (who, when, why)
2. Document the settings for decentralized users to view + which groups are used for functionality + how to get approved for a group
3. Track the ‘UpdatedAdminFeatureSwitch’ operation in the activity log
4. Set up alerts for when any changes occur

Tenant Settings: Email Alerts When a Setting Is Changed

→See this blog post + video about getting alerted when a tenant setting changes

Workspaces

View & update metadata for all non-personal workspaces* in the tenant: Name, description, and security access

*V2 new workspace experience

Embed Codes

1. Ensure tenant setting permits very few people to use Publish to Web
2. Track use of the ‘GenerateEmbedToken’ operation in the activity log
3. Validate the list of embed codes on a regular basis

Organizational Visuals

Custom visuals give report creators significantly more flexibility

1. Enable tenant setting to use certified visuals only in the Power BI Service.
2. Enable group policy to use certified visuals only in Power BI Desktop.
3. Handle exceptions to that using organizational visuals. Specific allowed visuals may include:
   - Internally developed visuals
   - Non-certified, but trustworthy & approved for use

Azure Connections

Azure Data Lake Storage Gen 2 account: “Bring your own data lake” for dataflows

Featured Content

A tenant-wide view of objects being “promoted” as featured content on Home

Featured content should be used somewhat sparingly & set by relatively few people. Consider reviewing the activity log to ensure content has enough usage to warrant being featured.

Monitoring Power BI System Health

Power BI Support Site: https://powerbi.microsoft.com/en-us/support/
Azure Status: https://status.azure.com/en-us/status
Microsoft 365 Admin Center: https://admin.microsoft.com

Includes:
• Root cause
• Scope & user impact
• Start & end time
• Next steps

User Support - Internal

Decide what your internal support team is willing & capable of handling, such as:
• Data discrepancies
• Technical troubleshooting (ex: refreshes & connectivity)
• Updates & installations

Make sure your internal support team is ready & there are clear expectations (SLAs).

The extent of support for enterprise content vs. self-service content needs to be clear.

User Support - Microsoft

Microsoft Support Option | Service Level Agreement

Power BI Community | Best effort
Web-based forum: answers from community members & Microsoft
https://community.powerbi.com/

Power BI Pro User Support | 1 business day
Basic technical support for content authors & consumers who have a Pro license
https://support.powerbi.com/
https://powerbi.microsoft.com/en-us/support/pro/

Power BI Administrator Support | 1 business day or 1 hour depending on severity
Technical support for Power Platform admins & M365 Global admins
https://admin.powerplatform.microsoft.com/support
https://admin.microsoft.com/AdminPortal/Home#/support/requests

Microsoft Premier Support | Varies depending on customer agreement & severity
Enterprise support & additional training, reviews & workshops for customers with a Premium Support contract
https://admin.microsoft.com/AdminPortal/Home#/support/requests

Authoritative source: https://docs.microsoft.com/en-us/power-bi/admin/service-support-options

Tenant Location

Locate as close as possible to each other:
• Power BI tenant
• Data sources
• Gateways
• Users

A Premium capacity node can reside in a specific geography if needed.

Managing User Machines & Devices

Power BI Software (ideally pushed to users so all authors are on same version):
• Power BI Desktop (monthly updates + bug fixes)
• Power BI Desktop Optimized for Report Server (3x/year updates)
• Power BI Paginated Report Builder
• Power BI Mobile App
• Power BI App for Windows 10

Other Common Items:
• Drivers (ex: Oracle, HANA, MS Access Engine, etc.)
• Analyze in Excel Provider
• External Tools (ex: Tabular Editor, DAX Studio, ALM Toolkit)
• Group Policy settings (ex: use of custom visuals)
• Custom connectors

Managing Power BI Premium & Premium Per User

4 Workspace Types are Based on Licensing

User-based named licensing:
• My Workspace: Power BI Free license
• Pro Workspace: Power BI Pro license

User-based + Premium licensing:
• PPU Workspace (Premium Gen 2): Premium Per User (PPU) license

Capacity-based Premium licensing:
• Premium Workspace (Premium Gen 1 or Premium Gen 2): Power BI Premium (P or EM); Power BI Embedded (A SKUs)

Who Can Access a Workspace?

Workspace type       Free User   Pro User   PPU User
My Workspace             X          X          X
Pro Workspace                       X          X
PPU Workspace                                  X
Premium Workspace        X          X          X

Why Go Premium? Both PPU & Premium Capacity Licensing:

• Additional Enterprise BI Capabilities: Deployment pipelines, paginated reports, XMLA read/write, full featureset for dataflows, change detection for auto page refresh
• Scalability: Auto-scale for 24 hours, large datasets, more frequent refreshes
• Integration with Other Apps: Azure Cognitive Services and Azure Machine Learning

Why Go Premium? Premium Capacity Only:

• Unlimited Content Distribution to Free Users: Capacity-based licensing for a large number of read-only users is more cost-effective
• Regulatory & Privacy: Bring-your-own-key, specific geography for data storage
• Hybrid Cloud: Use of Power BI Report Server as alternative deployment location

Deciding on Premium Capacity Size

Multiple smaller capacities:
• Isolated workloads
• Separate capacity admins

Single larger capacity:
• Larger model size
• Greater parallelism

Monitoring Capacity Health

Power BI Premium Capacity Metrics App:
• Built-in health monitoring reports
• Custom reports from dataset using template app

Email notifications (tenant setting):
• Outages or incidents
• Capacity overload alerts

Data from activity log:
• Usage doesn’t align with workload expectations

Managing Power BI Data Gateways

Three Types of Gateways

[Diagram: Power BI Service connected to a Virtual Network Data Gateway, a Personal Mode Data Gateway, a Standard Mode Data Gateway, and a Standard Mode Data Gateway Cluster]

When is a Gateway Needed?

In the Power BI Service:
• Refreshing imported datasets
• Refreshing dataflows
• Using DirectQuery
• Using Live Connection for Analysis Services

AND Data Source Is Located:
• Data center within corporate network or on-premises
• Cloud-based virtual machine (IaaS: infrastructure as a service)
• Cloud-based database in a VNet (PaaS: platform as a service in a virtual network)

OR Certain Functionality is Used:
• Web.Page() function
• Single M query combines cloud & on-prem data

Three Types of Gateways

                         VNet         Standard Mode      Personal Mode
For use by               Many users   Many users         One user
Managed by               Microsoft    Customer (Admin)   Customer (User)
Premium Workspaces       Yes          N/A                N/A
Supports:
  Data Refresh           Yes          Yes                Yes
  AAD SSO (DQ-PBI dset)  Yes          No                 No
  Standard DQ (+src SSO) Yes          Yes                No
  Live Connection        Yes          Yes                No
  R & Python             No           No                 Yes

Gateway Setup

Install on each gateway server:
• Gateway software
• Custom drivers (Oracle, HANA, etc.)
• Power BI custom connectors

The gateway software is updated each month.

Gateway Server Specs

The GW server handles more than just connectivity. When it can’t be pushed to the source system, work is performed, requiring memory & CPU, such as:
• Transformations
• Filtering
• Data merges & matching

CPU: Important for DirectQuery & Live Connection
Memory: Important for data refresh
Network bandwidth: Always important

Gateway Cluster Environments

Production gateway cluster. Should have at least 2 machines for:
• High availability. Goal: eliminate single point of failure
• Load balancing. Goal: distribute workload across machine resources
• Rotating updates. Goal: ensure uptime

Dev/test gateway cluster:
• Can have fewer servers & fewer resources
• Most useful for testing monthly updates

Standard Mode Data Gateway

[Diagram: a Gateway Cluster has Administrators; each of Data Source 1, Data Source 2 and Data Source 3 has its own Users; the data sources are used by a Dataset]

Virtual Network Data Gateway

[Diagram: a VNet Data Gateway has Administrators; each of Data Source 1, Data Source 2 and Data Source 3 has its own Users; the data sources are used by a Dataset in a Premium Workspace]

Managing Who Can Install Gateways

Only accepts users (not groups) currently
PowerShell: Set-DataGatewayInstaller + Set-DataGatewayTenantPolicy

Monitoring Gateway Health & Activity

Enable the gateway performance monitoring log files on each physical gateway server. Produces 4 log files:

• Query Execution Report
• Query Execution Aggregation Report
• Query Start Report
• System Counter Aggregation Report

Securing Power BI Content

There’s a Lot of Power BI Content Everywhere

Source data in databases, apps & data lakes

Files stored in file servers, OneDrive, SharePoint, laptops:
• Power BI Desktop & Paginated Rpt files
• Excel workbooks
• Source data files
• External tools files

Content published to the Power BI cloud service:
• Datasets
• Dataflows
• Reports
• Dashboards
• Workbooks
• Content embedded in other services

Content exported from the Power BI cloud service:
• PBIX files exported
• Exports to PowerPoint & PDF
• Data exports
• E-mail subscription images & attachments

File Location Permissions

Have clear guidance for the internal user community regarding use of approved file storage locations:
• Source files (ex: PBIX, RDL, XLSX)
• Source data (ex: flat files, XLSX, etc)
• Saved subscription e-mail attachments
• Exports of data
• Exports of reports

Managing Users

All Power BI users need to be identified via:
✓ Power BI Free license
✓ Power BI Pro license
✓ Power BI Premium Per User (PPU) license

Exceptions:
• Content published publicly with Publish to Web
• Power BI Embedded (when application is managing authentication)

Azure AD Conditional Access

Implement security requirements based on various conditions:

Conditions:
• Users and groups
• Sign-in risk
• Device platform
• Location
• Device state

Block access. Block access from:
o Locations which are not trusted
o Devices not domain-joined
o Devices not Intune-compliant

Grant access. Allow access if:
o Multi-factor authentication is completed
o Login is from certain Azure AD groups
o Login is from a specific IP address range
o Login is from a specific device type

Azure AD Identity Governance

Terms of Use: Users consent to specific terms before gaining access

Access Review: Review & attest group memberships and user permissions. Ex: administrator groups or depts at certain intervals

Privileged Identity Management (PIM): Just-in-time access to roles and resources

Permissions Managed by Content Owners

Workspace: Admin | Member | Contributor | Viewer
Dashboards & Reports (Sharing): Read | Reshare
Datasets: Read | Reshare | Build | Owner

[Diagram labels as extracted: Subscriptions, Apps, Dataflows; permissions shown: Read, Read, Copy Reports, Owner, Recipients]

Also managed by content owners:
• Personal gateway credentials
• File locations for original & exported files
• Power BI Desktop
• Row-Level Security
• Data Source Settings

→See this blog post & video for more info managing permissions

Permissions Managed by Gateway Admin

Per gateway:
• Administrators

Per data source:
• Stored credentials
• User permissions
• Use of single sign-on
• Data privacy levels

Data Sensitivity Labels

Tenant setting controls who may apply sensitivity labels in Power BI

Data Sensitivity Labels

Tenant-wide view of sensitivity labels used

Data Sensitivity Labels

Have a data handling policy for each sensitivity label which explains what can, and cannot, happen with the data. For instance:
• Data access permitted (ex: internal only)
• Download allowed to local PC
• Content markings required
• Anonymization required

Data Loss Prevention with Cloud App Security

Limiting Activities in the Power BI Service

Session Control: Limits an experience in a connected cloud application. For example, block download of PBIX from Power BI Service if it’s been assigned the “highly confidential” sensitivity label.

[Diagram: Azure Active Directory Conditional Access App Control; Microsoft Cloud App Security Session Control Policy; Power BI Service as the connected app]

Encryption Keys

Keys to be securely managed:
• Data gateway recovery key
• Data gateway credentials
• Power BI Premium encryption key (if ‘byok’ is used)
• Azure Premium Storage encryption key (if large models)
• Power BI Report Server encryption key

Auditing & Activity Monitoring

Why Usage Monitoring is Critical

• Critical content: What content is most frequently used? Is it adequately supported?
• Change tracking: What changes occur, when, and by whom?
• Internal and external auditing: Are you able to satisfy requests from auditors?

Why Usage Monitoring is Critical

• Monitoring adoption efforts: Can we analyze not only usage stats, but that the system is being used consistently and optimally/as it was intended?
• Data trustworthiness levels: How many certified vs. non-certified datasets? How many datasets support > 1 report?
• License usage: Who is (and is not) using Power BI, at what frequency?

Why Usage Monitoring is Critical

• Understanding usage patterns: How are users *really* using Power BI?
• Finding training opportunities: Is training actively made available to new users, or to encourage specific behaviors?
• Suspicious usage patterns: Are any concerning activities occurring?

Basic Power BI Auditing Solution

[Diagram: the M365 Audit Log provides Power BI Activity Events and the Power BI REST APIs provide the Workspace Inventory; both feed Analytical Datasets & Reports (prepared data for adoption, security & auditing)]

End-To-End Power BI Auditing Solution

Sources: M365 Audit Log | Power BI REST APIs | MSFT Graph REST APIs | Gateway Servers

Data collected:
• Power BI Activity Events
• Workspace Inventory & Security
• Gateways & Data Sources
• Apps, Capacities etc.
• User Info & Service Prin
• Group Memberships
• Power BI Licenses
• Power BI Admins
• Gateway Logs

Collected by: PowerShell Scripts

Stored in:
• Optional: Data Lake, NoSQL, or File System. Original raw data JSON files
• Auditing Database. Historical transactions & point-in-time snapshots
• Power BI Analytical Datasets (RLS) & Reports. Prepared data for adoption, security & auditing. Accessed by users

The raw data and the auditing database are accessed only by auditors & administrators

Getting Power BI Usage Monitoring Data

Option for Retrieving Data | Programmatic | User Interface

Power BI Activity Log | PowerShell Module: Get-PowerBIActivityEvent |
Microsoft 365 Unified Audit Log | M365 Management Activity API | M365 Security & Compliance Center
Admin Usage Metrics | | Power BI Service
Report/Dashboard Usage Metrics | | Power BI Service

There’s an older PowerShell cmdlet (Search-UnifiedAuditLog) - don’t use it

Tips for Successful Usage Monitoring

• Know what your “normal” is: Recognize when something is unusual to take action early
• Accumulate useful history: Comply with auditing requests & do trending analysis
• Securely retain raw data files: Retain raw files in a secure and immutable (no modifications or deletions) location so you can:
  • Re-parse the data if you missed a new attribute
  • Rely on this data for formal auditing
• Correlate data: Improve usefulness by correlating with other related data

Most Common Automation Options
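An added example (not from the original slides) of the practice recommended above: keep each day's raw activity-log export in a write-once archive, re-parse from the retained file, and flag the ‘UpdatedAdminFeatureSwitch’ and ‘GenerateEmbedToken’ operations named earlier. The JSON field names, the archive file layout and the sample events are assumptions constructed for illustration.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Operations the slides say to track in the activity log.
WATCHED = {"UpdatedAdminFeatureSwitch", "GenerateEmbedToken"}

# Constructed sample of one day's raw export (not real data). The field names
# Id, CreationTime, UserId and Operation are assumptions about the JSON shape.
SAMPLE_RAW = json.dumps([
    {"Id": "e1", "CreationTime": "2021-03-22T09:14:05",
     "UserId": "author1@example.com", "Operation": "ViewReport"},
    {"Id": "e2", "CreationTime": "2021-03-22T11:30:00",
     "UserId": "dev1@example.com", "Operation": "GenerateEmbedToken"},
    {"Id": "e3", "CreationTime": "2021-03-22T10:02:41",
     "UserId": "admin2@example.com", "Operation": "UpdatedAdminFeatureSwitch"},
])


def archive_raw(raw: str, archive_dir: Path, day: str) -> str:
    """Store the export byte-for-byte, refuse overwrites, return its SHA-256."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    target = archive_dir / f"activity-{day}.json"
    data = raw.encode("utf-8")
    with open(target, "xb") as fh:  # "x" fails if this day was already archived
        fh.write(data)
    os.chmod(target, stat.S_IRUSR)  # read-only hint; real immutability needs WORM storage
    digest = hashlib.sha256(data).hexdigest()
    # In practice, keep the hash somewhere the archive writer cannot modify.
    target.with_name(target.name + ".sha256").write_text(digest + "\n")
    return digest


def load_verified(archive_dir: Path, day: str) -> list:
    """Re-parse a retained raw file, but only if it still matches its hash."""
    target = archive_dir / f"activity-{day}.json"
    data = target.read_bytes()
    expected = target.with_name(target.name + ".sha256").read_text().strip()
    if hashlib.sha256(data).hexdigest() != expected:
        raise ValueError(f"{target.name} no longer matches its recorded hash")
    return json.loads(data)


def flag_events(events: list, watched=frozenset(WATCHED)) -> list:
    """Return (time, user, operation) for each watched operation, oldest first."""
    hits = [
        (e.get("CreationTime", ""), e.get("UserId", "unknown"), e["Operation"])
        for e in events
        if e.get("Operation") in watched
    ]
    return sorted(hits)


def run_demo() -> tuple:
    """Archive the sample day, re-load it from disk and return (digest, alerts)."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "raw"
        digest = archive_raw(SAMPLE_RAW, archive, "2021-03-22")
        return digest, flag_events(load_verified(archive, "2021-03-22"))


if __name__ == "__main__":
    digest, hits = run_demo()
    print("archived sha256:", digest)
    for when, user, op in hits:
        print(f"ALERT {when} {user} {op}")
```

Because alerts are computed from the retained file rather than from the in-memory export, the same archive can be re-parsed later when a new attribute or a new operation becomes interesting.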

PowerShell:
• Power BI Management Module
• Data Gateway Module
Both modules are maintained by Microsoft. There are other 3rd party and open source options.

Power BI REST APIs

→See this presentation & Jupyter notebook for more info about Activity Log & REST APIs

PowerShell Cmdlets

Power BI Management Module. Common things you can do:
• Get activity log data
• Create workspace
• Get list of workspaces
• Get list of objects
• Get users per workspace
• Get list of capacities

Data Gateway Module. Common things you can do:
• Get list of clusters
• Get list of data sources
• Install gateway cluster
• Update data source credentials
• Update gateway policies

Power BI REST APIs

The APIs cover embedding as well as administration. The REST APIs:
• Have more options than the Power BI Mgmt Module
• Have fewer options than in the Power BI Service (browser UI)
• Can be used in conjunction with the Mgmt Module

What Admins Can Do With the XMLA Endpoint

XMLA = XML for Analysis
An industry standard protocol supported by BI vendors
Interacts with dataset via the Tabular Object Model (TOM)

Use of XMLA requires Premium capacity or PPU

1. Read/Write Activities
Use external tools:
✓ Use capabilities beyond what is built into Power BI natively for creating & managing a dataset
✓ Integrate with source control repository
✓ Integrate with tools such as Azure DevOps for CI/CD processes
✓ Execute a data refresh with tools such as SSMS, Azure Automation & Azure Functions

What Admins Can Do With the XMLA Endpoint

2. Read Activities
Monitoring, debugging, and tracing of datasets & queries:
✓ Dynamic Management Views (DMVs) to view metadata, lineage & resource usage
✓ SQL Profiler to trace queries
Connect to 3rd party reporting & data visualization tools with a Power BI shared dataset (ex: Tableau, Qlik & Microstrategy)

Suggestions for Next Steps

Just Getting Started Overseeing Power BI?

Begin capturing activity log data if you are not already.

Validate that all tenant settings are optimal, and document them.

Validate who has been granted the Power BI administrator role.

Add an additional gateway server if currently a single node.

Got the Taken Care Of? What’s Next?

Create analytical reporting for activity log data.

Augment activity log with security snapshots, Azure AD, etc.

Review workspace + apps use, including naming conventions.

Do an end-to-end security review & improve user education where appropriate.

Getting Pretty Mature? What To Tackle Next

Begin looking for certain circumstances with data so you can be proactive rather than reactive.

Work with governance team on improving trustworthiness & consistency with shared & certified datasets.

Work with governance/security/compliance teams on sensitivity labels, including relevant data handling policies.

Look into improving efficiency & automation capabilities with XMLA endpoint.

Information With High Pace of Change

Follow the release plan closely. Some items will require planning, updated training, or a change in process.

Follow the Power BI blog closely. Crucial information is shared here.

Be cautious with information found online as it gets out of date quickly.

Final Thoughts

Don’t make administrative decisions on the fly. Focus on:
• Transparency
• Consistency
• Communication
• Documenting decisions & policies

Think of your role as helping people get things done.

Evolve to being proactive, rather than reactive, as much as possible using repeatable process and automation.

Always do a technical proof of concept to verify your expectations. Maturity of features takes time.

Wrap-Up, Q&A, Links to More Info

Q&A

Finding More Info from Melissa

Slides: CoatesDS.com/Presentations
Diagrams: CoatesDS.com/Diagrams
YouTube: YouTube.com/CoatesDataStrategies
Blog: CoatesDS.com/Blog-Posts
Power BI Governance Training: CoatesDS.com/Workshop
Twitter: @SQLChick | @CoatesDS

Suggested Resources

Planning a Power BI Enterprise Deployment whitepaper
Published May 2020 by Melissa Coates & Chris Webb
https://aka.ms/PBIEnterpriseDeploymentWP
https://docs.microsoft.com/en-us/power-bi/guidance/whitepapers

Power BI Release Plan (Roadmap)
https://docs.microsoft.com/en-us/power-platform-release-plan

Power BI Admin & Enterprise Documentation
https://docs.microsoft.com/en-us/power-bi/admin/

Suggested Resources

Pro Microsoft Power BI Administration
Published November 2020
By Ásgeir Gunnarsson & Michael Johnson

Additional Resources

Administrator In a Day Training

Replay available on-demand in Teams

Part 1: aka.ms/AdmPBI1

Part 2: aka.ms/AdmPBI2