Power BI, PowerApps, and Microsoft Flow
Meet your organization’s compliance, security, and privacy needs with the business application platform. Learn how Power BI, PowerApps, and Microsoft Flow protect your data with a robust set of security technologies and practices.
Discover powerful security technologies
Your data is protected because the business application platform is built on Microsoft Azure, so its services benefit from the Azure platform’s powerful security technologies. Encryption of data, at rest and in transit, also preserves confidentiality. In addition, business application platform services use separate front-end and back-end clusters, the Gateway role, and a secure data storage architecture. This helps protect your information and allows your organization’s data to be unified whether in the cloud or on premises.
Now you can make sure that user access to your data is secure and controlled. The business application platform uses Azure Active Directory (Azure AD) identity and access management mechanisms to help ensure that only authorized users can access the environment, data, and reports.
The business application platform uses Azure AD as an identity repository for authentication and authorization. When users sign in to business application platform services via a secure (HTTPS) website, all communication between the user’s web browser and a business application platform service is encrypted.
The Azure Traffic Manager receives the request, and—based on the user’s location—determines the location of the nearest service deployment, then responds with the IP address of that web front end (WFE) cluster.
To learn more about how the Azure Traffic Manager performs traffic routing, read the Microsoft Azure documentation on Traffic Manager traffic-routing methods.
To find out about the Azure Content Delivery Network (CDN) from which necessary files are downloaded, watch the CDN videos in the Microsoft Azure documentation.
Encryption can help protect your data both at rest and in transit. Data requested and transmitted is encrypted in transit using HTTPS.
Data transferred through the on-premises data gateway is encrypted. Data that users upload is typically sent to Azure Blob storage, and all metadata and artifacts for the system itself are stored in an Azure SQL database and Azure Table storage.
In Power BI, your data is secure because access authorization is based on a user’s identity. The Power BI service handles data at rest (not currently being acted upon) and data in process (being actively accessed or updated by users or the service). Data is divided into two categories:
- Data accessed by direct query
- Data not accessed by direct query
Direct queries are directly translated to the native language of an underlying data source. Non-direct queries do not include credentials for the underlying data. The distinction between a direct query and other queries determines how the Power BI service handles the data at rest and whether the query itself is encrypted.
Power BI uses Azure Storage for Blob storage and Azure SQL Database for metadata that the system generates and uses. The user never connects directly to these storage repositories—all user connections are made to the Gateway role. The Gateway role then forwards requests for data to other roles such as the Presentation role, which is used to render the dashboard.
Only authorized users can access data based on identity. However, when users access data, it becomes their responsibility to secure any data they share. With static reports, authorized users can share reports with unauthorized users. With dynamic reports, users can see reports only if they are authenticated and authorized. Here’s how static and dynamic reports handle data:
- Static reports. When a static report is created, the data is fixed in the report—similar to a PDF. (There is no “callback” to the Power BI system to view the data visualized in the report.)
- Dynamic reports. With a dynamic report, the data doesn’t reside in the report. Instead, the report is generated by pulling data from SQL Server Analysis Services, using the Power BI Analysis Service Connector to connect to SQL Server.
PowerApps and Flow ensure that your data is secure because they connect to external services on behalf of users. As a result, only authorized users can access your data, and authorization decisions are based on the user’s identity. It’s impossible for a flow or app to perform an operation in a service for which the creator does not have permissions.
Even when users grant other users access to a flow or app, access to the data is not shared along with it. Users can share their flows or apps with other authenticated users in their organizations, and each user must provide their own credentials to create their own (non-shared) connection to the data sources.
Authorization tokens are easy to manage. Flow and PowerApps connect through Azure API Management, which stores the authorization tokens that users create for those services. These tokens are automatically refreshed when they expire and live until they are explicitly revoked by the user who created the connection. They do not expire when the user’s password changes. In addition, administrators can manage the flows and apps in an organization as well as which services they have access to, through the Flow or PowerApps Admin centers.
Finally, administrators can configure Data Loss Prevention policies to control the flow of data between different services in their flows and apps. These policies can block data from being sent to non-compliant systems even if the end user would have access to send this information manually.