Microsoft Power BI is a suite of business analytics tools you can trust to help you analyze data, publish reports, and share insights. Information is power, and with Power BI, you can turn information into rich visuals and communicate your message more clearly and quickly. Users get answers whenever and wherever they need them, with their most important metrics all in one place. You spend less time and create more effective reports and presentations. Power BI includes the service itself, dashboards, mobile apps, the Power BI Desktop report authoring tool, and Power BI gateways.

    The Power BI service is built on Microsoft Azure, which means security is built right in from the start. Power BI uses separate front-end and back-end clusters, the Gateway role, and a secure data storage architecture to protect your information. The authentication process keeps unauthorized users out, and encryption of data at rest and in transit preserves confidentiality. Power BI can unify all your organization’s data, in the cloud or on premises. The Power BI service is governed by the Microsoft Online Services Terms and the Microsoft Online Services Privacy Statement.

    Secure identity

    Power BI is built on Azure and uses the Azure Active Directory (AAD) identity and access management mechanisms to help ensure that only authorized users can access the environment, data, and reports.

    Power BI uses AAD as an identity repository for authentication and authorization. Users sign in to the Power BI service via a secure (HTTPS) web site, and all communications between the user’s web browser and the Power BI service are encrypted. The Azure Traffic Manager receives the request, checks the user’s DNS record, determines the location of the nearest Power BI deployment, and responds with the IP address of that web front end (WFE) cluster.

    The user is redirected to the Microsoft Online Services login page, is authenticated, and is redirected to the nearest WFE cluster, which inspects the cookie obtained on login, checks with AAD to authenticate the Power BI service subscription, and returns an AAD security token. The WFE cluster returns the token, session information, and the web address of the appropriate back end cluster. The user’s browser downloads the files necessary to interact with the Power BI service. Subsequent interactions go through the back end cluster and include the user’s AAD token.

    To learn more about how the Azure Traffic Manager performs traffic routing, read the Microsoft Azure documentation on Traffic Manager traffic-routing methods.

    To learn more about the Azure Content Delivery Network (CDN), from which necessary files are downloaded, watch the Microsoft Azure documentation CDN videos.

    Secure infrastructure

    Because Power BI is built on Azure, it leverages Azure infrastructure security, which relies on best security practices and technologies to protect data as it travels within the Microsoft datacenter and across the Internet.

    Architecture

    You can better understand how Power BI helps protect your data by understanding the basic Power BI architecture. Power BI is deployed in datacenters around the world, and each deployment consists of two clusters:

    • Web front end (WFE) cluster. All users connect to the WFE before accessing any information in Power BI. Servers in the WFE cluster authenticate users, using AAD to store user identities and authorize access to data. The Azure Traffic Manager finds the nearest Power BI deployment, and that WFE cluster manages login and authentication.
    • Back end cluster. All subsequent activity and access to data is handled through the back end cluster. It manages dashboards, visualizations, datasets, reports, data storage, data connections, and data refresh activities. The back end cluster hosts many roles, including Azure API Management, Gateway, Presentation, Data, Background Job Processing, and Data Movement roles.

    Users directly interact only with the Gateway role and Azure API Management, which are accessible through the Internet. These roles perform authentication, authorization, DDoS protection, bandwidth throttling, load balancing, routing, and other security, performance, and availability functions. There is a distinct boundary between the roles that users can access and the roles that are accessible only by the system.

    Threat management

    Azure’s multipronged threat management approach protects Power BI using intrusion detection, distributed denial-of-service (DDoS) attack prevention, penetration testing, data analytics, and machine learning to constantly strengthen its defense and reduce risks.

    Physical security

    Power BI is deployed in Microsoft regional datacenters, which are protected by layers of defense-in-depth security that include perimeter fencing, video cameras, security personnel, secure entrances, and real-time communications networks, continuing through every area of the facility to each physical server unit.

    To learn more about Microsoft’s global datacenters, take a virtual datacenter tour.

    Secure apps and data

    Data transferred through the Power BI Enterprise Gateway and the Personal Gateway is encrypted. Data that is uploaded from users is typically sent to Azure Blob storage, and all metadata as well as artifacts for the system itself are stored in an Azure SQL database.

    The Power BI service handles data at rest (not currently being acted upon) and data in process (being actively accessed or updated by users or the service). Data is divided into two categories:

    • Data accessed by direct query
    • Data not accessed by direct query

    Direct queries are directly translated to the native language of an underlying data source. Non-direct queries do not include credentials for the underlying data. The distinction between a direct query and other queries determines how the Power BI service handles the data at rest, and whether the query itself is encrypted.

    Power BI uses Azure Storage for Blob storage and Azure SQL Database for metadata generated and used by the system itself. The user never connects directly to these storage repositories—all user connections are made to the Gateway role, which then forwards requests for data to other roles, such as the Presentation role, which is used to render the dashboard.

    Only authorized users can access data, with authorization decisions based on the user’s identity. However, when users access data, it becomes their responsibility to secure any data they share (particularly in the case of static reports).

    • Static reports. When a static report is created, the data is fixed in the report, similar to a PDF. (There is no “callback” to the Power BI system to view the data visualized in the report.)
    • Dynamic reports. With a dynamic report, the data isn’t actually residing in the report; instead, the report is generated by pulling data from SQL Server Analysis Services, using the Power BI Analysis Service Connector to connect to SQL Server.

    With static reports, authorized users can share reports with unauthorized users. With dynamic reports, users will see reports only if they can authenticate and are authorized.

    All data requested and transmitted by Power BI is encrypted in transit, using HTTPS to connect from the data source to the Power BI service.