Data loss prevention policies for Power BI overview

To help organizations detect and protect their sensitive data, Power BI supports Microsoft Purview Data Loss Prevention (DLP) polices. When a DLP policy for Power BI detects a sensitive dataset, a policy tip can be attached to the dataset in the Power BI service that explains the nature of the sensitive content, and an alert can be registered on the data loss prevention Alerts page in the Microsoft Purview compliance portal for monitoring and management by administrators. In addition, email alerts can be sent to administrators and specified users.

This article describes how DLP in Power BI works, lists considerations and limitations as well as licensing and permissions requirements, and explains how DLP CPU usage is metered. For further information, see:

Before you get started with DLP for Power BI, you should confirm your Microsoft 365 subscription. The admin account that sets up the DLP rules must be assigned one of the following licenses:

Data from DLP for Power BI can be viewed in Activity explorer. There are four roles that grant permission to activity explorer; the account you use for accessing the data must be a member of any one of them.

DLP policy evaluation uses CPU from the premium capacity associated with the workspace where the dataset being evaluated is located. CPU consumption of the evaluation is calculated as 30% of the CPU consumed by the action that triggered the evaluation. For example, if a refresh action costs 30 milliseconds of CPU, the DLP scan will cost another 9 milliseconds. This fixed 30% additional CPU consumption for DLP evaluation helps you predict the impact of DLP policies on your overall Capacity CPU utilization, and perform capacity planning when rolling out DLP policies in your organization.

Use the Power BI Premium Capacity Metrics App to monitor the CPU usage of your DLP policies. For more information, see Use the Premium metrics app.

Note

Users with PPU licenses do not incur the DLP policy evaluation costs described above, as these costs are covered for them up front by their PPU license.

You define a DLP policy in the data loss prevention section of the compliance portal. In the policy, you specify the sensitivity labels and/or sensitive info types you want to detect. You also specify the actions that will happen when the policy detects a dataset that contains sensitive data of the kind you specified. DLP policies for Power BI support two actions:

When a dataset is evaluated by DLP policies, if it matches the conditions specified in a DLP policy, the actions specified in the policy occur. A dataset is evaluated against DLP policies whenever one of the following events occurs:

Note

DLP evaluation of the dataset does not occur if either of the following is true:

When a DLP policy detects an issue with a dataset:

If "user notification" is enabled in the policy, the dataset will be marked in the Power BI service with a shield that indicates that a DLP policy has detected an issue with the dataset.

Open the dataset details page to see a policy tip that explains the policy violation and how the detected type of sensitive information should be handled.

Note

If you hide the policy tip, it doesn鈥檛 get deleted. It will appear the next time you visit the page.

If alerts are enabled in the policy, an alert will be recorded on the data loss prevention Alerts page in the compliance portal, and (if configured) an email will be sent to administrators and/or specified users. The following image shows the Alerts page in the data loss prevention section of the compliance portal. To get to the Alerts page, in the compliance portal, expand the Data loss prevention solution and choose Alerts.

Log into the Microsoft Purview compliance portal, expand the Data loss prevention solution, and choose Alerts.

Select an alert to start drilling down to its details and to see management options.