Initial Best Practices for Power BI Tenant Governance

I’ve had a handful of customers ask me recently about best practices when it comes to tenant administration and governance. This is an incredibly important topic for obvious reasons and I thought it would be helpful to make public my recommendations for others to reference.

For this article, I’m just going to focus on the Tenant Settings available inside the Power BI Admin Portal. This is by no means an exhaustive set of Power BI best practices, nor a recommendation for every setting within the Admin Portal. I’d definitely encourage you to check out my other articles as well as my Helpful Links for additional assistance across the product.

For organizations in the process of rolling out Power BI, below is what I would initially recommend configuring within the Admin Portal, as well as my rationale for each:

Tenant Governance - Best Practices

Disable:

  • Share content with external users
    • If you are planning on distributing reports to your own customers, you will eventually want to enable this feature. Initially though, and especially while users are learning the product, disabling it ensures that content remains within your organization and is available only to licensed users with whom specific content has been shared.
  • Publish to web
    • If you are not familiar with Publish to Web, I recommend reading up on it immediately; I cannot stress enough the importance of this. If you are not comfortable with every user in the world viewing your data, do not use Publish to Web. I’ve seen lots of customers leverage this feature to get around needing a Pro license to distribute content. While there are situations where this feature comes in handy (marketing, blogs, etc.), do yourself a favor: disable it now and revisit as needed.
  • Publish content packs and apps to the entire organization
    • Think of this as a step to reduce both maintenance hell for your admins and confusion for your end users. Like the above, revisit as needed, but this is a great check and balance out of the gate to not give Pro users more power than needed.

Before I get into the last three, I’m going to put on my reverend hat and do a little preaching. Forgive me in advance for my sins.

I hear some version of this statement all the time from customers:

We want to better secure our data, but we also want our users to print reports and export data to analyze in other tools or present as PowerPoint/PDFs.

My response to this every time

Every time you take data out of Power BI, you are opening yourself up to a security vulnerability. Every. Time.

Listen, I get it. I really do. Since the beginning of time, we’ve been printing reports to bring to meetings. We export to PowerPoint because that’s how we give presentations. We export to Excel because that’s how we know to do analysis…and then all of a sudden we have 20 linked spreadsheets via VLOOKUP living on a network drive.

It’s not possible to make an enterprise change in technology without expecting change in process and user behavior.

</soapbox>

As with the above, this is not a universal recommendation. And I don’t expect process or behavior change to happen overnight. Change is hard, and it’s why I always recommend focusing on adoption as soon as possible (there’s a fantastic Power BI Adoption Framework webinar series here).

So restrict all three features to only the users who need them. But if security is truly as important as we say it is, here’s what I would recommend to help change behavior over time:

  • Instead of Export data, use Analyze in Excel.
    • This allows users to take advantage of Excel’s amazing ability as a presentation layer to do analysis, while keeping the data stored in a Power BI dataset for better data management.
  • Instead of Export reports as PowerPoint presentations, take advantage of Bookmarks.
    • This is without question my favorite feature of Power BI. You can essentially create snapshots and interactions to create custom navigation and truly achieve storytelling within your data. Think of it this way: you can essentially replicate the look and feel of PowerPoint, but maintain the interactivity and amazing feature set of Power BI.
  • Instead of Print dashboards and reports, encourage users to utilize the Power BI Mobile Apps.
    • Nothing shocking here, but with as much as we’re on our phones and tablets these days, why not? Every device with a mobile app can be managed with Microsoft Intune and users authenticate via Office 365 Azure Active Directory the same way they would on a desktop, so you can rest assured data won’t get into the wrong hands.

What do you think? Agree or disagree? I’d love to hear from you.

Have a great week!