I get many questions about Power BI and security-related features. Users and customers often don't realize that most of their requirements can actually be solved by Azure Active Directory (AAD). Power BI uses AAD to handle authentication and authorization. Because of this, we can leverage all the features of AAD to add additional security and rules to Power BI. If you want to understand how AAD and Power BI work together, Guy in a Cube has a great video on this.
So what kind of features does AAD have that you can use to secure your Power BI even more?
Conditional access

You can use AAD conditional access to set conditions that users must meet before they can authenticate with Power BI:
- Require two-factor authentication when logging in to Power BI
- Only allow connections to Power BI from the corporate network
- Only allow Power BI connections from machines that are domain joined
- Only allow connections from machines that are compliant with the network policy
- Only allow logging in to Power BI from a certain AD group (the rest cannot log in)
You can also mix and match the above. For example, normal users can only log in from the VPN or the office, but admins can always log in.
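
One way to express the mix-and-match rule above as a conditional access policy, using the Microsoft Graph PowerShell SDK. This is an added example, not from the original post: the two group object IDs are placeholders, and it assumes your office and VPN egress ranges are already defined as trusted named locations in the tenant.

```powershell
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholders: replace with group object IDs from your own tenant.
$normalUsersGroupId = '<object-id-of-power-bi-users-group>'
$adminsGroupId      = '<object-id-of-power-bi-admins-group>'

# App ID of the first-party "Power BI Service" application.
$powerBiAppId = '00000009-0000-0000-c000-000000000000'

$policy = @{
    displayName = 'Power BI - block users outside trusted locations'
    # Report-only: sign-ins are evaluated and logged, but nothing is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @($powerBiAppId) }
        users          = @{
            includeGroups = @($normalUsersGroupId)  # normal users are in scope
            excludeGroups = @($adminsGroupId)       # admins can always log in
        }
        locations      = @{
            includeLocations = @('All')         # applies everywhere...
            excludeLocations = @('AllTrusted')  # ...except office/VPN ranges
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Check the report-only results in the AAD sign-in logs before changing `state` to `enabled`, so a scoping mistake does not lock users out of Power BI.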

More AAD options
What else can you do with AAD?
- Assigning Power BI licenses automatically to a group
- View all pro users
- Assign or query licenses through PowerShell
- Have users sign a EULA before connecting to Power BI (this is actually another conditional access feature, but I feel it is separate 🙂)
- Audit who has logged in and from where
- Configure custom branding for the login screen (be warned this is not just for Power BI)
These AAD features will help you secure your Power BI environment even further, and more features are being added all the time.
This is all about securing access… how about securing publishing? I.e. disable publishing to any account other than the corporate account you are logged into.
You can disable B2B sharing in Power BI: https://docs.microsoft.com/en-us/power-bi/service-admin-portal#export-and-sharing-settings
Thanks Kasper, exactly what I needed.
…actually it’s only partly solved the issue: that stops me sharing a published report from one tenant to another, it doesn’t stop me switching to another tenant completely then uploading to that tenant?
That also exists; it is called tenant restrictions: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions