Publishing your Power BI report to the internet, free for everyone to see. An amazing feature, isn’t it?
Ever since the release of this ‘Publish to web’ option I’ve been amazed by it. And most often in a very positive way! For instance, when I’m inspired by beautifully designed reports with interesting stories of data. Or, when other Power BI enthusiasts showcase and demonstrate their findings, tips, and tricks using a public report (like this recent report with a map of 911 calls in Seattle).
My amazement is also caused by the fact that – despite the warnings Microsoft throws at them – lots of people still don’t fully understand the ‘Publish to web’ feature and use it on reports with sensitive data. In my consultancy work, I come across publicly shared reports very often, and a lot of them should never have been publicly published. Of course, in these situations I advise and assist my clients to remove these reports immediately (the solution is easy).
A small part of these reports is shared by people who don’t understand that both the visuals and the data model are exposed to the internet and are accessible without authentication. Please know that detail-level data is also exposed, even if you only have visuals on aggregated data levels. End-users can export the detail level, or use interactive features like Q&A to get to the (sensitive) details. In my experience, with a bit of extra education on how the feature works, these people realize what they are doing and will never publish reports with sensitive data again. Great 👊.
But the second segment of wrongfully publicly shared reports is a lot bigger. These reports are shared by people who think they understand the feature fine and are consciously taking a ‘calculated risk’. Their main argument is that public reports are ‘safe’ as long as they don’t share the public report URL outside of the organization 🤔. They believe nobody can find these public reports. That’s where they are wrong, and I’m going to prove it.
The ‘why’: SharePoint Embedding
I think I know why this happened though. Probably a large portion of these reports is shared publicly to be able to embed them in (classic) SharePoint pages. The official SharePoint Online web part took a little while to arrive, and the ‘Publish to web’ feature was a very common workaround. We still cannot embed reports in classic pages using this web part, nor in on-premises SharePoint environments, so I guess for these scenarios this still drives people to publicly share their report.
How many more?
The number of wrongfully, publicly shared reports that I’ve come across is just shocking. I’m sure there must be a lot more of these reports. I think the time has come to alert a broader group of people. So, to prove how easy it is to find reports published to the web, I’ve created a gallery of public reports to create more awareness! Check out the thousands of reports I was able to find, in the embedded report below!
Mouse-over screenshot included for your convenience 🤗 . I’m writing a blog post to explain exactly how I made the report, don’t worry 😉 !
Direct link to the online report: Dave’s Gallery.
With this gallery of public reports, I hope to motivate all Power BI developers and administrators to carefully (re)think if they should share their reports on the web.
How do I know if someone in my organization publicly shared a Power BI report?
Are you a Power BI Admin in your organization? Or the tenant Global Admin? Easy:
- Go to the Admin Portal (https://app.powerbi.com/admin-portal/)
- Open the Embed Codes section. You will see all the publicly shared reports there.
Want to stop publicly sharing one or all reports? Delete the so-called ‘embed code’ per report right there 🗑 (no worries, it will not touch or delete the actual report).
What if you are not the Power BI admin? Well, of course, it’s best to have an overview of all the embed codes. So be sure to find out who the admin is. In the meantime: you can stop public sharing of reports from within the App Workspaces. It’s a simple 3-step process:
- In the Power BI Service, go to the App Workspace of that report and click on the settings button in the top right of the portal.
- Select ‘Manage embed codes’.
- Delete the embed code 🗑.
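For admins who prefer a script over the portal, the same overview can be built per sharer. This is an added example, not part of the original post: it assumes the MicrosoftPowerBIMgmt PowerShell module, a Power BI admin sign-in, and the admin REST endpoint `admin/widelySharedArtifacts/publishedToWeb`, none of which the post itself mentions. The report names, ids and addresses in the sample are constructed.

```powershell
# Added example, not from the original post. Live use assumes the
# MicrosoftPowerBIMgmt module and a Power BI admin sign-in.
function Get-PublishToWebInventory {
    param(
        # Returns one parsed response page for a URL; the default calls the live API.
        [scriptblock]$Fetch = {
            param($Url)
            Invoke-PowerBIRestMethod -Url $Url -Method Get | ConvertFrom-Json
        }
    )
    $url = 'admin/widelySharedArtifacts/publishedToWeb'
    while ($url) {
        $page = & $Fetch $url
        foreach ($e in $page.ArtifactAccessEntities) {
            [pscustomobject]@{
                Report   = $e.displayName
                ReportId = $e.artifactId
                Sharer   = $e.sharer.emailAddress
            }
        }
        # Follow paging until the service stops returning a continuation link.
        $url = $page.continuationUri
    }
}

# Constructed sample pages (hypothetical names and ids) so the logic runs offline.
$samplePages = @{
    'admin/widelySharedArtifacts/publishedToWeb' = @'
{"ArtifactAccessEntities":[
  {"artifactId":"00000000-0000-0000-0000-000000000001","displayName":"Sales by customer",
   "artifactType":"Report","shareType":"PublishToWeb",
   "sharer":{"emailAddress":"alice@contoso.example"}}],
 "continuationUri":"sample-page-2"}
'@
    'sample-page-2' = @'
{"ArtifactAccessEntities":[
  {"artifactId":"00000000-0000-0000-0000-000000000002","displayName":"HR headcount",
   "artifactType":"Report","shareType":"PublishToWeb",
   "sharer":{"emailAddress":"alice@contoso.example"}}]}
'@
}
$offline = { param($Url) $samplePages[$Url] | ConvertFrom-Json }

# Offline run against the sample. For a real tenant, run Connect-PowerBIServiceAccount
# first and call Get-PublishToWebInventory with no arguments.
Get-PublishToWebInventory -Fetch $offline |
    Group-Object Sharer |
    Select-Object @{n='Sharer';e={$_.Name}}, Count, @{n='Reports';e={$_.Group.Report -join '; '}}
```

Grouping by sharer shows who to talk to first; removing an embed code is still done in the portal as described above.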
How to govern public sharing of Power BI content
You can (and should IMO) disable the ‘Publish to Web’ feature for the whole organization. Then – only for specific security groups – enable it on a case-by-case basis. This makes it possible to govern who uses this feature and if they use it wisely.
- In the Power BI Service, click on the settings button in the top right of the portal and open the Admin Portal (if you have permissions).
- Select ‘Tenant settings’.
- Browse to the ‘Publish to web’ setting and disable it, or only enable it for the specific security group(s) that know when not to use this feature. Click Apply.