Power BI Security & Architecture

Are you an enterprise, CIO or IT decision maker?

Before investing your budget in a modern BI tool for your organization, we strongly advise evaluating your BI vendor's security and architecture. Whether the tool is Power BI, Tableau, Qlik or Looker, each of these tools provides a cloud BI solution for your needs.

Each is available in cloud and on-premise versions. Using the cloud version offers several well-known advantages; however, data security then becomes the key concern. There are several questions that might be bothering you.

Is my data secure?

Where is my data stored?

What security options and best practices does the vendor implement?

How does the data move?

Is the data encrypted? What exactly is encrypted?

Does this sound like you?


If you are looking for answers to the questions above, or are evaluating Power BI as your go-to modern enterprise BI tool, I invite you to read the Power BI security whitepaper, which covers Power BI security and architecture in detail.

To summarize

Power BI is a SaaS platform by Microsoft hosted on Azure. It uses Azure services for its operation. There are Web Front End clusters and Back End clusters.

The WFE and Back End
Image source: Microsoft

Front End cluster

The frontend cluster (WFE) is responsible for the initial connection and authentication to the Power BI service, and for serving static files and content.

The WFE Cluster
Frontend (WFE) cluster

Back End cluster

The Back-end cluster's role comes into play once authentication is done. This cluster is responsible for data, storage, visualization, connections, refresh, and other user interactions.

The Back-End Cluster
Back-end cluster

The Back End cluster is the heart of the service. If you consider your data to be your asset, then the Back End cluster is a critical asset.

Pay particular attention to the dotted line in the image above: the roles to its left are reachable by users, while the roles to its right are reachable only by the system. A request to get data, dashboards or reports goes to the “Gateway Role” only. This Gateway Role decides where to route the request.

Snippet from the security paper:

The Gateway Role acts as a gateway between user requests and the Power BI service. Users do not interact directly with any roles other than the Gateway Role.

Important: It is imperative to note that only Azure API Management (APIM) and Gateway (GW) roles are accessible through the public Internet. They provide authentication, authorization, DDoS protection, Throttling, Load Balancing, Routing, and other capabilities.

The dotted line in the Back-End cluster image, above, clarifies the boundary between the only two roles that are accessible by users (left of the dotted line), and roles that are only accessible by the system. When an authenticated user connects to the Power BI Service, the connection and any request by the client is accepted and managed by the Gateway Role and Azure API Management, which then interacts on the user’s behalf with the rest of the Power BI Service. For example, when a client attempts to view a dashboard, the Gateway Role accepts that request then separately sends a request to the Presentation Role to retrieve the data needed by the browser to render the dashboard.

The Gateway role
Back End cluster Gateway Role

Top questions asked by customers

Where is my data stored?

The data that you upload along with a Power BI Report (PBIX) is stored in Azure Blob Storage. The metadata (information about dashboards, reports, refresh cycles and so on) is stored in Azure SQL Database.

The data is stored in the same region as the Power BI tenant.

Read more here: https://docs.microsoft.com/en-us/power-bi/whitepaper-powerbi-security#data-storage-and-movement

Is my data encrypted?

In the Power BI service, data is either at rest (data available to a Power BI user that is not currently being acted upon), or it is in process (for example: queries being run, data connections and models being acted upon, data and/or models being uploaded into the Power BI service, and other actions that users or the Power BI service may take on data that is actively being accessed or updated). Data that is in process is referred to as data in process. Data at rest in Power BI is encrypted. Data that is in transit, which means data being sent or received by the Power BI service, is also encrypted. The data at rest and in transit is encrypted.

Source: Power BI Whitepaper

Is Power BI Pro secure?

Power BI Pro is a shared environment. The Frontend and backend clusters could be shared between customers. Azure Blob Storage and Azure SQL Database could be shared between customers.

Is Power BI Premium secure?

When you initiate a Power BI Premium subscription, behind the scenes the back-end clusters are deployed to dedicated VMs. These VMs are dedicated to you and should not be shared between customers.

What happens when I login to app.powerbi.com?

Check this section in the whitepaper to learn what happens behind the scenes when you access app.powerbi.com.

All Power BI features in one page?

Check out this blog to see all Power BI features in one page!

Planning to migrate to Power BI?

Read this first: https://bigintsolutions.com/2020/04/21/migrate-to-power-bi/

What licensing options does Power BI support?

Power BI supports Power BI Pro and Power BI Premium licensing options. It also has a free version. If you need to know more about different licensing options, check out our Power BI Licensing guide.

I have more questions on security:

Read more here: https://docs.microsoft.com/en-us/power-bi/whitepaper-powerbi-security#power-bi-security-questions-and-answers

Conclusion

Power BI is a great modern BI tool. When evaluating Power BI for enterprises, we walk them through the architecture and security implementations in Power BI. This boosts enterprise customers' confidence to take the next big step in modernizing their reporting and analytics.


Next Steps?

Don’t hesitate to contact us today if you are looking for a Power BI enterprise deployment or want us to evaluate Power BI as your go-to modern enterprise BI tool.

Power BI Premium or Power BI Pro – the answer is here!

Power BI comes with multiple licensing models:

  1. Power BI Pro
  2. Power BI Premium
  3. Power BI Embedded
  4. Power BI Free

In this post we will cover the Power BI Pro and Power BI Premium licensing models.

The licensing model to go with is determined by the following three factors:

  1. Cost
  2. Number of users (creators, viewers, occasional viewers)
  3. Features required

The first two factors are the most critical in deciding the licensing model.

It’s a choice between multiple Pro licenses or multiple Premium licenses.

What is Power BI Pro/Power BI Premium?

Power BI Pro is a per-user license currently costing around $10 per user per month, while Power BI Premium is a capacity license currently costing around $5000 per capacity node per month.

Yes, the cost difference is huge. But, wait, there are lots of things hidden in that $5000.

  1. Power BI Premium is a capacity license. It can support the report-viewing needs of 450 users (see the example below)
  2. Power BI Premium is for content consumption rather than content creation
  3. Large numbers of external readers (users outside your org with no Power BI license)
  4. AI, paginated reports, XMLA read/write and many other features
  5. Note: With 1 Premium capacity node you get 8 cores, 25 GB RAM and 6 parallel refreshes.

What does all this mean?

If you want to create, author and publish reports, you definitely need Power BI Pro licenses. There is no way around that. Whether to go with Power BI Premium or not depends on your situation.

Scenarios

Say you have 500 users in your org, and of those 500 users

  1. 50 users will be creating content
  2. 200 users will be frequently accessing the content
  3. 250 users will be occasionally accessing the content

Then, you require

  1. 50 Power BI Pro licenses
  2. 1 Premium capacity node

With the premium capacity node we can serve the “consumption” needs for 450 users.

How did we come up with that conclusion? A simple Power BI Premium calculator is available to help decide the number of licenses (link below).

But say your org has 100 users, with 50 creating content and 50 viewing it. Then it is recommended to go with 100 Pro licenses (total cost $1000 per month) rather than a Premium capacity node, unless you need additional features like AI, external readers and so on.


Power BI Premium vs Power BI Pro – Which licensing model should I choose? The answer is here!


Next steps?

If you are still not sure of the licensing model or, worse, if you are not sure whether Power BI is a fit for your organization’s BI needs, then you may request a free consultation.

You may fill in the form below or directly set up a call.

Or fill in this form and we will get back to you with time slots within 12-24 business hours.

Notes

Power BI Premium Calculator: https://powerbi.microsoft.com/en-us/calculator/

Power BI Premium also comes with additional feature sets including AI, incremental refresh, Power BI Report Server, paginated (SSRS-style) reports, XMLA read/write and others; in other words, enterprise features.

Power BI Pro vs Power BI Premium

If you need a quick comparison between Power BI Pro and Power BI Premium feature sets, please check this table provided by Microsoft. (Click the image to view the entire table)

https://powerbi.microsoft.com/en-us/pricing/#powerbi-comparison-table

Resolved – Request is not a valid SAML 2.0 protocol message – when embedding Power BI Reports with federated authentication

Phew! Finally, we were able to resolve the error “Request is not a valid SAML 2.0 protocol message” when embedding Power BI reports with federated authentication. It took us some time, but thanks go to the wonderful Microsoft support team who worked with us in debugging and isolating the issue.

Our scenario: an enterprise customer with Power BI Premium capacity planning to embed Power BI reports in an internal application using the “App Owns Data” approach. There are reasons why an enterprise would embed reports (also called organizational embedding), and reasons to choose the “App Owns Data” approach over the “User Owns Data” approach. More about this in another blog post.

So why does this error occur, and how do you solve it?

Why this error:

When you authenticate using the master account, the request goes to a federated server (in this case the customer’s Identity Provider (IdP)). The IdP validates the credentials and sends back a SAML assertion together with a TokenType. The Azure AD .NET libraries inspect the TokenType and assign a grant type accordingly. This grant type and the SAML assertion are then sent to Azure AD for validation.

In our particular case, the PingFederate identity server returned a TokenType that the Azure AD .NET SDK took to mean SAML 2.0, so it tagged the grant type as 2.0 (urn:ietf:params:oauth:grant-type:saml2-bearer). But the assertion was not a 2.0 assertion; it was actually SAML 1.1.

Hence the error: Request is not a valid SAML 2.0 protocol message.
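The mismatch described above is easy to spot if you look at both halves of the IdP's response instead of trusting the TokenType alone. The following is an added example, not code from the original post or from the Azure AD libraries: it parses a WS-Trust RequestSecurityTokenResponse, compares the SAML version announced in TokenType with the namespace of the assertion actually embedded in it, and reports which grant type a TokenType-only client would pick versus the one the assertion really calls for. The sample response is constructed for this demonstration (the TokenType and assertion namespace URIs are the standard OASIS values; the saml1_1-bearer grant-type URI is assumed to be the one Azure AD expects for SAML 1.1 assertions).

```python
"""Detect a TokenType / assertion-version mismatch in a WS-Trust response.

Added example (not the post's or Microsoft's code). Reproduces the
diagnosis from the post: the IdP's RSTR advertises one SAML version in
<TokenType> while the embedded <Assertion> is another version, so a
client that trusts TokenType alone sends the wrong OAuth grant type.
"""
import xml.etree.ElementTree as ET

# SAML assertion namespaces (standard). SAML 1.1 reuses the 1.0 namespace.
SAML11_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# TokenType URIs an IdP may return, mapped to the assertion version they announce.
TOKEN_TYPE_VERSION = {
    "urn:oasis:names:tc:SAML:1.0:assertion": "1.1",
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1": "1.1",
    "urn:oasis:names:tc:SAML:2.0:assertion": "2.0",
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0": "2.0",
}

# OAuth grant type per assertion version. saml2-bearer is RFC 7522 and is
# quoted in the post; saml1_1-bearer is assumed to be the Azure AD value for 1.1.
GRANT_TYPE = {
    "1.1": "urn:ietf:params:oauth:grant-type:saml1_1-bearer",
    "2.0": "urn:ietf:params:oauth:grant-type:saml2-bearer",
}


def _local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _namespace(tag: str) -> str:
    """Return the namespace URI of a qualified tag, or '' if it has none."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def analyze_rstr(rstr_xml: str) -> dict:
    """Compare announced (TokenType) and actual (Assertion namespace) SAML versions."""
    root = ET.fromstring(rstr_xml)
    token_type = None
    actual_version = None
    for element in root.iter():
        name = _local_name(element.tag)
        if name == "TokenType" and token_type is None:
            token_type = (element.text or "").strip()
        elif name == "Assertion" and actual_version is None:
            ns = _namespace(element.tag)
            if ns == SAML11_ASSERTION_NS:
                actual_version = "1.1"
            elif ns == SAML20_ASSERTION_NS:
                actual_version = "2.0"
    announced_version = TOKEN_TYPE_VERSION.get(token_type)
    return {
        "token_type": token_type,
        "announced_version": announced_version,
        "actual_version": actual_version,
        # What a client that only reads TokenType would send to Azure AD.
        "naive_grant_type": GRANT_TYPE.get(announced_version),
        # What the assertion actually embedded in the response calls for.
        "correct_grant_type": GRANT_TYPE.get(actual_version),
        "mismatch": (announced_version is not None
                     and actual_version is not None
                     and announced_version != actual_version),
    }


# Constructed sample: TokenType claims SAML 2.0, but the assertion is SAML 1.1.
CONSTRUCTED_RSTR = """
<t:RequestSecurityTokenResponse
    xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <t:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_constructed-1"
        Issuer="https://idp.example.test" IssueInstant="2020-01-01T00:00:00Z">
      <saml:AuthenticationStatement
          AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
          AuthenticationInstant="2020-01-01T00:00:00Z">
        <saml:Subject><saml:NameIdentifier>user@example.test</saml:NameIdentifier></saml:Subject>
      </saml:AuthenticationStatement>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>
"""

if __name__ == "__main__":
    result = analyze_rstr(CONSTRUCTED_RSTR)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it on the constructed response reports announced_version 2.0, actual_version 1.1 and mismatch True, which is exactly the situation that produced the “not a valid SAML 2.0 protocol message” error. On a consistent response (TokenType and assertion both SAML 1.1 or both SAML 2.0) mismatch is False and naive_grant_type equals correct_grant_type, so the check is a cheap way to confirm that a non-ADFS IdP such as PingFederate is announcing the token version it actually issues before you send anything to Azure AD.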

How to solve this error?

There are two ways to solve this error:

  1. Create a cloud account on the customer’s tenant that is not federated (simple solution), for example abc@tenantname.onmicrosoft.com
  2. Construct the SAML requests manually, send them to your IdP, correct the TokenType in your code and send the request to Azure AD. You will have to bypass the Azure AD libraries and build your own requests (complex solution)

We went ahead with solution 1, used this cloud account as our master account and were able to successfully embed the reports in enterprise internal applications.

You will not face this issue if your IdP is ADFS.

Hope this helps,

Until then,

Ranbeer Makin

Let me show you the secrets of setting up Power BI Premium for embedding scenarios

Hola!

One of our enterprise customers approached us about embedding their Power BI reports, dashboards and Q&A in their application. They had purchased a Power BI Premium SKU and wanted to use Power BI embedded capabilities. In this blog post, we will explain how we helped our customer set up a workspace with Premium capacity and use it for embedding reports.

A quick recap of what you need to embed your reports in Power BI:

  1. A master account (basically a user) with a Power BI Pro license in the Azure AD tenant
  2. An application in Azure AD with permissions set up (more on this in the next blog)
  3. A workspace (or group) to publish the reports to be used in embedding
  4. The user created in #1 set as admin of this newly created workspace

How do we assign premium capacity to this newly created workspace?

1. Go to “Settings icon” in PowerBI.com, and select “Admin portal”

AdminPortal
2. Inside the Admin portal, select Premium settings

PremiumSettings

3. On the Premium settings screen, select the capacity that you want to use

4. Click “Assign Workspaces” in the capacity you have selected

AssignWorkspaces

5. You will be presented with a screen; add the user that you created initially (the master user, remember?)

AssignWorkspaces2

6. After this, go to the new workspace, edit it, and ensure that in advanced settings “Premium” is ON. You need to have workspace assignment permissions in order to enable it.

PremiumOff

7. When switching it ON, select the appropriate Premium capacity that you want to assign to this new workspace

PremiumOn

Hit Save, and you are done!

Now this workspace has Premium capacity turned ON. How do you verify it?

Go to this capacity in Premium settings and check that this workspace is listed as assigned.

workspacelisted

You are ready to embed your reports. You need to get a token, write some JavaScript and backend code and you are done!

Do you have questions? Let us know.

Contact us if you want to embed Power BI Reports, Dashboards or Q&A. We have helped enterprises, medium to small sized businesses develop and embed Power BI reports using varied sources of data with data sourcing, modeling, and compelling visualizations and analytics.

Or, head to our premium showcase section to see some of our work live in action.


Reference: https://www.youtube.com/watch?v=0Cy1V6LYjng