What is the difference between Row-Level Security (RLS) and Object-Level Security (OLS) in Power BI?

Row-Level Security (RLS) controls which rows of data a user can see by applying DAX filter expressions based on user identity. For example, a sales manager in the US region only sees US data. Object-Level Security (OLS) controls which columns and tables are visible to a user — a restricted column disappears entirely from the field list and cannot be referenced in DAX. RLS filters horizontally (rows), while OLS filters vertically (columns). Both can be combined in a single semantic model for maximum data protection.

Does Power BI support HIPAA compliance for healthcare organizations?

Yes. Microsoft signs a Business Associate Agreement (BAA) for Power BI as part of Microsoft 365 E5 or Azure Enterprise Agreement, which is required for HIPAA compliance. To meet HIPAA requirements, you must also implement Row-Level Security to restrict PHI access, enable sensitivity labels for data classification, configure DLP policies to detect patient identifiers, retain audit logs for 6 years, and deploy Private Endpoints for encrypted data transit. EPC Group has extensive experience implementing HIPAA-compliant Power BI environments for health systems and payers.

How do I prevent users from exporting sensitive data from Power BI reports?

Use a multi-layered approach. First, apply Microsoft Purview sensitivity labels (such as Highly Confidential) to semantic models and reports — labeled exports retain encryption and access restrictions. Second, configure Conditional Access App Control through Microsoft Defender for Cloud Apps to block downloads from untrusted networks or unmanaged devices. Third, disable the "Export data" tenant setting in the Power BI admin portal for specific security groups. Fourth, enable DLP policies that restrict sharing when sensitive information types are detected. Fifth, disable "Publish to web" tenant-wide to prevent unauthenticated public access.

What is the recommended approach for Power BI audit logging in regulated industries?

Stream Power BI activity logs to Azure Log Analytics for long-term retention beyond the default 90-day window. Use a PowerShell script or Azure Function running daily to call the Power BI Activity Log REST API and ingest events into Log Analytics. For organizations with Microsoft Sentinel, create analytics rules to detect anomalous patterns such as mass data exports, external sharing to unauthorized domains, sensitivity label downgrades, or administrative credential access. HIPAA requires 6-year log retention, SOC 2 requires demonstrable monitoring and alerting, and FedRAMP requires continuous monitoring aligned with NIST SP 800-137.

Can Power BI be deployed in Azure Government for FedRAMP compliance?

Yes. Power BI is available in Microsoft Azure Government cloud, which is a physically separated environment from commercial Azure. Azure Government meets FedRAMP High, DoD IL4, and DoD IL5 requirements. Power BI in Azure Government provides FIPS 140-2 compliant encryption, US-only data residency, and personnel with US citizenship background checks. You must use separate Azure Government URLs and endpoints, and Private Endpoints are available for network isolation. EPC Group has deployed Power BI in Azure Government environments for federal agencies and defense contractors.

How often should we review Power BI workspace access and security roles?

Conduct formal access reviews quarterly at minimum. SOC 2 auditors expect evidence of periodic user access reviews (Trust Services Criteria CC6.2), and most compliance frameworks require documented access certification. Use the Power BI REST Admin API to export workspace membership lists programmatically, compare against HR active employee rosters, and flag stale accounts (employees who have left or changed roles). Automate this process using Azure AD Access Reviews, which can trigger re-certification workflows for workspace admins. Between formal reviews, monitor the audit log for AddWorkspaceAccess and ShareReport events to catch ad-hoc access grants.

How is a Power BI engagement priced for enterprise workloads?

Pricing is modeled against three variables: the complexity of the semantic layer, the volume and velocity of source data, and the governance footprint required after go-live. A scoped implementation typically runs as a fixed-fee discovery sprint followed by a time-and-materials build, because dataset refresh patterns and row-level security rules almost always evolve once real user personas review early drafts. Licensing is separated from consulting fees and mapped against Power BI Pro, Premium Per User, and Fabric capacity SKUs so finance teams can plan capacity uplift independently of delivery cost. A typical mid-market rollout lands between 120 and 480 consulting hours across data modeling, DAX optimization, report design, and deployment pipelines. Fabric workloads add capacity sizing sessions to avoid over-provisioning F-SKUs on day one.

How long does a production-ready Power BI rollout take?

A single subject-area workspace with a conformed star schema, deployment pipeline, and row-level security ships in roughly six to eight weeks once source access is granted. Multi-domain rollouts that span finance, operations, and customer analytics typically run three to five months because the semantic model has to reconcile calendar, product, and organizational hierarchies that rarely align across source systems. Fabric lakehouse projects add four to six weeks for medallion design, Direct Lake tuning, and OneLake shortcut setup. Timelines compress when an authoritative data dictionary already exists and lengthen when stakeholders are discovering definitions (for example, what counts as "active customer") for the first time. Governance, training, and center-of-excellence enablement are run in parallel rather than sequentially.

What delivery methodology do you use for Power BI and Fabric projects?

Delivery runs on a five-stage pattern: Discover, Model, Visualize, Operationalize, and Enable. Discover captures questions stakeholders actually want answered, not just source tables. Model builds a Kimball-style star schema (or a medallion lakehouse in Fabric) with conformed dimensions and documented grains. Visualize produces reports against a shared theme file, applies accessibility tokens, and uses bookmarks and field parameters instead of bespoke page duplication. Operationalize wires up deployment pipelines, dataset refresh monitoring, and Azure DevOps or GitHub source control via TMDL. Enable delivers hands-on training for citizen developers and a lightweight center-of-excellence charter. Each stage ends with a demo and a written acceptance checklist, so scope creep is visible before it becomes rework.

How do you secure sensitive data inside Power BI reports?

Security is layered rather than relying on a single control. Row-level security and object-level security are enforced inside the semantic model using DAX filter expressions driven by Entra ID group membership, so filters survive refresh and cannot be bypassed by report-level tricks. Sensitivity labels from Microsoft Purview are applied at dataset and report scope and follow exports into Excel and PDF. Workspace roles follow a least-privilege pattern (Admin, Member, Contributor, Viewer) and are granted to Entra ID groups, never individuals. Private endpoints and VNet data gateways keep on-premises sources off the public internet, and tenant-level settings restrict publish-to-web, external sharing, and guest access. Every production dataset is audited quarterly against a written RLS test plan.

Can existing Excel and Tableau reports be migrated into Power BI?

Yes, but a migration is an opportunity to redesign rather than a literal port. Excel financial models usually translate cleanly into a semantic model: named ranges become dimensions, pivot tables become matrix visuals, and SUMIFS chains become well-formed DAX measures with variables. Tableau workbooks require more interpretation because Tableau extracts and Power BI datasets have different refresh and relationship semantics; calculated fields are rewritten as DAX, LOD expressions become CALCULATE patterns, and dashboard actions are rebuilt using bookmarks and drillthrough. A discovery audit catalogs every report, ranks them by business value, and retires the long tail of duplicates before migration starts. This typically reduces the report estate by 30–50 percent.

How do you optimize DAX performance on large semantic models?

DAX performance starts with the model, not the measure. Star schemas with integer surrogate keys, single-direction relationships, and calculated columns materialized in Power Query outperform ambiguous snowflakes every time. Measures are written using variables (VAR/RETURN) to avoid repeated context transitions, and expensive patterns like FILTER over entire tables are replaced with KEEPFILTERS and Boolean filter arguments. Aggregation tables and composite models offload detail-level queries from imported caches to Direct Lake or DirectQuery sources. Every measure that appears in a production report is profiled with DAX Studio and VertiPaq Analyzer; queries above a 2-second threshold on representative hardware are rewritten before release. Fabric capacity metrics are reviewed weekly to catch runaway refreshes and interactive CPU spikes.

Do you support Microsoft Fabric, OneLake, and Direct Lake workloads?

Fabric is now the default landing zone for new analytics workloads unless a client has a specific reason to stay on legacy Power BI Premium capacity. Engagements cover medallion architecture design in lakehouses, data engineering pipelines built in Fabric notebooks or Dataflows Gen2, shortcut-based integration with Azure Data Lake Storage and Amazon S3 through OneLake, and Direct Lake semantic models that skip import refresh entirely. Capacity sizing is based on measured workload patterns rather than vendor rules of thumb, and F-SKU scaling is automated through Azure Logic Apps or the Fabric REST API so off-hours costs stay predictable. Copilot in Fabric is configured with tenant-level data boundaries and audit logging before it is enabled for end users.

What training and enablement do end users receive after go-live?

Training is tiered by persona. Report consumers get a 45-minute guided tour covering filters, bookmarks, subscriptions, and mobile access. Analysts get a three-session workshop on self-service semantic model extensions, composite models, and publishing to workspaces that follow the governance pattern. Data modelers receive a two-day immersion on star schema design, DAX fundamentals, and deployment pipeline usage. Every session is recorded, indexed, and paired with a sandbox workspace seeded with representative sample data. A written center-of-excellence charter defines who owns certified datasets, who can promote a report to production, and how to request enhancements. Office hours run for 30 days post-launch so questions do not pile up into a formal change request.

How are Power BI deployments managed across dev, test, and production?

Every production workspace is paired with matching development and test workspaces wired through Power BI deployment pipelines. Datasets are source-controlled as TMDL files in Azure DevOps or GitHub so pull requests can be reviewed by a second modeler before merge. Environment-specific parameters (connection strings, sensitivity label rules, capacity assignments) are swapped at deployment time using parameter rules rather than manual edits. Fabric deployment pipelines handle lakehouses, notebooks, and data pipelines with the same promotion pattern. Refresh schedules, gateway assignments, and alerting are applied through the Power BI REST API so they survive redeployment. A written change-management checklist covers dataset certification, dependency impact analysis, and rollback procedure for every promotion to production.

Which industries and data sources do you support most often?

Heaviest experience sits in healthcare, financial services, energy, manufacturing, and public sector, because each of those verticals pushes a different dimension of Power BI: HIPAA-bound PHI handling, transaction-grain reconciliation, time-series sensor data, cost-center-driven manufacturing variance, and FedRAMP-aligned government reporting. Source systems frequently include Microsoft Dynamics 365, SAP ECC and S/4HANA, Salesforce, Workday, Epic and Cerner (Oracle Health), Infor, and a long tail of legacy ODBC databases connected through on-premises data gateways. Fabric engagements add Azure Data Lake Storage, Snowflake, Databricks, BigQuery, and Amazon S3 through OneLake shortcuts. Regardless of source, the modeling discipline is identical: conformed dimensions, documented grains, and a semantic layer that hides the join complexity from report authors.

Power BI Security Best Practices for Enterprise 2026

Power BI security in 2026 requires a defense-in-depth strategy spanning eight distinct layers — from Azure AD identity and conditional access to row-level data filtering and data loss prevention policies — because a single misconfigured setting at any layer can expose regulated patient data, financial records, or classified government information to unauthorized users. If your organization deploys Power BI for more than 100 users or handles sensitive data in any form, you need every layer described in this guide.

In my 25+ years securing enterprise analytics platforms, I have conducted security assessments for organizations ranging from 500-user midmarket companies to 30,000-user global enterprises across healthcare, financial services, and government. The pattern I see repeatedly is that organizations focus on one or two layers (typically workspace permissions and maybe RLS) while leaving critical gaps in network isolation, data classification, export controls, and audit logging. Our enterprise deployment services implement all eight security layers as a unified framework, and the result is deployments that pass HIPAA, SOC 2, and FedRAMP compliance audits on the first attempt.

Why Power BI Security Requires a Layered Approach

Power BI security is not a single setting. It spans at minimum eight layers, and a failure at any single layer can undermine the entire stack:

Identity — Azure AD authentication, MFA, conditional access policies
Network — Private endpoints, firewall rules, VPN requirements
Workspace — Roles (Admin, Member, Contributor, Viewer) and access grants
Semantic Model — Row-Level Security and Object-Level Security
Data Classification — Microsoft Purview sensitivity labels
Data Loss Prevention — DLP policies preventing sensitive data exposure
Sharing and Distribution — External access controls, embed policies
Audit — Unified audit logging, activity monitoring, alerting

The principle of defense in depth applies directly: no single control should be the sole barrier between a threat actor and sensitive data. Each layer adds an independent security boundary.

Layer 1: Identity and Azure AD

Conditional Access Policies

Configure Azure AD Conditional Access policies specifically for the Power BI Service:

Require MFA for all Power BI access — this is the single highest-impact security control available
Block access from unmanaged devices — prevent users from viewing sensitive reports on personal phones or public computers
Require compliant devices — ensure devices meet corporate security baselines (encryption, patching, antivirus)
Location-based restrictions — block access from countries where your organization does not operate
Session controls — limit session duration for sensitive workspaces (e.g., 4-hour timeout for healthcare data)

Service Principal Authentication

For automated processes (REST API calls, XMLA endpoint connections, CI/CD pipelines), use Azure AD service principals instead of user accounts:

Service principals support certificate-based authentication — more secure than passwords
Permissions are scoped to specific workspaces, not tenant-wide
Activity logs distinguish automated access from human access
Service principals are not affected by MFA policies that could break automated workflows

Layer 2: Network Security

Private Endpoints (Private Link)

For organizations handling highly sensitive data, configure Azure Private Link for the Power BI Service:

Power BI traffic routes through your private network, never traversing the public internet
Configure in the Power BI Admin Portal under Tenant Settings > Networking
Requires Azure ExpressRoute or VPN for on-premises user access
Combine with Azure Firewall to log and inspect all Power BI traffic

On-Premises Data Gateway Security

The data gateway bridges on-premises data sources with the Power BI Service:

Install on a dedicated server — never on a database server or domain controller
Require HTTPS for all gateway communications (enabled by default)
Restrict gateway admin membership to two or three designated administrators
Monitor gateway logs for connection failures and unauthorized access attempts
Keep the gateway software current — Microsoft releases monthly security updates

Layer 3: Workspace Security

Role Assignment Best Practices

Role	Capabilities	Assign To
Admin	Full control including deletion	Workspace owners only (2-3 people)
Member	Create, edit, publish content	Report developers, data modelers
Contributor	Create and edit content, but cannot publish apps or manage access	Junior developers, content editors
Viewer	View reports only, cannot access underlying data or export	Business users, executives

Critical rules:

Always use Azure AD security groups for role assignment, never individual users. Groups enable centralized access management through IT governance processes
Never grant Admin or Member to a security group containing all employees
Review workspace membership quarterly and remove departed employees
Use separate workspaces for different sensitivity levels — do not mix public dashboards and confidential data in the same workspace

Layer 4: Row-Level and Object-Level Security

Row-Level Security (RLS)

RLS filters rows based on user identity. Essential for:

Multi-tenant reports where different business units must not see each other's data
Regional restrictions (each sales manager sees only their territory)
Healthcare reports where providers see only their assigned patients
Financial reports with client data isolation for advisory firms

Object-Level Security (OLS)

OLS hides entire tables or columns from unauthorized users. Use when:

Salary columns should be visible to HR but hidden from other departments
Cost data should be visible to finance but hidden from sales teams
PII columns (SSN, date of birth) should be visible only to compliance officers
Draft or preliminary data columns should be hidden from general business users

OLS and RLS work together: RLS filters which rows a user sees, OLS controls which columns and tables are visible. Both are enforced at the engine level.

Layer 5: Data Classification and Sensitivity Labels

Configure Microsoft Purview sensitivity labels for Power BI content:

Public: Reports shared externally (marketing dashboards, public metrics)
Internal: General business reports with no sensitive data
Confidential: Reports containing PII, financial data, or competitive intelligence
Highly Confidential: Reports containing PHI (healthcare), material non-public information (finance), or classified data (government)

Labels control downstream behaviors:

Export restrictions: Highly Confidential labels can block Excel export, PDF export, and screenshot capabilities
Sharing restrictions: Confidential labels can prevent sharing outside the organization
Inheritance: When a report connects to a labeled semantic model, the report inherits the label
Mandatory labeling: Require users to apply a label before publishing content

Layer 6: Data Loss Prevention

Configure DLP policies in Microsoft Purview that monitor Power BI content:

Detect semantic models containing sensitive information types (credit card numbers, SSNs, patient IDs)
Alert compliance officers when sensitive data is detected in unlabeled or under-labeled content
Block sharing of content that violates DLP policies
Generate compliance reports for auditors

Layer 7: Sharing and External Access

Tenant Settings to Restrict

In the Power BI Admin Portal, review these critical tenant settings:

Export data: Restrict or disable for sensitive workspaces
Print dashboards and reports: Disable for compliance-sensitive content
Share content with external users: Disable unless B2B collaboration is explicitly required
Publish to web: Disable entirely — this creates a public, unauthenticated URL to your report
Allow XMLA endpoints: Restrict to specific security groups who need programmatic access

Layer 8: Audit and Monitoring

Enable unified audit logging and configure automated monitoring:

Power BI activity logs capture every user action: report views, data exports, sharing events, admin changes
Export audit data to your SIEM (Splunk, Sentinel, or similar) for centralized security monitoring
Create alerts for high-risk events: external sharing, bulk data export, admin role changes
Conduct quarterly access reviews comparing workspace membership against HR records

For detailed monitoring setup, see our Power BI monitoring guide.

Compliance-Specific Guidance

HIPAA Compliance

Enable all eight layers described above
Apply Highly Confidential sensitivity labels to all PHI-containing content
Configure DLP policies to detect healthcare-specific identifiers
Maintain 6-year audit log retention (HIPAA requires 6 years)
Document your Power BI security configuration in your HIPAA Security Rule risk assessment

SOC 2 Type II

Demonstrate access controls with documented role assignments and quarterly reviews
Provide audit log exports showing access patterns and change management
Document the deployment pipeline process proving separation of duties
Show evidence of encryption at rest (automatic in Power BI) and in transit (TLS 1.2+)

FedRAMP

Deploy Power BI in the US Government cloud (GCC or GCC High)
Configure private endpoints for all data traffic
Implement FIPS 140-2 compliant encryption settings
Maintain continuous monitoring with automated compliance scanning

Ready to secure your Power BI deployment? Contact our enterprise security team for a comprehensive security assessment and remediation plan.