
Power BI Tenant Settings and Admin Portal: Governance Essentials

A comprehensive guide to Power BI tenant settings, the Admin Portal, and governance configuration covering export controls, sharing policies, developer settings, audit logs, capacity management, custom visuals governance, sensitivity labels, workspace permissions, and Fabric tenant settings for enterprise deployments.

By EPC Group

<h2>Why Tenant Settings Are the Foundation of Power BI Governance</h2>

<p>Every Power BI deployment begins with tenant settings. These are the organization-wide configuration controls in the Power BI Admin Portal that determine what users can and cannot do across the entire Power BI environment. A misconfigured tenant setting can expose sensitive data to external users, allow uncontrolled data exports, permit unauthorized API access, or create compliance violations that put the organization at legal and financial risk. Conversely, overly restrictive settings stifle adoption and push users toward shadow IT solutions that are even harder to govern.</p>

<p>The Power BI Admin Portal contains over 100 tenant settings organized into categories. Each setting can be enabled or disabled for the entire organization, enabled for specific security groups, or disabled for specific security groups. This security group scoping is the primary mechanism for implementing graduated governance: enabling advanced features for trained power users while restricting them for general consumers. Our <a href="/services/power-bi-consulting">Power BI consulting</a> team configures tenant settings for Fortune 500 organizations across healthcare, finance, and government where compliance requirements demand precise control over every aspect of the Power BI environment.</p>

<p>This guide covers the critical tenant settings that every Power BI administrator must configure, the governance rationale behind each setting, monitoring and audit capabilities, and the expanded Fabric tenant settings that apply when your organization has enabled Microsoft Fabric.</p>

<h2>Accessing the Power BI Admin Portal</h2>

<p>The Admin Portal is accessible to users with the following roles:</p>

<ul> <li><strong>Microsoft 365 Global Administrator</strong>: Full access to all Admin Portal features</li> <li><strong>Power BI Service Administrator (Power Platform Administrator)</strong>: Full access to Power BI Admin Portal features, the recommended role for dedicated Power BI administrators</li> <li><strong>Fabric Administrator</strong>: Full access to Fabric and Power BI Admin Portal features when Fabric is enabled</li> </ul>

<p>Access the Admin Portal from the Power BI service: click the gear icon in the upper-right corner and select "Admin portal". The portal includes sections for Tenant settings, Usage metrics, Users, Audit logs, Capacity settings, Embed codes, Organization visuals, Azure connections, and Workspaces.</p>

<h3>Tenant Settings Structure</h3>

<p>Each tenant setting follows a consistent pattern:</p>

<ul> <li><strong>Enabled/Disabled toggle</strong>: Controls whether the feature is available at all</li> <li><strong>Apply to</strong>: "The entire organization" or "Specific security groups"</li> <li><strong>Except specific security groups</strong>: Exclusion groups that override the inclusion setting</li> </ul>

<p>The combination of inclusion and exclusion groups enables precise control. For example, you can enable "Export to Excel" for the entire organization except the "Restricted Data Users" security group, or enable "Publish to web" for only the "Marketing Content Publishers" group.</p>

<h2>Critical Tenant Settings to Configure</h2>

<h3>Export and Sharing Controls</h3>

<p>Export and sharing settings are the most critical from a data governance perspective because they control how data leaves the Power BI environment:</p>

<ul> <li><strong>Export to Excel</strong>: Controls whether users can export visual data to Excel. In regulated industries (healthcare, finance), this setting is often restricted to specific groups because exported Excel files are outside Power BI governance, RLS, and audit controls. Consider restricting to analysts who have completed data handling training</li> <li><strong>Export to CSV</strong>: Separate from Excel export; controls CSV file export from visuals. Apply the same governance as Excel export</li> <li><strong>Export to PDF and PowerPoint</strong>: Controls whether users can export report pages as PDF or PowerPoint files. Generally lower risk than data exports because these are visual snapshots rather than raw data, but still subject to data classification policies</li> <li><strong>Export to MHTML</strong>: Controls email subscription attachment format. MHTML files can contain embedded data and should be governed similarly to data exports</li> <li><strong>Print dashboards and reports</strong>: Controls the print function. In highly regulated environments, printing may be restricted to prevent physical copies of sensitive data</li> <li><strong>Copy and paste visuals</strong>: Controls whether users can copy visual images to the clipboard. Lower risk than data export but can still result in sensitive visualizations appearing in ungoverned contexts</li> </ul>

<p><strong>Enterprise recommendation</strong>: Enable visual exports (PDF, PowerPoint) broadly for reporting convenience. Restrict data exports (Excel, CSV) to specific security groups with documented justification. Implement <a href="/blog/power-bi-sensitivity-labels-information-protection-2026">sensitivity labels</a> to add persistent protection to exported files.</p>

<h3>External Sharing Policies</h3>

<p>External sharing settings control how Power BI content can be shared with users outside your Azure AD tenant:</p>

<ul> <li><strong>Allow Azure Active Directory guest users to access Power BI</strong>: The master switch for B2B sharing. When enabled, external users invited as Azure AD guests can access Power BI content shared with them. When disabled, no external access is possible regardless of other settings</li> <li><strong>Invite external users to your organization</strong>: Controls whether Power BI users can send B2B invitation emails directly from the Power BI sharing interface. Even when disabled, administrators and users with the Guest Inviter role can still invite guests through Azure AD</li> <li><strong>Allow external users to edit and manage content</strong>: Controls whether guest users can edit reports, create content, and manage workspace items. Most organizations restrict this to read-only access for external users</li> <li><strong>Publish to web</strong>: Creates a public embed code that makes a report accessible to anyone on the internet without authentication. This is the highest-risk sharing setting and should be disabled for the entire organization except a tightly controlled group (if needed at all). Published-to-web reports bypass all security, RLS, and authentication. In compliance-regulated industries, this setting should be disabled entirely</li> <li><strong>Allow shareable links to grant access to everyone in your organization</strong>: Controls the "People in your organization" sharing link type. When disabled, sharing links must target specific individuals or groups, preventing accidental broad internal exposure</li> </ul>

<p><strong>Enterprise recommendation</strong>: Enable Azure AD guest access for controlled B2B collaboration. Disable "Publish to web" entirely in regulated industries. Restrict external content editing to specific partnership scenarios. Require specific-user sharing links rather than organization-wide links for sensitive content.</p>

<h3>Developer Settings</h3>

<p>Developer settings control programmatic access to Power BI content and data:</p>

<ul> <li><strong>Embed content in apps</strong>: Controls whether Power BI content can be embedded in custom applications using the Power BI Embedded APIs. Enable for development teams that build custom portals or applications. Disable for the general user population to prevent unauthorized embedding</li> <li><strong>Allow service principals to use Power BI APIs</strong>: Controls whether Azure AD service principals (application identities) can authenticate to Power BI REST APIs. Essential for automated deployment pipelines, monitoring solutions, and administrative scripts. Restrict to specific security groups containing only the service principals that need access</li> <li><strong>Allow service principals to create and use profiles</strong>: Required for multi-tenant ISV applications that use service principal profiles to manage content isolation between customers</li> <li><strong>Block ResourceKey Authentication</strong>: Controls whether streaming dataset API keys can be used for authentication. Enable this block unless you specifically use streaming datasets with push API</li> </ul>

<p><strong>Enterprise recommendation</strong>: Enable embedding and service principal API access for specific development and automation security groups. Block these capabilities for the general user population. Implement API access logging and review service principal permissions quarterly.</p>

<h3>Workspace Creation Permissions</h3>

<p>Workspace creation is a critical governance control that determines who can create new Power BI workspaces:</p>

<ul> <li><strong>Create workspaces</strong>: Controls which users can create new workspaces in the Power BI service. Unrestricted workspace creation leads to workspace sprawl, inconsistent naming, orphaned workspaces, and ungoverned content. Restrict workspace creation to a specific security group (such as "Workspace Creators" or "BI Team Leads")</li> </ul>

<p>Workspace governance extends beyond the creation setting. Establish a workspace request process where users submit a request (through a form, ticketing system, or Teams channel) specifying the workspace purpose, required members, data sensitivity classification, and expected lifecycle. An administrator creates the workspace following naming conventions and assigns appropriate roles. This process ensures every workspace has a documented owner, purpose, and governance classification. Our <a href="/services/power-bi-governance">Power BI governance</a> services help organizations implement workspace governance frameworks.</p>

<h3>Audit Log Configuration</h3>

<p>Audit logging is essential for compliance, security monitoring, and usage analytics:</p>

<ul> <li><strong>Usage metrics for content creators</strong>: Controls whether workspace members can view usage metrics for reports and dashboards in their workspaces. Usage metrics show view counts, unique viewers, and viewing trends. Generally safe to enable broadly</li> <li><strong>Per-user data in usage metrics for content creators</strong>: Controls whether usage metrics include individual user names or only aggregated data. In privacy-sensitive regions (GDPR jurisdictions), consider disabling per-user data or restricting it to workspace administrators</li> <li><strong>Azure Log Analytics connections for workspace administrators</strong>: Controls whether workspace administrators can connect workspace activity data to Azure Log Analytics for advanced monitoring. Enable for organizations that use Azure Monitor for centralized operational monitoring</li> </ul>

<p>Power BI audit logs are not configured in the Admin Portal itself but through the Microsoft Purview compliance portal (formerly Microsoft 365 compliance center). Audit log events include report views, dashboard views, data exports, sharing actions, workspace changes, dataset refreshes, API calls, and administrative changes. Audit logs are retained for 90 days by default (E5 or equivalent licensing provides up to 10 years).</p>

<p>For regulated industries, configure audit log export to a long-term storage solution:</p>

<ul> <li><strong>Azure Log Analytics</strong>: For operational monitoring with KQL queries and alerting</li> <li><strong>Microsoft Sentinel</strong>: For security information and event management (SIEM) integration</li> <li><strong>Azure Event Hubs</strong>: For streaming audit events to external SIEM or data lake solutions</li> <li><strong>Power BI Activity Log API</strong>: For programmatic extraction of up to 30 days of activity data via REST API or PowerShell</li> </ul>

<h3>Sensitivity Label Enforcement</h3>

<p>Sensitivity labels from Microsoft Purview Information Protection can be applied to Power BI content (datasets, reports, dashboards, dataflows) to classify and protect data based on its sensitivity level. Relevant tenant settings include:</p>

<ul> <li><strong>Allow users to apply sensitivity labels for Power BI content</strong>: The master switch for sensitivity label support in Power BI. When enabled, users see sensitivity label options in the Power BI service and Desktop</li> <li><strong>Apply sensitivity labels from data sources to their data in Power BI</strong>: When enabled, sensitivity labels applied to data in source systems (such as SQL Server or Azure SQL) are automatically inherited by Power BI datasets that connect to those sources. This ensures classification follows data through the pipeline</li> <li><strong>Automatically apply sensitivity labels to downstream content</strong>: When enabled, a sensitivity label applied to a dataset automatically propagates to reports and dashboards built on that dataset. This ensures derived content inherits the classification of its source data</li> <li><strong>Allow workspace admins to override automatically applied sensitivity labels</strong>: Controls whether workspace admins can change labels that were automatically applied. In strict governance environments, disable this to prevent label downgrading</li> <li><strong>Restrict content with protected labels from being shared via link with everyone in your organization</strong>: Prevents broad sharing links for content with sensitivity labels, requiring explicit user or group selection</li> </ul>

<p><strong>Enterprise recommendation</strong>: Enable sensitivity labels for all Power BI content. Enable automatic label inheritance from data sources and downstream propagation. For HIPAA, SOC 2, and GDPR environments, disable workspace admin override and restrict sharing of protected content. Train all Power BI users on label meaning and selection criteria. <a href="/contact">Contact EPC Group</a> for assistance implementing sensitivity labels across your Power BI environment.</p>

<h3>Custom Visuals Governance</h3>

<p>Custom visuals (Power BI visuals from AppSource or developed internally) execute JavaScript code within the Power BI rendering environment. Governance settings control which custom visuals are available:</p>

<ul> <li><strong>Allow visuals created using the Power BI SDK</strong>: The master switch for custom visuals. When disabled, only Microsoft-certified core visuals are available</li> <li><strong>Add and use certified visuals only</strong>: When enabled, only visuals that have passed Microsoft certification review can be used. Certified visuals have been reviewed for security, performance, and functionality standards</li> <li><strong>Allow downloads from custom visuals</strong>: Controls whether custom visuals can export data to files. High-risk setting because custom visual exports bypass Power BI native export controls and audit logging</li> </ul>

<p>The Organization visuals section of the Admin Portal lets administrators deploy pre-approved custom visuals to all users in the organization. Instead of users finding and installing visuals from AppSource individually, administrators curate a set of approved visuals that appear automatically in the Visualizations pane. This provides both convenience and governance.</p>

<p><strong>Enterprise recommendation</strong>: Enable only certified visuals for the general user population. Use the organization visuals store to deploy approved custom visuals centrally. Disable downloads from custom visuals. For development teams creating internal custom visuals, enable the Power BI SDK setting for a specific development security group.</p>

<h2>Capacity Settings</h2>

<p>For organizations using Power BI Premium (Per Capacity or Premium Per User) or Microsoft Fabric capacity, the Admin Portal includes capacity management settings:</p>

<ul> <li><strong>Capacity assignment</strong>: Assign workspaces to Premium or Fabric capacity. Workspaces on capacity get dedicated compute resources, larger dataset size limits, and features like deployment pipelines, XMLA endpoint, and paginated reports</li> <li><strong>Capacity admins</strong>: Assign users who can manage capacity settings, monitor utilization, and assign workspaces</li> <li><strong>Workload settings</strong>: Configure memory allocation for different workloads (datasets, dataflows, paginated reports, AI) within the capacity</li> <li><strong>Auto-scale</strong>: Configure automatic capacity scaling when utilization exceeds thresholds, available with Fabric capacity</li> <li><strong>Notifications</strong>: Configure alerts when capacity utilization reaches defined thresholds</li> </ul>

<p>Capacity governance is critical for cost management and performance. Implement the <a href="/blog/fabric-capacity-metrics">Fabric Capacity Metrics app</a> to monitor utilization, identify workloads consuming excessive resources, and right-size capacity allocations. Our <a href="/services/power-bi-architecture">Power BI architecture</a> team helps organizations design capacity allocation strategies that balance cost, performance, and isolation requirements.</p>

<h2>Monitoring Admin APIs</h2>

<p>The Power BI REST Admin APIs provide programmatic access to tenant metadata for governance automation:</p>

<ul> <li><strong>GetGroupsAsAdmin</strong>: Returns all workspaces in the tenant with membership, state, and capacity assignment. Use for workspace inventory and orphan detection</li> <li><strong>GetDatasetsAsAdmin</strong>: Returns all datasets across all workspaces with refresh schedules, data sources, and endorsement status. Use for dataset governance auditing</li> <li><strong>GetReportsAsAdmin</strong>: Returns all reports with their dataset bindings and workspace assignments. Use for report inventory and lineage analysis</li> <li><strong>GetActivityEvents</strong>: Returns audit log events for a specified time period. Use for custom activity monitoring dashboards and compliance reporting</li> <li><strong>GetModifiedWorkspaces</strong>: Returns workspaces modified since a specified timestamp. Use for incremental metadata scanning to build a governance catalog</li> <li><strong>WorkspaceInfo APIs (Scanner APIs)</strong>: Deep metadata scanning that returns table structures, column names, measures, data sources, and lineage information. The most comprehensive metadata extraction available, essential for building data catalogs and impact analysis tools</li> </ul>

<p>Automate governance monitoring with these APIs:</p>

<ol> <li><strong>Weekly workspace audit</strong>: Scan all workspaces to identify orphaned workspaces (no active users), workspaces violating naming conventions, and workspaces without owners</li> <li><strong>Daily activity monitoring</strong>: Extract activity events to detect unusual patterns (mass exports, after-hours access to sensitive content, sharing to external users)</li> <li><strong>Monthly dataset inventory</strong>: Catalog all datasets, their refresh schedules, data sources, and endorsement status to ensure governance compliance</li> <li><strong>Quarterly access review</strong>: Generate reports of workspace membership and content sharing for manager review and access recertification</li> </ol>
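<p>The daily activity monitoring step above, sketched as an added example (not EPC Group's or Microsoft's code). It runs three checks over activity events that have already been extracted: mass exports, after-hours access to sensitive workspaces, and sharing to external recipients. The field names (<code>Activity</code>, <code>UserId</code>, <code>CreationTime</code>, <code>WorkSpaceName</code>, <code>SharingInformation</code>), the activity names, the thresholds and the sample events are assumptions constructed for illustration; confirm them against the events your tenant returns.</p>

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed activity names; adjust to the values seen in your tenant's events.
EXPORT_ACTIVITIES = {"ExportReport", "ExportArtifact", "ExportTile"}
SHARE_ACTIVITIES = {"ShareReport", "ShareDashboard"}


def parse_time(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-06T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events, tenant_domains, sensitive_workspaces,
           export_threshold=3, window_minutes=60, business_hours=(7, 19)):
    """Return (rule, user, detail) tuples for events that break a policy.

    Business hours are compared in UTC to keep the example small; a real
    deployment would convert to each user's local time zone.
    """
    findings = []
    recent_exports = defaultdict(list)  # user -> export times inside the window
    window = timedelta(minutes=window_minutes)
    start, end = business_hours

    for ev in sorted(events, key=lambda e: parse_time(e["CreationTime"])):
        when = parse_time(ev["CreationTime"])
        user = ev.get("UserId", "unknown")
        activity = ev.get("Activity", "")

        # Rule 1: N or more exports by one user inside a sliding window.
        if activity in EXPORT_ACTIVITIES:
            kept = [t for t in recent_exports[user] if when - t <= window]
            kept.append(when)
            recent_exports[user] = kept
            if len(kept) == export_threshold:  # report once per burst
                findings.append(("mass_export", user, ev["CreationTime"]))

        # Rule 2: any activity in a sensitive workspace outside business hours.
        if ev.get("WorkSpaceName") in sensitive_workspaces and not (start <= when.hour < end):
            findings.append(("after_hours_sensitive", user, ev["CreationTime"]))

        # Rule 3: sharing to a recipient outside the tenant's own domains.
        if activity in SHARE_ACTIVITIES:
            for share in ev.get("SharingInformation", []):
                recipient = share.get("RecipientEmail", "")
                if "@" not in recipient:
                    continue  # malformed or missing recipient: nothing to classify
                if recipient.rsplit("@", 1)[1].lower() not in tenant_domains:
                    findings.append(("external_share", user, recipient))
    return findings


def _event(user, activity, time, workspace, recipients=()):
    ev = {"UserId": user, "Activity": activity, "CreationTime": time,
          "WorkSpaceName": workspace}
    if recipients:
        ev["SharingInformation"] = [{"RecipientEmail": r} for r in recipients]
    return ev


# Constructed sample events, not real tenant data.
SAMPLE_EVENTS = [
    _event("alice@contoso.example", "ExportReport", "2024-05-06T10:00:00Z", "Finance"),
    _event("alice@contoso.example", "ExportReport", "2024-05-06T10:10:00Z", "Finance"),
    _event("alice@contoso.example", "ExportReport", "2024-05-06T10:20:00Z", "Finance"),
    _event("dave@contoso.example", "ExportReport", "2024-05-06T09:00:00Z", "Sales"),
    _event("dave@contoso.example", "ExportReport", "2024-05-06T11:30:00Z", "Sales"),
    _event("bob@contoso.example", "ViewReport", "2024-05-06T23:30:00Z", "HR Confidential"),
    _event("carol@contoso.example", "ShareReport", "2024-05-06T14:00:00Z", "Sales",
           ["partner@external.example"]),
    _event("carol@contoso.example", "ShareReport", "2024-05-06T14:05:00Z", "Sales",
           ["colleague@contoso.example"]),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, {"contoso.example"}, {"HR Confidential"}):
        print(finding)
```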

<h2>Fabric Tenant Settings</h2>

<p>When Microsoft Fabric is enabled for your organization, additional tenant settings appear in the Admin Portal:</p>

<ul> <li><strong>Users can create Fabric items</strong>: Controls which users can create Fabric-specific items (Lakehouses, Warehouses, Notebooks, Data Pipelines, etc.). Restrict to data engineering and data science teams initially</li> <li><strong>Users can create and use Real-Time Dashboards</strong>: Controls access to Real-Time Intelligence dashboards powered by Eventhouse/KQL</li> <li><strong>Data Activator</strong>: Controls whether users can create Reflex triggers that monitor data and trigger automated actions</li> <li><strong>Users can synchronize workspace items with their Git repositories</strong>: Controls Git integration for version control of Fabric items. Essential for development teams; may not be needed for all users</li> <li><strong>Users can create and use deployment pipelines</strong>: Controls access to the deployment pipeline feature for promoting content through Dev > Test > Production stages. Restrict to release managers and BI team leads</li> <li><strong>OneLake settings</strong>: Control ADLS Gen2 shortcut creation, S3 shortcut creation, GCS shortcut creation, and OneLake data access via ADLS APIs. These settings determine how data flows in and out of OneLake and must be configured based on your data architecture and security requirements</li> <li><strong>Copilot and Azure OpenAI Service</strong>: Controls whether Copilot AI features are available in Power BI and Fabric workloads. Consider data privacy implications before enabling, as enabling Copilot sends data to Azure OpenAI services</li> </ul>

<p><strong>Enterprise recommendation</strong>: Enable Fabric item creation for specific teams rather than the entire organization during initial rollout. Enable Git integration and deployment pipelines for development teams. Carefully evaluate Copilot settings against your organization's data classification and AI governance policies. Our <a href="/services/microsoft-fabric">Microsoft Fabric consulting</a> team helps organizations configure Fabric tenant settings aligned with their security and compliance requirements.</p>

<h2>Governance Implementation Roadmap</h2>

<p>Implementing comprehensive tenant settings governance is not a single-day task. Follow a phased approach:</p>

<h3>Phase 1: Secure the Baseline (Week 1)</h3>

<ul> <li>Disable "Publish to web" for the entire organization</li> <li>Restrict workspace creation to a specific security group</li> <li>Review and restrict external sharing settings</li> <li>Enable audit logging and verify events are being captured</li> <li>Restrict service principal API access to specific groups</li> </ul>
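<p>An added example (not EPC Group's or Microsoft's code) that ties the Phase 1 checklist to the enable / apply-to / except scoping described under Tenant Settings Structure. It resolves whether a user receives a feature and audits a settings snapshot against three Phase 1 items. The snapshot format and its keys (<code>title</code>, <code>enabled</code>, <code>apply_to</code>, <code>except</code>) are hypothetical, an empty <code>apply_to</code> stands for "The entire organization", and the "Automation Service Principals" group is invented for the sample.</p>

```python
# Hypothetical snapshot of tenant settings, constructed for this example.
# Titles and the first two group names are taken from the article's own examples.
SNAPSHOT = [
    {"title": "Export to Excel", "enabled": True,
     "apply_to": [], "except": ["Restricted Data Users"]},
    {"title": "Publish to web", "enabled": True,
     "apply_to": ["Marketing Content Publishers"], "except": []},
    {"title": "Create workspaces", "enabled": True,
     "apply_to": [], "except": []},
    {"title": "Allow service principals to use Power BI APIs", "enabled": True,
     "apply_to": ["Automation Service Principals"], "except": []},
]

# Phase 1 expectations: title -> required state.
#   "disabled": the toggle must be off for everyone
#   "scoped":   if enabled, it must name specific security groups
BASELINE = {
    "Publish to web": "disabled",
    "Create workspaces": "scoped",
    "Allow service principals to use Power BI APIs": "scoped",
}


def is_allowed(setting, user_groups):
    """Resolve one setting for a user who belongs to user_groups."""
    groups = set(user_groups)
    if not setting["enabled"]:
        return False
    if groups & set(setting["except"]):
        return False  # exclusion groups override inclusion
    if not setting["apply_to"]:
        return True   # applies to the entire organization
    return bool(groups & set(setting["apply_to"]))


def audit_baseline(snapshot, baseline=BASELINE):
    """Return (title, problem) pairs for settings that miss the baseline."""
    by_title = {s["title"]: s for s in snapshot}
    problems = []
    for title, required in baseline.items():
        setting = by_title.get(title)
        if setting is None:
            # A missing setting is unknown, not compliant.
            problems.append((title, "not present in snapshot"))
        elif required == "disabled" and setting["enabled"]:
            scope = ", ".join(setting["apply_to"]) or "entire organization"
            problems.append((title, f"enabled for: {scope}"))
        elif required == "scoped" and setting["enabled"] and not setting["apply_to"]:
            problems.append((title, "enabled for the entire organization"))
    return problems


def find(snapshot, title):
    """Look up a setting by its display title."""
    return next(s for s in snapshot if s["title"] == title)


if __name__ == "__main__":
    excel = find(SNAPSHOT, "Export to Excel")
    print(is_allowed(excel, ["Analysts"]))
    print(is_allowed(excel, ["Analysts", "Restricted Data Users"]))
    for title, problem in audit_baseline(SNAPSHOT):
        print(f"{title}: {problem}")
```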

<h3>Phase 2: Implement Data Protection (Weeks 2-4)</h3>

<ul> <li>Configure sensitivity labels and enable auto-inheritance</li> <li>Restrict data exports (Excel, CSV) to specific security groups</li> <li>Configure custom visuals governance (certified only + organization visuals store)</li> <li>Set up Azure Log Analytics or SIEM integration for audit logs</li> </ul>

<h3>Phase 3: Automate Governance Monitoring (Weeks 4-8)</h3>

<ul> <li>Implement Admin API scanning for workspace and dataset inventory</li> <li>Build a governance dashboard showing compliance metrics</li> <li>Configure automated alerts for policy violations (mass exports, unauthorized sharing)</li> <li>Establish quarterly access review processes</li> </ul>

<h3>Phase 4: Optimize and Expand (Ongoing)</h3>

<ul> <li>Review and refine settings based on audit data and user feedback</li> <li>Expand Fabric tenant settings as new workloads are adopted</li> <li>Integrate governance metrics into organizational reporting</li> <li>Conduct semi-annual tenant settings review with stakeholders</li> </ul>

<p><a href="/contact">Contact EPC Group</a> to discuss your Power BI governance requirements. Our <a href="/services/power-bi-consulting">Power BI consulting</a> and <a href="/services/power-bi-governance">governance</a> teams implement tenant settings configurations, monitoring frameworks, and compliance automation for organizations across healthcare, finance, education, and government that require enterprise-grade governance over their Power BI and Fabric environments.</p>

Frequently Asked Questions

Who can access the Power BI Admin Portal and configure tenant settings?

The Power BI Admin Portal is accessible to users with Microsoft 365 Global Administrator, Power BI Service Administrator (also called Power Platform Administrator), or Fabric Administrator roles. The recommended practice is to assign the Power BI Service Administrator role to dedicated BI administrators rather than relying on Global Administrators, following the principle of least privilege. Global Administrators have access to all Microsoft 365 admin centers and should not be used solely for Power BI administration. The Power BI Service Administrator role provides full access to Power BI tenant settings, usage metrics, workspace management, and capacity settings without granting broader Microsoft 365 administrative privileges. Organizations should have at least two users with Power BI Service Administrator access to ensure continuity.

What are the most important Power BI tenant settings for compliance in regulated industries like healthcare and finance?

For regulated industries (HIPAA, SOC 2, GDPR, FedRAMP), the critical tenant settings are: (1) Disable Publish to web entirely to prevent public data exposure. (2) Restrict data exports (Excel, CSV) to specific security groups with documented justification, because exported files leave Power BI governance controls. (3) Enable sensitivity labels with automatic downstream inheritance so classification follows data through the analytics pipeline. (4) Restrict external sharing to Azure AD B2B guests with read-only access and disable organization-wide sharing links. (5) Enable audit logging and export to a long-term storage or SIEM solution for compliance evidence retention beyond the default 90-day window. (6) Restrict workspace creation to prevent ungoverned content proliferation. (7) Disable custom visual downloads to prevent unaudited data exports through third-party code. (8) Configure service principal API access with specific security group scoping and regular access reviews.

How do I monitor Power BI tenant activity and detect governance policy violations?

Power BI provides multiple monitoring mechanisms. The built-in audit log (accessible through Microsoft Purview compliance portal) captures all user and administrator actions including report views, data exports, sharing operations, workspace changes, and administrative modifications. Audit logs are retained for 90 days by default or up to 10 years with E5 licensing. For automated monitoring, use the Power BI REST Admin APIs: GetActivityEvents extracts audit events programmatically, the Scanner APIs (WorkspaceInfo) provide deep metadata scanning for dataset and report inventory, and GetGroupsAsAdmin returns workspace membership for access reviews. Export audit data to Azure Log Analytics for KQL-based alerting, Microsoft Sentinel for SIEM integration, or a custom data lake for long-term analysis. Build a governance dashboard in Power BI itself that monitors key metrics: workspace count and growth, export frequency by user, external sharing events, sensitivity label coverage, dataset refresh failures, and capacity utilization trends.

What Fabric tenant settings should I configure when enabling Microsoft Fabric for my organization?

When enabling Fabric, take a phased approach to tenant settings rather than enabling everything at once. Start by restricting Fabric item creation (Lakehouses, Warehouses, Notebooks, Pipelines) to specific data engineering and data science security groups. Enable Git integration and deployment pipelines for development teams to establish proper CI/CD workflows from the start. Configure OneLake settings carefully: enable only the shortcut types (ADLS Gen2, S3, GCS) that match your data architecture, and restrict OneLake data access via ADLS APIs to specific groups. Evaluate Copilot and Azure OpenAI settings against your data classification and AI governance policies before enabling, as these features send data to Azure OpenAI services. Enable Real-Time Intelligence features only for teams with streaming analytics requirements. As adoption matures, progressively expand access to additional user groups based on training completion and demonstrated governance compliance.

How should I govern custom visuals in an enterprise Power BI deployment?

Custom visuals execute JavaScript code within the Power BI rendering environment, which creates a potential security surface. The recommended enterprise governance approach is: (1) Enable the tenant setting to allow only certified visuals for the general user population. Certified visuals have passed Microsoft security and functionality review. (2) Use the Organization visuals section of the Admin Portal to deploy a curated set of pre-approved custom visuals to all users. This ensures consistency and eliminates the need for users to find and install visuals from AppSource individually. (3) Disable the Allow downloads from custom visuals setting to prevent unaudited data exports through third-party visual code, because custom visual exports bypass Power BI native export controls and audit logging. (4) For internal development teams creating proprietary custom visuals, enable the Power BI SDK setting for a specific development security group rather than the entire organization. (5) Establish a visual approval process where new custom visual requests are reviewed for security, licensing, performance impact, and business justification before being added to the organization visuals store.
