To make sure sensitive information is encrypted when sensitivity labels are used in Power BI, you need to configure both the Power BI settings and the Microsoft Purview Information Protection labels so that they enforce encryption policies. On their own, sensitivity labels only classify and categorize data; labels that have encryption enabled are what help enforce data protection across Microsoft 365 services, including Power BI.
The following are the most important steps to ensure encryption:
Set up sensitivity labels with encryption in Microsoft Purview:
In the Microsoft Purview compliance portal, create or modify labels to add encryption settings, for example, "Encrypt content," and set user access permissions, expiration, and offline access rules.
Turn on sensitivity label support in Power BI:
Navigate to the Power BI Admin Portal under Information Protection, and switch on the feature that enables sensitivity labels to be used on Power BI content.
Assign encryption-enabled labels to Power BI reports, datasets, or dataflows:
When these labels are used, any data exported out of Power BI (e.g., to Excel or PDF) is encrypted by Microsoft 365. This way, even if the file is exported or shared outside Power BI, it is still encrypted at rest.
Take advantage of Microsoft-managed encryption for data in transit and at rest:
Power BI automatically encrypts data in transit via TLS and encrypts data at rest with Microsoft-managed keys by default. In more complex scenarios, you can turn on Bring Your Own Key (BYOK) in Azure for increased control.
Monitor and audit label use:
Employ Microsoft 365 audit logs to monitor access and verify compliance with your encryption policies across labeled Power BI content.
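As an added example (not part of the original text), the audit step can be automated by scanning exported label events for Power BI items that lost an encryption-enabled label. The label GUIDs, sample events, and record field names below are constructed assumptions; check them against your own audit export.

```python
# Assumption: GUIDs of the labels configured with "Encrypt content" in Purview.
# Both IDs below are constructed placeholders, not real tenant values.
CONFIDENTIAL = "11111111-0000-4000-8000-000000000001"  # encrypting label
GENERAL = "22222222-0000-4000-8000-000000000002"       # label without encryption
ENCRYPTING_LABELS = {CONFIDENTIAL}


def _event(op, user, item, new=None, old=None):
    """Build a constructed audit record; field names are assumptions to verify."""
    return {"Operation": op, "UserId": user, "ArtifactName": item,
            "SensitivityLabelEventData": {"SensitivityLabelId": new,
                                          "OldSensitivityLabelId": old}}


# Constructed sample input standing in for exported audit records.
SAMPLE_EVENTS = [
    _event("SensitivityLabelApplied", "ana@contoso.example", "Payroll",
           new=CONFIDENTIAL),
    _event("SensitivityLabelChanged", "bob@contoso.example", "Payroll",
           new=GENERAL, old=CONFIDENTIAL),
    _event("SensitivityLabelRemoved", "eve@contoso.example", "Forecast",
           old=CONFIDENTIAL),
    _event("SensitivityLabelChanged", "ana@contoso.example", "Sales",
           new=CONFIDENTIAL, old=GENERAL),
]


def find_protection_losses(events, encrypting=ENCRYPTING_LABELS):
    """Return events where content lost an encryption-enabled label."""
    findings = []
    for ev in events:
        data = ev.get("SensitivityLabelEventData") or {}
        old, new = data.get("OldSensitivityLabelId"), data.get("SensitivityLabelId")
        if old not in encrypting:
            continue  # the item was not encryption-protected before this event
        op = ev.get("Operation")
        if op == "SensitivityLabelRemoved":
            reason = "encrypting label removed"
        elif op == "SensitivityLabelChanged" and new not in encrypting:
            reason = "changed to non-encrypting label"
        else:
            continue  # still protected (e.g. moved between encrypting labels)
        findings.append({"user": ev.get("UserId"),
                         "item": ev.get("ArtifactName"), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_protection_losses(SAMPLE_EVENTS):
        print(f"{f['item']}: {f['reason']} by {f['user']}")
```

Each finding is a candidate for review, since exports made after the change no longer inherit encryption from the label.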
Although sensitivity labels reinforce encryption enforcement beyond Power BI (such as in exported files or shares via email), inside Power BI, the service's native encryption covers in-transit and at-rest security. Sensitivity labels guarantee this security is extended and appropriately categorized for regulatory compliance.