How Much Data Can a Power BI Administrator Access?

Post last updated: Jan 22, 2023

Let’s have a look at what privileges a Power BI administrator has with respect to accessing metadata and data throughout the Power BI tenant.

This is a topic that I’ve written about previously, but it’s so important that it warrants revisiting from time to time.

The short version of what an admin can access:

  • Tenant metadata: Power BI admin can access all metadata including activity logs and lots of data from various APIs

  • Standard workspaces: Power BI admin can add themselves (or others) to any workspace in the tenant

  • Personal workspaces: Power BI admin can provide themselves temporary access to anyone’s personal workspace; this access is automatically revoked after 24 hours

The remainder of this post talks about each of these three a bit further.

Access to Tenant Metadata

A Power BI administrator can access all metadata throughout the tenant, such as:

  • Viewing all user activities. This data is absolute gold. It includes a wealth of information about what’s happening in your Power BI tenant. Any Power BI admin can verify who did what in the Power BI service for the previous 30 days.

  • Running admin APIs. There’s lots of information you can access from the admin APIs. One example: build a tenant inventory of all workspaces, reports, datasets, etc. that reside in your tenant.

  • Viewing (and updating!) all of the Power BI tenant settings. These settings have a very big impact on the user experience.

Keep in mind that the tenant metadata includes some sensitive information. The admin will be aware of what exists in the tenant (ex: that Executive Bonus Report that’s stored in the Executive workspace). They’ll also see the identities of who did what (ex: that Sally views the Executive Bonus Report every week).

A Power BI admin is also able to access service health information, incident summaries, and advisory messages in the Microsoft 365 Admin Center. They can also view the activity log, sign-in events, and events related to the Power BI service within Defender for Cloud Apps (if you choose to use it - it’s a separate service with separate licensing).

So, we know that a lot of tenant metadata is available to the Power BI administrator.

But what about access to the actual data?

Access to the Data in Standard Workspaces

Technically speaking, no one - including Power BI administrators - can access content or the actual data in Power BI unless they have permission to that content. For content creators, a workspace role is required to edit content. Viewing (by report consumers) can be handled a few ways.

However...

In the Workspaces area in the Admin Portal: a Power BI administrator can grant access to themselves, or a colleague, to any workspace in the Power BI tenant.

Which means that…

All data *could* potentially become available to a Power BI administrator if the need arises.

That previous statement is a big one. They have the proverbial keys to the kingdom (so you need to make sure everyone that’s assigned the Power BI admin role is very trustworthy - and it should only be a few people).

One scenario where this is helpful: the central BI team discovered an app had been published widely but it shouldn't have been because there were concerns about data quality and/or security. The Power BI administrator was able to gain access to that workspace and assist with getting the situation rectified.

Another scenario: a business user is the only person with permissions on a workspace (which is not advised). While that person is on vacation something goes wrong (like a data refresh failure) or something needs to happen (like a critical change that can’t wait). Gaining access to the workspace by the Power BI administrator (from the admin portal) to themselves or someone else is really helpful in situations like this.

This ability to grant themselves (or anyone else) workspace permissions, and in turn access all data, means the Power BI administrator is a very high privilege role. Note that this includes the global administrator from Azure or Microsoft 365, since global admins are also Power BI administrators. Don’t forget that Power Platform administrators are implicitly Power BI administrators as well.
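A defender-side check for the self-grant capability described above, added here as an example (not code from the original post): it scans exported activity-log events for workspace membership changes made by accounts that hold the Power BI admin role. The event records are constructed, and the activity and field names (`AddGroupMembers`, `UpdateWorkspaceAccess`, `MembershipInformation`, `MemberEmail`) are assumptions to verify against an export from your own tenant.

```python
import json

# Assumption: activity names that record a workspace membership change.
# Confirm them against events exported from your own tenant.
MEMBERSHIP_ACTIVITIES = {"AddGroupMembers", "UpdateWorkspaceAccess"}

# Constructed sample events (not real log data); field names are assumed
# to match an activity-log export and may differ in your tenant.
SAMPLE_EVENTS = json.loads("""
[
 {"CreationTime": "2023-01-20T09:14:02", "Activity": "ViewReport",
  "UserId": "sally@example.com", "WorkSpaceName": "Executive"},
 {"CreationTime": "2023-01-20T22:41:10", "Activity": "AddGroupMembers",
  "UserId": "Admin1@example.com", "WorkSpaceName": "Executive",
  "MembershipInformation": [{"MemberEmail": "admin1@example.com"}]},
 {"CreationTime": "2023-01-21T08:03:55", "Activity": "AddGroupMembers",
  "UserId": "admin2@example.com", "WorkSpaceName": "Finance",
  "MembershipInformation": [{"MemberEmail": "bob@example.com"}]},
 {"CreationTime": "2023-01-21T08:30:00", "Activity": "AddGroupMembers",
  "UserId": "owner@example.com", "WorkSpaceName": "Sales",
  "MembershipInformation": [{"MemberEmail": "carol@example.com"}]},
 {"CreationTime": "2023-01-21T10:00:00", "Activity": "AddGroupMembers",
  "UserId": "admin2@example.com", "WorkSpaceName": "HR"}
]
""")

def find_admin_grants(events, admin_upns):
    """Return membership changes made by tenant admins, self-grants first."""
    admins = {u.lower() for u in admin_upns}
    findings = []
    for ev in events:
        actor = (ev.get("UserId") or "").lower()
        if ev.get("Activity") not in MEMBERSHIP_ACTIVITIES or actor not in admins:
            continue
        members = [(m.get("MemberEmail") or "").lower()
                   for m in ev.get("MembershipInformation") or []]
        if actor in members:
            kind = "self-grant"
        elif members:
            kind = "grant-to-other"
        else:
            kind = "unknown-member"   # keep for review rather than drop
        findings.append({"when": ev.get("CreationTime"), "admin": actor,
                         "workspace": ev.get("WorkSpaceName"),
                         "members": members, "kind": kind})
    order = {"self-grant": 0, "unknown-member": 1, "grant-to-other": 2}
    return sorted(findings, key=lambda f: (order[f["kind"]], f["when"] or ""))
```

Because the activity log only covers the previous 30 days, a check like this is most useful on exports that are archived on a schedule.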

Access to Data in Personal Workspaces

The earlier section focused on standard workspaces. What about personal workspaces (aka My Workspace)?

Starting in Jan 2023, a Power BI administrator can now access personal workspaces when needed.

A scenario when that’s useful: A business user has left the organization. You’ve learned that a critical report has been shared from their personal workspace, and it’s no longer working. In this situation, a Power BI admin can gain access to My Workspace and arrange for the content to be migrated to a standard workspace.

Admin access to a personal workspace is intended to be temporary. Therefore, it’s automatically revoked after 24 hours.

Keep in mind that the admin will have access to everything in the personal workspace during this time (so I’ll say it again… you need to make sure everyone that’s assigned the Power BI admin role is very trustworthy - and it should only be a few people).

Psst… if you have critical data stored & shared from personal workspaces - that’s a high priority to get it moved over to a standard workspace. A personal workspace should only be used for personal BI, temporary content, and testing.

Who should be allowed to be a Power BI administrator?

Hopefully this post convinced you that a lot of metadata (and potentially a lot of actual data) is available to Power BI administrators.

As we all know, data is highly valuable and more and more of it is being considered personally identifiable or sensitive to varying degrees - which in turn means it's subject to compliance requirements. This means that we want to follow the principle of granting the least amount of privilege necessary to be productive.

Go have a look at who you've defined as Power BI administrators if you’re not sure who has been assigned that role.

If you’re planning for security in Power BI, see this tenant-level security planning article we published recently for considerations like this one about administrators…plus a lot more.

Also check out this blog post about managing who your administrators are (it includes some tips about how to use one group for managing the members in the admin role and a security group).
