What Are Sensitivity Labels in Power BI?

Cody Schneider

Protecting your data in Power BI goes beyond just managing who can see your reports. Once someone exports that data to an Excel file, you lose all control, unless you're using sensitivity labels. This article will show you how to use Microsoft Purview sensitivity labels within Power BI to protect and classify your data even after it leaves the Power BI service.

Why Do Sensitivity Labels Matter?

Working with data comes with a huge responsibility. Your Power BI reports might contain anything from customers' personally identifiable information (PII) and internal financial projections to confidential employee salaries. While Power BI's access controls are great for managing who can view content within the platform, they can't protect the data once it's exported.

This is a common blind spot for many organizations. A user with legitimate access can innocently export a report containing sensitive data to an Excel or PDF file and then email it to someone who shouldn't have access. Without the right controls, that sensitive information is now "in the wild."

Sensitivity labels solve this exact problem. They act as a tag that classifies your data and applies protection policies that follow the data everywhere it goes. This helps you:

  • Meet Compliance Requirements: Regulations like GDPR, CCPA, and HIPAA demand strict control over sensitive data. Labels are a critical tool for demonstrating compliance.

  • Prevent Accidental Data Leaks: By applying encryption or access restrictions to exported files, you reduce the risk of sensitive data falling into the wrong hands.

  • Build a Data-Aware Culture: Visual labels remind users that they are handling sensitive information, encouraging more responsible data handling across your team.

How Sensitivity Labels Work in Power BI

Sensitivity labels aren't a feature that exists only within Power BI. They are part of a larger data governance framework called Microsoft Purview Information Protection (formerly Microsoft Information Protection or MIP). Your IT or security team typically defines a set of labels for the entire organization in the Microsoft Purview compliance portal. These are the same labels you might already see in apps like Outlook, Word, and Excel.

Power BI integrates directly with this framework. When you enable the feature, those centrally-managed labels become available inside Power BI. You can apply them to:

  • Datasets

  • Reports

  • Dashboards

  • Dataflows

The key concept to understand is persistence. When a label is applied to a Power BI report, it doesn't just sit there. If a user exports data from that report to an Excel, PowerPoint, or PDF file, the sensitivity label and its associated protection policies (like encryption) are automatically applied to the exported file. The protection travels with the data, securing it regardless of where it ends up.

Common Types of Sensitivity Labels

Your organization can create any labels it needs, but most companies start with a simple, hierarchical structure. Here are a few common examples to illustrate the concept:

  • Public: Data that is safe to be shared with anyone, inside or outside the company (e.g., promotional materials, public website analytics).

  • Internal General: Data that should only be accessible to employees within the company but is not considered highly sensitive (e.g., team-wide project updates, general operational reports).

  • Confidential: Sensitive data restricted to a specific group, team, or department. Accidental disclosure could cause moderate damage. Sub-labels are often used here.

    • Confidential - Leadership Team

    • Confidential - Finance Only

  • Highly Confidential: The most sensitive information, where unauthorized disclosure could cause significant damage to the business (e.g., unreleased financial results, employee salary data, strategic plans). This label often applies encryption and strict access controls.

Step-by-Step: How to Enable and Apply Sensitivity Labels

Getting started with sensitivity labels involves a few steps, some for your Power BI admin and some for report creators. Let's walk through the process.

Prerequisites Before You Begin

First, make sure you have the basics in place:

  • Licensing: All users who need to apply or view labels need a Power BI Pro or Premium Per User (PPU) license.

  • Permissions: You need to be a Power BI Administrator to enable the feature for your organization.

  • Labels Defined: Your organization must have already created sensitivity labels in the Microsoft Purview compliance portal. This is usually handled by a different compliance or IT admin.

Step 1: Enabling Sensitivity Labels in the Admin Portal (For Admins)

A Power BI admin needs to turn this feature on at the tenant level.

  • Navigate to the Settings gear icon in the Power BI Service and select Admin portal.

  • Go to Tenant settings and scroll down to the "Information protection" section.

  • Find the setting for "Allow users to apply sensitivity labels for Power BI content" and enable it. You can choose to apply it to the entire organization or specific security groups.

Step 2: Applying a Label in Power BI Desktop

Once enabled by your admin, report creators will see a new option in Power BI Desktop. In the Home ribbon, you'll find a Sensitivity dropdown menu.

  • Click on the Sensitivity dropdown.

  • You'll see the list of labels defined by your organization (e.g., Public, Confidential, etc.).

  • Select the appropriate label for your report before you save and publish it. The label will be visible in the status bar at the bottom of the Power BI Desktop window.

That's it! When you publish the .pbix file to the Power BI Service, the sensitivity label will be published along with it.

Step 3: Applying or Changing Labels in the Power BI Service

You can also apply or modify labels directly in the Power BI Service on content that's already been published.

  • Navigate to a report, dashboard, dataset, or dataflow in a workspace.

  • Go to the Settings for that asset.

  • In the settings pane, look for the Sensitivity labels section.

  • From the dropdown, select the label you want to apply and click Save.

You will now see the label displayed next to the asset's name in the list view and in the header of the report or dashboard, making it visible to all viewers.

What Happens When You Apply a Sensitivity Label?

Applying a label does more than just add a visual tag. It triggers a cascade of protection features that help control your data.

Visual Tagging

The most immediate effect is that the label is clearly visible to anyone viewing the content in the Power BI service. This acts as a constant reminder of the data's sensitivity level, guiding users to handle it appropriately.

Persistent Protection on Export

This is where the real power lies. Let’s say you apply a "Highly Confidential - Finance" label to a quarterly earnings report in Power BI. That label might be configured by your IT admin to encrypt the content and restrict access to members of the "Finance Team" security group.

Now, when a user who has access clicks Export -> Data and downloads an Excel file, that exported .xlsx file automatically inherits the "Highly Confidential - Finance" label. This means the Excel file itself is now encrypted. If someone outside the Finance Team tries to open it, they will be denied access, even if the file was accidentally emailed to them. The protection followed the data outside of Power BI.

Inheritance from Datasets

To ensure consistency, labels cascade downstream. If you apply a sensitivity label to a dataset, any reports and dashboards connected to that dataset will automatically inherit the same label. This prevents a situation where a report containing confidential data from a protected dataset is left unlabeled and unprotected.

Admins can also set up policies to require users to apply a label to new content (mandatory labeling) or to apply a default label, making sure nothing slips through the cracks.

Best Practices for Using Sensitivity Labels

To get the most out of this feature, follow a few simple guidelines:

  • Start Simple: Begin with a small, clear set of labels recognized across your company. Overly complex schemes can confuse users and lead to incorrect labeling.

  • Educate Your Users: Your team needs to understand what each label means and their responsibility when handling data at that level. A "Confidential" label is useless if no one knows what it implies.

  • Use Default Labeling: Admins should consider setting a default sensitivity label for all new Power BI content. This ensures a baseline level of protection and prompts users to think about classification from the start.

  • Audit and Monitor: Power BI provides administrators with reporting on how sensitivity labels are being used. Regularly review these reports to see where your sensitive data resides and ensure policies are being followed correctly.
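The audit step above can be scripted against an exported inventory of workspace content. The following is an added example, not code from the article: it flags unlabeled items and reports whose label ranks below the dataset they are built on, which is the gap the inheritance behavior is meant to close. The inventory shape, field names and label ids are assumptions and constructed sample data.

```python
import json

# Label hierarchy from the article, lowest to highest sensitivity. The short ids
# stand in for the label GUIDs a real tenant would use (constructed).
LABEL_RANK = {"lbl-public": 0, "lbl-internal": 1, "lbl-confidential": 2, "lbl-highly-conf": 3}

# Constructed inventory for one workspace; field names (datasetId,
# sensitivityLabel.labelId) are assumed, modelled on a metadata export.
SAMPLE_SCAN = json.loads("""
{"workspaces": [{"name": "Finance",
  "datasets": [
    {"id": "ds-1", "name": "Quarterly Earnings", "sensitivityLabel": {"labelId": "lbl-highly-conf"}},
    {"id": "ds-2", "name": "Web Analytics", "sensitivityLabel": {"labelId": "lbl-public"}}],
  "reports": [
    {"id": "r-1", "name": "Earnings Deck", "datasetId": "ds-1", "sensitivityLabel": {"labelId": "lbl-highly-conf"}},
    {"id": "r-2", "name": "Earnings Draft", "datasetId": "ds-1"},
    {"id": "r-3", "name": "Earnings Summary", "datasetId": "ds-1", "sensitivityLabel": {"labelId": "lbl-internal"}},
    {"id": "r-4", "name": "Traffic", "datasetId": "ds-2", "sensitivityLabel": {"labelId": "lbl-confidential"}}],
  "dashboards": [{"id": "d-1", "name": "CFO Overview"}]}]}
""")

def label_of(item):
    """Return the item's label id, or None when it carries no label."""
    return (item.get("sensitivityLabel") or {}).get("labelId")

def audit(scan):
    """Return (workspace, kind, name, issue) tuples for every finding."""
    findings = []
    for ws in scan.get("workspaces", []):
        datasets = {d["id"]: d for d in ws.get("datasets", [])}
        for kind in ("datasets", "reports", "dashboards", "dataflows"):
            for item in ws.get(kind, []):
                label = label_of(item)
                source = datasets.get(item.get("datasetId"))
                src_label = label_of(source) if source else None
                if label is None:
                    issue = "unlabeled"
                    if src_label is not None:
                        issue += f" (dataset is {src_label})"
                elif label not in LABEL_RANK:
                    issue = f"unknown label {label}"
                elif src_label in LABEL_RANK and LABEL_RANK[label] < LABEL_RANK[src_label]:
                    issue = f"{label} is below dataset label {src_label}"
                else:
                    continue  # labeled at or above its dataset: nothing to report
                findings.append((ws["name"], kind, item["name"], issue))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCAN):
        print(" | ".join(finding))
```

A report labeled above its dataset, like "Traffic" in the sample, is not flagged because over-classification does not weaken protection.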

Final Thoughts

Sensitivity labels are an essential tool for any organization that takes data governance seriously. They bridge the gap between in-app security and real-world data handling, ensuring your sensitive information remains protected even after it's exported from Power BI. They transform your analytics platform into a truly secure environment for making data-driven decisions.
