Session #1 - Melissa Coates: "What You Need to Know to Administer Power BI"
YouTube channel: https://www.youtube.com/channel/UCOAWiig6JH1i8MqcniEVbTg
LinkedIn: https://www.linkedin.com/groups/8933736/
Melissa Coates
Owner of Coates Data Strategies. Microsoft Data Platform MVP.
Data architect with a background in data warehousing and business intelligence. Her current professional focus is enterprise-level Power BI governance, deployment, security, and administration. As the owner of Coates Data Strategies, Melissa produces training and consults to help companies strengthen and sustain their data-driven initiatives. Melissa is a big supporter of the technical community, and has been a Microsoft Data Platform MVP since 2013.
Topic: "What You Need to Know to Administer Power BI".
The Power BI administrator is a very high privilege role. Some administration activities apply consistently for every organization, whereas others depend on how Power BI is being used for self-service and corporate business intelligence initiatives. Each organization's needs related to security, governance, auditing, and data management influence the scope of responsibilities for a Power BI administrator.
Power BI On AIR - Melissa Coates: "What You Need to Know to Administer Power BI"
1. www.CoatesDataStrategies.com > Community Resources > Presentations
What You Need to Know
to Administer Power BI
May 27, 2020
Melissa Coates
Data Architect | Consultant | Trainer
CoatesDataStrategies.com
@SQLChick | @CoatesDS
2. Goals for This Session
How and why the Power BI administrator role varies
based upon the BI approach being used
Introduce the breadth & scope of responsibilities
Suggestions for Next Steps
This session focuses on the commercial cloud service only. The
national clouds (ex: Govt, China, Germany) are not specifically covered.
Out of scope: Power BI Report Server and Power BI Embedded.
3. Agenda for Today
BI Approaches, Roles & Responsibilities
Power BI Service
Auditing & Activity Monitoring
Automation
Security
Data Gateways
Premium Capacity
Suggestions for Next Steps, Q&A
4. Where to Download Materials
Slides:
CoatesDataStrategies.com/Presentations
Diagram:
CoatesDataStrategies.com/Diagrams
7. Where Does Administration Start & End?
Administration
Data Governance
Security
Data Privacy
Data Management
Change Management
Development
Performance Tuning
A lot of overlap with other things
8. Business Intelligence Approaches
Business-Led Self-Service BI (Bottom-Up Approach)
Data Prep & Modeling: Business Authors
Report Creation: Business Authors
Managed Self-Service BI (Blended Approach)
Data Prep & Modeling: Central IT/BI + SME
Report Creation: Business Authors
Corporate BI (Top-Down Approach)
Data Prep & Modeling: Central IT/BI
Report Creation: Central IT/BI
SME = subject matter expert
10. Business Intelligence Approaches
Business-Led Self-Service BI
Managed Self-Service BI
Corporate BI
Data Management Maturity Level
Additional Considerations:
Data Culture
Compliance & Regulatory Requirements
Internal Factors
External Factors
Industry & Competitive Influences
11. Assign the Power BI administrator role to very few people.
Since an administrator can update access for all workspaces, any data in the tenant could be made available if they add access for themselves.
Who is Permitted to be a Power BI Admin?
Competent people able to get things done independently
Risk of too many people with elevated permissions
12. How to Reduce the # of Administrators
Azure Privileged Identity Management (PIM)
Provides “just-in-time” access for Azure roles such as Global Administrator, Power BI Administrator, etc.
Can be approval-based or time-based.
1. Admin sets up PIM roles & eligible members
2. User requests to activate a specific role
3. Approve the user request (optional)
4. User becomes member of the PIM role & performs necessary activity
5. User is removed from PIM role at expiration time
13. Power BI Administrator Role vs. Groups
User M365 Admin Role
Individual Power BI Admin
Mail-Enabled Security Group
Role assignment
Member
Power BI Administrators
Workspace
Auditing, health, adoption rpts
Tenant Settings
Service notifications & capabilities
Misc
Communications, workflow, etc.
Alert Policies
Alert notifications
Power BI
Global Admin
14. Power BI Administrator Roles
Power BI Service Administrator
Power BI Data Gateway Administrator
Power BI Premium Capacity Administrator
Power BI Workspace Administrator
Power BI Report Server System Administrator
Power BI Embedded Owner (Azure resource)
Not really an administrator in the same sense
A generic reference to Power BI Administrator often means this
15. Common Power BI Administrative Responsibilities
Tenant settings
Gateways & data sources
Workspace creation
Data delivery
Power BI Report Server
Integration w/ other apps
Desktop software
Supporting users
Auditing & monitoring
Premium capacity
Security & access
Deployment & DevOps
16. Other Administrators & Teams Involved
Global Office 365 admin
SharePoint administrator
OneDrive administrator
Teams administrator
Azure AD administrator
Database administrators
Licensing & billing admin
Intune administrator
Desktop support
Infrastructure team
Networking
Security & compliance
Legal & risk management
Internal audit
18. Tenant Settings
The tenant settings are among the most important things to get right.
1. Document decisions made (who, when, why).
2. Document the settings for decentralized users to view + which groups are used for functionality + how to get approved for a group.
3. Track the ‘UpdatedAdminFeatureSwitch’ operation in the activity log.
4. Set up alerts for when any changes occur.
20. E-Mail Alert if a Tenant Setting Changes
This information is also contained in the Power BI Activity Log. It does not provide values before & after, nor which security group changed.
This e-mail is not sent in real-time. Takes 1-2 hours to arrive.
21. Workspaces
View & update metadata for all workspaces in the
tenant: Name, description, and security access
22. Embed Codes
1. Ensure tenant setting permits very few people to use Publish to Web.
2. Track use of the ‘GenerateEmbedToken’ operation in the activity log.
3. Validate the list of embed codes on a regular basis.
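The tracking steps on the Tenant Settings and Embed Codes slides can be scripted against activity log JSON. The following is an added example, not code from the presentation: the function name `Find-WatchedActivity`, the sample events and the folder parameter are assumptions made for illustration, while the two operation names are the ones the slides say to track.

```powershell
# Added example (not from the slides). The watched operation names are the two
# the deck says to track; everything else here is illustrative.
$WatchedOperations = @('UpdatedAdminFeatureSwitch', 'GenerateEmbedToken')

function Find-WatchedActivity {
    [CmdletBinding()]
    param(
        # JSON array of activity events, e.g. the output of
        # Get-PowerBIActivityEvent -ResultType JsonString
        [Parameter(Mandatory)] [string]   $Json,
        # Operation names to flag
        [Parameter(Mandatory)] [string[]] $Operation,
        # Optional folder in which to keep the unmodified JSON for re-parsing
        [string] $RawFolder
    )

    if ($RawFolder) {
        New-Item -ItemType Directory -Path $RawFolder -Force | Out-Null
        $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMdd_HHmmss')
        $file  = Join-Path $RawFolder ('ActivityLog_{0}.json' -f $stamp)
        Set-Content -Path $file -Value $Json -Encoding UTF8
        # The read-only flag only guards against accidental edits; true
        # immutability has to come from the storage layer.
        Set-ItemProperty -Path $file -Name IsReadOnly -Value $true
    }

    # Parse, keep only the watched operations, oldest first.
    $events = $Json | ConvertFrom-Json
    $events |
        Where-Object { $_.Operation -in $Operation } |
        Sort-Object CreationTime |
        Select-Object CreationTime, Operation, UserId, Id
}

# Constructed sample input: four events, two of which should be flagged.
$sampleJson = @'
[
  {"Id":"00000000-0000-0000-0000-000000000001","CreationTime":"2020-05-26T08:15:02","Operation":"ViewReport","UserId":"analyst@example.com"},
  {"Id":"00000000-0000-0000-0000-000000000002","CreationTime":"2020-05-26T09:41:37","Operation":"UpdatedAdminFeatureSwitch","UserId":"admin@example.com"},
  {"Id":"00000000-0000-0000-0000-000000000003","CreationTime":"2020-05-26T10:02:11","Operation":"GenerateEmbedToken","UserId":"author@example.com"},
  {"Id":"00000000-0000-0000-0000-000000000004","CreationTime":"2020-05-26T11:30:45","Operation":"ExportReport","UserId":"analyst@example.com"}
]
'@

Find-WatchedActivity -Json $sampleJson -Operation $WatchedOperations |
    Format-Table -AutoSize

# Live use (needs the MicrosoftPowerBIMgmt module and the Power BI administrator
# role; start and end must fall within the same UTC day):
#   Connect-PowerBIServiceAccount
#   $json = Get-PowerBIActivityEvent -StartDateTime '2020-05-26T00:00:00' `
#               -EndDateTime '2020-05-26T23:59:59' -ResultType JsonString
#   Find-WatchedActivity -Json $json -Operation $WatchedOperations -RawFolder 'C:\PBIAudit\Raw'
```

Run once per day, the flagged rows can feed whatever alerting channel is already in place, and the saved JSON becomes the history to re-parse when a new attribute appears.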
23. Organizational Visuals
1. Enable tenant setting to use certified visuals only in the
Power BI Service.
2. Enable group policy to use certified visuals only in Power BI
Desktop.
3. Handle exceptions to that using organizational visuals.
Specific allowed visuals may include:
-Internally developed visuals
-Non-certified, but trustworthy & approved for use
Custom visuals give report
creators significantly more
flexibility
24. Dataflow Settings
Be very cautious with doing a technical proof of concept.
Currently the dataflow capabilities are limited to:
• One dataflow account per tenant
• Cannot be changed or removed
Additional dataflows/ADLS Gen 2 integration at the
workspace level is on the release plan.
Azure Data Lake
Storage Gen 2 account
25. Featured Content
Featured content should be used somewhat sparingly.
Regularly review the activity log to ensure featured
content has enough usage to warrant being promoted.
A tenant-wide view of
objects being “promoted” as
featured content on Home.
26. Monitoring Power BI System Health
Power BI Support Site: https://powerbi.microsoft.com/en-us/support/
Azure Status: https://status.azure.com/en-us/status
Microsoft 365 Admin Center: https://admin.microsoft.com
Includes:
Root cause
Scope & user impact
Start & end time
Next steps
28. Why Usage Monitoring is Critical
Critical content
What content is most frequently used?
Is it adequately supported?
Change tracking
What changes occur, when, and by whom?
Internal and external auditing
Are you able to satisfy requests from auditors?
29. Why Usage Monitoring is Critical
Monitoring adoption efforts
Can we analyze not only usage stats, but that the system is
being used consistently and optimally/as it was intended?
Data trustworthiness levels
How many certified vs. non-certified datasets? How many
datasets support > 1 report?
License usage
Who is (and is not) using Power BI, at what frequency?
30. Why Usage Monitoring is Critical
Understanding usage patterns
How are users *really* using Power BI?
Finding training opportunities
Is training actively made available to new users, or to
encourage specific behaviors?
Suspicious usage patterns
Are any concerning activities occurring?
31. Typical Power BI Auditing Solution
Office 365 Audit Log
Power BI Activity Log
Power BI REST APIs
Azure Active Directory Graph REST APIs
Users & Service Prin
Power BI Pro Licenses
Group Membership
Workspace Inventory
Workspace Security
Gateway Servers
Gateway Logs
PowerShell Scripts
Raw Data
Original JSON Files
Data Lake, NoSQL, or File System
Power BI Auditing Database
Transactions & Historical Snapshots
Prepared Data
Reports: Adoption, Security, Auditing
Accessed by users with row-level security
Accessed by auditors & administrators
Azure Monitor integration is on the release plan
32. Tips for Successful Usage Monitoring
Know what your “normal” is
Recognize when something is unusual to take action early
Accumulate history
Comply with auditing requests & do useful trending analysis
Securely retain raw data files
Retain raw files in a secure and immutable (no modifications or deletions) location so you can:
• Re-parse the data if you missed a new attribute
• Rely on this data for formal auditing
Correlate data
Improve usefulness by correlating with other related data
33. How to Get Usage Monitoring Data
Options for Retrieving Data (Programmatic / User Interface):
Power BI Activity Log
Programmatic: PowerShell Module
Microsoft 365 Unified Audit Log
Programmatic: M365 Management Activity API
User Interface: M365 Security & Compliance Center
Admin Usage Metrics
User Interface: Power BI Service
Report/Dashboard Usage Metrics
User Interface: Power BI Service
Easiest to get started: Power BI Activity Log
Improvements to the admin usage metrics are on the release plan
There’s an older PowerShell cmdlet (Search-UnifiedAuditLog) - don’t use it
35. Most Common Automation Options
PowerShell
Both modules are maintained by Microsoft. There are other 3rd party and open source options.
Power BI REST APIs
Power BI Management Module
Data Gateway Module
Two scopes: organization & individual
36. Power BI Management Module
Several modules for managing Power BI:
Rollup
Profile
Data
Reports
Admin
Capacities
Workspaces
Common things you can do:
Get activity log data
Create workspace
Get list of workspaces, reports, dashboards, datasets, dataflows
Get users per workspace
Get list of capacities
37. Data Gateway Module
Two modules currently for managing gateway clusters:
DataGateway Profile
Common things you can do:
Get list of clusters
Get list of data sources
Install gateway cluster
Update data source credentials
Update data source users
Update gateway policies
Supported only on PowerShell Core 7.0+
38. Power BI REST APIs
The APIs cover embedding as well as administration:
Admin
Apps
Available Features
Capacities
Dashboards
Dataflow Storage
Dataflows
Datasets
Embed Token
Gateways
Groups
Imports
Push Datasets
Reports
Users
The REST APIs:
• Have more options than the Power BI Mgmt Module
• Have fewer options than in the Power BI Service browser
• Can be called in conjunction with the Mgmt Module
39. Managing User Machines & Devices
Power BI Software
Power BI Desktop (monthly updates + bug fixes)
Power BI Desktop Optimized for Report Server (3x/year updates)
Power BI Report Builder
Power BI Mobile App
Power BI App for Windows 10
Other Common Items
Drivers (ex: Oracle, HANA, MS Access Engine, etc.)
Analyze in Excel Provider
Group Policy settings (ex: use of custom visuals)
Custom connectors
Ideally pushed to
users so everyone
is on same version
41. Azure AD Users and Groups
All users need a Power BI Free or Power BI Pro account for
identity management. Exceptions:
• Content published publicly with Publish to Web
• Power BI Embedded (when application is managing authentication)
User identity is critical:
integrated with
Azure Active Directory
Groups from Azure AD & Microsoft 365 are supported.
42. Azure AD Conditional Access Policies
Meet security and compliance requirements, such as:
• Multi-factor authentication
• Block unauthorized access, such as:
• Non-trusted locations
• Non-corporate network
• Non-domain-joined machines
• Machine which isn’t compliant with network policy
• Only allow logins to Power BI from a particular AAD group
• IP address ranges which can connect (ex: block non-office loc)
• What type of devices can connect
43. Azure AD Identity Governance
Terms of Use
Users consent to specific terms before gaining access.
Access Review
Review & attest group memberships and user permissions.
Ex: administrator groups or depts at certain intervals
Privileged Identity Management
Just-in-time access to roles and resources
44. Permissions Managed by Content Authors
Workspace
Dashboards & Reports
Dataflows
Admin | Member | Contributor | Viewer
Power BI Desktop
Row-Level Security
Owner
Apps
Copy Reports
Reshare
File locations for original & exported files
Subscriptions
Recipients
Read
Read (Share one item)
Read
Datasets
Owner
Read
Reshare
Build
45. Permissions Managed by Gateway Administrator
Administrators
Stored credentials
User permissions
Use of single sign-on
Data privacy levels
Per gateway
Per data source
46. File Location Permissions
Have a clear policy for users regarding use of
approved file storage locations:
• Source PBIX files
• Source data files
• Saved subscription e-mail attachments
• Exports of data
• Exports of reports
49. Data Sensitivity Labels
Have a data handling policy for each sensitivity
label which explains what can, and cannot,
happen with the data. For instance:
• Data access permitted (ex: internal only)
• Download allowed to local PC
• Content markings required
• Anonymization required
51. Encryption Keys
Keys to be securely managed:
• Data gateway recovery key
• Data gateway credentials
• Power BI Premium encryption key (if ‘byok’ is used)
• Azure Premium encryption key (if large models is enabled)
• Power BI Report Server
53. Two Types of Gateways
Personal Mode Gateway
Standard Mode (Enterprise) Gateway
54. Standard Mode Gateway
The different apps don’t share data sources
If using Azure Data Factory or Azure Machine Learning, install that gateway on a different server
55. When is a Gateway Needed?
In the Power BI Service:
• Refreshing imported datasets
• Refreshing dataflows
• Using DirectQuery
• Using Live Connection for Analysis Services
AND
Data Source Is Located:
• On-premises data center
• Cloud-based IaaS (infrastructure as a service)
• Cloud-based PaaS (platform as a service) in a VNet (virtual network)
OR
Certain Functionality is Used:
• Web.Page() function
• Single M query combines cloud & on-prem data
56. Where Gateways are Managed
Table: tasks by management location.
Management locations: Power Platform Admin Center, Power BI Service, Gateway Server, PowerShell
Tasks:
Manage gateway settings
Manage gateway administrators
Manage gateway tenant policies
Manage data sources & users
View personal gateways
View gateway online status
View data source online status
View logs & system health
57. Managing Who Can Install Gateways
Only accepts users (not groups) currently
PowerShell: Set-DataGatewayInstaller + Set-DataGatewayTenantPolicy
58. Gateway Cluster Environments
Production gateway cluster
Should have at least 2 machines for:
• High availability (eliminate single point
of failure)
• Rotating updates to ensure uptime
• Load balancing (distribute workload)
Dev/test gateway cluster
Can have fewer servers & fewer resources
Most useful for testing monthly updates
59. Gateway Server Specs
CPU: Important for DirectQuery
& Live Connection
Memory: Important for data refresh
Network bandwidth: Always important
The GW server handles more than just connectivity.
When it can’t be pushed to the source system, work is
performed, requiring memory & CPU, such as:
• Transformations
• Data merges & matching
• Filtering
60. Gateway Setup
Install on each gateway server:
• Gateway software
• Custom drivers (Oracle, HANA, etc.)
• Power BI custom connectors
The gateway software is updated each month.
61. Gateway Administrators vs. Users
Administrators
Gateway
Cluster
Data Source 1
Data Source 2
Data Source 3
Users
Users
Users
Called ‘Users’ in Power Platform Admin Center & called ‘ClusterUser’ in PowerShell cmdlet
62. Monitoring Gateway Health & Activity
Enable the gateway performance monitoring log files
on each gateway server. Produces 4 log files:
• Query Execution Report
• Query Execution Aggregation Report
• Query Start Report
• System Counter Aggregation Report
64. Why Is Premium Used?
Capacity-based licensing
Large number of read-only users is
more cost-effective
Scalability
Large datasets, more frequent
refreshes
Unify Enterprise BI & SSBI
Deployment pipelines, paginated
reports, XMLA read/write, full
featureset for dataflows, change
detection for automatic page refresh
Compliance
Isolated/dedicated hardware,
bring-your-own-key, specific
geography for data storage
Hybrid Cloud
Use of Power BI Report Server
Integration with Other Apps
AI: Azure Cognitive Services and
Azure Machine Learning
65. Two Types of Capacity
Power BI Premium
SKUs: P-series & EM-series SKUs
Purchased: M365 Admin Center
Priced by: By the month
Scalability: N/A
Power BI Embedded
SKUs: A-series SKUs
Purchased: Azure
Priced by: By the hour
Scalability: Designed to scale up, down, and pause
Use Power BI Embedded capacity as a lower-cost alternative when Premium isn’t needed 24x7, or to evaluate Premium features before making a commitment.
Premium: Some people mean either type of capacity; some people literally mean the SKU
66. Key Tasks For Setting Up Premium Capacity
Allocating capacity to what’s been purchased
Assigning capacity administrators to each capacity
Assigning workspaces to a capacity
P3 purchased (32 v-cores)
Capacity 1: 16 v-cores
Capacity 2: 8 v-cores
Capacity 3: 8 v-cores
Workspace A
Workspace B
Workspace C
68. Deciding on Capacity Size
Multiple smaller capacities
Isolated workloads
Separate capacity admins
Single larger capacity
Larger model size
Greater parallelism
69. Monitoring Capacity Health
Power BI Premium Capacity Metrics App
Built-in health monitoring reports
Custom reports from dataset using template app
Email notifications (tenant setting)
Outages or incidents
Capacity overload alerts
Data from activity log
Usage doesn’t align with workload expectations
71. Just Getting Started Overseeing Power BI?
Begin capturing activity log data if you are not already.
Validate and document tenant settings are optimal.
Validate who has been granted Power BI administrator role.
Add additional gateway server if currently a single node.
72. Got the Basics Taken Care Of? What’s Next?
Create analytical reporting for activity log data.
Augment activity log with security snapshots, Azure AD, etc.
Review workspace+apps use, including naming conventions.
End-to-end security review.
73. Getting Pretty Mature? What To Tackle Next
Begin looking for certain circumstances with data so you can
be proactive rather than reactive.
Work with governance & support teams on improving
trustworthiness & consistency with shared & certified
datasets.
Work with governance & security teams on data
classifications, including relevant data handling policies.
Ensure that policies can be managed & audited.
74. Information With High Pace of Change
Follow the Power BI blog closely.
Crucial information is shared here.
Follow the release plan closely. Some
items will require planning, updated
training, or a change in process.
Be cautious with information found online as it gets
out of date quickly.
75. Final Thoughts
Don’t make administrative
decisions on the fly.
Focus on:
• Transparency
• Consistency
• Communication
• Documenting
decisions & policies
Think of your role as helping
people get things done.
Evolve to being proactive,
rather than reactive, as much
as possible using repeatable
process and automation.
Always do a technical proof of concept to verify your
expectations. Maturity of features takes time.
77. Where to Find More Info
Slides:
CoatesDataStrategies.com/Presentations
Blog:
CoatesDataStrategies.com/Blog-Posts
Videos:
Link.CoatesDataStrategies.com/YouTube
Diagrams:
CoatesDataStrategies.com/Diagrams
Attribute to me as original author if you share these materials
No derivatives or changes to these materials
No usage of these materials for commercial purposes
79. Additional Resources
Planning a Power BI Enterprise Deployment whitepaper
https://aka.ms/PBIEnterpriseDeploymentWP
https://docs.microsoft.com/en-us/power-bi/guidance/whitepapers
Power BI Release Plan (Roadmap)
https://docs.microsoft.com/en-us/power-platform-release-plan
80. Additional Resources
Operations available in the Power BI activity log
https://docs.microsoft.com/en-us/power-bi/admin/service-admin-auditing#operations-available-in-the-audit-and-activity-logs
Power BI admin and enterprise documentation
https://docs.microsoft.com/en-us/power-bi/admin/
PowerShell cmdlets, REST APIs, & .NET SDK for Power BI admin
https://docs.microsoft.com/en-us/power-bi/admin/service-admin-reference
Working with PowerShell in Power BI
https://powerbi.microsoft.com/en-us/blog/working-with-powershell-in-power-bi/
Announcing APIs and PowerShell Cmdlets for Power BI Administrators
https://powerbi.microsoft.com/en-us/blog/announcing-apis-and-powershell-cmdlets-for-power-bi-administrators/
81. Additional Resources
Power BI Management Module: Download Module from PowerShell Gallery
https://docs.microsoft.com/en-us/powershell/power-bi/overview?view=powerbi-ps
Power BI Management Module: Documentation
https://github.com/Microsoft/powerbi-powershell
Power BI Management Module: Cmdlet Reference
https://docs.microsoft.com/en-us/powershell/power-bi/overview?view=powerbi-ps
82. Additional Resources
Data Gateway Module: Download Module from PowerShell Gallery
https://www.powershellgallery.com/packages/DataGateway/3000.37.39
Data Gateway Module: Cmdlet Reference
https://docs.microsoft.com/en-us/powershell/module/datagateway/?view=datagateway-ps
On-Premises Data Gateway Management
https://powerbi.microsoft.com/en-us/blog/on-premises-data-gateway-management-via-powershell-public-preview/
83. Additional Resources
Power BI REST API Reference
https://docs.microsoft.com/en-us/rest/api/power-bi/
Power BI REST API with ‘Try It’ Tool
https://azure.microsoft.com/en-us/updates/power-bi-rest-api-tryit-tool/