Power BI: Report Sharing Explained
Whether you are part of a small team or a large enterprise, sharing your reporting content in Power BI can be confusing at first glance. Connecting to data sources, creating semantic models, and publishing the report is one thing, but securly configuring the sharing of the reports is an entirely different story. I often find that organizations are eager to migrate their reporting environments to Power BI, but do not head into the process with a proper roadmap for report sharing. In this article, I will try and outline some best practices for report sharing on Power BI Service and answer common questions that I have experienced with my clients.
Understanding Workspace Access Levels
First, we must understand the Power BI Service workspace and what their intended use is. Workspaces are meant to be used as a collaboration environment for report development teams. Often, a group of data analysts will have Contributor level access to a product team workspace, or the development workspace of a deployment pipeline if Power BI Premium is available. For example, a security group of finance report developers could be granted Contributor level access to the Finance workspace at an organization. Contributor level access is recommended for report developers since it will grant the group access to publish reporting content to the workspace and access any semantic models that have been published to the workspace. Most importantly, Contributor level access will not allow someone to add other users to the workspace since Member level access is required to do so. It is best practice to only grant Admin and Member level access on a workspace in very unique scenarios. If a user within the organization needs access to reporting content located in a workspace, they should be accessing the report via the Power BI Application. Viewer access on the workspace should not be granted to individual users or groups since it does not allow fine-grain access to specific reports. If a user or group has Viewer level access on a workspace they will immediately gain access to view all reports in the workspace, regardless if they should be able to view them or not. In short, do not grant access directly at the workspace level to enable report sharing and report viewership.
Understanding Power BI Applications
The Power BI Application has plenty of tools to help facilitate a simplified and secured reporting environment. Each Power BI Service workspace can create one Power BI App, and the App that is created will have access only to include reports in the workspace that created it. Think of the Power BI Application as the “logical layer” that sits on top of the workspace. Power BI Applications allow for the configuration of up to 10 separate audience groups. Audiences can be used to organize viewership of reporting content in the workspace where some users or groups can view specific reports and not others, even in the same workspace. Remember how granting Viewer level permissions on the workspace is not recommended? Audiences allow for complex divisions of viewership, even across reports in the same workspace. For example, if an organization had three finance reports intended for Sales department viewership and two finance reports for Engineering department viewership, it could use the Finance workspace Power BI Application audience groups to create that secured division of viewership. When a user or security group is added to an audience in a Power BI App and the App is published, those users or groups will immediately be granted access to view the reports in the Power BI App. Users or groups will not however immediately get an email notifying them that they have been granted access, the App will simply become available in the App menu from Power BI Service. Keep in mind that Power BI App consumers can’t modify the contents of the App. There is also an option in the Setup phase of the Power BI App (can be accessed later in update app) under advanced settings to Install this App automatically, which will automatically make the App available in the Apps menu on Power BI Service.
Steps to Share a Power BI Report
- Connect to a Power BI semantic model in Power BI Desktop.
- Develop a report in Power BI Desktop and publish to a Power BI Service workspace (where Contributor level access is granted).
- Update the App to include the report by clicking Add Content, selecting the report name, and clicking Add (create the App if the workspace does not already have one). Member level access on the workspace is required to create or update an App, unless an Admin alters the workspace settings to allow Contributors to make these changes.
- Optional: Organize the reports in the App with Sections. Sections are often based on audience groups and can be very useful to organize report content based on viewership.
- Assign the report to an audience group by clicking on the audience and ensuring that the eye icon is open on the reports that you want them to view (Sections can simplify this process by organizing reports under a Section, otherwise the eye icon will need to be opened or close on a per report basis).
- If the report needs to be shared with an audience that does not already exist, then a new audience can be created by clicking New Audience. The new audience will need to be assigned individual users or a security group in the Edit Audience menu on the right-hand side, then click Update App (Microsoft 365 groups can also be used).
- Access to the App will be available to the audiences in Power BI Service (and Teams) by navigating to Apps and selecting Get Apps (or the App will be readily available if automatic installation is selected).
- If Power BI Apps are used as the read-only report serving tool in Power BI Service as intended, users will be able to view and interact with Power BI reports that are made available to them, but they will not have access to the workspace where the reports are located. This structure is considered best practice for larger organizations on Power BI Premium.
- If an audience can’t access the reports in the Power BI Application or the report content does not load, try granting Viewer access on the Power BI semantic model that the report is pulling data from. This can be done by clicking the three dots next to the semantic model in the workspace and navigating to Manage permissions. Click Add User, enter the email of the user or security group for the audience that needs read access on the semantic model, and uncheck every option on the pop-up menu (modify, share, and build) since we do not want to grant anything but read access to the data. This will allow the data to flow properly from the semantic model through to the report in the Power BI App.
Tips to Note:
- You can also share the Power BI Application by opening it, clicking Share, copying the link, and sending the link to audience groups, often a distribution list.
- Users who have access to the Power BI Application can set up Subscriptions to individual reports by clicking Subscribe to report in the App. Users can set up subscriptions to any of the pages of a report, enter their email, attach the report as a PDF or PowerPoint, and select a scheduled start and end date as well as frequency of delivery. The email subject and message can also be customized. Changes to the report can also be saved and subscribed to in advanced settings (changes include filters, slicers, bookmarks, drill down, and personalized visuals).
- Do not use the Share icon on the report name in the workspace to share reporting content. This method is not recommended because it is difficult to track which users have access to the report.
- Power BI Applications can only be shared with users within your organization (users in your Active Directory). If you need to share reports with users outside the organization you can explore Power BI Embedded or Azure AD Guest User accounts.
Take Aways for Report Sharing
- Workspaces are intended to be used as team collaboration and development environments, not report sharing environments.
- If the organization has Power BI Premium, all users in the organization can be given read-only access to view reports in via the Power BI App.
- Use Power BI App sections to organize reports into different folders, typically based on audience viewership.
- Enable automatic installation of the Power BI App if you would like audiences to automatically see the App available in Power BI Service and Teams.
- Use Contributor level access on workspaces whenever possible, do not use Member or Admin level access since it is best practice to use the method of least privilege.
- The Power BI Application is a read-only environment for the report consumer. The audience members will not have access to the underlying semantic model and will not be able to create new report content from it.
Please feel free to leave comments or questions below and I will do my best to respond quickly.
Thank you for reading!