Power BI Premium Security Overview

Questions and Answers

What role in the Power BI Premium architecture is specifically protected from direct internet access?

• Gateway Role
• Presentation Role (correct)
• Data Movement Role
• Background Job Processing Role

Which of the following is NOT a part of the dedicated Back-End service cluster in Power BI Premium?

• Azure SQL Database
• Data Role
• User Authentication Role (correct)
• Gateway Role

What is a key responsibility of Power BI designers regarding sensitive data in their reports?

• Control access to Power BI content for consumers. (correct)
• Ensure data is modified frequently.
• Automatically share all dashboards with external users.
• Verify all data sources use single sign-on.

How does communication occur between the dedicated Premium cluster and the shared Back-End cluster?

Via the Gateway Role (C)

Which data storage options are included in the Back-End cluster of Power BI Premium?

Azure Blob and Azure SQL Database (A)

What storage solution does Power BI primarily use for large amounts of unstructured data?

Azure Blob Storage (D)

In which scenario is DirectQuery used in Power BI?

Data is accessed using a reference to an external source. (D)

What happens to data accessed via DirectQuery after it has been processed?

It is immediately deleted from the Analysis Services database. (C)

Which of the following roles can perform all administrative tasks within an environment in Power Apps?

Environment Admin (B)

What is a significant feature of the layered security model used by Power Apps?

It includes Azure Active Directory for user account management. (A)

Which type of security role allows users to run apps while having specific permissions on records they own?

Basic User (B)

What does the Microsoft Dataverse database provide in terms of user security roles?

Three standard security roles and the ability to create custom roles. (C)

What is the primary purpose of environment boundaries in Power Apps?

To define separate containers for apps, flows, and data. (D)

When a flow is created in Power Automate requiring third-party application access, what must the user provide?

User authentication credentials for connectors (B)

During which state of data is it stored in Azure Blob or Azure SQL Database encrypted?

At rest (D)

Flashcards

Power BI Premium Back-End cluster

A dedicated service cluster in Power BI Premium that provides users with a secure environment for data storage and processing, separate from the shared Back-End cluster.

Data Role

A role in the Back-End cluster responsible for handling data movement, data preparation, and background operations.

Background Job Processing Role

A role responsible for handling background tasks, such as scheduling and processing data updates, and providing notification functionality.

Azure SQL Database in Power BI Premium

A secured Azure SQL Database instance that stores data relevant to the Power BI Premium cluster, ensuring the protection of sensitive information.

Gateway Role in Power BI Premium

A crucial component of Power BI Premium that provides a secure connection point for users to access and refresh data from external sources.

What does Power BI use for large datasets?

Azure Blob is a storage solution for unstructured data that is used for large datasets like Excel worksheets imported into Power BI.

Where does Power BI store tenant data?

Azure SQL Database stores all other Power BI data, including tenant information, workspaces, dashboards, reports, and metadata.

What are the two ways Power BI accesses data?

Power BI accesses data in two ways: Import for data from files like Excel, and DirectQuery for data from external sources like databases.

Where does Power BI store imported data?

Imported data in Power BI is stored in an in-memory Analysis Services database for up to an hour. Data is also encrypted and stored in Azure Blob storage for long-term retention.

Where does Power BI store DirectQuery data?

DirectQuery data in Power BI is only stored in the Analysis Services database when it's actively being used or refreshed, and it is not encrypted.

How does Power Apps control access to its portal and apps?

Power Apps uses Azure Active Directory (Azure AD) authentication to control user access to its portal and specific apps. Users require appropriate Azure AD credentials and licenses to access and use Power Apps.

What are the two built-in roles in Power Apps environments without a Dataverse?

Power Apps environments without a Dataverse database have two built-in administrative roles: Environment Admin and Environment Maker. These roles determine the actions users can perform within those environments.

How can Power Apps developers share their apps?

App sharing in Power Apps allows developers to share apps with other Azure AD users. Developers can choose to make users either standard users or co-owners, granting varying levels of control over the app.

What is a Power Apps environment?

A Power Apps environment is a container for apps, flows, and data, acting as a separate space within a tenant. Administrators can create multiple environments for different purposes, such as development, testing, or different teams.

How are permissions on Dataverse database records managed?

Dataverse user security roles control user actions on data stored in a Dataverse database. Standard roles like System Customizer and Basic User, along with custom roles, grant specific permissions for creating, reading, writing, and deleting records.

Study Notes

Power BI Premium Security

• Power BI Premium provides a dedicated back-end cluster in the same data center as the tenant.
• This cluster contains roles like the Gateway Role, Data Role, and Job Processing Role, plus an Azure SQL Database.
• All communication with the Premium cluster goes through a shared back-end cluster, routing traffic to the Gateway Role within the Premium cluster.
• The Presentation Role (and other back-end roles) are protected from direct internet access.

Power BI Data Security

• Power BI designers need separate credentials to connect to data sources.
• Designer credentials are then used to access/update data, even when shared with others.
• Designers are responsible for ensuring user access to sensitive data when sharing content.

Power BI Data Storage

• Power BI uses Azure Blob storage for large, unstructured data (e.g., Excel imports).
• Azure SQL Database stores other data types, including user information, workspaces, dashboards, and reports.

Data Access Methods

• Import: Data is accessed from a file (e.g., Excel).
• DirectQuery: Data is accessed by referencing an external source (e.g., SharePoint, database).

Data Processing

• Imported data is read into an Analysis Services in-memory database (up to 1-hour retention, encrypted in Azure Blob).
• DirectQuery data is stored in Analysis Services only while the process accessing it is active; when at rest, it's stored encrypted in Azure Blob or Azure SQL.

Power Apps Security

• Power Apps uses Azure Active Directory authentication and licensing to control access to the portal and specific apps.
• Administrators can assign Power Apps licenses, and regulate access with features like Azure tools and Intune policies.
• Environments have built-in roles (Environment Admin, Environment Maker) for administrative tasks.
• Developers can share apps with other Azure AD users (standard or co-owner).
• Co-owners can edit and share, but not delete or change ownership.
• Environments are isolated containers for apps, flows, and data; they are region-specific.
• Data connections used by apps require appropriate user credentials.

Power Automate Security

• Power Automate requires authentication credentials for connectors to external services.
• User share options (co-owners, run-only users) impact credential access.
• Co-owners have full access to existing connections, while run-only users have controlled access based on the creator's choice or themselves.