Today I want to issue a warning to anyone considering using Publish to Web to share corporate data internally within an organisation. Publish to Web is a standard feature on all Power BI accounts (free and Pro) – I first wrote about it two years ago here. This is a great feature that is designed to let you share non-sensitive data publicly on the web, but despite what you may think it is definitely not secure.
Sample Embedded Report
Here is an example of one of my publicly shared reports from my blog article a few weeks ago.
Prior to Power BI, it was very difficult to share non-sensitive data on the web in this way and I think this is a great public service offering from Microsoft. But the key word here is “public”.
There are Plenty of Warnings
There are plenty of warnings given to the report author not to use this feature for sensitive corporate data. Let’s look at the process. When you want to share your report publicly on the web, you simply click File\Publish to Web as shown below (from the Power BI Service).
Warning Message 1
You will then get the following information and warning message.
Note there are several references above that you will be sharing this information publicly. Also note that it explicitly states the following:
You may not use this function to share content internally, including through email, your internal network, or intranet site.
This sounds like it is part of the terms of service agreement, although I checked here https://powerbi.microsoft.com/en-us/terms-of-service/ and couldn’t find any reference. I am not sure of the legal status of this message, but you should still take note of the warning. Read on to find out why.
Warning Message 2
Then you get the following warning message.
In the above dialog, there is some additional important information.
Microsoft may display the report on a public website or public gallery.
More on this important message shortly. Finally, you are presented with the sharing URL. Here is mine
These Links are NOT Secure
Now I know what some of you are thinking. Some of you are looking at that long GUID (Globally Unique Identifier http://guid.one/guid) and are thinking “no one is going to be able to guess that URL”. And if you are thinking this, then you are 100% correct – no one will guess it. But there are 2 big issues that directly affect the privacy of these links.
- Anyone in the organisation who can see this link can share it publicly – a disgruntled employee, for example. I was able to easily grab the URL for my Simpson embedded report at the start of this post using my browser developer tools.
- Microsoft searches these reports using Bing and may use and re-share your data publicly, or serve up the reports during a public Bing search.
I am sure there are not too many people that would be happy to have their sensitive corporate data appear in a Bing search. I was not able to find any of my publicly shared reports via Bing (except those explicitly shared embedded in other blog articles), but that doesn’t mean it can’t/won’t happen.
How to Undo a Mistake
If you have previously used this feature and are now having second thoughts, then great. In the top right hand corner of the service, click on the cog and then “Manage Embed Codes” as shown below.
This will give you a list of all embed codes you have previously created. You can click on the ellipsis next to the report and either fetch a new copy of the code, or you can delete the code altogether.
Free for Personal Use
Power BI is free for personal use. Once you are ready to share, then you need to pay. This is a very fair licencing model that allows anyone to learn and get started. You only have to pay when you extract value (by sharing), and then it is still dirt cheap at just US$120 per user per year. If you are living life on the edge trying to get the sharing benefits for free, then you would be well advised to simply pay for what you benefit from.
Hi! Thank you for the post. I have a question: when you say “anyone can access the report and its data”, do you mean that not only the report is public, but also the database behind it?
Good question. I meant the data on the screen, not the underlying DB.
I have a 3 step process idea to nevertheless use embedded power bi report. Please suggest if this would still cause a security issue:
1. Obfuscating the entire embed code snippet with a tool like snapbuilder.com (URL: http://snapbuilder.com/code_snippet_generator/obfuscate_html_source_code/)
2. pasting the generated (obfuscated) code inside a password-protected WordPress page
3. Banning indexing of the website by Bing
After doing all of above, will it still be possible for someone to guess the report url AND/OR Bing to crawl website and make the power bi report public?
There are 2 things from my perspective. 1) Microsoft specifically states “You may not use this function to share content internally, including through email, your internal network, or intranet site”. To me, if you do so, you are infringing the software licence (aka stealing). 2) Microsoft goes on to state “Microsoft may display the report on a public website or a public gallery”. In other words, you may wake up one morning and find your confidential business data appearing here https://community.powerbi.com/t5/Data-Stories-Gallery/bd-p/DataStoriesGallery Or worse, you may never realise that your confidential data is being displayed at the link above.
Hi Matt
This is really helpful, thank you. We have an analytics platform for our clients to support their business development activities. It is delivered through a cloud SaaS. I was hoping that we would be able to embed Power BI Dashboards within our application, but now reading your post I don’t think it is possible.
All our clients have professional licenses to Power BI.
Do you know if this is possible?
You say “clients”. Do your clients have pro licences? If so, why not create “apps”. First create an app workspace and then publish as an app and share with clients (different domains are supported). It is not as customisable as embedding in your application. The other approach is to use one of the Embedded SKUs. These are designed to do exactly what you ask, but the starting price is about $650 per month I think.
Steven, Matt,
Here is another brand new option I just came across today! https://docs.microsoft.com/en-us/power-bi/service-embed-secure. I’ve been wrestling with finding an alternative to the insecure embed code for a while now, and this is a much-awaited option! Hope this helps!
Previously, the options have been 1) Create a Power BI Embedded solution (requires a programmer, and Azure hours), or 2) Use the built-in Power BI webpart (requires SharePoint Online, Modern Pages, and Pro licenses for viewers). This new option of a secure embed code allows for embedding in a website or, more importantly for me, a classic SharePoint site. A Power BI pro license is still required, but at least it’s a solution where previously I had none, especially now that we can assign Pro licenses to guest users using Azure B2B.
EDIT to my previous post: The article I linked states that Azure B2B is actually not supported. However, this is still a great option for Classic SharePoint sites or other Intranet sites.
Found it interesting that much of the last portion of the Publish to Web URL is the same for all reports in a tenant. Turns out it is Base64 encoded JSON with two GUIDs: one for tenant and one for report.
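As an added example (not code from the post or its commenters), here is how a defender could use the link structure the comment above describes, together with the post's point that anyone who sees a link can re-share it, to inventory Publish to Web links that have leaked into intranet pages or mail. The link shape `https://app.powerbi.com/view?r=<payload>`, the JSON key names and all GUIDs below are assumptions or constructed sample values; the scanner only relies on the payload being base64 JSON containing the tenant GUID.

```python
import base64
import json
import re
from typing import Dict, List

# Assumption (not from the post): a Publish to Web link looks like
# https://app.powerbi.com/view?r=<base64url JSON>, and per the comment above the
# JSON carries two GUIDs (tenant and report). The key names "k"/"t" are
# constructed for this sample; the decoder does not depend on them.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
LINK_RE = re.compile(r"https://app\.powerbi\.com/view\?r=([A-Za-z0-9_\-=%]+)")

OUR_TENANT = "11111111-2222-3333-4444-555555555555"  # constructed sample tenant id


def make_link(tenant: str, report: str) -> str:
    """Build a constructed sample link in the assumed format (test data only)."""
    payload = json.dumps({"k": report, "t": tenant}).encode()
    return "https://app.powerbi.com/view?r=" + base64.urlsafe_b64encode(payload).decode()


def decode_payload(token: str) -> List[str]:
    """Base64-decode the r= token and return every GUID found in the JSON."""
    token = token.replace("%3D", "=")
    token += "=" * (-len(token) % 4)  # restore padding if it was stripped
    try:
        data = json.loads(base64.urlsafe_b64decode(token))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON: not a payload we understand
        return []
    return GUID_RE.findall(json.dumps(data))


def find_leaked_links(text: str, tenant: str) -> List[Dict[str, str]]:
    """Scan intranet/email text for Publish to Web links that belong to `tenant`."""
    hits = []
    for m in LINK_RE.finditer(text):
        guids = [g.lower() for g in decode_payload(m.group(1))]
        if tenant.lower() in guids:
            others = [g for g in guids if g != tenant.lower()]
            hits.append({"url": m.group(0), "report": others[0] if others else ""})
    return hits


# Constructed sample page: one link from our tenant (a leak to investigate and
# revoke via Manage Embed Codes) and one from a foreign tenant (not ours).
SAMPLE_INTRANET_PAGE = (
    "<p>Q3 numbers: " + make_link(OUR_TENANT, "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    + "</p><p>Public demo: "
    + make_link("99999999-8888-7777-6666-555555555555", "ffffffff-0000-1111-2222-333333333333")
    + "</p>"
)
```

Each hit's report GUID can then be matched against the embed-code list in the admin portal so the code can be deleted rather than left in circulation.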
Nice blog post Matt! Hey a couple more things to call out: Power BI Admins have a UI in the Power BI Admin portal where they can review all existing Embed Codes and delete any they want to address. Read about it here: https://docs.microsoft.com/en-us/power-bi/service-admin-portal#embed-codes
Also, Power BI Admins can set who within an organization can publish to web. It’s in Power BI Admin portal under Tenant settings. Look for Publish to web. You can disable Publish to web for the tenant or choose which users have the ability to create Publish to web embed codes. Read about it here: https://docs.microsoft.com/en-us/power-bi/service-admin-portal#tenant-settings