Publish to Web is not Secure - Excelerator BI

Publish to Web is not Secure

Today I want to issue a warning to anyone considering using Publish to Web to share corporate data internally within an organisation. Publish to Web is a standard feature on all Power BI accounts (free and Pro) – I first wrote about it two years ago here.  This is a great feature that is designed to let you share non sensitive data publicly on the web, but despite what you may think it is definitely not secure.

Sample Embedded Report

Here is an example of one of my publicly shared reports from my blog article a few weeks ago.

Prior to Power BI, it was very difficult to share non-sensitive data on the web in this way and I think this is a great public service offering from Microsoft. But the key word here is “public”.

There are Plenty of Warnings

There are plenty of warnings given to the report author not to use this feature for sensitive corporate data.  Let’s look at the process.  When you want to share your report publicly on the web, you simply click File\Publish to Web as shown below (from the Power BI Service).

Warning Message 1

You will then get the following information and warning message.

image

Note there are several references above that you will be sharing this information publicly.  Also note that it explicitly states the following:

You may not use this function to share content internally, including through email, your internal network, or intranet site.

This sounds like it is part of the terms of service agreement, although I checked here https://powerbi.microsoft.com/en-us/terms-of-service/ and couldn’t find any reference. I am not sure of the legal status of this message, but you should still take note to the warning.  Read on to find out why.

Warning Message 2

Then you get the following warning message.

image

In the above dialog, there is some additional important information.

Microsoft may display the report on a public website or public gallery.

More on this important message shortly.  Finally, you are presented with the sharing URL. Here is mine

https://app.powerbi.com/view?r=eyJrIjoiZTk3MWRlY2UtMzI3Yy00NWYxLWI1MzctNTFhOTVmY2Q1MjI3IiwidCI6IjZmMG U5YzQyLTk2Y2UtNDU1MS05NzAxLWJhMzFkMGQ2ZDE5ZSJ9

These Links are NOT Secure

Now I know what some of you are thinking.  Some of you are looking at that long GUID (Globally Unique Identifier http://guid.one/guid) and are thinking “no one is going to be able to guess that URL”.  And if you are thinking this, then you are 100% correct – no one will guess it.  But there are 2 big issues that directly affect the privacy of these links.

  1. Anyone in the organisation that can see this link can share it publicly – a disgruntled employee for example.  I was able to easily grab the URL for my Simpson embedded report at the start of this post using my browser developer tools.
  2. Microsoft searches these reports using Bing and may use and re-share your data publicly, or serve up the reports during a public Bing search.

I am sure there are not too many people that would be happy to have their sensitive corporate data appear in a Bing search.  I was not able to find any of my publicly shared reports via Bing (except those explicitly shared embedded in other blog articles) but that doesn’t mean it can’t/wont happen.

How to Undo a Mistake

If you have previously used this feature and are now having second thoughts, then great.  In the top right hand corner of the service, click on the cog and then “Manage Embed Codes” as shown below.

image

This will give you a list of all embed codes you have previously created.  You can click on the ellipsis next to the report and either fetch a new copy of the code, or you can delete the code altogether.

image

Free for Personal Use

Power BI is free for personal use.  Once you are ready to share, then you need to pay.  This is a very fair licencing model that allows anyone to learn and get started.  You only have to pay when you extract value (by sharing), and then it is still dirt cheap at just US$120 per user per year.  If you are living life on the edge trying to get the sharing benefits for free, then you would be well advised to simply pay for what you benefit from.

10 thoughts on “Publish to Web is not Secure”

  1. Hi! Thank you for the post. I have a question when you say “anyone can acces to the report and its data” do you mean that not only the report is public, also the database behind it?

  2. I have a 3 step process idea to nevertheless use embedded power bi report. Please suggest if this would still cause a security issue:

    1. Obfuscating the entire embed code snippet with a tool like snapbuilder.com (url > > http://snapbuilder.com/code_snippet_generator/obfuscate_html_source_code/)

    2. pasting the generated (obfuscated) code inside a password-protected wordpess page

    3. Banning indexing of the website by Bing

    After doing all of above, will it still be possible for someone to guess the report url AND/OR Bing to crawl website and make the power bi report public?

    1. There are 2 things from my perspective. 1) Microsoft specifically states “You may not use this function to share content internally, including through email, your internal network, or intranet site”. To me, if you do so, you are infringing the software licence (aka stealing). 2) Microsoft goes on to state “Microsoft may display the report on a public website or a public gallery”. In other words, you may wake up one morning and find your confidential business data appearing here https://community.powerbi.com/t5/Data-Stories-Gallery/bd-p/DataStoriesGallery Or worse, you may never realise that your confidential data is being displayed at the link above.

  3. Hi Matt
    This is really helpful thank you. We have an analytics platform for our clients to support their business development activities. It is delivered through a cloud SAAS. I was hoping that we would be able to embed Power BI Dashboards within our application but now reading your post I don’t think it is possible.
    All our clients have professional licenses to Power BI.
    Do you know if this is possible?

    1. You say “clients”. Do your clients have pro licences? If so, why not create “apps”. First create an app workspace and then publish as an app and share with clients (different domains are supported). It is not as customisable as embedding in your application. The other approach is to use one of the Embedded SKUs. These are designed to do exactly what you ask, but the starting price is about $650 per month I think.

    2. Steven, Matt,
      Here is another brand new option I just came across today! https://docs.microsoft.com/en-us/power-bi/service-embed-secure. I’ve been wrestling with finding an alternative to the insecure embed code for a while now, and this is a much awaited for option! Hope this helps!

      Previously, the options have been 1) Create a Power BI Embedded solution (requires a programmer, and Azure hours), or 2) Use the built-in Power BI webpart (requires SharePoint Online, Modern Pages, and Pro licenses for viewers). This new option of a secure embed code allows for embedding in a website or, more importantly for me, a classic SharePoint site. A Power BI pro license is still required, but at least it’s a solution where previously I had none, especially now that we can assign Pro licenses to guest users using Azure B2B.

      1. EDIT to my previous post: The article I linked states that Azure B2B is actually not supported. However, this is still a great option for Classic SharePoint sites or other Intranet sites.

  4. Found it interesting that much of the last portion of the Publish to Web URL is the same for all reports in a tenant. Turns out it is Base64 encoded JSON with two GUIDs: one for tenant and one for report.

  5. Nice blog post Matt! Hey a couple more things to call out: Power BI Admins have a UI in the Power BI Admin portal where they can review all existing Embed Codes and delete any they want to address. Read about it here: https://docs.microsoft.com/en-us/power-bi/service-admin-portal#embed-codes

    Also, Power BI Admins can set who within an organization can publish to web. It’s in Power BI Admin portal under Tenant settings. Look for Publish to web. You can disable Publish to web for the tenant or choose which users have the ability to create Publish to web embed codes. Read about it here: https://docs.microsoft.com/en-us/power-bi/service-admin-portal#tenant-settings

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top