Today I want to issue a warning to anyone considering using Publish to Web to share corporate data internally within an organisation. Publish to Web is a standard feature on all Power BI accounts (free and Pro) – I first wrote about it two years ago here. This is a great feature that is designed to let you share non-sensitive data publicly on the web, but despite what you may think it is definitely not secure: the only thing standing between a report and the whole internet is the secrecy of its URL.
Sample Embedded Report
Here is an example of one of my publicly shared reports from my blog article a few weeks ago.
Prior to Power BI, it was very difficult to share non-sensitive data on the web in this way and I think this is a great public service offering from Microsoft. But the key word here is “public”.
There are Plenty of Warnings
There are plenty of warnings given to the report author not to use this feature for sensitive corporate data. Let’s look at the process. When you want to share your report publicly on the web, you simply click File\Publish to Web as shown below (from the Power BI Service).
Warning Message 1
You will then get the following information and warning message.
Note the several references above to the fact that you will be sharing this information publicly. Also note that it explicitly states the following:
You may not use this function to share content internally, including through email, your internal network, or intranet site.
This sounds like it is part of the terms of service agreement, although I checked here https://powerbi.microsoft.com/en-us/terms-of-service/ and couldn’t find any reference. I am not sure of the legal status of this message, but you should still take note of the warning. Read on to find out why.
Warning Message 2
Then you get the following warning message.
In the above dialog, there is some additional important information.
Microsoft may display the report on a public website or public gallery.
More on this important message shortly. Finally, you are presented with the sharing URL. Here is mine.
These Links are NOT Secure
Now I know what some of you are thinking. Some of you are looking at that long GUID (Globally Unique Identifier http://guid.one/guid) and are thinking “no one is going to be able to guess that URL”. And if you are thinking this, then you are 100% correct – no one will guess it. But guessing is not the threat. The URL itself is the only credential: there is no login, no permission check and no audit of who opened it, so whoever holds the link holds the report. That leads to two big issues that directly affect the privacy of these links.
- Anyone in the organisation who can see this link can share it publicly – a disgruntled employee, for example. The link is not hidden anywhere clever; it is simply the src attribute of the iframe on whatever page embeds the report. I was able to easily grab the URL for my Simpson embedded report at the start of this post using my browser developer tools, and anyone who can view the page can do the same.
- Microsoft may index these reports with Bing, may use and re-share your data publicly, or may serve up the reports in public Bing search results.
I am sure there are not too many people that would be happy to have their sensitive corporate data appear in a Bing search. I was not able to find any of my publicly shared reports via Bing (except those explicitly shared embedded in other blog articles), but that doesn’t mean it can’t/won’t happen.
How to Undo a Mistake
If you have previously used this feature and are now having second thoughts, then great. In the top right-hand corner of the service, click on the cog and then “Manage Embed Codes” as shown below.
This will give you a list of all embed codes you have previously created. You can click on the ellipsis next to the report and either fetch a new copy of the code, or you can delete the code altogether. Deleting the code is what actually revokes access – every copy of the link stops working, wherever it was pasted. Simply removing the iframe from your own page does nothing, because the link itself still resolves. Note also that anything a search engine already captured may linger in its cache for a while after the code is deleted.
Free for Personal Use
Power BI is free for personal use. Once you are ready to share, then you need to pay. This is a very fair licencing model that allows anyone to learn and get started. You only have to pay when you extract value (by sharing), and then it is still dirt cheap at just US$120 per user per year. If you are living life on the edge trying to get the sharing benefits for free, then you would be well advised to simply pay for what you benefit from.