Checklist Summary:

Microsoft 365 (M365) Power BI is a cloud-based product that facilitates self-service business intelligence dashboards, reports, datasets, and visualizations. Power BI can connect to multiple different data sources, combine and shape data from those connections, then create reports and dashboards to share with others. This Secure Configuration Baseline (SCB) provides specific policies to strengthen Power BI security.

Checklist Role:

• Client / Server
• Office Software

Known Issues:

Not Provided

Target Audience:

The Secure Cloud Business Applications (SCuBA) project run by the Cybersecurity and Infrastructure Security Agency (CISA) provides guidance and capabilities to secure federal civilian executive branch (FCEB) agencies’ cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments.

Target Operational Environment:

• Managed
• Standalone

Testing Information:

Not Provided

Regulatory Compliance:

Not Provided

Comments/Warnings/Miscellaneous:

Not Provided

Disclaimer:

The information in this document is being provided “as is” for INFORMATIONAL PURPOSES ONLY. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial entities or commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoritism by CISA. This document does not address, ensure compliance with, or supersede any law, regulation, or other authority. Entities are responsible for complying with any recordkeeping, privacy, and other laws that may apply to the use of technology. This document is not intended to, and does not, create any right or benefit for anyone against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

Product Support:

CyberSharedServices@cisa.dhs.gov

Point of Contact:

CyberSharedServices@cisa.dhs.gov

Sponsor:

Not Provided

Licensing:

Portions of this document are adapted from documents in Microsoft’s M365 and Azure GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Sources are linked throughout this document. The United States government has adapted selections of these documents to develop innovative and scalable configuration standards to strengthen the security of widely used cloud-based software services.

Change History:

checklist approved - 2/12/2024
updated to final - 3/11/2024
Updated References - 08/30/2024

Dependency/Requirements:

URL	Description

References:

Reference URL	Description
https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-onprem	What is an on-premises data gateway?
https://learn.microsoft.com/en-us/fabric/security/service-admin-row-level-security	Row-level security (RLS) with Power BI
https://learn.microsoft.com/en-us/power-bi/enterprise/service-encryption-byok	Bring your own encryption keys for Power BI
https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-sensitivity-label-overview	Sensitivity labels in Power BI
https://learn.microsoft.com/en-us/powershell/power-bi/overview?view=powerbi-ps	Microsoft Power BI Cmdlets for Windows PowerShell and PowerShell Core

NIST checklist record last modified on 08/30/2024