Azure, Azure SQL Database, Business Intelligence - BI, Fabric Administrator, Fabric Capacity, Microsoft Fabric, Power BI, Power BI Governance, Power BI Service, Purview

Sharing Power BI Reports with External Users – Part 3: Sensitivity Labels, Encryption, and Secure Sharing

Sharing Power BI Reports with External Users the Right Way, Part 3: Sensitivity Labels, Encryption, and Secure Sharing

In Part two of this series, we walked through how to configure your Microsoft Fabric environment to securely share Power BI reports with external users across Microsoft 365 tenants. We covered licensing requirements, admin portal settings, how to invite guest users, and how to share reports directly with them.

Now, in the third and final part of this blog series, we focus on two important areas that are often overlooked:

  • What happens when Microsoft Purview sensitivity labels are applied to a report
  • How to refine admin portal settings to better control guest users’ access to Fabric

This series was originally created to support a YouTube video I published in April 2025. The topic turned out to be too broad to explain well in one blog, so I decided to split it into three parts.

Here is the complete series:

  • Part 1: Understanding the Problem and Core Concepts
    This post explains why external sharing can be tricky, the key requirements to get it working, important terminology, user roles, and how the whole process fits together.
  • Part 2: Hands-On Guide to Setup and Sharing
    A step-by-step walkthrough of how to share reports across tenants, covering licensing, admin portal settings, inviting guest users, and how report access looks from the guest’s side.
  • Part 3: Sensitivity Labels, Encryption, and Secure Sharing (this blog)

In this last part, we will look at what happens when Microsoft Purview sensitivity labels are applied, including access control, and will also discuss key admin settings you may need to adjust for more secure collaboration.

https://biinsight.com/wp-content/uploads/2025/06/Secure-Power-BI-Sharing_-Labels-Encryption-and-Admin-Control.wav

If you like to listen to the content on the go, here is the AI generated podcast explaining everything about this blog 👇.

If you are someone who prefers video over reading, you can watch the full walkthrough here 👇.

Let’s now get into the final piece of this guide.

Sensitivity Labels in Microsoft Fabric

Microsoft Purview sensitivity labels are part of a broader Purview Information Protection framework. These labels are not exclusive to Microsoft Fabric or Power BI. They are designed to be consistently applied across various Microsoft services, including but not limited to Outlook, Word, Excel, SharePoint, and Azure SQL DB. This ensures that data is classified and protected uniformly, regardless of where it is created, stored, or shared. In the context of Power BI, when you apply a sensitivity label to a report, it adds classification metadata and, if configured, applies protection such as encryption and access restrictions. These protections travel with the content. For example, if a report is exported to PDF or PowerPoint, and the label has encryption enabled, that exported file will also be encrypted. So only the users who are authorised to view the content will be able to open it, even outside of the Power BI service. This means your data remains secure not only inside your tenant but also when it moves across users, devices, and even organisations.

What Happens When You Share Encrypted Reports?

Let’s walk through an example.

You share a Power BI report with a guest user. This report has a label applied that encrypts its content. Here is what the guest user can and cannot do:

  • They can open the report online if they have been invited and given read access.
  • When they export the report to any Office formats such as PowerPoint, Excel and Word or PDF, the file is protected with encryption.
  • When they try to open the file (say a PDF), they will be asked to sign in again, obviously using their own organisational account (email) to be able to see the contents.
  • If the exported file is shared or stored somewhere others can access, they will not be able to open it unless they are authorised.

This means your content remains secure, even after it leaves the Power BI service.

In my video demo, Nestor (the guest user) successfully exports a report labelled Highly Confidential to PDF, but even then, he has to authenticate again to open it. If Nestor forwards the PDF to a colleague, the colleague cannot access the contents of the file unless explicitly granted access. The following image shows what happens when the unauthorised colleague opens the PDF file:

So far, we have discussed how Sensitivity Labels in Purview Information Protection work with report sharing in Power BI. Now let’s fine tune our configuration in Fabric Admin Portal.

Refining the Admin Portal Settings: Control Guest Access to Fabric

A key setting that many admins miss is Guest users can access Microsoft Fabric, located in the Fabric Admin Portal under Tenant Settings.

When you enable this setting for the entire organisation, it allows all guest users in your Entra ID to access Fabric content, if they are given permissions on workspaces or items. But this might not be what you want.

For better governance and control, you can restrict this setting to only apply to a specific security group. That means, only guest users who are members of that group will be allowed to access Fabric features in your tenant. All other guests will remain blocked, even if they exist in your Entra directory.

Here is how it works:

  1. Create a security group either from M365 Admin Centre or Entra ID (for example, External Fabric Access)
  2. Add your selected guest users to this group manually
  1. Go to the Fabric Admin Portal, open Tenant Settings
  2. Find the setting Guest users can access Microsoft Fabric
  3. Enable it only for the security group you created

This is very useful in scenarios like:

  • Consulting firms who want to share a report with a specific customer
  • Government agencies working with external auditors or partner departments
  • Large enterprises that share information only with known and trusted third-party users

This setting lets you enable secure access without opening the door to all guest users. It gives you the balance of usability and control that many enterprises are looking for.

Summary

We’ve now reached the final part of this blog series. In this post, we covered:

  • What sensitivity labels do and how encryption affects guest access
  • The guest user experience when interacting with labelled reports
  • How to refine admin portal settings to limit Fabric access for guest users to only a trusted group

It is very important to not treat external sharing as just another Power BI feature. When done wrong, it can open up security risks. But when configured carefully, it becomes a powerful tool to collaborate with external users in a secure and controlled way.

Thanks for following this series. I hope it helped you better understand the big picture and also the technical details of sharing Power BI content across organisations.

Follow me on LinkedInYouTubeBluesky and X (formerly Twitter).

Discover more from BI Insight

Subscribe to get the latest posts sent to your email.

Published by Soheil Bakhshi

Leave a Reply

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.