Admin Permissions Required

security

In order for Sentinel to backup your Power BI documents, and scan your tenant to generate documentation and data lineage, it is necessary to request permission for Sentinel to access your Power BI tenant.

There are three levels of access that you can choose from:

Limited access

To access this, use 'My Sentinel' at https://my.PowerBISentinel.com

This allows you to access all functionality of Power BI Sentinel, with the exception of:

  • No visibility of Personal Workspaces
  • Sentinel will not be able to automatically grant admins access to all workspaces (for backup purposes)

When you first sign in, you will be presented with the list of permissions in the following screenshot.

This only needs to be done once.

Full access

To access this, use 'Portal' at https://portal.PowerBISentinel.com

This access can only be granted by a Power BI Service Admin (or an Office 365 Global Administrator) so you will need to get a Admin to grant this using the above link before you sign up to Sentinel.

Note: Power BI Service Admin is a new permission level added in late 2019, which is different from (and superior to) a Power BI Admin.

The process is:

  1. Ask your Admin to authorize Sentinel by signing in at https://portal.powerbisentinel.com
  2. If you are shown a tick box asking to provide "consent on behalf of your organisation", please select it. This enables other users in your organisation to use Sentinel, and may be shown in some tenants. This only needs to happen once.
  3. You can then log into the same portal and sign up for Sentinel https://portal.powerbisentinel.com

This only needs to be done once.

Note that all of the permissions requested ONLY apply to PowerBI, and not your entire organisation, despite the ambiguous wording in the request message.

Given the risk associated with Personal Workspaces, and the risk of not knowing whether you're backing everything up or not, we strongly recommend that you grant the full Admin permissions.

What's the risk of not doing this?

  • You will have no visibility of what reports or data are being stored in Personal Workspaces. You will not know which data sources are being accessed by these reports, or whether users are hoarding critical reports in an area that only they have access to.
  • Even though you may be a Power BI Administrator, you will not automatically have access to see all workspaces. If you're responsible for governance and disaster recovery it's important that you can see everything. Sentinel has an option where it can automatically grant you access to new workspaces ensuring you always have full visibility, but this only works with this Admin approval.

For more details about Microsoft Consent, please see Microsoft's consent explanation page here.

For details about Power BI Service Administrators, please see this page

Usage Analysis

Power BI's internal usage logs are stored in o365 and not Power BI, so it needs a different type of authorization.

This needs to be done by a Office 365 Global Administrator.

If you want to enable usage logging and analytics, you need the Admin to authorize this separately by navigating to https://portal.powerbisentinel.com/logging

This process will need to be repeated when the authorization token expires. The person who previously authorized it will get a reminder email from Sentinel when this is needed, which should be every 2-3 months in most organisations, depending on your organisations internal security policy.

Why are permissions requested by Purple Frog Systems?

Power BI Sentinel is a service created and run by Purple Frog Systems Ltd, a Business Intelligence consultancy with over a decade of experience helping large global organisations with their Microsoft Data Platform analytics needs. Power BI Sentinel is a brand name that operates within the Purple Frog company, and it is hosted in Azure, within the Purple Frog tenant.

What happens if I don't grant permissions?

In order for Sentinel to work it has to have access to your Power BI tenant.

It is however up to you which of the above permission levels you grant the application.

If you're unable to grant any permissions then there is an option (at additional cost) to have your own corporate 'Self-Host' copy of Sentinel deployed into your own Azure tenant. If you would like to discuss this please get in touch with us.