Setting Up Power BI Sentinel
Getting started with Power BI Sentinel is a straightforward and quick process, but there are some pre-requisites that you need to sort out first:
- You must have an existing Power BI licence
- For Power BI Premium customers, to get documentation, search and table level lineage, you need to enable read access to the XMLA endpoint in Power BI
- Create an Azure Storage account to hold your backups, and get the connection string
- Create an Azure SQL DB to store your usage logging and lineage metadata, and get the connection string
- Request an Office 365 Global Admin to authorize Sentinel
Once these are done, setting Sentinel up is a very quick process. So let's work through these in turn.
Azure Storage Account
In order to back up your reports, Sentinel needs somewhere to store them, and as you don't want your sensitive data leaving your organization, you need to have your own storage.
This is done through the Azure portal at https://portal.Azure.com and you can accept all of the default options. You just need to choose a name, billing subscription, and data center location, all of which should follow your organization's standard conventions.
Recommended Specification: This is to store backups, so performance is not important. We therefore recommend 'Standard Performance', 'StorageV2', 'Cool', and either LRS (Locally Redundant) or GRS (Globally Redundant) depending on your redundancy needs.
It is also recommended to enable the 'Hierarchical Namespace', as this will give you the ability to back up bigger datasets.
Make a note of the 'Connection String', which you'll find on the 'Access Keys' page. Either of the two connection strings will work. It should look something like:
DefaultEndpointsProtocol=https;AccountName=powerbisentinelstorage;AccountKey=UM2CmBqw.....kGqQ==;EndpointSuffix=core.windows.net
Microsoft Guide to Creating an Azure Storage Account
Firewall (option 1)
If you enable the firewall on the Azure storage by only allowing specific private addresses to access the storage, please ensure that you add the following IP addresses to the authorized list.
vNet (option 2)
In some cases, Microsoft Azure network routing will not allow Power BI Sentinel to access your storage when a firewall is enabled.
If this is the case, you will need to add a storage account firewall rule to the Sentinel vNet, to enable Sentinel to store your backups. This is instead of adding the Sentinel IP addresses to your firewall.
This is actually more secure than a simple firewall, but does require a few more steps. So if you want to add a vNet connection instead of the firewall IP addresses you're welcome to do so to increase your security.
The process for creating a vNet connection is in the section below.
Cost
The cost of the storage account will depend on your Azure pricing contract with Microsoft, amount of data, and region. However as a rough guide, LRS Standard Cool Block Blob storage on Pay As You Go in East US costs approximately $0.015/£0.012 per GB per Month. (*Pricing as at September 2022)
Azure Storage Account - vNet Connection
In some cases, Microsoft Azure networking prevents access to services between different tenants; e.g. between your tenant and Power BI Sentinel.
In that case, you will need to create a vNet (Virtual Network) connection between your storage account firewall and Power BI Sentinel, so that it can then save your backup files.
This is done using a few lines of PowerShell.
Step 1) Open your Azure portal, at https://portal.Azure.com
Step 2) Go to the storage account that you are using for Power BI Sentinel backups, and make a note of the Resource Group name and the Storage Account name, as highlighted in the screenshot below.
Step 3) Edit the following script in Notepad (or similar) and enter your Resource Group Name and Storage Account Name where required, in the first two lines (as indicated in red).
For ALL credit card customers, and those invoiced customers using the default USA datacentre:
$storage = "ENTER YOUR STORAGE ACCOUNT NAME HERE"
$resourceGroup = "ENTER YOUR RESOURCE GROUP NAME HERE"
az feature register --namespace Microsoft.Network --name AllowGlobalTagsForStorage
az storage account network-rule add --resource-group $resourceGroup --account-name $storage --subnet "/subscriptions/0839b4b1-4655-4957-ae0c-faadffc6f38d/resourceGroups/PowerBISentinel_Prod_US/providers/Microsoft.Network/virtualNetworks/PowerBISentinel_Prod_US-vnet/subnets/default" --tenant-id "7e3de8e7-4d84-476e-98b0-8c195a3a2a1e"
az storage account network-rule add --resource-group $resourceGroup --account-name $storage --subnet "/subscriptions/0839b4b1-4655-4957-ae0c-faadffc6f38d/resourceGroups/PowerBISentinel_Prod_US/providers/Microsoft.Network/virtualNetworks/pbiProdUSVNetwork/subnets/default" --tenant-id "7e3de8e7-4d84-476e-98b0-8c195a3a2a1e"
For customers using the EU datacentre:
$storage = "ENTER YOUR STORAGE ACCOUNT NAME HERE"
$resourceGroup = "ENTER YOUR RESOURCE GROUP NAME HERE"
az feature register --namespace Microsoft.Network --name AllowGlobalTagsForStorage
az storage account network-rule add --resource-group $resourceGroup --account-name $storage --subnet "/subscriptions/0839b4b1-4655-4957-ae0c-faadffc6f38d/resourceGroups/PowerbiSentinelProdEU/providers/Microsoft.Network/virtualNetworks/PowerBISentinelProdEU-vnet/subnets/default" --tenant-id "7e3de8e7-4d84-476e-98b0-8c195a3a2a1e"
az storage account network-rule add --resource-group $resourceGroup --account-name $storage --subnet "/subscriptions/0839b4b1-4655-4957-ae0c-faadffc6f38d/resourceGroups/PowerbiSentinelProdEU/providers/Microsoft.Network/virtualNetworks/powerbisentinelprodeuvnet/subnets/powerbisentinelprodeusubnet" --tenant-id "7e3de8e7-4d84-476e-98b0-8c195a3a2a1e"
For customers using the AU datacentre:
$storage = "ENTER YOUR STORAGE ACCOUNT NAME HERE"
$resourceGroup = "ENTER YOUR RESOURCE GROUP NAME HERE"
az feature register --namespace Microsoft.Network --name AllowGlobalTagsForStorage
az storage account network-rule add --resource-group $resourceGroup --account-name $storage --subnet "/subscriptions/0839b4b1-4655-4957-ae0c-faadffc6f38d/resourceGroups/PowerBISentinelProdAU/providers/Microsoft.Network/virtualNetworks/PowerBISentinelProdAU-vnet/subnets/default" --tenant-id "7e3de8e7-4d84-476e-98b0-8c195a3a2a1e"
az storage account network-rule add --resource-group $resourceGroup --account-name $storage --subnet "/subscriptions/0839b4b1-4655-4957-ae0c-faadffc6f38d/resourceGroups/PowerBISentinelProdAU/providers/Microsoft.Network/virtualNetworks/pbiProdAUVNetwork/subnets/default" --tenant-id "7e3de8e7-4d84-476e-98b0-8c195a3a2a1e"
Note, if you have multiple subscriptions, you may need to add an additional parameter to the final line “--subscription {GUID}” to indicate the guid of the subscription that contains your storage account.
Step 4) Open a PowerShell CLI, using the icon on the top right of your portal window
Step 5) Once the CLI window has loaded, and shows you a "PS /home/xxx>" prompt, paste the script into the PowerShell window, and press [Enter] if necessary to run the script
If you get a "Gateway Authentication Error", then this is usually caused by an error/typo in the script. Please check it carefully to make sure it is complete, and matches the script above.
Step 6) Once completed (it should only take a few seconds), open up the ‘Networking’ page for your storage account, and you should see a Virtual Network named either “PowerBISentinel_Prod_US-vnet”, “PowerBISentinelProdEU-vnet”, or “PowerBISentinelProdAU-vnet”.
[Ignore the orange warning triangles, they’re expected]
Power BI Sentinel should now be able to access your backup storage.
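One way to check the result from the same PowerShell window, as an added example that is not part of the vendor's script: the function below reads the storage account's network rule set and reports whether the firewall is actually enforcing (default action 'Deny', without which the vNet rules restrict nothing) and whether both expected subnets are present. The JSON is constructed sample data and the function name is hypothetical.

```powershell
# Added example. $sampleJson is constructed; for a real account replace it with the output of:
#   az storage account show --resource-group $resourceGroup --name $storage --query networkRuleSet -o json
$sampleJson = @'
{
  "bypass": "AzureServices",
  "defaultAction": "Allow",
  "ipRules": [ { "action": "Allow", "ipAddressOrRange": "203.0.113.10" } ],
  "virtualNetworkRules": [
    { "action": "Allow",
      "virtualNetworkResourceId": "/subscriptions/0839b4b1-4655-4957-ae0c-faadffc6f38d/resourceGroups/PowerBISentinel_Prod_US/providers/Microsoft.Network/virtualNetworks/PowerBISentinel_Prod_US-vnet/subnets/default" }
  ]
}
'@

# The two US subnets from the script on this page; swap in the EU or AU pair as needed.
$expectedSubnets = @(
    '/subscriptions/0839b4b1-4655-4957-ae0c-faadffc6f38d/resourceGroups/PowerBISentinel_Prod_US/providers/Microsoft.Network/virtualNetworks/PowerBISentinel_Prod_US-vnet/subnets/default',
    '/subscriptions/0839b4b1-4655-4957-ae0c-faadffc6f38d/resourceGroups/PowerBISentinel_Prod_US/providers/Microsoft.Network/virtualNetworks/pbiProdUSVNetwork/subnets/default'
)

function Test-SentinelStorageRules {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $RuleSetJson,
        [Parameter(Mandatory)] [string[]] $ExpectedSubnets
    )
    $rules    = $RuleSetJson | ConvertFrom-Json
    $findings = @()
    # Network rules are only enforced when the default action is 'Deny'.
    if ($rules.defaultAction -ne 'Deny') {
        $findings += "defaultAction is '$($rules.defaultAction)': the firewall is not restricting access"
    }
    # -contains / -notcontains compare case-insensitively, like Azure resource IDs.
    $present = @(foreach ($r in $rules.virtualNetworkRules) { $r.virtualNetworkResourceId })
    foreach ($subnet in $ExpectedSubnets) {
        if ($present -notcontains $subnet) { $findings += "missing vNet rule: $subnet" }
    }
    foreach ($id in $present) {
        if ($ExpectedSubnets -notcontains $id) { $findings += "unexpected vNet rule, review: $id" }
    }
    # IP rules are listed for review: with the vNet option they are not required.
    foreach ($ip in $rules.ipRules) { $findings += "IP rule present, review: $($ip.ipAddressOrRange)" }
    $findings
}

$findings = @(Test-SentinelStorageRules -RuleSetJson $sampleJson -ExpectedSubnets $expectedSubnets)
if ($findings.Count -eq 0) { 'OK: firewall enforcing, only the expected subnets allowed' } else { $findings }
```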
Azure SQL DB
If you want to capture usage logs of which users are accessing which reports, and when, then you'll need an Azure SQL DB database to store this information.
This is done through the Azure portal at https://portal.Azure.com and you can accept all of the default options. You just need to choose a name, size, billing subscription, and data center location, all of which should follow your organization's standard conventions.
For customers with smaller Power BI tenants, we recommend starting with a minimum of a 'Standard, 250GB, 50 DTU' database. You can then size it up or down depending on your quantity of data, logs and performance requirements. Larger customers will need a more powerful database. We do not recommend using the default 'vCore' pricing model in Azure, purely because of its significantly increased costs; however, it is supported.
This database can be standalone, part of an Elastic Pool, or a Managed Instance; it's up to you.
Make a note of the ADO.NET (SQL Authentication or Active Directory Password Authentication) connection string, which you'll find on the 'Connection String' page. It should look something like:
Server=tcp:mydatabase.database.windows.net,1433;Initial Catalog=powerbisentinel_logging;...
Just be sure to edit the password in your connection string; when you copy the ADO.NET connection string from the Azure portal it contains {your_password} instead of your actual password!
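A pre-flight check for both connection strings (the storage one noted earlier and the SQL one here) before they are pasted into the Sentinel portal, as an added example that is not from the vendor. Both sample strings are constructed, the function names are hypothetical, and the Encrypt and TrustServerCertificate keywords are standard ADO.NET keys that the elided example above does not show.

```powershell
# Added example; assumes no ';' occurs inside a value (such a value would need quoting).
function ConvertFrom-ConnectionString {   # hypothetical helper name
    param([Parameter(Mandatory)] [string] $ConnectionString)
    $map = @{}   # PowerShell hashtable keys are case-insensitive
    foreach ($pair in ($ConnectionString -split ';')) {
        # Split on the first '=' only: a base64 AccountKey ends in '=' padding.
        $kv = $pair -split '=', 2
        if ($kv.Count -eq 2) { $map[$kv[0].Trim()] = $kv[1].Trim() }
    }
    $map
}

function Test-SentinelConnectionString {   # hypothetical helper name
    param([Parameter(Mandatory)] [string] $ConnectionString)
    $cs = ConvertFrom-ConnectionString -ConnectionString $ConnectionString
    $findings = @()
    if ($cs.ContainsKey('AccountName')) {
        if ($cs['DefaultEndpointsProtocol'] -ne 'https') {
            $findings += 'storage: DefaultEndpointsProtocol is not https'
        }
        if (-not $cs['AccountKey']) {
            $findings += 'storage: no AccountKey (string truncated when copied?)'
        }
    }
    elseif ($cs.ContainsKey('Server')) {
        # The portal's ADO.NET string ships with this literal placeholder.
        if ($ConnectionString -match '\{your_password\}') {
            $findings += 'sql: {your_password} placeholder was not replaced'
        }
        if ($cs['Encrypt'] -ne 'True') { $findings += 'sql: Encrypt is not True' }
        if ($cs['TrustServerCertificate'] -eq 'True') {
            $findings += 'sql: TrustServerCertificate=True skips certificate validation'
        }
    }
    else { $findings += 'unrecognised connection string' }
    $findings
}

# Constructed samples. Findings are reported by index so the secrets are never echoed.
$samples = @(
    'DefaultEndpointsProtocol=http;AccountName=examplestorage;AccountKey=Q09OU1RSVUNURUQ=;EndpointSuffix=core.windows.net',
    'Server=tcp:example.database.windows.net,1433;Initial Catalog=powerbisentinel_logging;User ID=sentinel_svc;Password={your_password};Encrypt=True;TrustServerCertificate=False;'
)
for ($i = 0; $i -lt $samples.Count; $i++) {
    $found = @(Test-SentinelConnectionString -ConnectionString $samples[$i])
    if ($found.Count -eq 0) { "sample ${i}: OK" }
    else { $found | ForEach-Object { "sample ${i}: $_" } }
}
```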
Please be aware that if you are using Active Directory logging you will need to disable any multi-factor authentication in order for the database connection string to work.
The easiest way to configure the permissions is to use the database admin user that you created along with the database. However, you can create your own user account if required, either a local SQL account or an Active Directory account. It must have permissions to create tables, views & stored procedures, and permissions to execute Stored Procedures and insert records into tables.
Microsoft Guide to Creating an Azure SQL DB
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-single-database-get-started?tabs=azure-portal
Firewall
If you enable the firewall on the Azure SQL server, please ensure that you "Allow Azure services and resources to access this server", and add the following IP addresses to the authorized list
Cost
The cost of this will depend on your Azure pricing contract with Microsoft, amount of data, and region. However as a rough guide, an S2 50 DTU 250GB database in East US costs approximately $74/£55 per Month, dropping to $30/£22 for an S1 20 DTU database. (*Pricing as at September 2022)
Admin Permissions
In order for Sentinel to access your Power BI estate, it needs to be granted permissions by your Office 365 Global Administrator.
To do this, ask your Office 365 Global Admin to authorize Sentinel using the following link, using the 'Power BI Admin Login' button:
https://portal.powerbisentinel.com
It makes it easier if this is done prior to you signing up for Sentinel.
Further details on the admin permissions
Power BI Permissions
The primary account used to configure the day to day running of Sentinel should be a Power BI Admin account.
This is sufficient for most functionality to operate, however in order for backups to be taken, this account will also require permissions on each and every workspace. This can either be Contributor, Member or Admin.
You may therefore decide to create a dedicated user account to run Sentinel under, which has these permissions.
If you need help bulk-allocating workspace permissions let us know and we can provide a script to speed this up.
Now to set up Sentinel
Now that you have all of these details set up, we can get Sentinel up and running using the following steps:
[If you already have an account, you can skip the payment section and jump to step 7]
- Sign in at https://portal.PowerBISentinel.com using the 'Login' link. Note that if you're using one of our regional datacentres, the login page will be:
- Use your existing PowerBI.com credentials (using a Power BI Admin account)
- If you get asked to authorize Sentinel, click 'Accept'
- [If you have already paid for Sentinel via invoice, then you can skip straight to the configuration section, step 8.]
- Choose your pricing tier, which is based on the number of reports in your PowerBI.com estate: either up to 250, up to 1000 or up to 5000 reports. You can also upgrade or downgrade these later.
- Go through the signup process, entering credit card details for your monthly billing.
- Once signed in, Sentinel needs to be configured
Configuring Sentinel
- Use the 'Configure' screen to set up the following:
- 'Server Config', Enable 'Use your own storage' and enter the Azure Storage connection string you created earlier
- Enter the Azure database connection string you created earlier (double check the username and password are correct).
- Scroll to the bottom and click 'Save Changes'
- Go to Backup Configure then 'Global Workspaces', and alter the Global Schedule if required between Daily/Weekly to determine if and when you want them included in the backup/change tracking/monitoring process, and override any Workspaces or Reports as required
- Scroll to the bottom and click 'Save Changes' - please be patient, it can take some time for the confirmation message to display
- Sentinel will then start backing up and initializing the change tracking in the background. You don't need to stay logged in for this, you can continue browsing.
- To grant other users access to Sentinel, invite them using the 'User Administration' section of the 'Home' page
Note that the first backup and change tracking initialization could take a few hours for a medium sized organisation, after which Sentinel will be ready for use.
We recommend leaving it to process, and checking on the results the following day.
In order to consume the usage logs, and view the exported lineage, documentation and permissions, you can use our Power BI templates to get you started. Download these from https://www.powerbisentinel.com/reports
Which Workspaces can I back up?
Sentinel works by acting on your behalf to back up and change track your reports. This means your PowerBI.com user account has to have access to a workspace before Sentinel can back it up.
'Old Style' Workspaces (based on Office 365 groups)
If you're using 'old style' workspaces, you need to ask all workspace owners to grant you permission to see their workspaces.
'New Style' Workspaces (now the default, after April 2019)
Sentinel is able to automatically grant you permission to see all 'new style' workspaces. Enable this by selecting the "Automatically add yourself as admin to all workspaces" option on the "Configure -> Server Config" screen within the Sentinel portal.
Which user account is used to do the backup?
The user account that sets or changes the backup schedule is used for all subsequent backup operations.
i.e. whoever last clicked the 'Save Changes' button in the Sentinel 'configure' screen.
Using Sentinel
You'll be able to access Sentinel's information the morning after you've set it up - it takes an overnight scan before you can see anything.
You can use the Sentinel portal, or access the data in your own Sentinel database.
The Sentinel portal provides access to configuration, backups, documentation, change tracking, data lineage, search, etc. which should all be self explanatory.
However, you'll probably spend most of your time using Power BI to view Sentinel's data, which you can do by pointing our template reports at your own database.
This allows you to use and build rich reports that you have full control over, showing usage logs, audit logs, lineage, documentation, and permissions.
