Setting Up Power BI Sentinel
Getting started with Power BI Sentinel is a straightforward and quick process, but there are some prerequisites that you need to sort out first:
- Create an Azure Storage account to hold your backups, and get the connection string
- Create an Azure SQL DB to store your usage logging (Optional), and get the connection string
- Request a Power BI Service Admin to authorize Sentinel
Once these are done, setting Sentinel up is a very quick process. So let's work through these in turn.
Azure Storage Account
To back up your reports, Sentinel needs somewhere to store them, and as you don't want your sensitive data leaving your organization, you need to have your own storage.
This is done through the Azure portal at https://portal.Azure.com. You can accept all of the default options; you just need to choose a name, billing subscription, and data center location, all of which should follow your organization's standard conventions.
Recommended Specification: This is to store backups, so performance is not important. We therefore recommend 'Standard Performance', 'StorageV2', 'Cool', and either LRS (Locally Redundant) or GRS (Globally Redundant) depending on your redundancy needs.
Make a note of the 'Connection String', which you'll find on the 'Access Keys' page. Either of the two connection strings will work. It should look something like:
Microsoft Guide to Creating an Azure Storage Account
Azure SQL DB
If you want to capture usage logs of which users are accessing which reports, and when, then you'll need an Azure SQL DB database to store this information.
This is done through the Azure portal at https://portal.Azure.com. You can accept all of the default options; you just need to choose a name, size, billing subscription, and data center location, all of which should follow your organization's standard conventions.
We recommend starting with a 'Standard, 250GB, 50 DTU' database. You can then size it up or down depending on your quantity of logs and performance requirements. We do not recommend using the default 'vCore' pricing model in Azure because of its significantly higher cost.
This database can be standalone, part of an Elastic Pool, or a Managed Instance; it's up to you.
Make a note of the ADO.NET 'Connection String', which you'll find on the 'Connection String' page. It should look something like:
Microsoft Guide to Creating an Azure SQL DB
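A pre-flight check for the two connection strings noted above, as an added example that is not part of Sentinel or the original guide: it flags weak transport settings and produces a redacted copy that can be pasted into a ticket or change record. The sample strings, account names and key values are constructed placeholders, and the function names are illustrative.

```python
# Added example: lint and redact the two connection strings before sharing them.
# Assumes no value contains ';' (quoted ADO.NET values are not handled).
SECRET_KEYS = {"accountkey", "sharedaccesssignature", "password", "pwd"}

# Constructed sample values, not real credentials.
STORAGE_SAMPLE = ("DefaultEndpointsProtocol=https;AccountName=examplebackups;"
                  "AccountKey=CONSTRUCTEDKEYNOTREAL0000==;"
                  "EndpointSuffix=core.windows.net")
SQL_SAMPLE = ("Server=tcp:example.database.windows.net,1433;"
              "Initial Catalog=SentinelLogs;Persist Security Info=True;"
              "User ID=sentinel_writer;Password=constructed-not-real;"
              "Encrypt=False;TrustServerCertificate=True;Connection Timeout=30;")

def parse(conn):
    """Split 'Key=Value;...' into ordered (key, value) pairs."""
    pairs = []
    for part in conn.strip().split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # keep '=' padding inside the value
            pairs.append((key.strip(), value.strip()))
    return pairs

def redact(conn):
    """Return the string with secret values masked, for tickets and logs."""
    return ";".join(
        f"{k}=<redacted>" if k.lower() in SECRET_KEYS else f"{k}={v}"
        for k, v in parse(conn))

def findings(conn):
    """List weak settings in an Azure Storage or ADO.NET connection string."""
    kv = {k.lower(): v.lower() for k, v in parse(conn)}
    out = []
    if "accountname" in kv:  # Azure Storage format
        if kv.get("defaultendpointsprotocol") != "https":
            out.append("storage: DefaultEndpointsProtocol is not https")
    else:  # ADO.NET format
        if kv.get("encrypt") not in ("true", "yes", "mandatory", "strict"):
            out.append("sql: Encrypt is not enabled")
        if kv.get("trustservercertificate") in ("true", "yes"):
            out.append("sql: TrustServerCertificate skips certificate validation")
        if kv.get("persist security info") in ("true", "yes"):
            out.append("sql: Persist Security Info keeps the password readable")
    return out

if __name__ == "__main__":
    for sample in (STORAGE_SAMPLE, SQL_SAMPLE):
        print(redact(sample))
        print(findings(sample) or "no findings")
```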
If you enable the firewall on the Azure SQL server, please ensure that you "Allow Azure services and resources to access this server", and add the following IP addresses to the authorized list
In order for Sentinel to access your Power BI estate, it needs to be granted permissions by your Power BI Service Administrator.
To do this, ask your Power BI Service Admin to authorize Sentinel using the following link:
If you also want to enable Power BI usage logging, then they will also need to authorize at the following link:
It is easier if these are done before you sign up for Sentinel.
Further details on the admin permissions
Now to set up Sentinel
Now that you have all of these details set up, we can get Sentinel up and running using the following steps:
[If you already have an account, you can skip the payment section and jump to step 7]
- Sign in at https://portal.PowerBISentinel.com using the 'Power BI Admin Sign In' link
- Use your existing PowerBI.com credentials
- If you get asked to authorize Sentinel, click 'Accept'
- Choose your pricing tier, which is based on the number of reports in your PowerBI.com estate: either up to 250, up to 1000 or up to 5000 reports. You can also upgrade or downgrade later.
- Go through the signup process, entering credit card details for your monthly billing.
- Once signed in, Sentinel needs to be configured
- Use the 'Configure' screen to set up the following:
- 'Server Config', Enable 'Use your own storage' and enter the Azure Storage connection string you created earlier
- 'Server Config', Enable 'Automatically add yourself as admin to all workspaces' in order to make sure you have access to back up all reports (Optional)
- 'Your Workspace Reports', alter the Global Schedule if required between Daily/Weekly to determine if and when you want them included in the backup/change tracking/monitoring process, and override any Workspaces or Reports as required
- Scroll to the bottom and click 'Save Changes'
- Go to Backup Configure then 'Global Workspaces', and alter the Global Schedule if required between Daily/Weekly to determine if and when you want them included in the backup/change tracking/monitoring process, and override any Workspaces or Reports as required
- Scroll to the bottom and click 'Save Changes'
- Sentinel will then start backing up and initializing the change tracking in the background. You don't need to stay logged in for this; you can continue browsing.
- To grant other users access to Sentinel, invite them using the 'User Administration' section of the 'Home' page
- Set up logging by entering the Azure SQL DB connection string at https://portal.powerbisentinel.com/logging
- The first time this URL is visited, an Office 365 Global Admin will need to authorize the logging application to run by accepting the Microsoft pop-up dialog box.
- If the connection string will not save, please check the firewall configuration in the Azure SQL DB section above.
- If this still will not save, please disable the firewall temporarily, save the configuration, and then re-enable the firewall straight afterwards.
Note that the first backup and change tracking initialization could take a few hours for a medium-sized organisation, after which Sentinel will be ready for use.
Which Workspaces can I back up?
Sentinel works by acting on your behalf to back up and change track your reports. This means your PowerBI.com user account has to have access to a workspace before Sentinel can back it up.
'Old Style' Workspaces (based on Office 365 groups)
If you're using 'old style' workspaces, you need to ask all workspace owners to grant you permission to see their workspaces.
'New Style' Workspaces (now the default, after April 2019)
Sentinel is able to automatically grant you permission to see all 'new style' workspaces. Enable this by selecting the "Automatically add yourself as admin to all workspaces" option on the "Configure -> Server Config" screen within the Sentinel portal.
Which user account is used to do the backup?
The user account that sets or changes the backup schedule is used for all subsequent backup operations,
i.e. whoever last clicked the 'Save Changes' button in the Sentinel 'configure' screen.
With Sentinel set up, you then get access to see details about your reports within the Sentinel portal. This includes accessing backups, documentation, change tracking, data lineage, search, etc., which should all be self-explanatory.
You can also access Usage Analytics from the Sentinel portal; however, you can build richer reports by accessing the data in Azure SQL DB directly from Power BI.
If you want a quick starting point for looking at your Power BI usage, you can use the following Power BI Template file. Just download and open it, and then enter your Azure SQL DB details into the parameters.
Free Download to get you started: PowerBIUsageSentinel.pbit