Setting Up Power BI Sentinel

Getting started with Power BI Sentinel is a straightforward and quick process, but there are some pre-requisites that you need to sort out first:

  • You must have an existing Power BI licence
  • Create an Azure Storage account to hold your backups, and get the connection string
  • Create an Azure SQL DB to store your usage logging (Optional), and get the connection string
  • Request an Office 365 Global Admin to authorize Sentinel

Once these are done, setting Sentinel up is a very quick process. So let's work through these in turn.

Azure Storage Account

In order to backup your reports, Sentinel needs somewhere to store them, and as you don't want your sensitive data leaving your organization, you need to have your own storage.

This is done through the Azure portal at and you can accept all of the default options, you just need to choose a name, billing subscription, and data center location, all of which should follow your organization's standard conventions.

Recommended Specification: This is to store backups, so performance is not important. We therefore recommend 'Standard Performance', 'StorageV2', 'Cool', and either LRS (Locally Redundant) or GRS (Globally Redundant) depending on your redundancy needs.

Sentinel Storage Specification

Make a note of the 'Connection String', which you'll find on the 'Access Keys' page. Either of the two connection strings will work. It should look something like:


Microsoft Guide to Creating an Azure Storage Account

Azure SQL DB

If you want to capture usage logs of which users are accessing which reports, and when, then you'll need an Azure SQL DB database to store this information.

This is done through the Azure portal at and you can accept all of the default options, you just need to choose a name, size, billing subscription, and data center location, all of which should follow your organization's standard conventions.

We recommend starting with a 'Standard, 250GB, 50 DTU' database initially, you can then size it up or down depending on your quantity of logs and performance requirements. We do not recommend using the default 'vCore' pricing model in Azure due to the significantly increased costs of this.

This database can either be standalone, or part of an Elastic Pool, or a Managed Instance, it's up to you.

Make a note of the ADO.NET (SQL Authentication or Active Directory Password Authentication) connection string, which you'll find on the 'Connection String' page. It should look something like:,1433;Initial Catalog=powerbisentinel_logging;...

Just be sure to edit the password in your connection string; when you copy the ADO.NET connection string from the Azure portal it contains {your_password} instead of your actual password!

The easiest way to configure the permissions is to use the database admin user that you created along with the database. However you can create your own user account if required, a local SQL account or an Active Directory account, and it must have permissions to create tables, views & stored procedures, and permissions to execute Stored Procedures and insert records into tables.

Microsoft Guide to Creating an Azure SQL DB


If you enable the firewall on the Azure SQL server, please ensure that you "Allow Azure services and resources to access this server", and add the following IP addresses to the authorized list


Admin Permissions

In order for Sentinel to access your Power BI estate, it needs to be granted permissions by your Office 365 Global Administrator.

To do this, ask your Office 365 Global Admin to authorize Sentinel using the following link:

If you also want to enable Power BI usage logging, then they will also need to authorize at the following link:

Important: open the following link in an in-private window or a different browser than used above

It makes it easier if these are done prior to you signing up for Sentinel.

Further details on the admin permissions

Now to set up Sentinel

Now that you have all of these details set up, we can get Sentinel up and running using the following steps:

[If you already have an account, you can skip the payment section and jump to step 7]

  1. Sign in at using the 'Power BI Admin Sign In' link
  2. Use your existing credentials
  3. If you get asked to authorize Sentinel, click 'Accept'
  4. [If you have already paid for Sentinel via invoice, then you can skip straight to the configuration section, step 8.]
  5. Choose your pricing tier, which is based on the number of reports in your estate, this will be either up to 250, up to 1000 or up to 5000 reports. You can also upgrade or downgrade these later.
  6. Go through the signup process, entering credit card details for your monthly billing.
  7. Once signed in, Sentinel needs to be configured

Configuring Sentinel

  1. Use the 'Configure' screen to set up the following:
    • 'Server Config', Enable 'Use your own storage' and enter the Azure Storage connection string you created earlier
    • Scroll to the bottom and click 'Save Changes'
    • Go to Backup Configure then  'Global Workspaces', and alter the Global Schedule if required between Daily/Weekly to determine if and when you want them included in the backup/change tracking/monitoring process, and override any Workspaces or Reports as required
      Scroll to the bottom and click 'Save Changes' - please be patient, it can take some time for the confirmation message to display
  2. Sentinel will then start backing up and initializing the change tracking in the background. You don't need to stay logged in for this, you can continue browsing.
  3. To grant other users access to Sentinel, invite them using the 'User Administration' section of the 'Home' page
  4. Set up logging by entering the Azure SQL DB connection string at, in a new in-private browser window.
    1. The first time visiting this URL, an Office 365 Global Admin will need to authorize the logging application to run by accepting the Microsoft pop up dialogue box.
    2. After saving the connection string, Sentinel will validate this within the next 30 minutes, and report whether it is able to connect to the database.

Note that the first backup and change tracking initialization could take a few hours for a medium sized organisation, after which Sentinel will be ready for use.

We recommend leaving it to process, and check on the results the following day.

Which Workspaces can I back up?

Sentinel works by acting on your behalf to back up and change track your reports. This means your user account has to have access to a workspace before Sentinel can back it up.

'Old Style' Workspaces (based on Office 365 groups)

If you're using 'old style' workspaces, you need to ask all workspace owners to grant you permission to see their workspaces.

'New Style' Workspaces (now the default, after April 2019)

Sentinel is able to automatically grant you permission to see all 'new style' workspaces. Enable this by selecting the "Automatically add yourself as admin to all workspaces" option on the "Configure -> Server Config" screen within the Sentinel portal.

Which user account is used to do the backup?

The user account who sets or changes the backup schedule is used for all subsequent backup operations.

i.e. whoever last clicked the 'Save Changes' button in the Sentinel 'configure' screen.

Using Sentinel

With Sentinel set up, you then get access to see details about your reports within the Sentinel portal. This includes accessing backups, documentation, change tracking, data lineage, search, etc. which should all be self explanatory.

You can also access Usage Analytics from the Sentinel portal, however you can also build more rich reports by accessing the data from Azure SQL DB directly from Power BI.