Power BI Lesson 50 – Power BI Admin | Dataplexa

Visualisation & Service · Lesson 50

The Power BI Admin Portal, Tenant Settings, and Governance

Most Power BI users never see the Admin Portal — but every organisation deploying Power BI at scale needs someone who does. This lesson covers the Admin Portal end to end: tenant settings that control what users can and cannot do, usage metrics for understanding adoption, data export and sharing controls, capacity management on Premium, and the governance policies that keep a large deployment secure, compliant, and audit-ready.

Accessing the Admin Portal

The Admin Portal is only visible to users assigned the Power BI Administrator or Global Administrator role in Microsoft Entra ID (formerly Azure Active Directory). You access it from the Power BI Service by clicking the gear icon in the top navigation bar and selecting Admin portal. If you do not see this option, you do not have the required role.

Admin Portal — top-level navigation sections

⚙️

Tenant settings

Controls what every user in the organisation can do — publish, share, export, use AI features, connect to external data, etc.

📊

Usage metrics

Organisation-wide view of active users, report opens, dashboard views, dataset refreshes, and capacity consumption.

👥

Users

Lists all Power BI users in the tenant. Links through to Microsoft Entra for licence assignment and role management.

🔑

Audit logs

Every user action — report viewed, data exported, workspace created, permission changed — logged with timestamp and user identity.

💎

Capacity settings

Manage Premium and Embedded capacities — assign workspaces, monitor memory and CPU, configure workload limits.

🌐

Embed codes

View and revoke all public embed codes published in the organisation. Essential for controlling what is publicly accessible.

Tenant Settings — Controlling What Users Can Do

Tenant settings are the most powerful section of the Admin Portal. Each setting can be toggled on or off for the entire organisation, or scoped to specific security groups — enabled for some users, disabled for others. Changes take effect within 15 minutes and apply to every workspace in the tenant. Think of tenant settings as the constitution of your Power BI deployment: they define the boundaries within which every user operates.

Tenant setting	What it controls	Recommended default
Export to Excel	Whether users can export underlying data from visuals to Excel. Disabling this prevents raw data from leaving the Service.	Restrict to groups
Publish to web	Generates a public embed code that anyone on the internet can use to view a report — no authentication required. High risk if enabled broadly.	Disabled (or admins only)
Share to external users	Whether internal users can share reports with people outside the organisation (guest users via Entra B2B). Needed for client-facing reporting.	Enabled for named groups
Allow XMLA endpoints	Enables third-party tools (Excel PivotTables, Tabular Editor, SSMS) to connect to Premium datasets via the XMLA read/write endpoint.	Enabled (Premium only)
Create workspaces	Whether regular users can create new workspaces. Disabling this gives IT control over workspace sprawl — new workspaces require a request process.	Restrict to groups
AI insights (Copilot)	Enables Power BI Copilot features — AI-generated summaries, Q&A on data, smart narratives. Data is sent to Azure OpenAI when enabled.	Review data residency first

// HOW TO SCOPE A TENANT SETTING TO A SECURITY GROUP
// Example: Allow "Publish to web" only for the Marketing team

// Step 1 — Create a security group in Microsoft Entra ID
// Entra Admin Centre → Groups → New group
// Group type: Security
// Group name: PBI-PublishToWeb-Allowed
// Members: add the specific users who need this capability
// Save the group

// Step 2 — Apply the scope in the Admin Portal
// Admin Portal → Tenant settings
// Find: "Publish to web"
// Toggle: Enabled
// Apply to: Specific security groups
// Add group: PBI-PublishToWeb-Allowed
// Save

// Step 3 — Confirm the scope is applied
// A user in PBI-PublishToWeb-Allowed will see:
//   Report → File → Embed report → Publish to web   (visible)
// A user NOT in the group will see:
//   Report → File → Embed report → Publish to web   (grayed out or hidden)

// IMPORTANT: Security group membership changes take up to 15 minutes
// to propagate in the Power BI Service. If a user does not see the
// expected change immediately, wait 15 minutes and refresh the browser.

Tenant settings panel — scoped setting example

Publish to web

Enabled

Allows users to publish reports accessible to anyone on the internet.

Apply to:

Entire organisation Specific security groups

PBI-PublishToWeb-Allowed

14 members

Apply

Cancel

Usage Metrics — Understanding Adoption

Usage metrics tell you which reports and dashboards people actually use, and which ones no one has opened in months. Workspace admins see metrics for their own workspace. Power BI Administrators see tenant-wide metrics through the Admin Portal. This data is invaluable for two purposes: demonstrating ROI of your Power BI investment to leadership, and identifying unused content that should be archived or deleted.

// Accessing usage metrics — two levels

// WORKSPACE LEVEL (for workspace admins)
// Workspace → select a report → "..." → View usage metrics report
// Shows a pre-built report with:
//   - Unique viewers in the last 90 days (by day)
//   - Total views per report page
//   - Views by platform (web, mobile, embedded)
//   - Distribution method (direct access, app, shared link)
//   - Top viewers by name and view count

// TENANT LEVEL (for Power BI Administrators)
// Admin Portal → Usage metrics
// Shows the organisation-wide picture:
//   - Monthly Active Users (MAU) trend
//   - Most viewed reports and dashboards across the tenant
//   - Report opens and dashboard views by workspace
//   - Dataset refresh counts
// Export to Excel for deeper analysis

// MICROSOFT 365 AUDIT LOG (for compliance teams)
// Admin Portal → Audit logs → Go to Microsoft 365 admin centre
// Search audit logs for specific activities:
//   Activity: "Viewed Power BI report"
//   Date range: last 90 days
//   User: specific user or all users
// Results show: user, timestamp, report name, workspace, IP address
// Export as CSV for compliance reporting

// POWER BI ACTIVITY LOG (via PowerShell API)
// For automated monitoring, use the REST API or PowerShell:
// Install-Module -Name MicrosoftPowerBIMgmt
// Connect-PowerBIServiceAccount
// Get-PowerBIActivityEvent -StartDateTime "2025-01-01" -EndDateTime "2025-01-31"
//   | Where-Object {$_.Activity -eq "ExportArtifact"}
//   | Export-Csv -Path "C:\Audit\ExportEvents.csv"
// This approach logs every export event — essential for data loss prevention audits

Tenant usage metrics — Admin Portal summary (mock data)

1,284

Monthly Active Users

47,321

Report Views (30 days)

312

Active Datasets

Refresh Failures (7 days)

Top 5 reports by views (last 30 days)

#	Report	Workspace	Views	Unique viewers
1	Sales Executive Dashboard	Sales Leadership	8,412	243
2	Operations KPI Report	Operations	6,107	180
3	HR Headcount Tracker	Human Resources	3,884	92
4	Finance Monthly Close	Finance	2,991	67
5	Marketing Campaign ROI	Marketing	2,240	54

Capacity Management on Premium

Power BI Premium gives an organisation a dedicated block of compute and memory that workspaces can be assigned to. Unlike the shared capacity (where all Pro users compete for the same pool of resources), Premium capacity is yours alone — you control which workloads run on it and how much memory each workload gets. The Admin Portal's Capacity settings section is where you manage all of this.

Premium capacity — memory workload allocation

P1 capacity: 25 GB total memory — workload allocation

Datasets (Import & DirectQuery) 20 GB (80%)

Dataflows 3 GB (12%)

Paginated Reports (SSRS) 2 GB (8%)

Capacity overload behaviour: When total memory demand exceeds the allocated limit, Power BI evicts the least recently used datasets from memory first. Evicted datasets reload on the next query — users experience a slower first query, then normal speed. If overloads are frequent, upgrade the capacity SKU (P1 → P2) or assign workspaces more selectively.

// Managing Premium capacity — Admin Portal steps

// Step 1 — Assign a workspace to Premium capacity
// Admin Portal → Capacity settings → select your capacity → Workspaces
// Or: Workspace → Settings → Premium → Capacity name → select from dropdown
// Only Premium administrators or capacity administrators can reassign workspaces

// Step 2 — Monitor capacity health
// Admin Portal → Capacity settings → [your capacity] → Health
// Key metrics to watch:
//   CPU %:      if consistently above 70%, workloads are competing for compute
//   Memory %:   if consistently above 80%, datasets are being evicted frequently
//   Wait time:  how long queries queue before execution begins
// Download the "Power BI Premium Capacity Metrics" app from AppSource
// for the best detailed capacity monitoring dashboard

// Step 3 — Configure workload settings
// Capacity → Workload settings
//   Datasets max memory: 20 GB (default) — max memory for a single dataset refresh
//   Dataflows compute engine: on/off (Enhanced compute engine accelerates dataflows)
//   Paginated Reports: enable/disable for this capacity
//   AI/ML workloads: enable for AutoML and cognitive services in dataflows

// Step 4 — Set capacity administrators
// Capacity → Administrators → add users who can manage this capacity
// Capacity admins can: assign/remove workspaces, change workload settings,
//                      pause/resume the capacity (Embedded only)
// Capacity admins CANNOT: see tenant settings, access other capacities

// Step 5 — Scale the capacity SKU (when needed)
// Pausing and resizing is only available for Embedded (A SKUs), not Premium (P SKUs)
// For Premium P SKUs, scaling up requires a support ticket to Microsoft
// Plan capacity sizing before deployment — P1 (8 v-cores), P2 (16 v-cores), P3 (32 v-cores)

Capacity health panel — P1 capacity (mock data)

CPU Utilisation (last 7 days avg)

62%

Moderate — acceptable but rising

Memory Utilisation (last 7 days avg)

84%

⚠ High — evictions likely occurring

Avg Query Wait Time

1.4s

Acceptable — below 2s threshold

Recommendation: Memory utilisation at 84% — consider upgrading to P2 or removing low-usage workspaces from this capacity to reduce memory pressure.

Governance Policies for Large Deployments

Governance is the set of policies, processes, and guardrails that keep a large Power BI deployment from becoming an unmanaged sprawl of thousands of workspaces, duplicated datasets, and reports showing contradictory numbers. Good governance does not slow people down — it gives them a safe, well-signposted highway to drive on fast.

Endorsed content — Promoted and Certified

Datasets and dataflows can be marked Promoted (by the workspace owner) or Certified (by an authorised certifier set in tenant settings). Certified content appears at the top of search results with a blue badge, signalling to users that this is the trusted, approved version.

✓ Promoted — owner marks their own content

✓ Certified — requires authorised certifier role

✓ Prevents duplicate "which dataset is correct?" confusion

Sensitivity Labels (Microsoft Purview)

Sensitivity labels from Microsoft Purview (formerly MIP) can be applied to datasets, reports, and dashboards. Labels like Confidential or Highly Confidential travel with the data when exported to Excel or PDF — the exported file inherits the label and its protection policies.

✓ Labels travel with data on export

✓ Mandatory label policies prevent unlabelled publishing

✓ Integrates with DLP policies in Microsoft 365

// GOVERNANCE CHECKLIST — large Power BI deployment
// Use this as a baseline for any enterprise Power BI rollout

// 1. WORKSPACE NAMING CONVENTION
//    Enforce: [Department] – [Purpose] – [Environment]
//    Example: Finance – Monthly Close – Production
//             Finance – Monthly Close – Development
//    Prevents: "John's workspace", "Test", "New workspace 3"

// 2. WORKSPACE LIFECYCLE POLICY
//    Every workspace must have:
//      - A designated workspace admin (not just "members")
//      - A documented purpose in the workspace description
//      - A review date (quarterly) to assess active use
//    Workspaces with no activity in 90 days: archive or delete

// 3. DATASET OWNERSHIP AND CERTIFICATION
//    Identify 5–10 "golden datasets" (Sales, Finance, HR, etc.)
//    Assign each a data owner (business + IT co-ownership)
//    Certify golden datasets → they appear first in searches
//    Policy: all certified datasets must have:
//      - Row-level security configured where needed
//      - A documented refresh schedule and an on-call contact
//      - Incremental refresh enabled for tables > 1 million rows

// 4. EXPORT CONTROLS
//    Sensitive datasets: disable Export to Excel at the dataset level
//    Dataset → Settings → Export data → "Users can export summarised data only"
//    OR disable completely if classification requires it
//    Combine with sensitivity labels for audit-trail on exports

// 5. EXTERNAL SHARING POLICY
//    Approved use cases for external sharing defined in writing
//    Approvals logged in a SharePoint register
//    All external shares reviewed quarterly — revoke stale access
//    "Publish to web" disabled globally (enable only via named security group)

// 6. ROW-LEVEL SECURITY SIGN-OFF
//    Every report that contains HR, payroll, or financial data
//    must have RLS reviewed by the data owner before publishing
//    RLS review checklist:
//      - Correct roles defined?
//      - Users assigned to roles?
//      - Tested with "View as" for each role?
//      - Edge case: what does a user with NO role assignment see?

Endorsed content — search results showing certified vs standard datasets

📊

Sales Master Dataset ✓ Certified

Sales Leadership workspace · Refreshed 2h ago · 14,382 rows

Certified by: Data Governance Team

📊

Sales Data ↑ Promoted

Regional Analysis workspace · Refreshed 1 day ago · 9,804 rows

Promoted by owner

📊

Sales (copy)

John's workspace · Never refreshed

No endorsement

Users naturally select the Certified dataset first. Governance team can delete "Sales (copy)" after confirming it has no dependents.

Teacher's Note: The single most impactful governance action in a growing Power BI deployment is certifying 5 to 10 "golden datasets" and making sure every analyst knows they exist. Without this, every team builds their own version of the Sales dataset using slightly different filters and date logic — and within a year you have 40 datasets all called "Sales something" and a boardroom where two slides contradict each other. Certified datasets with a documented owner and a clear refresh schedule eliminate this problem. Start small: certify the datasets people already trust most, set up a Dataflows layer so those datasets all pull from a single cleaned source, and let the certification badge do the cultural work of redirecting analysts away from building their own copies.

Practice

Practice 1 of 3

In the Power BI Admin Portal, tenant settings can be enabled for the entire organisation or scoped to specific ___ so that only certain users have access to a particular capability.

Practice 2 of 3

A dataset or dataflow marked as ___ appears at the top of search results with a blue badge, signalling to users that it is the authoritative, approved version — this endorsement requires a designated certifier role set in tenant settings.

Practice 3 of 3

When Premium capacity memory utilisation consistently exceeds 80%, Power BI begins evicting the least recently used ___ from memory, causing slower first-query response times for users accessing those evicted items.

Lesson Quiz

Quiz 1 of 3

Your CISO asks you to ensure that no employee can share Power BI reports with users outside the organisation without explicit approval. At the same time, the Client Services team legitimately needs to share reports with named clients. What is the correct approach in the Admin Portal?

Disable the "Share to external users" tenant setting entirely — this blocks all external sharing. Tell the Client Services team to export reports to PDF and email them to clients instead. Enable the "Share to external users" tenant setting but scope it to a specific security group — for example, "PBI-ExternalShare-Approved". Add only the Client Services team members to this group. All other users will be unable to share externally. New Client Services members require an IT request to be added to the group, creating an auditable approval trail. Leave the "Share to external users" setting enabled for the entire organisation — it is safe because external users still need to authenticate with Microsoft before accessing any shared report. Brief users on acceptable use instead of restricting the setting. Create a separate Power BI tenant for Client Services so their external sharing activity is completely isolated from the main corporate tenant. This prevents any cross-contamination of data or permissions.

Quiz 2 of 3

A finance director opens the company's monthly P&L report and sees numbers that are different from those in a second "Finance Summary" report opened by the CFO. Both reports claim to show the same period's revenue. What governance failure most likely caused this, and what is the correct fix?

Both reports are showing the correct data — the difference is caused by a currency conversion applied in one report's DAX measures that was not applied in the other. Fix: standardise the DAX measure for revenue across both reports and redeploy. The Power BI Service cached stale data in one report. Fix: perform a manual refresh on both datasets simultaneously so they pull from the source at the same timestamp. The two reports are built on two different datasets, each applying slightly different filters or business logic (for example, one includes returns, the other excludes them). This is a classic governance failure — no single certified golden dataset exists. Fix: (1) identify or create one authoritative Finance dataset with agreed business rules; (2) certify it through the Admin Portal; (3) rebuild both reports on the same certified dataset; (4) delete the duplicate dataset. Row-level security is applied differently on the two datasets — the finance director's RLS role excludes some transactions that the CFO's role can see. Fix: align the RLS roles so both users see the same revenue figure.

Quiz 3 of 3

Your organisation's compliance team needs to produce a list of every instance where a user exported data from Power BI to Excel over the past 60 days, including the user's name, the report name, and the timestamp. Where do you get this information?

The Microsoft 365 Unified Audit Log (accessible via Admin Portal → Audit logs → Go to Microsoft 365 admin centre, or via the Power BI Activity Log REST API / PowerShell Get-PowerBIActivityEvent). Filter by activity "ExportArtifact" for the required date range. This log captures every export event with user identity, report name, workspace, and timestamp. Export the results to CSV for the compliance report. The dataset refresh history in the Admin Portal — refresh history shows all data movement including exports. Filter the history by "Export" event type and export the table for the compliance report. The workspace usage metrics report — each workspace's usage report includes a breakdown of export events alongside view counts and user activity. Compile the export rows from each workspace's usage report and merge them into a single compliance file. Power BI does not log individual export events at the user level. The only available data is aggregate export counts per report visible in workspace usage metrics. For user-level export auditing, a third-party DLP tool integrated with Microsoft 365 is required.

Course Complete

You've completed the Power BI course.

From connecting your first data source to governing an enterprise deployment — 50 lessons, one continuous goal: turning raw data into decisions that get acted on.

Lessons 1–15: Beginner — interface, data sources, data types, first reports

Lessons 16–30: Power Query — M language, transformations, parameters, data cleaning

Lessons 31–40: DAX — measures, CALCULATE, time intelligence, iterator functions

Lessons 41–50: Visualisation & Service — charts, sharing, refresh, admin & governance

← Previous Course Index

Power BI Course