Publish to web vs Embed

Hi,

Scenario:

Client wishes to include data sensitive Power BI reports within intranet for internal use only. To avoid having to setup Pro accounts for every user they have not used “embed” but have used “Publish to web”. They have then used code to change the link so it can not be accessed by anyone outside the org.

Questions:

  1. I believe that although they have amended the URL with code manually, Power BI still created the original Publish to web and anyone outside of the organisation could access this if they searched the internet.
  2. Is there a way to use embed but not require a pro licence for each user?

Thanks

@Hitman,

danger
DANGER, WILL ROBINSON!

You are correct that once you create the publish to web link, it is effectively “out in the wild”. And embedding Publish to Web behind a secure portal doesn’t necessarily make it secure. Watch this scary episode of Guy in a Cube for one example.

There is really no way to confidently secure sensitive Power BI reports without proper licensing. If there were, Microsoft would have no way to recoup any of the massive investment they’ve made in this platform.

-Brian

2 Likes

Hi Brian.

Thanks for responding (it seems quite quiet on forum).

Prior to posting on here i had also gone to GIAC video (yours is newer and also poses another issue)

Here is my thinking:

  • List item

Currently - At the point of wanting to share a report the client has 3 options of selecting either 1) Embed, 2) embed to sharepoint or 3) Publish to web.

  • List item

They have chosen to select publish to web and then make the link safe with PHP code (To avoid license purchase).

The point that I have raised is that (Please can you tell me if you agree), once they select publish to web, regardless of where they then add PHP code after which presumably helps stop it being forwarded, as it has already been published to web the data is available on the web. If people search hard enough with the right tools they can find it.

Do you agree and if so do you agree that i should tell the org their data is not safe?

I have also just found out that they have Azure so does this not open them up to embedded solutions?

@Hitman,

I agree with your assessment 100%. The PGP “fix” is closing the barn door long after the horses are out.

The warning from Microsoft before confirming creation of the publish to web link explicitly states that the data will not be secure, and in addition you are in effect giving Microsoft rights to do whatever they want with that report.

The ability to access Azure alone doesn’t change the equation here. We have secure access to Azure at work, but still need individual Pro licenses, because we don’t have Premium capacity. There are paid secure embedded solutions – I don’t know much about these, since I remember looking at them originally as them as a way to save money relative to purchase of Pro licenses, but found these solutions to be pretty limited and unable to meet our needs so I didn’t dig further into them.

I hope this is helpful. There are lots of folks here far more knowledgeable about administration than me, so I would invite them to chime in here if there are any issues that I’ve overlooked. However, I can say with confidence that using publish to web with sensitive data as a way to avoid licensing costs is a terrible approach. If they are really committed to not paying licensing, I think securely distributing the PBIX file and having users access it via the desktop client is a relatively better (but still bad) approach.

  • Brian

image

2 Likes

Hi @Hitman, did the response provided by the contributors help you solve your query? If not, how far did you get, and what kind of help you need further? If yes, kindly mark the thread as solved. Thanks!

Thanks Brian. (Sorry i only just saw this reply)

Seems like we are both on the same page but always nice to get confirmation from others in the business :wink:

Is it just me or does the forum seem a lot more quiet now days?

@Hitman,

It’s just you. :grinning:

I did some analysis on the forum usage data recently, and the trend is a straight, steep-sloped line upwards. Since the advent of the Data Challenges, the traffic has boomed even further. You may not be perceiving it this way if you are frequently on over the weekends, where there definitely is a pattern of lower traffic than during the week.

  • Brian

It is probably me :wink:

What i think would be amazing would be if you could find someone of a similar skillset and have a kind of “buddy” system where you could share and bounce ideas / learning. I know on power BI journey it would have reduced learning time and now i am going on a power platform / dynamics learning route i am thinking how useful it would be again…

Maybe an idea for the site but not sure how it would work…Also you run the risk of getting someone crazy or even worse me :wink: