One of the important tasks of a Power BI administrator is to ensure that shared reports meet compliance and auditing requirements. The Scanner API and the activity log give us many good insights, but not everything we need when it comes to widely shared reports. To get this information, we need to call two other Power BI Admin APIs:
As the names imply, we can get the list of reports that have an active embed code allowing public access and the list of reports that have been shared with everyone in the company.
Head over to my Power BI Monitor GitHub to download a Data Factory Pipeline template and Synapse Serverless SQL views to query the JSON output. The template uses the same authentication mechanism with the Managed Identity that I described in my first blog post about extracting the Power BI activity log.
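As an added illustration (not the Data Factory template and not code from the author's repository), the sketch below pages through both widely-shared-artifacts endpoints and groups the results by sharer, which is the view you typically want for an audit. The endpoint paths and JSON field names (`ArtifactAccessEntities`, `continuationUri`, `sharer.emailAddress`) are assumptions about the response shape, and the HTTP call is replaced by constructed sample pages so the code runs offline.

```python
from collections import defaultdict

# Endpoint paths are assumptions; the page does not list them.
BASE = "https://api.powerbi.com/v1.0/myorg/admin/widelySharedArtifacts"
ENDPOINTS = {
    "publishedToWeb": BASE + "/publishedToWeb",
    "linksSharedToWholeOrganization": BASE + "/linksSharedToWholeOrganization",
}

def collect(fetch, url):
    """Follow continuationUri links until the API stops returning one."""
    entries, seen = [], set()
    while url and url not in seen:  # stop if the API ever repeats a URI
        seen.add(url)
        page = fetch(url)
        entries += page.get("ArtifactAccessEntities") or []
        url = page.get("continuationUri")
    return entries

def audit(fetch):
    """Group widely shared artifacts by the e-mail address of the sharer."""
    by_sharer = defaultdict(list)
    for kind, url in ENDPOINTS.items():
        for e in collect(fetch, url):
            # A missing sharer is still reported, so nothing drops out of the audit.
            sharer = (e.get("sharer") or {}).get("emailAddress") or "<unknown>"
            by_sharer[sharer].append((kind, e.get("artifactType"), e.get("displayName")))
    return dict(by_sharer)

# Constructed sample pages standing in for the HTTP responses.
PAGE2 = ENDPOINTS["publishedToWeb"] + "?continuationToken='constructed'"
PAGES = {
    ENDPOINTS["publishedToWeb"]: {
        "ArtifactAccessEntities": [{"artifactId": "id-1", "displayName": "Sales",
            "artifactType": "Report", "sharer": {"emailAddress": "anna@example.com"}}],
        "continuationUri": PAGE2},
    PAGE2: {"ArtifactAccessEntities": [{"artifactId": "id-2", "displayName": "Old demo",
            "artifactType": "Report", "sharer": None}]},
    ENDPOINTS["linksSharedToWholeOrganization"]: {
        "ArtifactAccessEntities": [{"artifactId": "id-3", "displayName": "HR overview",
            "artifactType": "Report", "sharer": {"emailAddress": "anna@example.com"}}]},
}

def fake_fetch(url):
    # In production this would be an HTTP GET with the managed identity's bearer token.
    return PAGES[url]

if __name__ == "__main__":
    for sharer, items in audit(fake_fetch).items():
        print(sharer, items)
```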
There are indeed use cases for both types of widely shared reports, but only in very specific scenarios. I generally recommend allowing “Publish to web” only for specific trusted users with this tenant setting.
And then I recommend turning sharing links to the whole organization off with this tenant setting.
The feature is fine enough – especially if you monitor its use. The problem is that it’s the default option if you allow it.
I would love to be able to have it turned on, but have it at the bottom of the sharing options. “Specific people” should be at the top and be the default option, so we force people to take a stand.
Generally, sharing reports with links should be limited, and instead you should educate your users to share content through Apps. The Scanner API can give the full overview of how all the reports in your tenant are shared. Is it direct or through apps?