PowerBI Secure Architecture
Making sense of PowerBI its architectural diagram and creating a secure setup for accessing on-premises data
PowerBI is an amazing dashboarding and report creation tool for BI, but with amazing tools come difficult architectures that we should try to fully understand to get the fullest out of it.
To better illustrate the architecture, let’s define a practical use case.
Example Use Case
Suppose a user needs to upload a CSV file to a local NFS share, generate a report from this data, and then publish the report.
While this workflow may seem straightforward at first glance, it introduces several important challenges—particularly around security and user isolation. For instance, if person X publishes a report, how can we ensure that their access is properly isolated? How do we control and audit secure read and write permissions for these files?
As a user, I want to be able to put a CSV file on a local NFS share, which I then can use to create a report and publish it.
Addressing these questions requires a thorough understanding of Power BI and its security capabilities. To proceed, let’s first define the key components involved in this scenario.
Architecture Components
Online
| Component | Description |
|---|---|
| Workspace | The cloud workspace where reports are created and published |
| Report | The visualization created from the data in the CSV files |
| Semantic Model | Formerly called a dataset, this represents the data model in Power BI derived from the CSV data |
| Gateway Configuration | Settings in Power BI Service that configure how the gateway connects to on-premise data sources |
| PBI Connection | The configuration that maps the Semantic Model to the on-premise data source via the gateway |
| AAD Group | Manages administrative permissions for gateway configuration and connection creation. |
On-Premise
| Component | Description |
|---|---|
| NFS Share | Stores the files uploaded by users. |
| Active Directory (AD) Group | Grants read/write access to the NFS share. |
| Service Account | Runs the Power BI Gateway and is a member of the AD Group (enforcing least privilege access). |
| PowerBI Gateway | Acts as a secure bridge between on-premises data and Power BI Cloud, using the Service Account’s credentials. |
This focuses on Key Security Mechanisms:
- User Isolation
Users never directly access the NFS share or Service Account. They interact only with the Power BI Workspace and reports in the cloud. - Access Control Layers
- AD Group: Limits NFS share access to the Service Account.
- AAD Group: Restricts gateway configuration to authorized admins.
- Service Account: Runs the gateway with minimal privileges.
- Data Flow Security: As our flow is
User → NFS Share (write) → Power BI Gateway (read via Service Account) → Semantic Model → Report, The gateway acts as a security proxy—users can’t directly query or modify the CSV after upload.
Architecture
Putting this all together generates the architecture below, ensuring that users can only create and publish reports, but they don't have direct access to underlying data infrastructure, providing a correct isolation of activities.
(runs as Service Account)"] AD_Group["Local AD Group
(Share Access)"] SA["Service Account"] end %% Cloud Components subgraph Cloud Workspace["Power BI Workspace"] Report["Power BI Report"] Semantic["Semantic Model"] Gateway_Config["PBI Gateway Configuration"] AAD_Group["AAD Group
(ADMIN + CONN CREATOR)"] PBI_Conn["PBI Connection"] end %% Data and Control Flow User -- "Places CSV" --> NFS User -- "Creates" --> Workspace Workspace -- "Contains" --> Report Report -- "Uses" --> Semantic Semantic -- "Connects via" --> PBI_Conn PBI_Conn -- "Configured by" --> Gateway_Config Gateway_Config -- "Managed by" --> AAD_Group PBI_Conn -- "Uses" --> PBI_GW PBI_GW -- "Runs as" --> SA SA -- "Member of" --> AD_Group AD_Group -- "Has access to" --> NFS PBI_GW -- "Reads CSV" --> NFS %% Visual separation classDef cloud fill:#E3F2FD,stroke:#90CAF9; classDef onprem fill:#FFF3E0,stroke:#FFB300; class Cloud,Workspace,Report,Semantic,Gateway_Config,AAD_Group,PBI_Conn cloud; class On-Premise,User,NFS,PBI_GW,AD_Group,SA onprem;
Comments ()