Private endpoints for accessing Power BI - Power BI (2023)

You can use the Azure Private Link feature to provide secure access to traffic in Power BI. Azure networks provide the Azure Private Link feature. This configuration uses private endpoints from Azure Private Link and Azure Networking to privately send traffic over the Microsoft backbone infrastructure. The data is not transmitted over the Internet, but rather through the backbone of Microsoft's private network.

When you use private link connections, these connections traverse the Microsoft private network backbone when Power BI users access Power BI service resources.

verWhat is Azure Private Link?for more information on Azure Private Link.

Understand private endpoints

Private endpoints ensure traffic keeps flowingnoYour organization's Power BI items (such as reports or workspaces) always follow your organization's configured private link network path. User traffic to your Power BI items must go through the private link that you set up. You can configure Power BI to reject all requests that do not come from the configured network path.

private endpointsnoMake sure Power BI traffic to your external data sources, whether in the cloud or on-premises, is protected. Configure virtual network and firewall rules to further protect your data sources.

Power BI integration and private endpoint

Azure Private Endpoint for Power BI is a network interface that connects you privately and securely to the Power BI service provided by Azure Private Link.

Private endpoint integration enables the deployment and private access of platform-as-a-service (PaaS) services from the customer's local and virtual networks, while the service continues to run outside the customer's network. Private endpoints are a unique, targeted technology that allows clients to initiate connections to a specific service, but the service cannot connect to the client's network. This private endpoint integration pattern provides management isolation, allowing the service to function regardless of the client's network policy settings. For multi-tenant services, this private endpoint model provides connection identifiers to prevent access to resources by other clients hosted on the same service. When private endpoints are used, services using the integration can only access a limited set of other features of the PaaS service.

The Power BI service implements private endpoints and not service endpoints.

Using private endpoints with Power BI provides the following benefits:

1. Private endpoints ensure that traffic flows through the Azure backbone to a private endpoint for Azure cloud-based resources.

2. Isolating network traffic from non-Azure infrastructure, such as on-premises access, for example, would require customers to have ExpressRoute or a virtual private network (VPN) configured.

Using secure private endpoints to access Power BI

In Power BI, you can set up and use an endpoint that allows your organization to privately access Power BI. To set up private endpoints, you must be a Power BI administrator and have permissions in Azure to create and configure resources such as virtual machines (VMs) and virtual networks (V-Nets).

The steps that will allow you to securely access Power BI from private endpoints are:

1. Enable private endpoints for Power BI
2. Create a Power BI resource in the Azure portal
3. Create a virtual network
4. Creating a virtual machine (VM)
5. Create a private endpoint
6. Connecting to a virtual machine via Remote Desktop (RDP)
7. Access Power BI privately from the virtual machine
8. Disable public access for Power BI

The following sections provide additional information for each step.

Enable private endpoints for Power BI

First, log in toenergy BIService as administrator, and then do the following:

1. Select from page headerDefinitions>administration portal.

2. Choosetenant setupand scroll toadvanced network. Toggle the radio button to activate itAzure private link.

   

It takes about 15 minutes to set up a private link for your tenant, which involves setting up a separate FQDN for the tenant to communicate privately with Power BI services.

After completing this process, you can proceed to the next step.

Create a Power BI resource in the Azure portal

Then login toAzure-Portaland create a Power BI resource with ablue template. Substitute the parameters in the sample ARM template shown in the following table to create a Power BI resource.

Create the ARM model

{ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": {}, "resources": [ { "type":"Microsoft.PowerBI/privateLinkServicesForPowerBI", "apiVersion": "2020-06-01", "name": "<resource name>", "location": "global", "properties": { "tenantId": "<id-object-tenant>" } } ]}

In the dialog that appears, check the box to accept the terms of use and selectKaufen.

Create a virtual network

The next step is to create a virtual network and a subnet. Replace the example parameters in the following table with your own to create a virtual network and subnet.

1. Select in the upper left corner of the screenCrear recurso > Red > Red virtualthe fetchred virtualin the search field.

2. NoCreate a virtual networkenter or select the following informationFundamentalsAba:

   Definitions	Wert
   project details
   Inscription	Select your Azure subscription
   resource group	Choosecreate a new, get into<resource group name>, then selectOKor select an existing one<resource group name>based on parameters.
   instance details
   Name	Get into<Virtual Network Name>
   Region	Choose<Region Name>

   The following image shows theFundamentalsAba.

   

3. Then select theIP addressestab or select itNext: IP Addresses buttonat the end of the form. On the IP Addresses tab, enter the following information:

   Definitions	Wert
   IPv4 address	Get into<Rum of IPv4 addresses>

   

4. Nosubnet nameselect the wordOriginally, is inedit subnet, enter the following information:

   Definitions	Wert
   subnet name	Get into<subnet name>
   subnet address range	Get into<subnet address range>

   

5. then selectsave not computerand then select thecheck + createtab or select itcheck + createKnopf.

6. then selectIn tears.

After completing these steps, you can create a virtual machine (VM) as described in the next section.

Creating a virtual machine (VM)

The next step is to create a virtual network and subnet to host the virtual machine (VM).

1. In the Azure portal, select in the upper left corner of the screenCreate Resource > Calculate > Virtual Machine.

2. NoCreating a virtual machine: basicsEnter or select the following information:

   Definitions	Wert
   project details
   Inscription	Select your Azure subscription
   resource group	Choosemy resource groupthat you created in the previous section.
   instance details
   Name	Get intomy virtual machine
   Region	ChooseCentral US
   availability options	Leave default settingsNo infrastructure redundancy required
   photo	ChooseWindows 10 profesional
   Size	Leave default settingsStandard-DS1 v2
   ADMINISTRATOR ACCOUNT
   Username	Enter a username of your choice
   password	Enter a password of your choice. Password must be at least 12 characters and meet the requirementsdefined complexity requirements
   confirm password	put the password again
   PORT ENTRY RULES
   public entrance doors	Leave default settingsNeither
   SAVE
   Already have a Windows license?	Leave default settingsno

3. then selectNext: Hard Drives

4. NoCreate a virtual machine - disks, leave the default settings and selectNext: networks.

5. NoCreate a virtual machine - network, select the following information:

   Definitions	Wert
   red virtual	Leave default settingsMinhaRedeVirtual
   address space	Leave default settings10.5.0.0/24
   sub-anti-redeposition	Leave default settingsmisubred (10.5.0.0/24)
   public IP	Leave default settings(neu) myVM-ip
   public entrance doors	Select **Allow Selection**
   select ports of entry	ChoosePDR

6. Choosecheck + create. you will be taken tocheck + createPage where Azure validates your configuration.

7. when you see themapproved validationmessage, selectIn tears.

Create a private endpoint

The next step is to create a private endpoint for Power BI.

1. In the upper left side of the Azure portal screenCreate Resource > Network > Private Link Center (Preview).

2. NoPrivate Links Center Overview, by optionCreate a private connection to a service, selectCreate a private endpoint.

3. NoCreating a Private Endpoint (Preview) - BasicsEnter or select the following information:

   Definitions	Wert
   project details
   Inscription	Select your Azure subscription
   resource group	Choosemy resource group. He created them in the previous section.
   instance details
   Name	Get intomyPrivateEndpoint. If this name is used, create a unique name
   Region	ChooseCentral US

   The following image shows theCreating a Private Endpoint - BasicsVentana.

   

4. After completing this information, selectnext: resourceMy noCreate a private endpoint: resourceEnter or select the following information:

   Definitions	Wert
   connection method	Select Connect to an Azure resource in my directory
   Inscription	Choose your subscription
   resource type	ChooseMicrosoft.PowerBI/privateLinkServicesForPowerBI
   Resource	miPowerBIRecurso
   destination sub-resource	tenant

   The following image shows theCreate a private endpoint: resourceVentana.

   

5. Once this information has been entered correctly, selectNext: SettingsMy noCreate a Private Endpoint (Preview) - Configurationand enter or select the following information:

   Definitions	Wert
   RED
   red virtual	ChoosemiRedVirtual
   sub-anti-redeposition	Choosemy subnet
   PRIVATE DNS INTEGRATION
   Private DNS zone integration	Choosemi
   Private DNS zone	Choose (Neu) privatelink.analysis.windows.net (Neu)privatelink.pbidedicated.windows.net (Neu)privatelink.tip1.powerquery.microsoft.com

   The following image shows theCreate a private endpoint - ConfigurationVentana.

   

   select nextcheck + create, which indicates thecheck + createPage where Azure validates your configuration. when you see themapproved validationmessage, selectIn tears.

Connecting to a virtual machine via Remote Desktop (RDP)

After creating your virtual machine, go tomy virtual machine, connected via the Internet with the following steps:

1. Type in the portal search barmy virtual machine.
2. ChooseTo connectButton. After selecting theTo connectknopf,Connect to the virtual machineopened.
3. ChooseDownload the rdp file. Azure creates a Remote Desktop Protocol (RDP) file and downloads it to your computer.
4. Open the RDP file.
5. If prompted, selectTo connect.
6. Enter the username and password you provided when you created the virtual machine in the previous step.
7. ChooseOK.
8. You may receive a certificate warning during the enrollment process. If you get a certificate warning, selectmioContinue.

Access Power BI privately from the VM

The next step is to access Power BI privately from the virtual machine you created in the previous step by following these steps:

1. En myVM Remote Desktop, abra PowerShell.

2. Type nslookuptenant-object-id-without-hyphens-api.privatelink.analysis.windows.net.

3. You will receive a response similar to the message shown below:

   Server: Unknown address: 168.63.129.16 Unauthorized response: Name: 52d40f65ad6d48c3906f1ccf598612d4-api.privatelink.analysis.windows.net Address: 10.5.0.4

4. Open your browser and go to app.powerbi.com to access Power BI privately.

Disable public access for Power BI

Lastly, you need to disable public access for Power BI.

get connectedenergy BIservice as administrator and navigate to theadministration portal. Choosetenant setupand scroll toadvanced networkSection. Activate the toggle button on theBlock public internet accesssection as shown in the following image. It takes about 15 minutes for the system to disable your organization's access to Power BI from the public internet.

And that's it: after following these steps, Power BI will only be accessible to your organizations from private endpoints and not over the public internet.

Considerations and limitations

There are a few considerations to keep in mind when working with private endpoints in Power BI:

• Any use of external images or designs is not available when using a private link environment.

• If Internet access is disabled and the dataset or dataflow connects to a Power BI dataset or dataflow as a data source, the connection will fail.

• Each private endpoint can only be connected to one tenant.

• Data marts do not support private links with SSMS. Even with a private link configured, connections to data marts using SSMS are only supported over public Internet access.

• If your organization usesAzure private linkIn Power BI, modern usage metrics reports include partial data (report open events only). A current limitation on transferring customer information through private links prevents Power BI from collecting report page views and performance data through private links. If your organization usesAzure private linkmiBlock public internet accessIn Power BI, the dataset refresh fails and the usage metrics report shows no data.

• The Power BI Premium Capacity Metrics app doesn't work when private links are enabled.

• Web publishing is not supported when enabledAzure private linkand PowerBI.

• Exporting a report as PDF or PowerPoint is not supported when enabledAzure private linkand PowerBI.

• Email signatures are not supported when enabledBlock public internet accessand PowerBI.

• Microsoft Purview-Informationsschutzcurrently does not support private links. This means that inPower BI desktopis running on an isolated network, the "Sensitivity" button is grayed out, the tag information is not displayed, and the decoding of.pbixthe files will fail.

  Admins can configure these features in Power BI Desktopservice tagsfor underlying services that support MIP,EOPand AIP. Make sure you understand the implications of using service tags in an isolated network of private links.

• Gateways enabled for Power BI private endpoints don't work correctly in non-Power BI scenarios. For some scenarios, a possible solution is to disable private bindings, set the gateway to a "remote" region (a region other than the recommended region), and then re-enable private bindings. After you reactivate Private Link, the gateway in the remote region no longer uses Private Link.

• When private links are enabled for Power BI, you can't register an on-premises data gateway (personal mode).

• The REST APIs for private link resources do not support tags.

• You cannot set up a private link used by more than one tenant.

Next steps

• Manage Power BI in your organization
• Understand the Power BI admin role
• Review Power BI in your organization
• How to find your Azure Active Directory tenant ID

The following video shows how to connect a mobile device to Power BI using private endpoints:

More questions?Try asking the Power BI community