Up next in 10
Keeping up with your Power BI Tenant Administration || Power Platform Virtual Conference
3K views
Nov 6, 2023
For many organisations, Power BI is becoming absolute key in their Information Delivery stream. As an important cog in the chain, it's the responsibility for that organisation to keep the cog well oiled. Power BI Tenant Admins need to make sure they're on top of their game, to keep all parties involved on their good side. During this talk, we'll go through some of the key activities to optimise this process, based on my war stories as a consultant. Security, Auditing, Monitoring and Alerting are the cornerstone of this process, which doesn't have to be hard. Walking out, you'll have some practical tips to take home with you. About Speaker: Benni De Jagere is a Senior Data Insights Consultant, with a sole focus on the Microsoft Data Platform Stack. Loving (almost) every day of it, he’s fascinated by the value of data, sometimes flabbergasted by the lack of awareness, and intrigued by the endless possibilities whilst discovering new ways of looking at data. On a daily basis, he turns (large amounts) of coffee into insights for customers, and references witty British comedy way too often. Overly enthusiastic about anything data-related, he’s trying hard to keep up with all things new and shiny. When not working, blogging or reading, you’ll likely find him gallivanting about and about pulling stunts that are not meant for public display. Rumour has it that he’s also involved with a ragtag band of data enthusiasts, enjoying themselves whilst organising cool community things. Conference Website: https://www.2020twenty.net/power-platform-virtual-conference/ C# Corner - Community of Software and Data Developers https://www.c-sharpcorner.com #conference #powerplatform #powerbi #csharpcorner
View Video Transcript
0:00
Thank you Simon, thank you for having me. Let's get started with keeping up with your
0:07
Power BI tenant administration. It is a topic that has a lot of things to cover about. It
0:12
is a topic that I can't tell everything about in these 45 minutes that I have with you
0:18
Myself, my name is Benny de Jagr as I briefly mentioned before and as Simon mentioned as well
0:23
during the introduction. Sometimes when I do have some spare time, I am one of the co-leaders
0:28
for Datamines.be, which is a data NAI user group in Belgium, and we do all sorts of stuff
0:35
If you want to find me on any of the social channels, you can find me on Twitter, on LinkedIn
0:39
Sessionize, etc. As Simon also mentioned, I am a data platform MVP, which means I focus a bit on
0:46
things like Power BI, but also more of the enterprise data stuff as well on the other
0:52
side of the spectrum. That's it. Let's dive in. Tenant admins, the ones that I usually encounter
0:59
they're mostly appointed by some sort of accident. So they are something that I like to call an
1:04
accidental tenant admin, meaning that they didn't get out of bed in the morning and said
1:09
today, I am going to be a Power BI tenant administrator. It is also the fact that usually
1:15
a dedicated Power BI admin is something that is not always that common. They usually have
1:22
some other hats to wear, like being a database administrator or a global administrator for Office 365
1:29
And it is something that you pretty much rarely see unless you're working with the bigger
1:34
corporations that have a very, very high workload on Power BI itself. Most of the tenant admins that
1:40
I run into, they're actually appointed by association. So as I mentioned, accidental
1:45
tenant admins, and it is when they're saying like, well, you're the one doing the SQL things
1:49
or you're the one doing Tableau or reporting services. So you're the Power BI admin as of now
1:56
which means that Power BI in the early beginnings of the product
2:01
right now it's about five years old, which means that in the early beginnings of the product
2:05
a lot of the things we tried to do were based on trial and edit. There wasn't a lot of documentation on all of the things that we were trying to do
2:13
And well, the product had to mature itself as well. But over the course of these five years
2:17
We've seen, we've noticed that the maturity in both community resources, Microsoft's resources, and the enterprises and clients that we see, that the maturity has risen exponentially as well, which is a really good thing
2:30
We're getting better at it. The third thing is that Power BI is a moving target, meaning things keep popping up pretty much weekly on a weekly basis
2:43
You've got updates coming to desktop, to the service, to the APIs, to Power BI report builder
2:48
There's updates coming out every single week. So it is impossible to keep up to date with all of
2:54
these different things. And I often get people telling me to say that, well, Power BI is just
2:59
a data visualization tool. What's the big fuzz about it? Then the one thing that I do actually
3:04
show them is this little diagram. And it is intended mainly at being overwhelming in this
3:11
PowerPoint right now. But it is something that is created by Melissa Coates, who is an MVP from the
3:16
United States. And she has this thing called the Power BI end to end diagram, which means she lays
3:22
out every single component that is that is that is related to the Power BI ecosystem. The thing is
3:29
this was designed on January 4, and it is already outdated. So Melissa is working on a new version
3:35
it's going to come up anytime soon. But that means there's going to be even more things added to this
3:40
diagram. So that means that Power BI is a very, very extensive tool. Thus, moving target is grossly
3:48
understating it. But what does a tenant admin actually do? And the thing is that I often
3:54
when I talk to end users, they just say, well, admins, they just say no to everything. They just
4:01
ignore all requests and they say no. Well, it is not necessarily the case because in my opinion
4:07
A tenant admin should strive forward to empower and enable a data culture in the organization
4:13
They need to enable users to meet, they need to enable users so that they can actually use that
4:18
data and build awesome things with it. Because if it's those end users building awesome things with
4:23
it, the organization as a whole will move forward for the better. So it is not simply the process
4:28
of restricting and disabling features, but it is making sure that if they restrict something or if
4:33
If they disable something, it has to mean that policies and processes and people need
4:38
to be in place to handle incoming requests and to make sure that everyone can do their
4:43
thing, that they can keep working on those awesome data projects, because that is the key
4:48
Meaning, a tenant admin should strive to empower and enable data culture in the organization
4:54
but they cannot do it alone. It is a team effort, and that is the least you can say about this
4:59
It has to be an organizational thing to move forward. But what does a tenant admin actually do
5:06
Well, in my opinion, they do nothing short of pure magic. So magic, that is the thing that I think tenant admins do, because they have a lot of hats
5:16
to wear, they have a lot of things to do, and they have a lot of things to keep in mind
5:21
So some of the things that tenant admins should be doing is, well, they have to look for data
5:26
management, for data governance, for security and compliance, they have to make sure that data is in place, they make sure that data is there, that they can be there, and that people
5:36
that need to access that data can actually access the data. They need to do change management. What
5:41
if a new feature rolls out? What if Microsoft decides to change the user interface for Power BI
5:46
again for the second time in the year? These are all features that need to be introduced and that
5:51
need to be handled properly for changes in the organization. Desktop as well is one of the most
5:58
important features of change management. Our new version rolls out every month and every month has
6:03
so many of these good new features that end users pretty much want to start using them as soon as
6:08
possible. They have to integrate with different products as well. They make to make sure that if
6:13
there's, for instance, something like Tableau that needs to use Power BI datasets through the XMLE
6:18
endpoint, they have to set up these integrations with other products. If, for instance, they need
6:22
to be looking at a data catalog solution like Colibra or Atacama or Azure Purview. They have
6:29
to set up these integrations as well, or at least talk to different people on how to do it. But also
6:35
tenant admins usually are also a glorified help desk for Power BI questions. People come with
6:42
questions to tenant admins for a lot of different things. And maybe that's also one of the reasons
6:47
why people think that they just say no to everything because they get overwhelmed with so
6:52
many questions so i think that most importantly tenant admins do magic period so if someone comes
7:02
up to me and says well benny i have an issue with let's say something with data flows for instance
7:08
my first reflex is to go look at what actually what actually is the service help meaning are
7:15
are there any issues with Power BI or any Azure components so that I can exclude this and then go further
7:21
down the chain to look at different things that I may need to be looking into So to make sure that I can actually see if there are issues with service health I have three main things that I can look at First one being the Power BI service the Power BI support page because the Power BI support page is the main go aspect to see if there is any issues on the Power BI service itself
7:46
because they log if there is degradations or plain old outages and what the root causes are
7:55
and what we may need to be doing to have workarounds, et cetera
7:59
So this helps me a lot to look at these things and to get a good overview
8:04
The thing is as well is that it's not just Power BI. Usually it's a whole ecosystem of different things
8:11
that are located in our products, in our data, in our architecture
8:15
So we have to look at Azure status diagrams as well. Meaning there are different things that can be running
8:21
There are different regions we could have these services running in. So we have to make sure that we can get an overview of these as well
8:27
So Azure status is what helps me to do this. But most importantly, for me personally
8:33
is the Microsoft 365 admin center, because this is tailored to my specific tenant
8:39
And tailored to my specific tenant, tenant, I can have the overview of all the different things that I have inside of my tenant
8:47
what the issues were. It shows me a history log as well of things that have been there
8:51
things that are still currently ongoing to make sure that I can get that overview. That's what
8:56
makes it really important for me to get that overview as well. But let me briefly show a few
9:03
of these things as well. So if all is well, there's my browser. I have this Power BI support page
9:10
So it is just simply powerbi.microsoft.com slash support. And it gives you the overview that I just discussed with you as well
9:19
It is nothing too fancy about this. It is just browse to the site and make sure you get there as well
9:25
Really easy because it does give you that overview that we really want to be using as well
9:30
Other than that, I have the Microsoft 365 admin center. So if I just log in to admin.microsoft.com, make sure that I'm logged into my credentials
9:39
I get over to the homepage and then I want to make sure that I can get to my health page because
9:45
that's the one that I actually want to be seen. So health and then service health, which means that
9:51
I can actually look at all the different components that I have inside of my tenant that are currently
9:55
ongoing and all the different statuses that they have. So for instance, right now I potentially have
10:01
one thing, one potential minor issue with SharePoint Online that I may need to be looking
10:07
at as well because potentially my users are storing data on SharePoint online and potentially
10:12
it could be something that can impact my Power BI users. So two simple things to just exclude some
10:19
issues when you need to go looking into things. But there are of course multiple things that we
10:26
do need to keep in mind when we're looking at this Power BI tenant administration. So for me
10:31
the activity log is the key, is the center to pretty much all I do when it comes down to
10:39
when it comes down to tenant administration and when I need to make decisions on certain artifacts
10:44
and certain settings, etc. The activity log is the basis for everything that I need to make these
10:50
decisions on. The activity log was introduced in December 2019 as an alternative to the Office 365
10:58
audit log. The main reason why this was called into life is that the Office 365 audit log required
11:06
to have at least viewer privileges or something higher on the Exchange Online Security and
11:14
Compliance Center, which potentially gave some big issues in organizations where it wasn't always
11:20
useful. It wasn't always possible to get these privileges assigned, which meant that you couldn't
11:25
actually exclude and couldn't actually gather these data to to get the view of your activity
11:31
in the view of your candidate you need to have. So the activity log retains the data
11:37
for about 30 days. And it only requires us to have the Power BI admin privileges. Meaning
11:44
that we don't have any relations necessary to other roles inside of power to other roles
11:49
inside of Office 365. But if we happen to have the global admin privileges in Office 365
11:55
then we can get this as well. And as I keep telling, it is the key to many questions that
12:00
we have because it gives us an overview of pretty much everything that has been happening inside of
12:06
our Power BI tenant. So to show you briefly what you need to be doing this, because I'm a strong
12:13
believer in extracting this information and storing it somewhere a bit more permanent
12:18
a bit more persistent. Because of the fact that this activity log only has 30 days of history
12:24
you want to get it as early as possible to make sure that you build up as much history as you
12:28
possibly can. So there are many options to doing this. The option I'm using right now is an option
12:34
with PowerShell and storing CSVs on a local drive, and then pumping over these CSVs to a database
12:42
solution. So as I mentioned, right now, for me, it is PowerShell that I'm using
12:48
And it boils down to the fact that we need to have the PowerShell, the Power BI management
12:53
command that's installed in there to make sure that we have these. And then we can get cracking
12:58
we can get started with this. So usually what I do is I use a service principle through an app
13:03
registration to register. The thing is that I'm just keeping it simple for this one, because I
13:09
have already logged in to my Power BI service account, but it is as simple as just executing
13:14
this little command, then I'm making sure that I enter the right credentials. Because as soon as I
13:19
have done this, I can get the information that I need on everything that is in here
13:23
So for instance, right now I need to expect the Power BI activity log. So it actually boils down
13:29
to something as simple as this. It is get Power BI activity event. And that is it. The only thing is
13:36
it does require two parameters at least meaning it requires you to give a start date and an end
13:43
date because it only can give you a limited set of records to return and it does require you to
13:49
give this date in a specific date format so year year year month month date date and then the hours
13:55
a minute and the seconds as well in the times of format so as soon as i have that i can start
14:01
getting this information out of there so it is as simple as just executing this one line of code
14:06
as soon as I have these things. The thing is I want to take it a bit further. And what I want to do is actually also do some select queries on this
14:13
on the records that I've just exported to make sure that I can always have a proper selection
14:19
Because when I'm doing SQL queries, for instance, on a SQL server, I'm also not going to do a select star
14:25
So for that exact reason, this is why I'm doing this right now. So for instance, if I were to execute this
14:32
and to give you some basic information as well, what I'm doing here, what I have here is actually just a max value and a min value. So for this
14:41
amount of dates, actually start looping over these dates to start doing this. Right now
14:46
just keeping it on a simple one date to not have to wait overly long on these results to start
14:51
popping out This means that right now it going to contact that activity log and it going to start exporting all this information for me So it giving me a lot of information and I deliberately chosen to not actually go ahead and
15:08
start exporting this to a CSV file because I want you to see what is actually happening here as well
15:15
So right now it is just a simple view report, but potentially there could be a lot of different
15:20
things in here with people updating apps or people potentially doing with tenant switches
15:25
with tenant settings. It is a lot of different information in here that is key to everything
15:30
that we do. And as I mentioned, as soon as we export this information, we have it gathered
15:35
somewhere. That is where we can do, that is where we can start doing our actual ysis on top of
15:41
things. But there is actually something more that I want you to extract as well. And it is something
15:47
that I like to call an artifact inventory. An artifact is what I call a Power BI dataset
15:53
a report, a dashboard, a data source, everything that is usable as an object inside of Power BI
16:00
We can also get out the data for that. We can get the information for this as well
16:05
which means that if we start extracting this, we can actually build ourselves a proper star
16:09
schema model for this. So most of these artifacts can be extracted through the same APIs
16:14
through PowerShell as well. And it allows us to track these details about these heavily used
16:19
artifacts. So if we have reports that get used an insane amount of time, as opposed to the others
16:25
we can actually go ahead and track them a bit more closely. Or if we have some private financial
16:31
information in reports, that is also something that we can track more intensely to make sure
16:36
that there is nothing bad happening to that data. I'm of the opinion that the admin APIs are
16:43
specifically our friend because they allow us to get the data out of there in the most
16:47
in the most efficient way possible and also that we need to be authenticating through service
16:52
principle because in the future this will be the main way to start doing automation on type of on
16:58
top of these different types of scripts so again i'm referencing melissa coats because she made a
17:04
lovely diagram of this and she states this as a typical power bi auditing solution the thing is
17:10
that in the wild, this is a very, very elaborate Power BI auditing solution. Because what I usually
17:19
see is that people have effectively started to export these activity logs, okay? Then most of the
17:27
time, they actually did get the workspace inventory and the artifacts out of there as well. But then
17:32
it gets, the further down we go to the right-hand side of the overview, the less I actually see it
17:38
come into play, which is a shame because this truly allows us to have a very, very elaborate
17:43
and a very, very interesting solution, a very interesting auditing solution as an answer
17:49
to most of the questions we have. And as well, it is a case of just starting to track and starting to store these different
17:57
things in there to make sure that we can actually answer to some certain auditing questions that
18:03
we may have, but also potentially serve up this data to workspace owners, people that own a
18:09
workspace with several reports in there, with several data sets in there, and serve up this
18:14
data based on row-level security to make sure that they can actually use this data for themselves
18:19
So potentially, this could be really interesting as well. So for the interest of time, I'm going
18:24
to skip the demo, but I am going to make sure that my scripts get up to a GitHub repo sometime
18:29
soon and that I actually do some supporting blog posts for this as well. But I do want to make sure
18:34
that I finish in time to allow the next speaker to get prepared as well. So next to the artifacts
18:43
next to the activity log, it boils down to the tenant settings, the way we configure our tenant
18:48
the way we allow people to use our tenant efficiently. So most of these tenant settings
18:54
we can use to control behavior, meaning we can allow or disallow something
19:01
The thing is, right now, it is really hard to document the way
19:06
well, it is really hard to track changes on these tenant settings. So I do highly advise everyone
19:12
every tenant, every organization to actually document their settings, why they have something to setting XYZ
19:20
with people 1, 2, 3 that can do this, or why they haven't done this with specific reasons for this
19:27
with their decision, with their drivers for the decision. Because right now, the only way that you can actually get notified
19:35
if someone has changed their tenant setting is either through the activity log
19:40
and that just shows you that a tenant switch has been changed
19:44
It doesn't show you which one. It only says this has been switched
19:49
And the other option is through the Cloud App Security Center. But this also comes with additional licensing
19:56
It takes the, I think, the E3 or the E5 security licenses as well
20:00
which are potentially a blocker for budget in an organization, etc. But this does give you an elaborate overview of this user this time has changed this setting
20:12
the former setting was this, and the next setting that is currently set is this
20:16
So it is a really interesting thing as well. Most of these settings can be scoped
20:20
meaning it is a matter of enabling and disabling, but you can also do includes or excludes
20:28
So if we disable a setting, for instance, publish to web, disable it for the entire organization
20:35
except for a list of these people that can actually do this
20:40
Most of these tenant settings, if not all of these tenant settings, require a security group to actually scope these settings
20:47
meaning we can use active directory, so the on-premises version of security groups
20:53
or we can look at the online Azure Office 365 mail-enabled security groups
20:58
These work actually the best because they have the widest area of where they can be used
21:05
So I've included a very useful link by Gilbert Guvrouillet, who is a New Zealand MVP
21:12
and he actually made this useful little matrix of what type of security group we can use where in Power BI
21:17
And overall, across the board, mail-enabled security groups work on most of the places that we want them to be working
21:24
So that is why I recommend to start using mail-enabled security groups
21:29
What I do want you to do is, in your organization, go through every one of these different settings of the tenant settings and decide our organization, we will allow them, we will disable them
21:39
But special attention needs to be paid to the way the workspace settings are set, the way that things can be exported and shared, and what we can do with Power BI visuals
21:50
So let me dive straight into what I actually mean with this
21:55
So I have, let me just show you where I'm going with this
22:00
I have a Power BI tenant. So no, I don't want to give feedback right now
22:04
I have a Power BI tenant, and this has admin privileges. This means that I can go over to settings and then the admin portal and make sure that
22:12
I can find the admin portal where I need to be. So I have my tenant settings and that is actually where I want to be
22:19
So my tenant settings is what I need to be doing right now
22:24
So as I mentioned the workspace settings are a crucial one to start monitoring And why is this Well by default everyone can create a new workspace in the organization which means that everyone
22:35
can create a workspace and everyone can be admin of that workspace. So why is this a big deal
22:43
Well, potentially, if you leave this unchecked, you can get, well, an uncontrolled growth of
22:48
workspaces that no longer get used after three weeks in your organization. But also, since
22:54
premium per user was announced, this actually also means that people can start assigning their
22:59
content, their workspaces to premium per user without you necessarily knowing it. And right now
23:04
it's free and it's all fun. It's all dandy. But as of April 2nd, premium per user will become also
23:11
a paid feature, which means that potentially we could get some surprises. And that as well is
23:18
block classic workspace creation, because at the beginning of time, Power BI created Office 365
23:23
groups in the backend, which meant that every single time an Office 365 group or Teams was
23:28
created, we also had Power BI workspaces, which was something that we wanted for some of these
23:34
cases, but not for everyone. So the account that I actually do my work on has about 125 workspaces
23:43
where I actually use three of them because the rest is just Teams channels and Office 365 groups
23:48
in SharePoint pages. The same thing is with export and sharing settings. A lot of these are enabled
23:54
by default, and a lot of these will allow your users to export your data. And you as an admin
24:00
or you as an organization, need to decide how people can export your data. Meaning, do you allow
24:07
people to export the raw data to Excel or to CSV files? Do you allow them to print reports? Can they
24:13
export it to PowerPoints or PDFs to words, what can they do with this? Usually people leave this
24:21
largely enabled for everyone, but I also have seen organizations that do not allow this. That say
24:27
Power BI is the main way for them to consume the content, and if they want to, they can use
24:33
yze in Excel. It is something that I've seen out there in the wild as well. But another one
24:39
Another important one that I want to mention to you, and we're sinning against this ourselves
24:46
is Power BI custom visuals. So my advice to most of my clients, to pretty much all of my clients that I have
24:54
is to only allow certified visuals. Certified visuals meaning they have this little blue checkbox next to them in the app source
25:02
It means, let's say, marketplace by Microsoft. This means that they have underwent
25:08
they've gone through a rigorous code auditing process, which meant that people from Microsoft have reviewed the code
25:16
and are completely sure that it doesn't contain any malicious code. Does that mean that a visual that is located on the app source
25:25
and doesn't have a blue checkmark contains malicious code? No, the odds of that are fairly small
25:30
The main risk is when you have a user that found some random GitHub page somewhere on the internet, and they found a visual or someone got a PDI VIS file somewhere on a thumb drive
25:43
That's what concerns me more. So usually I only allow these certified visuals
25:49
And what I do then, what I tell my clients to do then, is go through organizational visuals and start building out a whitelist of non-certified visuals
25:57
it meaning a whitelist where you as a tenant admin have reviewed well or as a team of tenant
26:03
admins have reviewed the visual and make sure that it doesn't do anything funky that you don't that
26:08
you don't actually trust for this what do i mean by review well what i usually do is i take a i
26:15
take a development environment i take a development data set something that doesn't have any any value
26:20
at all and i start up a fiddler trace so a web trace that actively tracks all the incoming and
26:27
and outgoing calls that are being done via web. Because it means that a custom visual
26:32
can usually do web calls through Power BI as well. So I check the calls that are being made
26:38
I check whatever is being executed, and I check as far as I can see
26:42
if there is anything funky happening on there. That's what I mean by reviewing
26:47
because you're rarely going to get code from a Power BI custom visual
26:52
So as soon as you've done that, as soon as you've deemed it worthy for this to be allowed in your organization
26:57
Well, what you can do is add it from the app source or add it from the file
27:01
My thing is if it is in the app source, you want to make sure that you use it from the app source
27:06
because it will also automatically do some do the versioning on this as well. If a new version is released
27:11
they'll grab the new version as well. If you do it from a file
27:14
then you're the one in charge for making sure the file is updated. But the thing is not everyone enables this
27:24
by default. And let me get back to the slides. The thing is that not everyone, not everyone
27:32
allows this by default, meaning that you potentially have a lot of custom visuals in your organization
27:38
that you're not aware of. Because at this point, there is no way to automate an inventory
27:43
of what custom visuals are used in your organization. It's not possible. The only way that you can
27:49
do it potentially is by getting every single PBIX file in your organization, scraping that
27:55
and making sure that you get the information out of there. But if you have a fairly large
27:59
organization, that's going to take a long while. So the only way that you can actually do it is
28:05
start inventorizing it, making sure that you reach out to people and say, hey, could you please let
28:10
me know if you're using any custom visuals? And then at some point, make the switch. And as soon
28:15
as you make the switch, you'll know which custom visuals are used in the organization
28:19
but I actually did the demo already. So I went over this because I want to tackle data access with you as well
28:27
Who can access my data? Who has access to the data that I have inside of my reports, my data sets
28:33
my data flows, et cetera. Well, it is based on a few things
28:38
First and foremost, who has access to your workspace? Who has access to your workspace app, to the app that you have
28:46
who has potentially gotten access to a report by manual reports sharing
28:50
or who has gotten access through what your data set to manually on your data set
28:56
who has access on this, for instance. So workspace access is the most important one
29:02
because they also influence a few other things. But the fact that people can access your data is also influenced by row-level security
29:13
and object level security, which hit preview since February 2021. The thing is what I wanted to mention about workspace access
29:20
is that a workspace admin, a member or a contributor has no RLS and no object level security applied to them
29:28
and they implicitly have build permissions. So let's just say that you have set up this elaborate scheme
29:36
for row level security or object level security. It will not apply to them
29:40
simply because they can make the changes to the report itself. Well, if they can change it themselves
29:49
they can probably just change it and make sure that they are not included in that role
29:55
The same thing with build permissions, is a build permission allows people to build a new dataset
29:59
report on top of it on top of a data set or use yze in excel if they have these build
30:05
permissions they can do with the data whatever they want so i do encourage you to monitor your
30:11
key assets closely as i mentioned hr data finance data whatever make sure that it's closely monitored
30:18
the thing is as well is that an admin a power bi admin or a global global office 365 admin
30:26
can get access to any new workspace and can therefore also give access to anyone else
30:34
meaning um you don't give a you don't give out power bi admin roles willy-nilly inside of the
30:40
organization you need to be sure of the people that you're giving these permissions to but that's
30:45
pretty much the same thing with every types of admin privileges that you have so know and trust
30:49
the people that you have for these different permissions. And then the gateway is a crucial
30:56
part in your organization as well. Meaning the gateway to freshen up your mind is the
31:01
application that stands between the cloud services and your on premises network. So if
31:07
you have any SQL servers or ysis services cubes or some Oracle servers, and that data
31:13
needs to be used inside of PowerDaps, Power BI, Power Automate, Logic Apps, I think that's
31:20
it, it will probably go through this data. So the gateway functions as a bridge between
31:24
these two and services whatever requests that we might have. The thing is that we also have
31:30
to make sure that users that need to publish new data sets need to be allowed on this gateway
31:36
The thing is as well is that by default, any user can install personal and on-premises
31:42
data gateways in the organization. Potentially opening up corporate data because they might
31:48
they may be doing it inside of the organization on data sets that you wouldn't necessarily want
31:54
to be sharing to Power BI or not even share to other people as well. So I do encourage you to
32:00
debate the policy for personal gateways, especially because in my opinion, personal gateways do not
32:06
have a role in an organization except for when we're using our data sources or Python data sources
32:12
Why is this? Because a personal gateway is usually installed on a local machine, and as soon as the machine gets shut down, the gateway will also not function. And the on-premises data gateway is intended to be installed on virtual machines or servers, etc., that will always stay up and running and can even be configured in a high availability mode or load balancing mode as well
32:35
so you can actually go ahead and go check out which data sub which data gateways you have in
32:41
your organization the thing is as well is before i do get to that part is that um it's not necessarily
32:48
only the way we restrict it because usually you have some form of it that governs the way software
32:54
can be installed on your local networks as well on your local machines so it's the combination of
32:59
these two that will restrict or allow the installation of these data
33:04
But if I wanted to go to my data gateway overview it is as simple as going to admin and I going to the data preview which will give me by default an overview of all the different gateways that we have installed
33:20
The thing is that for a very long time within the organization that I'm showing right here
33:25
which is our own organization, we thought that we had two gateways running
33:28
And then we did this initial check a few years ago, and we actually saw that there were a lot more of these gateways that were being installed
33:38
The thing what we found out as well is that Power Apps in a Day, the day course, was very popular
33:44
And that we had a lot of people that installed data gateways to do their Power Apps in a Day
33:49
So there are a lot of gateways in here that actually weren't known to the system administration people
33:56
They didn't know these things existed. So that is why I say that by default, everyone can install a gateway and it may not necessarily
34:03
be a very good thing. The thing is, if you want to restrict this from within your organization, you can say
34:09
manage gateway installers, restrict this, and then just say that this explicit list
34:15
of people can actually install gateways. And I do recommend you to go do this because otherwise, well, you'll end up with a list
34:22
that's potentially even larger than this and that may get out of hand
34:27
Why am I saying this is, well, gateways, they open up your data
34:32
That's one thing. But gateways actually use a lot of resources. So when you're refreshing data sets, the gateways play a very crucial role
34:42
And the gateways will use more resources than you will actually know. Because, for instance, if we're doing something called query folding
34:48
and I'm not diving in too deep in this, it means that the gateway will handle a large part of the workload
34:55
if query folding isn't functioning properly. So if you have this small little gateway device of four gigabytes of RAM in one CPU, this will probably cause your data set refreshes to be very, very slow
35:07
And that is why exactly that you want your gateways to be in a managed environment, in an environment that people can actually know and trust to be performant, to handle these types of operations very well
35:19
But I did already show you the gateway, the Power Platform admin center
35:25
And that is one of the main reasons, one of the main places where you can go do this
35:30
But you can also get this information through PowerShell commands. But I figured let's just do a user interface as well, because it doesn't all have to be PowerShell
35:39
So I do actually want to thread back on the topic of premium per user
35:44
And let there be no debate about this at all. I am a very big fan of premium per user. Premium per user means that you have a user-based license
35:57
$10 as an add-on to Power BI Pro, or $20 as a standalone license, and you get all the rich
36:04
features that Power BI Premium has to offer, which is insane. The thing is that during the preview
36:10
after it was announced on September 2020 after Ignite it was free for everyone to use And that when people went nuts for the premium per user preview because they started building things that they couldn previously do They started building data flows
36:25
with the enhanced compute engine. They started doing AI features, all these cool things
36:31
which is good because we want people to start using this as well. The thing is that by default
36:36
people can actually self-assign them an in-product trial experience or a Power BI Pro trial
36:42
and they could by default create their own workspaces. So potentially you have a large amount of premium per user workspaces in the organization with people building production grade workflows on this
36:54
So right now this is cool. But after April 2nd, this means that all trials that expire after April 2nd will require a paid license
37:04
So how sure are you that you don't have 150 users in the organization that will require a premium per user license
37:11
because they have built a lot of these things on top of this. And it's mainly for that reason that I wanted to dive into this myself as well
37:19
because I did actually have a client that had these specific questions
37:24
So the only way that you can get an overview of people that can use premium per user
37:28
and people that have done this is by getting out workspace information
37:33
capacity information, license information, and the activity log, and start correlating these things to each other
37:38
Because that's the only way, that's the only actual way that you can get this data out of there and make sure that you can do something with it, something meaningful with this as well
37:48
But monitoring is a, well, monitoring is, well, it is a topic that you can spend a day on, if not at least
37:59
And there is a session by Dutch MVP, Mark Lelievold. He's built out, along with his colleagues
38:07
a end-to-end monitoring solution, meaning that it is a large setup with Azure Log ytics
38:14
with Blob Storage, et cetera, where they built out this really cool, really complex monitoring solution, which is cool
38:20
but it doesn't have to be so complex because you can actually do something with a few simple clicks as well
38:25
For instance, if you've expected that the activity log as I've mentioned about 25 times already
38:32
you could actually do something as simple as set up a dashboard tile with a data alert on top of this
38:37
and then set up a simple count for these actions and say, I want to look at tenant settings
38:42
publish to web, trials, exporting data, deleting stuff, creating or editing data gateways
38:47
these things. And just have this as a very simple data alert on there
38:53
Is it your super duper monitoring solution? No, but this you can do in five minutes
38:59
And at least you have something to move forward on. That said, I am running close out of time
39:07
And I want you to have some takeaways as well. The main thing is a Power BI admin should try to stay updated
39:14
And that's a really big challenge. I know how hard it is
39:18
So the main way you can stay updated is by following along with the Power BI roadmap
39:24
by making sure you follow the Power BI blogs the Power Platform release waves and then there is the community which offer an insane amount of initiatives and an insane amount of information that gets released the only thing
39:37
that you need to keep in mind is check the release date because in this day and age something
39:44
information changes and ages very quickly so something that's been written six months ago
39:50
may not necessarily be as relevant today because some a new product was released a new feature was
39:54
there or something was something was changed who knows it is a very a very good thing to keep in
40:00
mind as well so if i if you're walking away from this and you're stepping into the office on monday
40:08
look into automating the extraction process for the power bi activity one scope some tenant
40:13
settings for some of the key areas that are discussed or some of the other areas that are in
40:18
that are inside of your inside of your organization go for some some very simple alerting for these
40:24
external failures or internal usage. And then make sure that you have some basic form of
40:30
monitoring as well, that you actually know what is happening inside of your organization
40:35
But as well is, as I mentioned before in the beginning, it is not about restricting and
40:41
disabling things. It is about enabling people to build awesome data stuff. So we really should be
40:48
fostering that data culture in the organization. But if there is anything that I want you to keep in mind from this session
40:55
is you can't know it all. Sometimes you simply have to Bing or Google
41:03
There's no shame in Googling things because not a single person can know every single thing
41:09
We all have to find out some things as well. So Google is perfectly fine
41:13
Or Bing or us, Jeeves, whatever you use. So to close off, one small reminder that it is not about products
41:21
Self-service BI is not about products. Power BI alone is not going to enable self-service BI
41:27
Tableau alone is not going to do it. It is about the organization and the way that they have people
41:32
methodologies, and processes in place and how they are well in sync with each other
41:37
Because if the people and the processes and the methodologies are there, they probably are going to be able to do self-service BI
41:44
with any tool that's out there. The thing is that Power BI just helps us do this the best that we can actually do it
41:50
So in this deck, there are a bunch of references and resources that I used
41:55
And the deck is already, I've already given it to Simon. So you'll be receiving the resources shortly after conference
42:01
There's a lot of things that you can look at. That said, this was all that I have to share
42:08
And I do hope that you found it interesting. If there's any questions, I'll gladly take them as well
42:12
if you don't have any questions right now, but they pop up to you next week
42:16
These are my social handles. So you can find me on the social networks as well
42:20
And I do hope to meet you in person someday soon because, well, let's just put it
42:25
I am dying to get out of my house as well, to be able to go out in public again
#Data Management