Sharing Power BI Reports with External Users the Right Way, Part 3: Sensitivity Labels, Encryption, and Secure Sharing

In Part 2 of this series, we walked through how to configure your Microsoft Fabric environment to securely share Power BI reports with external users across Microsoft 365 tenants. We covered licensing requirements, admin portal settings, how to invite guest users, and how to share reports directly with them.

Now, in the third and final part of this blog series, we focus on two important areas that are often overlooked:

  • What happens when Microsoft Purview sensitivity labels are applied to a report
  • How to refine admin portal settings to better control guest users’ access to Fabric

This series was originally created to support a YouTube video I published in April 2025. The topic turned out to be too broad to explain well in a single blog, so I decided to split it into three parts.

Here is the complete series:

  • Part 1: Understanding the Problem and Core Concepts
    This post explains why external sharing can be tricky, the key requirements to get it working, important terminology, user roles, and how the whole process fits together.
  • Part 2: Hands-On Guide to Setup and Sharing
    A step-by-step walkthrough of how to share reports across tenants, covering licensing, admin portal settings, inviting guest users, and how report access looks from the guest’s side.
  • Part 3: Sensitivity Labels, Encryption, and Secure Sharing (this blog)

In this last part, we’ll look at what happens when Microsoft Purview sensitivity labels are applied, including access control, and will also discuss key admin settings you may need to adjust for safer collaboration.

Let’s now get into the final piece of this guide.

Sensitivity Labels in Microsoft Fabric

Microsoft Purview sensitivity labels are part of the broader Purview Information Protection framework. These labels are not exclusive to Microsoft Fabric or Power BI. They are designed to be applied consistently across various Microsoft services, including but not limited to Outlook, Word, Excel, SharePoint, and Azure SQL DB. This ensures that data is classified and protected uniformly, regardless of where it is created, stored, or shared.

In the context of Power BI, when you apply a sensitivity label to a report, it adds classification metadata and, if configured, applies protection such as encryption and access restrictions. These protections travel with the content. For example, if a report is exported to PDF or PowerPoint, and the label has encryption enabled, that exported file will also be encrypted. So only the users who are authorised to view the content will be able to open it, even outside of the Power BI service. This means your data stays secure not only within your tenant but also when it moves across users, devices, and even organisations.

What Happens When You Share Encrypted Reports?

Let’s walk through an example.

You share a Power BI report with a guest user. This report has a label applied that encrypts its content. Here is what the guest user can and cannot do:

  • They can open the report online if they have been invited and given read access.
  • When they export the report to any Office formats such as PowerPoint, Excel and Word or PDF, the file is protected with encryption.
  • When they try to open the file (say a PDF), they will be asked to sign in again, obviously using their own organisational account (email) to be able to see the contents.
  • If the exported file is shared or saved somewhere others can access, they will not be able to open it unless they are authorised.

This means your content stays secure, even after it leaves the Power BI service.

In my video demo, Nestor (the guest user) successfully exports a report labelled Highly Confidential to PDF, but even then, he has to authenticate again to open it. If Nestor forwards the PDF to a colleague, the colleague cannot access the contents of the file unless explicitly granted access. The following image shows what happens when the unauthorised colleague opens the PDF file:

Protected Office Files by Microsoft Purview Information Protection Sensitivity Labels

So far, we have discussed how sensitivity labels in Purview Information Protection work with report sharing in Power BI. Now let’s fine-tune our configuration in the Fabric Admin Portal.

Refining the Admin Portal Settings: Control Guest Access to Fabric

A key setting that many admins miss is Guest users can access Microsoft Fabric, located in the Fabric Admin Portal under Tenant Settings.

If you enable this setting for the entire organisation, it allows all guest users in your Entra ID to access Fabric content, if they are given permissions on workspaces or items. But this might not be what you want.

For better governance and control, you can restrict this setting to apply only to a specific security group. That means only guest users who are members of that group will be allowed to access Fabric features in your tenant. All other guests will remain blocked, even if they exist in your Entra directory.

Here is how it works:

  1. Create a security group either from the M365 Admin Centre or Entra ID (for example, External Fabric Access)
  2. Add your chosen guest users to this group manually
Create a new security group for guest accounts
  3. Go to the Fabric Admin Portal, open Tenant Settings
  4. Find the setting Guest users can access Microsoft Fabric
  5. Enable it only for the security group you created
Enable the "Guest users can access Microsoft Fabric" setting in Fabric Admin Portal

This is very useful in scenarios like:

  • Consulting firms who want to share a report with a specific customer
  • Government agencies working with external auditors or partner departments
  • Large enterprises that share information only with known and trusted third-party users

This setting allows you to enable secure access without opening the door to all guest users. It gives you the balance of usability and control that many enterprises are looking for.
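The group steps described above can also be scripted and reviewed with Microsoft Graph PowerShell. The following is an added example, not part of the original post; it assumes the Microsoft.Graph module is installed and that you have rights to manage groups, and the guest addresses are constructed placeholders. The tenant setting itself is still enabled for the group in the Fabric Admin Portal as described.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
# The group name follows the article's example; the guest addresses are constructed.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$groupName  = 'External Fabric Access'
$guestMails = @('nestor@partner.example', 'auditor@agency.example')   # constructed

# Step 1: create the security group, or reuse it if it already exists
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName -MailNickname 'ExternalFabricAccess' `
        -MailEnabled:$false -SecurityEnabled `
        -Description 'Guests allowed by "Guest users can access Microsoft Fabric"'
}

# Step 2: add the chosen accounts, but only if they really are guest accounts
$memberIds = @(Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object Id)
foreach ($mail in $guestMails) {
    $user = Get-MgUser -Filter "mail eq '$mail'" -Property Id, Mail, UserType |
        Select-Object -First 1
    if (-not $user -or $user.UserType -ne 'Guest') {
        Write-Warning "No guest account found for $mail; skipped"
        continue
    }
    if ($memberIds -notcontains $user.Id) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
        $memberIds += $user.Id
    }
}

# Review: every guest in the directory and whether the group admits them to Fabric
Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id, DisplayName, Mail |
    Select-Object DisplayName, Mail,
        @{ Name = 'InFabricGroup'; Expression = { $memberIds -contains $_.Id } } |
    Sort-Object InFabricGroup -Descending |
    Format-Table -AutoSize
```

Re-running the final review query on a schedule shows when the group has grown beyond the guests you intended to trust.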

Summary

We have now reached the final part of this blog series. In this post, we covered:

  • What sensitivity labels do and how encryption affects guest access
  • The guest user experience when interacting with labelled reports
  • How to refine admin portal settings to limit Fabric access for guest users to only a trusted group

It is very important not to treat external sharing as just another Power BI feature. When done wrong, it can open up security risks. But when configured carefully, it becomes a powerful tool to collaborate with external users in a secure and controlled way.

Thanks for following this series. I hope it helped you better understand the big picture and also the technical details of sharing Power BI content across organisations.

Follow me on LinkedIn, YouTube, Bluesky and X (formerly Twitter).


