Navigating Power BI Access for Consultants: A Guide for Business Leaders

Power BI has become a popular BI tool and many companies have built around Microsoft’s stack to support their business goals. If aligned properly, Power BI can give leaders a comprehensive understanding of their business performance and foster a more proactive approach to decision making.

Businesses may hire Power BI consultants or even freelancers to leverage their expertise in implementing data analytics solutions, whether for projects or ongoing support to ensure effective use of Power BI’s capabilities. With the increasing reliance on external consultants, seamless and secure access to company data is paramount, allowing consultants the resources needed to navigate datasets and environments efficiently while maintaining data security measures.

Options for Providing Access

This article mainly focuses on two options of providing Power BI consultants access to company data and Power BI or Fabric workspaces. The two options are making the consultant an External B2B Guest and creating them an internal account. We’ll touch on other options that we do not recommend and talk about additional measures that can be taken to secure company data when working with external partners.

External B2B Guest: This is a great option for businesses who are working with a consultant or freelancer for a quick project and want to maintain a degree of separation between the consultant’s activities and the internal workings of the organization. This method can be for organizations who do not want to manage an internal account and can leverage existing authentication methods, making it easy to grant or revoke access as needed. External B2B guests allows company employees to collaborate with consultants from a different tenant. Choosing External B2B Guest access can provide a balance between collaboration and security. For more information, check out our free guide to Adding External B2B Power BI Guests Users.

Internal Account: This option works well for businesses who may want a longer term partnership with a consultant or freelancer, usually providing a smoother experience for consultants, leading to increased efficiency. IT can also fine tune security and have more granular control over access and permissions.

Additional Options:

• Virtual Machines (VM): Providing a VM in your environment for your consultant to do all of their development work is a great way to prevent data from being saved onto your consultant’s machine. This can be done with either the B2B guest or internal account method. The downside is setting up the VM and making sure the developer has access to everything they need through the VM, and if there is not an internal process already established, there can be a lot of time spent going back and forth.

• Share files via safe links: We highly recommend to never share data or .pbix files over email. There are many ways to share sensitive files, like sharing a secure link to the file stored in the cloud (e.g., OneDrive, Google Drive, etc.). It is advisable to use file sharing options that require a password that expire after a set amount of time.

• Multifactor Authentication (MFA): Whether your organization is using the B2B guest method or issuing an internal account, it’s always a good idea to protect apps and data using MFA. For more information, check out Microsoft’s tutorial on MFA for B2B guests.

Other Methods: There are other casual methods of sharing access to data sources and workspaces with consultants, but these methods are not usually recommended due to the lack of security protections.

• Emailing sensitive files back and forth is one of the least secure ways of sharing data in general. At the very least, these files should be shared using safe links that require permissions, so the files are not actually attached to the email. Also, depending on admin settings, files can be shared in Microsoft Teams if both parties are using Teams. There are many other secure ways to share sensitive files with consultants.

• Sharing passwords to accounts or database logins through email is another big no-no. If the consultant cannot obtain an internal account and generate their own passwords, sometimes clients find that sharing existing passwords is their best or easiest option given the circumstances. If that is the case, we always suggest using secure methods of sharing passwords through secret URL’s or password managers. Secret URL’s like Password Pusher are nice because they can be set to expire immediately or after a specified number of views or days.

Key Considerations for Business Leaders

As businesses grow, they tend to care more about their data and may have processes and procedures in place to deal with sharing data and working with external users. One of the biggest goals is to prevent data from being saved outside of the company network, e.g., the consultant’s machine. We have broken out some of the key considerations when trying to decide which method is best for your business.

Data Security

Which is the best option that will keep our company data secure and isolated from being leaked?

1. Isolation: With External B2B guest access, consultants typically access company data from their own tenant. This setup helps maintain data isolation, as consultants operate within their own environment rather than directly within the organization's internal network. If appropriate measures are taken by the consultant, this can be seen as a benefit because the separation minimizes exposure to internal systems and networks of the organization, reducing potential attacks.

2. Conditional Access Policies: Both methods allow businesses to enforce conditional access policies to regulate the access rights and privileges of external guests. These policies can include multi-factor authentication, device compliance checks, and location-based restrictions to bolster data security.

3. Limited Scope and Granular Access Controls: Both methods can restrict consultants' access to only the necessary data and resources, reducing the risk of unauthorized access to sensitive information. However, careful configuration is essential to ensure that access controls are appropriately configured and enforced. Organizations can implement granular access controls tailored to specific roles and responsibilities. This includes defining permissions at the dataset, workspace, or report level to restrict access to sensitive data.

4. Integration with Internal Policies: Internal accounts seamlessly integrate with the organization's existing security policies and protocols. This ensures that consultants adhere to the same security standards and compliance requirements as internal employees, fostering a consistent security posture. This can be more difficult to apply with External B2B guest access.

5. Auditing and Monitoring: Internal account creation enables businesses to implement auditing and monitoring mechanisms to track consultant activities and detect suspicious behavior. This proactive approach enhances visibility into data access patterns and helps identify potential security threats.

Permissions to Data Sources

It’s important to assess the complexity of data sources and determine the level of effort required to grant access to consultants. Some data sources are more compatible than other with external access methods, authentication requirements, and data governance policies. For example, which method provides the most seamless and secure manner of accessing the required data sources, e.g., SQL database, SharePoint files, via ODBC driver connections, etc.?

Generally, internal accounts make it easier for IT or admins to manage permissions to on-prem data sources. External B2B guests may require IT to configure authentication methods, firewall rules, or data gateway access. For example, to access a SQL database from a consultant’s Power BI Desktop, firewall configurations may be required and may need updating from time to time (think dynamic IP addresses).

Collaboration Requirements

Data source permissions should be aligned with collaboration requirements to facilitate efficient data sharing and collaboration between internal teams and consultants. Communication channels should be clearly defined with data sharing protocols and version control mechanisms to ensure consultants have access to the latest data while maintaining consistency and accuracy. In most cases, External B2B guests can have access to the same communication channels as internal members, but existing admin policies could make it more difficult or require additional tweaks.

Testing & Publishing in Power BI

What level of testing or QA is required for your data initiative or Power BI project and how easy will it be for your consultant to deploy and test the solutions they create?

In general, using the Power BI service and publishing is much easier with an internal account. For the consultant, as an External B2B guest, there are more steps involved to open the client’s Power BI environment and workspace, publish Power BI reports from the Desktop app, and switch between data source credentials within Power BI Desktop.

In the Power BI service, External B2B guests can use the Deployment Pipeline for to push solutions through the stages of development, testing, and production, as long as access is granted. There are some nuances of using the Power BI service for External B2B guests, for example, they will not see the shared external workspace or shared items from the Power BI service in their own tenant. Consultants will need to bookmark the workspace in their browser or save the link somewhere, which adds additional steps to the workflow.

Consultants can access Power BI Dataflows from the Power BI Desktop app, however, they may need to switch credentials in the Power BI Desktop app when they need to access Dataflows from a different tenant, like their own or another client’s.

Additionally, publishing reports from the Power BI Desktop app can be done from an External B2B guest account, but there are many more steps involved (see Guy In A Cube’s YouTube tutorial on this).

All of the above is seamless with an internal account.

Additional Considerations (Optional)

There may be additional elements to consider, such as workflows in communication between internal teams and external consultants, or workflows in using project management software to track the status of various tasks. For communication flows, External B2B guests can usually be added to Microsoft Teams chat or even groups (discuss with IT to make sure admin policies will allow it). It goes without saying, this is usually just as easy or easier with internal accounts.

Sharing project management boards can be a little tricky sometimes. On non-Microsoft platforms, like Trello, it may be simple to add an external guest. When we’re talking about Microsoft products, clients use different project management solutions that Microsoft provides them with. If it’s going to be a major roadblock to success if the consultant cannot use one of these project management solutions, make sure to test it out beforehand. Microsoft has Planner, SharPoint Task Lists with project tracking templates, etc. Some of these apps can be integrated with Teams as well, which can make it easier for your team and the consultant to work together in one place. Again, our suggestion is to test this out and have a chat with IT or the Microsoft Admin of your company to understand what External B2B guest users can access.

Comparison: External B2B Guest vs Internal Account

Conclusion

This may seem like a lot of information, because it is. Providing Power BI consultants with access to company data is a critical aspect of driving successful data-driven initiatives. Key factors must be considered, such as data security, permissions to data sources, testing, and QA processes when determining the most suitable access method for consultants. Balancing the need for seamless collaboration with robust data security measures is essential to mitigate risks and ensure compliance with regulatory requirements.

While both External B2B guest access and creating internal accounts offer viable options, our preferred method, especially for longer-term engagements, is having an internal account. It provides consultants with native capabilities and seamless workflows within the organization’s internal network. This approach enhances data security and can streamline the testing and QA process.

By prioritizing data security, fostering collaboration, and leveraging internal account creation, businesses can empower Power BI consultants to unlock the full potential of their data assets, make informed decisions, and achieve strategic objectives in today’s rapidly evolving digital landscape.

If you need more tips or advice on how to provide a smoother experience for your team and Power BI consultants, don’t hesitate to contact us and schedule a consultation.