Why Your Power BI Tenant Settings Deserve More Attention

Power BI Tenant Settings

As Microsoft continuously enriches Power BI with powerful tenant settings to enhance governance and flexibility, these new capabilities can introduce significant risks if left unmonitored—requiring proactive, versioned oversight to ensure secure and compliant analytics at scale.

Like volatile substances in a chemical plant can be an essential component of the end product, tenant settings—when carefully controlled—can provide the end users options to create powerful outcomes. They enable secure, customized analytics delivery across teams.

But when mishandled, these same settings can harm your organization: causing compliance issues, unintended data sharing, or negative impact on the Power BI service. Just as hazardous chemical processes in plants need controls, logs, and safety protocols, so too do your Power BI tenants. There are several reasons why organizations should not ignore managing the administrative area of Power BI.

Power BI Tenant Settings Are Expanding—This Is a Strength

Microsoft continues to expand the possibilities of Power BI, resulting in increased options. This results in a more granular way to set up the Power BI services Tenant and fine-tune the platform to organizational needs. For example, the introduction of domains and OrgApps logically led to options for managing these objects with settings in the tenant, allowing for the detailed configuration of sharing, security, and integration features.

As Power BI evolves and the number of tenant settings continues to grow, so too does the risk of misconfiguration. Many of these settings directly affect compliance, security, and platform stability—yet there’s no built-in versioning to track who changed what, when, or why. Without this visibility, organizations are left exposed to unintended data leaks, audit failures, and fragmented governance.

Uncontrolled Setting Changes Create Hidden Risk

Despite the growing complexity of Power BI environments, tenant-level governance still lacks essential oversight mechanisms. Most critically, there’s no granular audit trail for administrative changes. If someone disables restrictions on external sharing, for example, there’s no built-in way to trace who made the change, when it occurred, or why it happened. The change itself is not related to the ticket where the business decision to allow external sharing was made, and the change was authorized. This makes accountability difficult and forensic investigation nearly impossible in the event of an incident.

Current Limitations in Tenant Oversight prevent implementing solutions

Additionally, there are no native alerts or rollback capabilities. If a high-risk setting is misconfigured—intentionally or accidentally—the issue often goes unnoticed until after sensitive data is exposed, reports are not functioning correctly, or compliance issues emerge. In these cases, remediation is slow and manual, especially when the change history is unclear.

The Cybersecurity and Infrastructure Security Agency of the United States Department of Homeland Security outlines two key risks of using R and Python in Power BI. First, it mentions Security and Privacy Risks: scripts may include harmful code that can leak data or enable malicious actions, with no reliable way to control their behavior. Second, it identifies External Code Risks: Python and R visuals could expose sensitive data or be exploited by attackers via script vulnerabilities.

The agency advises disabling Python and R interactions unless the script’s source is trusted or a detailed code review confirms it is secure.

Besides custom scripts in Python and R visuals, which introduce security vulnerabilities, there are other settings that amplify risk. For instance, Publish to web can unintentionally expose internal reports to anyone on the internet. Guest access enables external collaborators to access shared workspaces and datasets, raising both data privacy and oversight concerns.

Without comprehensive control and visibility, these capabilities—which are meant to enhance collaboration and flexibility—can quickly become liabilities.

Organizations face four Key Issues caused by the Lack of Power BI Tenant Oversight 

Since there is no native way of capturing the changes, every organization is faced with four major issues:

1. Compliance Blind Spots

Without a clear record of who changed what and when, it becomes almost impossible to prove compliance with internal policies or external regulations like GDPR, HIPAA, or SOX. A simple misconfiguration—such as enabling publish-to-web or relaxing guest sharing restrictions—could expose sensitive data without detection, leaving your organization vulnerable to audits, fines, or reputational harm.

2. Incident Forensics Failure

When something goes wrong—whether it’s a data breach, unauthorized access, or a broken reporting pipeline—admins need to trace the root cause. But with no historical log of tenant setting changes, there’s no way to see what configuration might have triggered the issue, who made the change, or how to roll it back. Investigations become guesswork, and remediation is delayed.

3. Scaling Chaos

As Microsoft continues to enhance Power BI, each new object comes with new, unannounced tenant settings. The control surface has already expanded dramatically. Without a structured approach to managing these settings, governance quickly becomes chaotic. It’s easy to overlook critical toggles, forget who’s responsible for what, or unintentionally introduce risk during feature rollouts.

4. Governance Drift

This brings me to the last point: in larger or decentralized organizations, different teams may have different practices or assumptions about tenant configuration. Without centralized version control, this leads to fragmentation, where settings are inconsistent, undocumented, or out of sync with organizational policy. Over time, your governance posture weakens, and your BI platform becomes increasingly difficult to secure and scale.

Evergreen Principles of Management offer solutions

To find a solution for the new risks that Analytics Managers are facing with the administration of Power BI, we don’t have to go far. There are Evergreen Principles of Management that have stood the test of time and can still be used to tackle this issue. For managing these risks, the internal control theory sharpened by COSO is very helpful.

To secure Power BI tenant governance, organizations need a COSO-aligned control model that includes automated monitoring, procedural oversight, and independent audit reporting.

Automated Computer Controls

Every change to tenant settings should be automatically captured and must be linked to a relevant ticket or change request where the authorization is provided. This forms the technical baseline for visibility, accountability, and rollback.

Procedural Controls & Segregation of Duties

The change process of tenant settings must require clear separation between the implementer, the tenant administrator, and the approver. The tenant administrator should have no ability to alter the log files. This protects against insider threats and ensures the integrity of platform governance.

Independent Audit & Compliance Reporting

Automated reports should be delivered to compliance officers with full context:

  • What changed
  • Who made the change
  • Who approved it
  • The related ticket
  • When it happened
  • Detailed configuration delta

This supports external audits and internal controls testing.
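The three controls above (automated capture of every change, a ticket and an approver who is not the implementer, and a report with the full context) can be sketched in a few functions. The block below is an added example written for this article; it is not Soterre’s code and not a Power BI API. The two snapshots are constructed inline (a real deployment would feed in periodic exports of the tenant settings), their field layout only loosely follows the admin tenant-settings list, and the setting names `PublishToWeb`, `RScriptVisual` and `AllowGuestUserToAccessSharedContent` are assumptions used to stand in for the publish-to-web, R/Python-visual and guest-access toggles the article discusses. The log is sealed as a hash chain so that an edit to an earlier record is detectable; that only helps if the chain is stored where the tenant administrator cannot write.

```python
"""Tenant-setting snapshot diff, change record and tamper-evident log.

Added example, not part of the original article and not Soterre's code.
Snapshots are constructed; setting names are assumptions, not a verified list.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Settings the article singles out as high risk when enabled for the whole tenant
# (assumed names, standing in for publish-to-web, R/Python visuals and guest access).
HIGH_RISK = {
    "PublishToWeb": "reports become reachable by anyone on the internet",
    "RScriptVisual": "R/Python scripts execute inside visuals",
    "AllowGuestUserToAccessSharedContent": "external guests can open shared content",
}

# Constructed snapshots. enabled=True with an empty enabledSecurityGroups list
# means the feature is on for the entire organisation.
BEFORE = [
    {"settingName": "PublishToWeb", "enabled": False, "enabledSecurityGroups": []},
    {"settingName": "RScriptVisual", "enabled": True,
     "enabledSecurityGroups": [{"graphId": "sg-data-science"}]},
    {"settingName": "AllowGuestUserToAccessSharedContent", "enabled": False,
     "enabledSecurityGroups": []},
]
AFTER = [
    {"settingName": "PublishToWeb", "enabled": True, "enabledSecurityGroups": []},
    {"settingName": "RScriptVisual", "enabled": True, "enabledSecurityGroups": []},
    {"settingName": "AllowGuestUserToAccessSharedContent", "enabled": False,
     "enabledSecurityGroups": []},
]


def _groups(setting: dict | None) -> list[str]:
    return sorted(g["graphId"] for g in (setting or {}).get("enabledSecurityGroups", []))


def diff_settings(before: list[dict], after: list[dict]) -> list[dict]:
    """One delta per changed setting. A high-risk setting is flagged when it is
    switched on tenant-wide, or widened from named security groups to the whole tenant."""
    old_idx = {s["settingName"]: s for s in before}
    new_idx = {s["settingName"]: s for s in after}
    deltas = []
    for name in sorted(set(old_idx) | set(new_idx)):
        old, new = old_idx.get(name), new_idx.get(name)
        if old == new:
            continue
        risk = None
        if name in HIGH_RISK and new and new["enabled"] and not _groups(new):
            was_restricted = old is None or not old["enabled"] or bool(_groups(old))
            if was_restricted:
                risk = HIGH_RISK[name]
        deltas.append({"setting": name, "before": old, "after": new, "risk": risk})
    return deltas


@dataclass
class ChangeRecord:
    implementer: str
    approver: str
    ticket: str | None
    timestamp: str
    deltas: list[dict]
    violations: list[str] = field(default_factory=list)


def build_change_record(before, after, implementer, approver, ticket=None, when=None):
    """Procedural controls: a linked ticket, an approver who is not the implementer,
    and an explicit violation for every tenant-wide high-risk enablement."""
    deltas = diff_settings(before, after)
    violations = []
    if not ticket:
        violations.append("no ticket or change request linked")
    if implementer == approver:
        violations.append("segregation of duties: implementer approved their own change")
    violations += [f"{d['setting']} enabled tenant-wide: {d['risk']}" for d in deltas if d["risk"]]
    ts = (when or datetime.now(timezone.utc)).isoformat()
    return ChangeRecord(implementer, approver, ticket, ts, deltas, violations)


def seal(record: ChangeRecord, prev_hash: str) -> dict:
    """Append a record to a hash chain; the chain must live outside the admin's reach."""
    entry = asdict(record)
    entry["prev_hash"] = prev_hash
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    return entry


def verify_chain(entries: list[dict], genesis: str = "0" * 64) -> bool:
    """False if any entry was edited after sealing or the chain order was broken."""
    prev = genesis
    for entry in entries:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev_hash"] != prev or digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def render_report(record: ChangeRecord) -> str:
    """Audit report with the context the article lists: what, who, approver, ticket, when, delta."""
    lines = [f"{record.timestamp} change by {record.implementer}, approved by "
             f"{record.approver}, ticket {record.ticket or 'NONE'}"]
    for d in record.deltas:
        lines.append(f"  {d['setting']}: {json.dumps(d['before'])} -> {json.dumps(d['after'])}")
    lines += [f"  VIOLATION: {v}" for v in record.violations]
    return "\n".join(lines)
```

Running `render_report(build_change_record(BEFORE, AFTER, "admin", "admin"))` on the constructed snapshots reports two deltas (publish-to-web switched on, R/Python visuals widened from one security group to the whole tenant) and four violations: no ticket, implementer equals approver, and one line per high-risk enablement. The guest-access setting is unchanged and produces no delta.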

How to implement controls for Power BI tenants?

Although Power BI audits tenant settings, it does not deliver the full scope of the needed capabilities. For example, it doesn’t store them in an independent data source, nor does it offer the capability to link them to the relevant ticket or change request where the approval is provided.

This is where Soterre comes in. Soterre is a governance and version control solution designed specifically for BI platforms like Power BI. It applies proven DevOps principles—such as versioning, change traceability, and release management—to help organizations manage analytics environments with the same discipline used in software engineering.

In the context of Power BI tenant governance, Soterre allows you to:

  • Automatically version every tenant setting change, capturing who made the change, what was changed, and when it occurred.
  • Link tenant changes to work tickets, providing full traceability and ensuring that all modifications are authorized and properly reviewed.
  • Generate audit-ready reports for compliance teams, showing a clear history of governance activity—including approvals, timestamps, and change rationales.

By doing so, Soterre supports internal control practices aligned with frameworks like COSO. It enables your organization to demonstrate that governance procedures are being followed, that risks are actively managed, and that changes are transparent and reversible—essential for passing audits, preventing misconfiguration, and scaling Power BI with confidence.

Learn more about Soterre for Power BI here.

As the BI space evolves, organizations must take into account the bottom line of amassing analytics assets.
The more assets you have, the greater the cost to your business. There are the hard costs of keeping redundant assets, i.e., cloud or server capacity. Accumulating multiple versions of the same visualization not only takes up space, but BI vendors are moving to capacity pricing. Companies now pay more if you have more dashboards, apps, and reports. Earlier, we spoke about dependencies. Keeping redundant assets increases the number of dependencies and therefore the complexity. This comes with a price tag.
The implications of asset failures differ, and the business’s repercussions can be minimal or drastic.
Different industries have distinct regulatory requirements to meet. The impact may be minimal if a report for an end-of-year close has a mislabeled column that the sales or marketing department uses. On the other hand, if a healthcare or financial report does not meet the needs of a HIPAA or SOX compliance report, the company and its C-level suite may face severe penalties and reputational damage. Another example is a report that is shared externally. During an update of the report specs, row-level security was incorrectly applied, which caused people to have access to personal information.
The complexity of assets influences their likelihood of encountering issues.
The last thing a business wants is for a report or app to fail at a crucial moment. If you know the report is complex and has a lot of dependencies, then the probability of failure caused by IT changes is high. That means a change request should be taken into account. Dependency graphs become important. If it is a straightforward sales report that tells notes by salesperson by account, any changes made do not have the same impact on the report, even if it fails. BI operations should treat these reports differently during change.
Not all reports and dashboards fail the same; some reports may lag, definitions might change, or data accuracy and relevance could wane. Understanding these variations aids in better risk anticipation.

Marketing uses several reports for its campaigns – standard analytic assets often delivered through marketing tools. Finance has very complex reports converted from Excel to BI tools while incorporating different consolidation rules. The marketing reports have a different failure mode than the financial reports. They, therefore, need to be managed differently.

It’s time for the company’s monthly business review. The marketing department proceeds to report on leads acquired per salesperson. Unfortunately, half the team has left the organization, and the data fails to load accurately. While this is an inconvenience for the marketing group, it isn’t detrimental to the business. However, a failure in financial reporting for a human resource consulting firm with thousands of contractors, containing critical and complex calculations about sickness, fees, hours, etc., has major implications and needs to be managed differently.

Acknowledging that assets transition through distinct phases allows for effective management decisions at each stage. As new visualizations are released, the information leads to broad use and adoption.
Think back to the start of the pandemic. COVID dashboards were quickly put together and released to the business, showing pertinent information: how the virus spreads, the demographics affected, the business risks, etc. At the time, it was relevant and served its purpose. As we moved past the pandemic, COVID-specific information became obsolete, and reporting was integrated into regular HR reporting.
Reports and dashboards are crafted to deliver valuable insights for stakeholders. Over time, though, the worth of assets changes.
When a company opens its first store in a certain area, there are many elements it needs to understand – other stores in the area, traffic patterns, pricing of products, what products to sell, etc. Once the store is operational for some time, specifics are not as important, and it can adopt the standard reporting. The tailor-made analytic assets become irrelevant and no longer add value to the store manager.