Back to List

How to Protect PHI Data by Limiting External Access to Power BI

Paul Fuller Paul Fuller  |  
Nov 06, 2018
 
It was a second-latte-kind-of-day for health claims processor, Jane. Unknowingly, as she was waiting for the barista to work his magic, Nosy Pete looked over at her laptop screen five feet away and saw that his second cousin’s brother-in-law’s nephew’s ex-girlfriend’s health record was displayed on a Power BI dashboard. Suddenly, he had some juicy news for the gossip train.
 
Of course, personal health information (PHI) getting into the wrong hands has much greater danger than simply gossip fuel. This is a very real issue. In this bring-your-own-device world, PHI and all kinds of other sensitive data can easily get into the wrong hands.
 

“How can we restrict Power BI data to only our network?”

Recently, a health provider approached us on how to handle this situation. Their issue was, "How can we restrict the data in our Power BI service environment to only our trusted network?" The caveat being they didn’t want to block everyone from using Power BI externally. A group of associates in this client’s executive level would still to need access to this data on external networks. The customer asked us to identify a way to restrict Power BI service usage to their trusted network except for the group of executive level associates.
 
This is a common request in today’s data-driven world. Fortunately, we have developed a solution (that I outline below) to meet this issue through Microsoft’s Conditional Access, found in Azure Active Directory Premium.

(Though this solution talks about healthcare, it can be applied to other scenarios where you need to control access to sensitive data.)
 

Conditional Access

Conditional Access (CA) in Azure Active Directory Premium (AADP) allows the creation of very configurable policies that allow you to reduce the risk of data getting into the wrong hands. These policies define what conditions (assignments) you want to watch for and what to do about it (access controls).
 
power bi conditional access
(image from Microsoft)
 

CA policies address:

  • Who: Identifies which users or groups can access resources (required)
  • Where: Geo-fencing or IP address range restrictions (required)
  • What: Device-based—only approved devices, or application-based conditional access
  • When: Time or risk-based restrictions
 
Conditional Access (CA) is available in AADP premium subscriptions, both P1 and P2. Only AADP P1 is required for defining conditional access policies. P2 adds just-in-time-identity management (aka – Privileged Identity Management [PIM]) and access reviews. (You would only need to purchase P2 subscriptions for the Administrators who need PIM or access reviews performed.)
 

Proof-of-Concept Test

To test CA for this customer, I set up a trial subscription of AADP P2 (P1 was not available for a trial) in my own Azure tenant. I created a few test users and an “Execs” group containing one of the users. After creating the users, I defined a Trusted Location with the IP address range I currently receive from Comcast and called it “Paul’s Home”.
 
power bi named locations

Then I created a CA policy called, “Restrict Power BI from External Locations”.
 
power bi conditional access policies
 

Conditional Access Assignments

Specifying Users or Groups

The first required assignment in a CA policy is to specify users or groups. I specified that all users would be included in the policy (selected “All users” on the “Include” tab in the “Users and groups” blade). Then I indicated that the Execs group is the exception to this rule (selected “Users and groups” on the “Exclude” tab of the “Users and groups” blade and added the “Execs” group). You should also consider whether there is a group of Administrators that should also be excluded from this policy. But the question should be asked, “Should Administrators even need to access Power BI outside of a trusted network?”
 
power bi include exclude users and groups
 

Specifying Cloud Applications

The second required assignment in a CA policy is to specify which cloud applications are impacted.
 
For this situation, the client wants to prevent Power BI from being used externally. Additionally, I added Azure Analysis Services as another practical use case in this scenario.
 
You could select “All cloud apps” or just the ones you want to lock down. You will see all apps connected with your Azure tenant. So, since we’re locking down Power BI in this example, I selected the “Power BI Service” app.
 
Using the Exclude tab, you could have selected specific apps to exclude from this policy and have “All cloud apps” on the include – essentially a white list of what’s allowed to be executed externally.
 
From that point, the next policy Assignment to figure out is the Conditions for the assignment. In other words, “What would trigger this policy to be enforced?”
 
power bi include cloud apps
 

5 Condition Categories

There are five categories of conditions which are all optional for setting up a CA policy. If you don’t specify any specific conditions, your policy will always affect the users and cloud apps you specified in the previous Assignments. The five categories are Sign-in Risk, Device Platforms, Client Apps, Device State, and Location.
 
1. Sign-in Risk is only available with the P2 subscription. Sign-in risk is pretty impressive as it utilizes Microsoft’s expansive Intelligent Security Graph to determine the risk-level of sign-in’s. More information on this topic can be found here.
 
2. Device Platforms allow you to narrow down to Android, iOS, Windows Phone (what’s that?), Windows, or MacOS. Or you can select, “All platforms (including unsupported)” which would be advisable since Linux isn’t one of the specific supported platforms.
 
3. Client Apps is a misleading term as it leads you to think of Power BI, Dropbox, or Office 365 apps on a person’s mobile device. However, “Client apps” refers more to the kind of application that is the source of the communication (i.e. – a browser, mobile app, or a desktop client). Be careful of relying on the “Browser” condition as this can be spoofed.
 
4. The Device State allows you to restrict all devices except those marked as compliant or devices that have joined your Azure Active Directory.
 
5. The Location Condition is the only thing I needed specifically for this customer’s concern. I was able to specify that All locations would be included in this policy but allowed the exception for All trusted locations. I would also have been able to select specific-named locations defined in my AD, if needed.
 
power bi conditions and locations
 

Access Controls

Once you’ve defined the Assignments for the policy, then you move on to define the Access Controls. The Access Controls say what to do if the conditions defined are met. You can either block, grant access completely, or you can define specific session controls. Session controls depend on the level of control a cloud application provides. For example, you could use session control to say, “When user X logs in remotely, only allow them to have read-access to data.”
 
For my purposes, I simply wanted to block individuals from using Power BI from external networks. So, under the Grant access control, I selected “Block access”. Here is where you could say, “Grant access, but only if they provide Multi-factor Authentication.”
 
power bi grant access controls

The final step in creating the CA policy was to turn it on; simply selecting “On” under “Enable policy” did the job.
 
power bi restrict locations
 

A Welcomed Unwelcome Message

Finally, the last step was to test out my CA configuration.
 
First, I logged into Power BI with a credential that was not a member of the executives group and with an executive’s credential. Both of those credentials successfully logged in.
 
I then disconnected my laptop’s internet connection from Comcast and turned on my phone’s hotspot; a Verizon IP address range was assigned.
 
Next, I opened an incognito window in my Google Chrome browser. I tried logging in with “Jimmy Smith” who was a part of the executive’s group. The “Jimmy Smith” credential was still able to log in to Power BI. I logged Jimmy out and tried to log in as “Paulie Fuller” who was not part of the executives group.
 
I received the following message displayed below, “You cannot access this right now”, along with details about how to deal with the block. Normally this message would be quite unwelcome. However, it was quite a welcome sight for me as it proved out exactly what our health provider customer wanted to see: "You logged in just fine, but you can’t do that where you are right now."
 
Through this test case, I was able to sucessfully prove out how you can restrict access to the Power BI service, or any of the Microsoft Cloud apps, to a trusted network. If you have any questions on how we can do this for you, let us know. We'd be happy to help.
 
power bi welcome unwelcome message
AnalyticsPower BIAzure Healthcare

 

Love our Blogs?

Sign up to get notified of new Skyline posts.

 


Related Content


Blog Article
Is Santa Claus Secretly a Data Scientist?
Jared KuehnJared Kuehn  |  
Dec 04, 2018
Here we are again, amid the holiday season. Christmas items have been on sale for months. The biting, cold winter weather is rolling in. If you aren’t in the holiday spirit by now, it’s about time to get started before it’s too late.   To get into the spirit, I like to...
Blog Article
A Look at Power BI as a Business Intelligence System: Power Query M
Mark KaehnyMark Kaehny  |  
Nov 27, 2018
While Power BI is sometimes thought of as a front-end visualization tool, with it Microsoft created a “kitchen sink” Business Intelligence system that includes all the standard parts of a traditional solution. Here is a high-level view of Power BI and a look at the “ETL&rdquo...
Blog Article
When Low Quality Data Strikes, Can Fuzzy Logic Save the Day?
Jared KuehnJared Kuehn  |  
Oct 30, 2018
What is fuzzy logic? First off, there are some important things I think you should know: I was once a member of a group called the Marx Brothers.I can solve a Rubik’s cube in less than 1,000 seconds.I like BLT sandwiches.   Now, onto the reason you’re reading this post...
Blog Article
Steps to an Automated Power BI Audit Log Solution
Marcus RadueMarcus Radue  |  
Oct 16, 2018
Recently, our data team noticed a troubling pattern with clients who were looking to deploy Power BI throughout their organizations: they were experiencing limited visibility to all Power BI activities, associates, and licensing. Clients would ask us, “How am I able to efficiently manage...
Blog Article
Data Granularity Challenges with the Google Analytics Connector for Power BI
Adam WidiAdam Widi  |  
Oct 09, 2018
Background Before diving into the Google Analytics connector for Power BI and its challenges, I first want to provide a bit of background on dataset granularity. For those familiar with building a BI solution, you'll agree that loading detailed data into a data model provides the most...