How Permissions Work for a Power BI Service Administrator

This post was updated on Nov 14, 2019.

Power BI administrator is a role for managing various aspects of the Power BI Service. It is a specific role that can be assigned in Office 365. Anyone with Office 365 or Azure global admin privileges is also a Power BI administrator by default.

The Power BI administrator role is a very high-privilege role, as discussed below.

Based on the tests I've been doing, I've observed that users with membership to the Power BI administrator role have two sets of permissions apply:

  • Activities which are scoped across the entire organization

  • Activities for which normal user permissions apply (with a loophole - see below)

Within the above 2 categories, there are the following types of activities:

  1. Manage tenant settings (always scoped to the organization)

  2. Compile inventory and metadata (can be scoped to the organization)

  3. Manage workspace users (can be scoped to the organization)

  4. Export content from a workspace (relies on user permissions)

[Image: PowerBIAdministrator_CategoriesOfResponsibility.jpg]

Next let’s briefly review each of the above types of activities.

Manage Power BI Tenant Settings

The ability to manage tenant settings in the Power BI Admin Portal has been in place for some time now. It includes managing settings such as:

  • Tenant settings (for the most part this includes enabling/disabling certain features to influence the user experience and/or govern the system)

  • Capacity

  • Embed codes

  • Organizational custom visuals

  • …plus lots more

The Power BI administrator role cannot be delegated to individual subsets of the organization — it applies to the entire tenant.

The role also cannot be granted in a read-only way. This can make it challenging in a very large organization. For example, let's say you're a large worldwide organization with five main divisions. One of the key Power BI people from division A requests access to the Power BI Admin Portal because they want to be able to view what the settings are. An example I've seen of this is someone thinking that the 'push apps to end users' feature doesn't work, when really the issue is that it's disabled by default in the tenant settings.

Compile Power BI Inventory and Metadata

With the introduction of the Power BI Management Module, we can more easily run scripts to perform certain activities such as accessing metadata. There are several cmdlets available, for instance: Get-PowerBIDashboard, Get-PowerBIReport, and Get-PowerBIWorkspace.

Here’s an example of a script which looks across the entire tenant (i.e., the organization scope) to find all instances of a report named Product Sales Analysis:

[Screenshot: Get-PowerBIReport.jpg]

The key point above is that the Power BI administrator can retrieve all metadata like this, including My Workspace for other users.

This is actually great because it means a Power BI administrator can put together an inventory of the content in the tenant. If you compare this to usage data from the Office 365 unified audit log, you can do some interesting analysis and oversight of the Power BI tenant.
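An added example, not the author's script: an organization-scope lookup for the report name used above that also records which workspace each match lives in, which is the starting point for the inventory described here. The function name `Get-TenantReportInventory` and the CSV path are illustrative assumptions.

```powershell
# Added example (not the original post's script). Requires the MicrosoftPowerBIMgmt
# module and a sign-in by an account in the Power BI administrator role.
Import-Module MicrosoftPowerBIMgmt

function Get-TenantReportInventory {
    param(
        # Optional report name filter; omit it to inventory every report.
        [string]$ReportName
    )

    # Organization scope returns every workspace in the tenant, including
    # workspaces the signed-in administrator is not a member of.
    $workspaces = Get-PowerBIWorkspace -Scope Organization -All

    foreach ($ws in $workspaces) {
        $params = @{ Scope = 'Organization'; WorkspaceId = $ws.Id }
        if ($ReportName) { $params.Name = $ReportName }

        try {
            $reports = Get-PowerBIReport @params -ErrorAction Stop
        }
        catch {
            # Keep going so one failing workspace does not abort the inventory.
            Write-Warning "Skipped workspace '$($ws.Name)': $($_.Exception.Message)"
            continue
        }

        foreach ($r in $reports) {
            [pscustomobject]@{
                WorkspaceId   = $ws.Id
                WorkspaceName = $ws.Name
                WorkspaceType = $ws.Type
                ReportId      = $r.Id
                ReportName    = $r.Name
                DatasetId     = $r.DatasetId
            }
        }
    }
}

Connect-PowerBIServiceAccount | Out-Null
Get-TenantReportInventory -ReportName 'Product Sales Analysis' |
    Export-Csv -Path .\ReportInventory.csv -NoTypeInformation
```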

Manage Workspace Users

There are PowerShell cmdlets such as Add-PowerBIWorkspaceUser and Remove-PowerBIWorkspaceUser to manage the new type of workspaces (i.e., the V2 ‘new workspace experience’).

Here is an example of my Power BI administrator account providing member permissions to a colleague:

[Screenshot: Add-PowerBIWorkspaceUser.jpg]

The interesting part of the above example is that my Power BI administrator account does *not* have any direct permissions to the workspace. However, the organization scope allows it to be done.

You know what else is interesting? That same Power BI administrator could assign permission to themselves in order to access the app workspace content. This is very important to realize because it essentially makes all data throughout the organization available to the administrator should they deem it necessary (or if they wish to do something nefarious).

 

Export Power BI Content from Workspaces

There is a PowerShell cmdlet called Export-PowerBIReport which, as the name implies, exports a PBIX from the Power BI Service. This includes the report and the underlying data. Here is an example of exporting one file:

[Screenshot: Export-PowerBIReport.jpg]

Unlike the previous two examples, Export-PowerBIReport is an activity which requires the Power BI administrator to have rights to the app workspace in order to access the content. An unauthorized (401) message is returned when a Power BI administrator tries to export a PBIX that resides within an app workspace which the administrator doesn’t have access to - this includes My Workspace for all other users.

Reminder: a Power BI administrator can grant themselves permission to this content though. That’s the loophole.

Summary

Hopefully this post saves you some time in determining how permissions apply to the different types of activities that a Power BI administrator can do. In summary:

A Power BI administrator can see all metadata throughout the tenant, regardless of their workspace permissions. This includes My Workspace metadata. Some activities do require direct app workspace permissions. However, a Power BI administrator can give themselves permission to any app workspace -- so that should be tracked with logging.
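One way to track administrator self-grants, as an added example that is not from the original post: the first function reports workspaces where an administrator account currently holds a role, and the second pulls membership-change events from the Power BI activity log. The account in `$admins` is a constructed placeholder, the function names are illustrative, and the code assumes `Users` is populated on workspaces returned at organization scope.

```powershell
# Added example, not from the original post. Requires MicrosoftPowerBIMgmt and
# a sign-in by an account in the Power BI administrator role.
Import-Module MicrosoftPowerBIMgmt

# Current state: workspaces where an administrator account holds a role.
function Find-AdminWorkspaceAccess {
    param(
        [Parameter(Mandatory)] [string[]]$AdminUpns,
        [Parameter(Mandatory)] [object[]]$Workspaces
    )
    foreach ($ws in $Workspaces) {
        foreach ($user in $ws.Users) {
            if ($AdminUpns -contains $user.UserPrincipalName) {
                [pscustomobject]@{
                    WorkspaceId   = $ws.Id
                    WorkspaceName = $ws.Name
                    Admin         = $user.UserPrincipalName
                    AccessRight   = $user.AccessRight
                }
            }
        }
    }
}

# History: membership changes performed by an administrator on one UTC day.
# This also surfaces access that was granted and later removed again.
function Get-AdminAccessChange {
    param(
        [Parameter(Mandatory)] [string[]]$AdminUpns,
        [Parameter(Mandatory)] [datetime]$Day
    )
    # The activity log is queried one UTC day at a time.
    $start = '{0:yyyy-MM-dd}T00:00:00' -f $Day
    $end   = '{0:yyyy-MM-dd}T23:59:59' -f $Day
    foreach ($activity in 'AddGroupMembers', 'UpdateWorkspaceAccess') {
        $json = Get-PowerBIActivityEvent -StartDateTime $start -EndDateTime $end -ActivityType $activity -ResultType JsonString
        if (-not $json) { continue }
        ($json | ConvertFrom-Json) |
            Where-Object { $AdminUpns -contains $_.UserId } |
            Select-Object CreationTime, UserId, Activity, WorkSpaceName, WorkspaceId
    }
}

$admins = @('pbi.admin@contoso.example')   # constructed placeholder account
Connect-PowerBIServiceAccount | Out-Null
Find-AdminWorkspaceAccess -AdminUpns $admins -Workspaces (Get-PowerBIWorkspace -Scope Organization -All)
Get-AdminAccessChange -AdminUpns $admins -Day (Get-Date).ToUniversalTime().AddDays(-1)
```

Run the history query on a schedule and store the results, since the snapshot alone misses access that was added and removed between runs.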

 
 

The scripts shown above are super simplified, not ready for actual production use, but I kept them simple since the focus of this post is on permissions.

Also, keep in mind that you do *not* have to be a designated Power BI administrator to use the Power BI PowerShell cmdlets — any user can run them against their own content. However, you *do* need to be a Power BI administrator in order to set the scope to organization (for those cmdlets which support it).

To find additional information:
