Help prevent sharing Power BI reports with credit card numbers

Note

The features used in this scenario are in preview.

This article uses the process you learned in Design a data loss prevention policy to show you how to create a Microsoft Purview data loss prevention (DLP) policy that helps protect against unintentional sharing of Power BI reports that contain credit card numbers. Work through this scenario in your test environment to familiarize yourself with the policy creation UI.

Important

This article presents a hypothetical scenario with hypothetical values. It's only for illustrative purposes. Substitute your own sensitive information types, sensitivity labels, distribution groups, and users.

How you deploy a policy is as important as policy design. This article shows you how to use the deployment options so that the policy achieves your intent while avoiding costly business disruptions.

Block Power BI reports with credit card numbers

Prerequisites and assumptions

This scenario uses the Highly Confidential - Internal sensitivity label, so it requires that you create and publish sensitivity labels. To learn more, see:

This procedure uses alerts. See Get started with the data loss prevention alerts.

Policy intent statement and mapping

We need to block external users from reports containing credit card numbers, unless the data is labeled with the 'Highly Confidential - Internal' sensitivity label, in which case a protection policy restricts access to select security groups. We want to notify the compliance admin to know whenever a semantic model is blocked and the data owner to be aware the restriction took place. We also want internal users to be aware that the data is highly confidential and that they shouldn't share it outside the organization.

| Statement | Configuration question answered and configuration mapping |
|---|---|
| "We need to block external users..." | - Where to monitor: Fabric and Power BI<br>- Administrative scope: Full directory<br>- Action: Restrict access or encrypt the content in Microsoft 365 locations > Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files, and Power BI items > Block only people outside your organization |
| "...from reports containing credit card numbers..." | - What to monitor: use the Custom template<br>- Conditions for match: edit it to add the Credit Card Number sensitive info type. |
| "...except if the data is labeled with the Highly Confidential - Internal sensitivity label..." | - Condition group configuration: Create a nested boolean NOT condition group joined to the first condition using a boolean AND<br>- Condition for match: edit it to add the Highly Confidential - Internal sensitivity label. |
| "We want to notify the compliance admin to know whenever a semantic model is blocked..." | - Incident reports: Send an alert to admins when a rule match occurs: On<br>- Send an alert every time an activity matches the rule: selected |
| "...the data owner to be aware the restriction took place. We also want internal users to be aware that the data is highly confidential and that they shouldn't share it outside the organization." | - User notifications: On<br>- Microsoft 365 files and Microsoft Fabric items: Notify users in Office 365 service with a policy tip or email notifications: selected<br>- Policy tips: Customize the policy tip text: selected. Add text in the text box explaining the rules governing sharing highly confidential data. |

Steps to create policy

Important

For this policy creation procedure, accept the default include and exclude values and leave the policy turned off. Change these values when you deploy the policy.

  1. Sign in to the Microsoft Purview portal.
  2. Open the Data loss prevention solution and go to Policies.
  3. Select Create policy.
  4. Select Custom from the Categories list.
  5. Select Custom policy from the Regulations list.
  6. Select Next.
  7. Enter a name and description for the policy. You can use the policy intent statement here.

    Important

    Policies can't be renamed.

  8. Select Next.
  9. Accept the Full directory default under Admin units.
  10. Select Next.
  11. Choose where to apply the policy. Select only the Fabric and Power BI workspaces location.
  12. Select Next.
  13. On the Define policy settings page, make sure the Create or customize advanced DLP rules option is selected.
  14. Select Next.
  15. Select + Create rule. Name the rule and provide a description.
  16. Under Conditions, select Add condition > Content contains > Add > Sensitive info types.
  17. Select the info types that apply to credit card numbers.
  18. Select Add.
  19. Next, under the Content contains section, select Add group.
  20. Leave the Boolean operator set to AND, then set the toggle to NOT.
  21. In the line below the toggle, select Add condition > Content contains > Add > Sensitivity labels.
  22. Select the sensitivity label Highly Confidential - Internal.
  23. Select Add.
  24. Under Actions, select Add an action > Restrict access or encrypt the content in Microsoft 365 locations > Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files, and Power BI items > Block only people outside your organization.
  25. Under User notifications, set the toggle to On.
  26. Select Notify users in Office 365 service with a policy tip or email notifications > Customize the policy tip text.
  27. Provide a policy tip that explains that the data in the report is highly confidential and is not to be shared outside the organization.
  28. Under Incident reports, set Use this severity level in admin alerts and reports to High.
  29. Make sure the Send an alert to admins when a rule match occurs toggle is set to On.
  30. Make sure the Send alert every time an activity matches the rule radio button is selected.
  31. Select Save.
  32. Review the rule, then select Next.
  33. Make sure the Run the policy in simulation mode radio button and the Show policy tips while in simulation mode checkbox are selected.
  34. Select Next.
  35. Review the policy, then select Submit.
  36. Select Done.
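
The rule built in steps 16 to 24 (credit card number AND NOT the exempt label, blocking only external users) is modelled below so you can write down the expected outcome for each test item before comparing it with simulation-mode results. This is an added example, not Microsoft's code or Purview's detection engine. The Luhn-checked pattern is an assumed stand-in for the Credit Card Number sensitive info type, and the `Report` model, function names, and sample items are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

EXEMPT_LABEL = "Highly Confidential - Internal"   # label named in the scenario
# 13-19 digits, optionally separated by single spaces or hyphens
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def contains_card_number(text: str) -> bool:
    """Assumed stand-in for the Credit Card Number sensitive info type."""
    return any(luhn_valid(re.sub(r"[ -]", "", m.group()))
               for m in CANDIDATE.finditer(text))

@dataclass
class Report:                       # hypothetical model of a scanned item
    name: str
    text: str
    label: Optional[str] = None

def rule_matches(report: Report) -> bool:
    # Condition 1: content contains a credit card number,
    # joined by AND to a NOT group: content has the exempt sensitivity label.
    return contains_card_number(report.text) and not (report.label == EXEMPT_LABEL)

def decision(report: Report, external_user: bool) -> str:
    # Action: "Block only people outside your organization"
    return "block" if rule_matches(report) and external_user else "allow"

# Constructed test items; 4111 1111 1111 1111 is a widely used test number.
SAMPLES = [
    Report("cards-unlabeled", "Paid with 4111 1111 1111 1111"),
    Report("cards-labeled", "Paid with 4111-1111-1111-1111", EXEMPT_LABEL),
    Report("order-ids", "Order 1234 5678 9012 3456 shipped"),   # fails Luhn
    Report("no-numbers", "Quarterly revenue summary"),
]

def expected_matrix():
    """(item, rule match, external access, internal access) for each sample."""
    return [(r.name, rule_matches(r), decision(r, True), decision(r, False))
            for r in SAMPLES]

if __name__ == "__main__":
    for row in expected_matrix():
        print(row)
```

The labeled item shows `allow` because this rule deliberately skips it; access to that item is governed by the label's protection policy, which this sketch does not model.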