A single unchecked tenant setting can quietly undermine months of governance work—even if your workspaces and datasets look locked down. By the end of this article, you’ll know which Power BI tenant settings have the biggest real-world impact, what unintended outcomes they enable, and how to strike a balance that doesn’t smother self-service while still keeping the keys to the kingdom in IT’s hands.
The Hidden Side of Tenant Settings: More Than an On/Off Switch
Most Power BI tenant settings are binary toggles, but the real governance problem is not whether a setting is on or off—it’s whether the setting silently allows users to route around your intended controls. The default intuition is that if you restrict workspace creation, or turn off sharing to external users, you’ve closed the loophole. In practice, several tenant settings interact in ways that let enthusiastic users find a path around intended restrictions.
- Publishing to Web: Disabling “Publish to Web” does block public report sharing, but the “Share via link” setting can still expose data outside the tenant if left open. These two settings are often misunderstood as mutually exclusive; they are not.
- Export and Download Controls: Even with “Export data” disabled, users with Build permission can still connect via Analyze in Excel unless you also configure “Allow live connections.” A common failure is missing that Build grants more than just dataset viewing—it enables export via other supported front-ends.
- Dataflow and Dataset Reuse: Disabling certified datasets does not prevent users from connecting to arbitrary datasets via the XMLA endpoint, if that’s enabled. The intersection of “Allow XMLA endpoint” and dataset sharing is a frequent blind spot.
Don’t treat tenant settings as independent switches. Every time you enable a path for advanced users, trace through all the supported clients and sharing mechanisms to see if you’ve accidentally re-enabled something you meant to block. When in doubt, test as a non-admin user with the maximum permissions allowed by your policy—not just as an admin in a sandbox.
Self-Service Isn’t Binary: The Myth of the “Safe Middle Ground”
The temptation is to look for a Goldilocks configuration—a set of tenant settings that gives power users enough rope to be productive but prevents any real damage. In reality, most organizations end up with a split-brain setup: some workspaces are tightly governed, others wide open, and the tenant settings act as the thinnest of fences between them. The real contestable claim: There is no tenant configuration that both enables true self-service analytics and guarantees central compliance. You must pick a side per scenario.
Here’s why the “safe middle ground” doesn’t exist:
- Auditing Gaps: Even with audit logging enabled, most tenant-level logs do not capture granular data exports or third-party tool usage via XMLA endpoints. You can’t govern what you can’t see.
- External Sharing Loopholes: Disabling guest user invitations does not block sharing with existing guests or B2B users from connected Azure AD tenants. The only airtight approach is to restrict external sharing at both the Azure AD and Power BI layers—and this usually torpedoes true cross-org self-service.
- Certified vs. Promoted Content: Promoted datasets are visible to all users, but do not require approval. IT often assumes “promoted” is a governance gate, but it’s just a label—anyone with write access can promote.
What I recommend: treat tenant settings as blunt instruments for containing risk, not eliminating it. For genuine self-service, create explicit “sandbox” workspaces with relaxed settings, and tightly lock down everything else. Don’t rely on tenant toggles to thread the needle—they’re too coarse for nuanced governance.
Worked Example: Dataset Export Leaks via Overlapping Permissions
Take a model with a centralized dataset in a production workspace. Assume:
- Tenant setting “Export data” is OFF (disabled).
- Tenant setting “Analyze in Excel” is ON.
- Workspace users have Build permission on the dataset, but not Admin.
Expectation: users can’t export data. Reality: users can still open the dataset in Excel, and from there, export or copy the raw data—bypassing the Power BI UI restrictions entirely. The tenant setting disables export from visuals, but not via supported client tools that use the XMLA endpoint or Analyze in Excel feature. Here’s the path:
- User opens the report in Power BI Service, finds export disabled in the visual’s menu.
- User clicks “Analyze in Excel”—enabled by tenant settings and Build permission.
- Excel connects to the dataset, user pivots or copies data out, or saves as a local file.
Even if you add DAX-level security (RLS), the raw data the user can see in Excel is whatever their role allows—but you have no control over export once it’s in Excel. The only way to truly block this path is to:
- Disable Analyze in Excel in tenant settings, and
- Restrict Build permission to only those who should export, and
- (Optionally) Block XMLA endpoint read access at the workspace level.
This is a classic case where the naive setting (“no export”) fails to deliver the actual data control stakeholders expect. You need to map every user path, not just the most visible one.
Governance Patterns That Actually Work: Segmentation and Auditing
Attempting to achieve perfect control with a single set of tenant settings is a governance mirage. What does work—if you want both self-service and compliance—is explicit segmentation and layered auditing:
- Workspace Types: Create distinct workspace templates: one for IT-owned, governed content (locked down; no external sharing, no Build for non-admins, no external tools), and one for user sandboxes (less restrictive, with clear disclaimers and periodic review).
- Audit-Driven Policy: Rather than blanket disabling features, enable audit logging and actively review sharing, export, and dataset access patterns. For example, monitor who is using XMLA endpoint or Analyze in Excel—don’t just rely on the toggle.
- Scheduled Escalations: Use PowerShell or the Admin API to periodically enumerate all tenant settings and workspace permissions, diff against your baseline, and alert when drift is detected. Relying on the UI to reflect true posture is a mistake—settings drift, and permissions get granted piecemeal.
What does NOT work is one-size-fits-all toggling. Either you cripple self-service and frustrate your business units, or you leave holes that advanced users will (often innocently) exploit. Segmentation acknowledges the reality that not all data is equally sensitive, and not all users are equally risk-tolerant.
Tenant Settings That Bite: The Ones Most Likely to Undermine Governance
Based on mechanism, not anecdote, these are the tenant settings most likely to quietly defeat your governance intent:
- Share Content with External Users: Often left open for collaboration, but enables report and dataset sharing to any guest user in Azure AD—even if their data access is not reviewed.
- Publish to Web: The one-click path to making reports public. Even with audit logging, data exposure is instant and irreversible. This should be off for any production tenant.
- Export Data and Analyze in Excel: As above, these interact in ways that make “no export” policies largely ineffective unless both are tightly controlled.
- Use XMLA Endpoint: Allows external tools to connect to and extract data from datasets. If you don’t need Tabular Editor or third-party integration, keep this off for business-facing workspaces.
- Allow Workspace Creation: Leaving this open means governance is a mirage—users can always create a new workspace with looser settings and circumvent controls applied elsewhere.
My position: If you can’t audit or monitor a setting’s downstream effect, default to the more restrictive posture, and enable exceptions where you can see and review them.
Checklist for Tenant Setting Review
Before signing off on your Power BI governance posture, work through this (non-exhaustive) checklist:
- Map every enabled sharing and export path—not just via the Power BI UI, but also via Excel, XMLA, and APIs.
- Review workspace creation rights; restrict to a named group if you want control.
- Audit all external users with access to content. If you can’t enumerate them, your external sharing policy is incomplete.
- Periodically export tenant settings via PowerShell/Admin API and compare to your baseline.
- Test as a user with only the maximum allowed permissions—never as an admin or owner.
This is not a one-time effort. New settings are added monthly, and defaults can change silently. Build a review cadence into your operating model.
If you want real control, treat tenant settings as your last line of defense, not your first. Segment content by risk, audit for drift, and assume every allowed path will be used—usually by someone just trying to get their job done.