Tuesday, May 5, 2020

Make Power BI workspace governance easy



Power BI is one of enterprise BI's trusted reporting platforms. It offers powerful analytics and reporting features for organizations while requiring a minimal learning curve.

Intended Audience:

Enterprise customers of Power BI with both high adoption and usage rates need ways to simplify workspace governance. This blog provides an easy-to-use automated solution.

Business Scenario:

Most of our Fortune 500 customers use Power BI for analytics. The increased use of O365 groups makes workspace management difficult. With every Teams group creating their own Power BI workspace, manually managing these becomes tedious.

Workspaces establish collaborative environments where colleagues can create collections of dashboards and paginated reports. These collections can be bundled together into an app and distributed across the whole organization, or to specific people and groups.

To identify empty workspaces, report administrators had to navigate to the Power BI portal and manually check if a workspace was empty.

Technical Implementation:

We developed a web app that uses Power BI REST API calls to fetch workspace metadata, including information about the reports and dashboards present in them. After fulfilling prerequisites and raising access, the app presents a list of workspaces accessible to users in the tenant, based on user role. It uses Power BI Rest APIs to fetch information about whether workspaces have content (reports, datasets, dashboards) in them, displaying the data on a web page. Users can utilize a delete button attached to each workspace to delete the workspace from this centralized page.

Figure 1: Centralized page displaying workspace content information

The Power BI Rest APIs are internally configured to handle the conversion of groups from classic to V2 workspaces during deletion. As this change is immutable, we enabled a warning message to prompt users before deleting empty workspaces.

Access Instructions:

User Access

To access the application, users must sign in using their O365 accounts. To view the workspace details, the user only needs viewer access. However, in order to delete workspaces, the user also needs admin access.


App Permissions

To run the application, the user must grant consent on Workspace.ReadWrite.All and Report.ReadWrite.All permissions. These are required by the AAD app to generate the access token, which is used by the remaining API calls to successfully retrieve data. This enables the application to obtain the list of accessible workspaces. To authorize the application to call APIs that delete workspaces, users/admins need to provide Admin Consent. The list of configured permissions should include all permissions needed by the application, as shown below.

Figure 2: List of required permissions

Business Outcomes:

An automated approach:

  Reduces the effort in identifying and deleting empty workspaces 
  Enables role-based admin privileges to prevent misuse and unauthorized usage
  Enables workspace tracking in the organization 

Using the web-based tool, administrators can now clear out unused workspaces at the click of a button. By providing tenant-based role permissions, we ensure security and prevent unauthorized usage. Thus, implementation of the solution has helped reduce needless efforts, increasing overall productivity within the organization.

How to get the Solution:

Click here to gain access to the Codebase link

Support:

Feel free to fork the solution and contribute to it. If you come across any issues, please raise them in the issues section.