Workspace outbound access protection (OAP) is a workspace-level control in Microsoft Fabric that lets you constrain where the data inside a workspace can flow. With this preview, OAP support now extends to Power BI reports. The good news for report authors and admins: there's nothing new to configure on the report itself. Protection comes from a single, well-defined rule that the workspace enforces automatically as soon as you turn OAP on.
Why it matters
Power BI reports don't carry their own data connections. They're bound directly to a semantic model. That binding isn’t always obvious when you’re reasoning about data boundaries — a report sitting in a sensitive workspace might bind to a semantic model in another workspace. Such a report mostly retrieves data from its semantic model (an inbound flow), but filter values, such as those specified using query string parameters in the report URL, would flow outbound across the data boundary.
Before OAP, a workspace admin had no way to guarantee that reports in a regulated or sensitive workspace only consume data governed by that workspace's rules. For regulated industries, multi-tenant solutions, and any team that needs the data boundary to match the workspace boundary exactly, that gap matters. OAP for Power BI reports closes that gap.
How it works
OAP enforces one rule for Power BI reports: a report in a protected workspace can only bind to a semantic model in the same workspace. Cross-workspace bindings are blocked. There's no OAP allow list for reports and no exception mechanism — the constraint is the protection.
Downstream protection flows through the semantic model. The model itself remains subject to semantic model OAP enforcement, so any cloud database, on-premises source through a gateway, Fabric lakehouse, or warehouse that the report’s semantic model touches is evaluated against the workspace's data connection rules. The report conceptually inherits that data boundary through its binding to the semantic model.
It's worth being precise about scope. Most Power BI report features render or execute in the user's browser, not in the Fabric service, so they fall outside the OAP scope. For example, custom visuals might connect to external services to fetch JavaScript or data. Similarly, map visuals, R and Python visuals, the RDL visual, web URL actions in buttons, data-bound URLs, User Data Functions invoked from the report, and report exports are also client-side. If you need to restrict any of these, use the matching Power BI tenant or workspace-level settings or block the connections on the client machines or in your local network environment.
Subscriptions and Export as PDF are special cases because the report is rendered in the service during processing. OAP isn't the right tool for controlling these features. If you must block absolutely every possible connection to an external endpoint, disable Export reports as PowerPoint presentations or PDF documents and Email Subscriptions in your Power BI tenant settings. There’s no way to disable email subscriptions for individual workspaces only.
Publish and author in a protected workspace
Publishing interactive Power BI reports to an OAP-enabled workspace works without extra configuration. Power BI Desktop publish, Desktop live editing, Git integration, and Fabric Deployment Pipelines all behave normally as long as the report binds to a semantic model in the same workspace. If a report references a model in a different workspace, publishing succeeds but the report can't render data, because OAP blocks all cross-workspace queries.
Figure: Publishing a report in an OAP-enabled workspace.
Getting started
There's no report-specific configuration. To use Power BI reports in a protected workspace:
- Confirm the workspace is assigned to a Fabric capacity (F SKU) and the tenant setting Configure workspace-level outbound network rules is enabled.
- Follow the steps in Enable workspace outbound access protection to turn OAP on for the workspace. Configuration changes can take about 15 minutes to propagate.
Figure: Workspace settings for outbound access protection.
- Configure data connection rules for the semantic models the reports use, as described in Workspace outbound access protection for semantic models.
- Publish your reports to the protected workspace, making sure each report binds to a semantic model in the same workspace. If you are publishing from Power BI Desktop, the report and semantic model are placed in the same workspace.
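Because a cross-workspace report still publishes successfully and only fails to render data later, it helps to audit bindings before turning OAP on. The following is an added example, not code from Microsoft or from the original post: it checks a report inventory against the same-workspace rule. The inventory shape (the `name`, `workspaceId` and `datasetId` keys), the model-to-workspace map and all sample IDs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    report: str
    workspace: str
    reason: str

def _norm(value):
    # IDs are compared case-insensitively and without stray whitespace
    return (value or "").strip().lower()

def audit_bindings(reports, models, protected):
    """Flag reports that would not render once OAP is on for their workspace.

    reports:   dicts with 'name', 'workspaceId', 'datasetId' (assumed export shape)
    models:    dict mapping semantic model id -> id of the workspace that holds it
    protected: ids of workspaces where OAP is, or is about to be, enabled
    """
    model_ws = {_norm(k): _norm(v) for k, v in models.items()}
    guarded = {_norm(w) for w in protected}
    findings = []
    for r in reports:
        ws = _norm(r.get("workspaceId"))
        if ws not in guarded:
            continue  # the same-workspace rule only applies in protected workspaces
        home = model_ws.get(_norm(r.get("datasetId")))
        if home is None:
            # Model missing from the inventory: cannot prove the binding is local
            findings.append(Finding(r["name"], ws, "semantic model not in inventory"))
        elif home != ws:
            findings.append(Finding(r["name"], ws, f"binds to model in workspace {home}"))
    return findings

# Constructed sample inventory (not real tenant data)
WS_FIN = "aaaa0000-0000-0000-0000-000000000001"
WS_SHARED = "bbbb0000-0000-0000-0000-000000000002"
SAMPLE_MODELS = {"m-ledger": WS_FIN, "m-sales": WS_SHARED}
SAMPLE_REPORTS = [
    {"name": "Ledger", "workspaceId": WS_FIN, "datasetId": "m-ledger"},
    {"name": "Sales", "workspaceId": WS_FIN.upper(), "datasetId": "M-SALES"},
    {"name": "Orphan", "workspaceId": WS_FIN, "datasetId": "m-gone"},
    {"name": "Shared", "workspaceId": WS_SHARED, "datasetId": "m-ledger"},
]

if __name__ == "__main__":
    for f in audit_bindings(SAMPLE_REPORTS, SAMPLE_MODELS, [WS_FIN]):
        print(f"{f.report}: {f.reason}")
```

Reports flagged here need to be rebound to a model in the same workspace, or moved together with their model, before OAP is enabled.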