Power-BI: Publishing to web needs a secure design

Lately, I’ve seen a number of people commenting that they think the Publish to Web options in Power BI aren’t secure. They are secure. You just need to use them appropriately.

The issue

When you publish to web with Power BI, all data in the semantic model that the user is allowed to see is visible, not just the data shown in the visual that’s on your report. There’s nothing to stop the user using DAX to get to it.

In the Publish to web from Power BI Learn Page , Microsoft makes this pretty clear:

When you use Publish to web, anyone on the Internet can view your published report or visual. Viewing requires no authentication. It includes viewing detail-level data that your reports aggregate. Before publishing a report, make sure it’s okay for you to share the data and visualizations publicly. Don’t publish confidential or proprietary information. If in doubt, check your organization’s policies before publishing.

The only thing I differ with them on, is the suggested solutions.

For me, the problem is with how you’ve isolated the semantic model in the first place.

The real solution

Whenever we use this option, we create a separate semantic model that only contains the data that is allowed to be seen. Then, no matter what the user does, there’s no way for them to get to other data.

We’re big fans of isolation, rather than trying to limit visibility.

What about perspectives?

I’ve also seen people assume that if the publish to web option is based on a perspective of a semantic model, that it will be ok.

I can’t stress enough that perspectives in Power BI, Analysis Services, etc. are not security features. They just simplify the model for the user. That user can still use DAX to query other parts of the model.

2025-11-09