Power BI Tenant Admin Recovery — Orphaned Workspaces, Broken Capacities & Sprawl Cleanup
You inherited a Power BI tenant with 3-10 years of drift — rotating admins, no governance discipline, undocumented gateway sprawl, and 2,000+ untitled reports. This is EPC Group's tenant admin recovery playbook. Refined across 1,500+ Power BI deployments, including the largest single Power BI tenants in North America.
Phase 1 — Audit (Weeks 1-3)
Full inventory via the Power BI Admin API. EPC Group's pipeline pulls /admin/groups (workspaces, users, datasets, reports, dataflows, dashboards) and /admin/gateways (gateways, clusters, data sources). Output: a Fabric semantic model + Power BI report showing every asset in the tenant, its owner, its last-used date, its capacity, its sensitivity label state, and its refresh health.
This inventory alone is deliverable-worthy — most inheriting admins have never seen it.
Phase 2 — Rationalize (Weeks 4-6)
For every asset in the inventory, one of five decisions:
- Keep — actively used, correctly owned, correctly labeled.
- Re-owner — actively used, current owner has left the company or the wrong team; transfer to a live steward.
- Merge — duplicate reports or datasets serving the same purpose across workspaces; consolidate.
- Archive — not used in 12+ months but has audit or compliance value; move to a read-only archive workspace.
- Delete — orphaned, unused, no owner, no purpose.
Phase 3 — Execute (Weeks 7-22)
Concurrent workstreams:
- Workspace merges, ownership transfers, and archives.
- Capacity rebalancing — reassign workspaces from oversubscribed capacities, retire orphaned ones, right-size the Fabric F-SKU budget.
- Gateway cluster deployment — consolidate 15 ad-hoc gateways into 2-3 production clusters with proper HA.
- Sensitivity label rollout — the 4-6 label taxonomy, auto-labeling policies, DLP for Power BI enforcement.
Phase 4 — Govern (parallel 90-day hand-off)
Five documented policies plus the enforcement automation for each:
- Workspace lifecycle policy — creation, ownership, retirement.
- Dataset certification policy — what Certified and Promoted mean, and how to earn each.
- Capacity budget policy — allocation across business units, overrun handling.
- Gateway policy — cluster requirements, minimum node count, patch windows.
- Sensitivity label policy — taxonomy, auto-labeling, DLP enforcement.
Frequently Asked Questions
What does "tenant admin recovery" mean for Power BI?
It means walking into a Power BI tenant that's been running for 3-10 years with rotating admins, no governance discipline, and no documented single source of truth — and re-establishing (1) an inventory of every workspace, dataset, dataflow, and gateway; (2) a rationalization plan (what stays, what merges, what gets archived, what gets deleted); (3) a governance framework going forward (workspace lifecycle, dataset certification, capacity budget, sensitivity labels).
What are the top five things a broken Power BI tenant has?
(1) Orphaned workspaces owned by a user who left the company years ago and can no longer be logged into. (2) Broken capacity assignments — workspaces pointing at retired premium capacities or a Fabric F-SKU that got downsized. (3) Undocumented gateway sprawl — 15 different on-premises gateways created ad-hoc, half of them broken, none of them clustered. (4) Sensitivity label chaos — labels never applied, or applied inconsistently, or applied and never enforced. (5) 2,000+ untitled reports and datasets nobody remembers publishing.
How does EPC Group start a tenant admin recovery?
With the Power BI Admin API. EPC Group's discovery pipeline pulls the full tenant inventory via the /admin/groups endpoint (workspaces, users, datasets, reports, dataflows, dashboards) and the /admin/gateways endpoint (gateways, clusters, data sources). Output: a Fabric semantic model + Power BI report showing every asset in the tenant, its owner, its last-used date, its capacity, its sensitivity label state, and its refresh health. This inventory itself is deliverable-worthy — most inheriting admins have never seen it.
How long does tenant admin recovery take?
The audit + rationalization plan phase is 3-6 weeks for most tenants. Execution (workspace merges, capacity rebalancing, gateway cluster deployment, sensitivity label rollout) is 6-16 weeks depending on scope and change control. Governance framework hand-off is a 90-day parallel workstream. Total elapsed: 3-6 months for a full tenant admin recovery on a mid-size (500-2,000 seat) tenant.
What's the governance framework EPC Group hands off?
Five documented policies plus the enforcement automation for each: (1) Workspace lifecycle policy — when workspaces are created, who owns them, when they retire. (2) Dataset certification policy — what "Certified" and "Promoted" mean at your org, and how a dataset earns each. (3) Capacity budget policy — how the F-SKU / P-SKU capacity budget is allocated across business units, how overrun is handled. (4) Gateway policy — cluster requirements, minimum node count, patch windows. (5) Sensitivity label policy — the taxonomy, the auto-labeling policies, the DLP for Power BI enforcement. Enforcement is a mix of Fabric admin portal settings, Purview policies, and PowerShell scheduled tasks against the Power BI Admin API.
Talk to a senior architect
If you have just inherited a Power BI tenant and don't know what you own, the fastest path is a senior architect with an Admin API discovery pipeline.
Email contact@epcgroup.net or call 888-381-9725.
North America's oldest continuous Microsoft Gold Partner (2000 until Microsoft retired the program in 2022) — today holding all six Microsoft Solutions Partner Designations.
