The 4-layer Power BI Enterprise Security architecture
Power BI security for the most sensitive enterprise data is not a single feature toggle — it is a 4-layer integrated architecture. EPC Group designs against all four layers from day one.
Enterprise Power BI security architecture — Row-Level Security + Object-Level Security at scale, Microsoft Purview sensitivity labels, conditional access, audit logging, Microsoft Sentinel SOC integration, regulated-industry compliance, tenant isolation for classified + ITAR + IL5/IL6 + healthcare PHI + financial-services sensitive data.
Published June 25, 2026 · Updated continuously
Last updated June 25, 2026 by Errin O'Connor, Founder & Chief AI Architect, EPC Group
EPC Group designs Power BI enterprise security architectures for the most sensitive enterprise data — healthcare PHI, financial services trading + risk data, federal classified + CUI + ITAR-controlled technical data, trade-secret IP. The architecture spans 4 integrated layers: Row-Level Security (RLS) + Object-Level Security (OLS) at enterprise scale (1M+ users, 100B+ rows, 50+ business unit boundaries); Microsoft Purview Information Protection sensitivity labels + DLP propagated end-to-end through OneLake → Fabric semantic models → Power BI reports → exported files; Microsoft Entra Conditional Access + Privileged Identity Management for device-compliance + MFA + session controls + just-in-time admin elevation; Microsoft Sentinel SOC integration with custom KQL detection rules + SOAR runbooks for anomaly response. Compliance-native for HIPAA + HITRUST + NYDFS Part 500 + FedRAMP + DoD IL5/IL6 + CMMC 2.0 + Illinois BIPA + GDPR. High-touch, senior-architect-led delivery without junior consultants learning on the engagement.
EPC Group designs Power BI security for sensitive data with 4 integrated layers: RLS + OLS at enterprise scale, Microsoft Purview sensitivity labels + DLP, Conditional Access + Entra PIM, Microsoft Sentinel SOC integration. Compliance-native HIPAA + NYDFS + FedRAMP + IL5/IL6 + CMMC + BIPA + GDPR. Senior-architect-led delivery. 3-week Assessment + 12-16 week Implementation + ongoing Cloud Orchestrator retainer.
EPC Group designs RLS + OLS at enterprise scale (1M+ users, 100B+ row fact tables, 50+ business unit boundaries) using DAX-based dynamic RLS, role-mapping tables and Microsoft Entra ID security group integration. OLS hides specific tables and columns from designated roles without breaking the semantic model design. Composite-model RLS patterns cover Direct Lake + Import + DirectQuery hybrid architectures. Documented enterprise outcomes: 100% data-classification boundary enforcement across 1B+ row semantic models without performance regression.
Microsoft stack: DAX dynamic RLS + role-mapping tables + Entra ID security groups + OLS via Tabular Editor + composite-model patterns
EPC Group implements Microsoft Purview Information Protection sensitivity labels propagated end-to-end: OneLake → Fabric semantic model → Power BI dataset → Power BI report → exported PDF/Excel/PowerPoint files. Labels carry encryption + access restriction + watermark + content marking throughout the Power BI export lifecycle. DLP policies prevent data labeled Confidential from being exported via unauthorized channels (personal email, Dropbox, USB). Documented enterprise outcomes: >85% sensitivity-label coverage on in-scope analytical data within the first 6 months.
Microsoft stack: Microsoft Purview Information Protection + Sensitivity Labels + DLP policies + Microsoft Defender for Cloud Apps + Endpoint DLP
EPC Group designs conditional access policies aligned to Power BI usage: device-compliance enforcement (only managed Intune devices can access Power BI Premium workspaces with sensitive labels), location restrictions (block access from sanctioned-country IPs), session controls (limit download/print for high-sensitivity reports), and MFA on every session for tier-1 financial + healthcare workspaces. Microsoft Entra Privileged Identity Management (PIM) for the Power BI Admin, Capacity Admin and Workspace Admin roles requires just-in-time, time-bound elevation with manager approval and activity logging.
Microsoft stack: Microsoft Entra Conditional Access + Entra PIM + Defender for Cloud Apps session controls + Microsoft Intune device compliance
EPC Group integrates Power BI audit logs into Microsoft Sentinel via the Power BI Activity Log connector + Office 365 unified audit log. Custom Sentinel analytics rules detect anomalies: unusual export volume by user, off-hours admin elevation, large dataset downloads, RLS bypass attempts, sensitive-label dataset access from unmanaged devices. Integration with Microsoft Defender XDR for cross-domain correlation (Power BI export → email leak → endpoint compromise chain). Sentinel SOAR runbooks auto-respond to detected anomalies (force re-authentication, suspend account, isolate device, notify SOC analyst).
Microsoft stack: Microsoft Sentinel + Power BI Activity Log connector + Defender XDR + custom KQL detection rules + SOAR runbooks
Dynamic RLS uses the DAX USERNAME() or USERPRINCIPALNAME() functions joined to role-mapping tables sourced from Microsoft Entra ID security groups. Role-mapping tables are refreshed daily from HR + identity sources. For multi-dimensional security (user × region × business unit × product line), composite role-mapping tables use sparse joins to fact tables. For 100B+ row fact tables, RLS predicate pushdown to the source (Azure Synapse Dedicated SQL Pool, Fabric Warehouse, Azure SQL) ensures security filtering happens at the source rather than in the Power BI engine, avoiding the performance penalty of in-engine row filtering on massive tables. Documented enterprise outcomes: sub-second query performance on 100B+ row fact tables with 1M+ concurrent users and 50+ business-unit RLS boundaries.
RLS filters ROWS in fact tables based on user role — user A sees only their region's sales, user B sees only their department's expenses. OLS hides entire TABLES or COLUMNS from specific users — user A cannot see the Compensation table at all, user B cannot see the Profit_Margin column. RLS is configured via DAX expressions in Power BI Desktop + service. OLS requires Tabular Editor (external tool) — Microsoft does not yet provide native OLS UI in Power BI Desktop. EPC Group designs both in tandem: OLS hides sensitive tables/columns from users who should not even know they exist, RLS filters remaining data based on user role.
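As an added illustration (not EPC Group's code and not DAX), a Python model of the dynamic RLS + OLS evaluation described in the two paragraphs above: a sparse role-mapping table keyed by user principal name, a composite region × business-unit predicate, and per-role column hiding. The `*` wildcard meaning "all values", the user and role names, and the sample fact rows are all constructed assumptions; the model shows what the DAX role filter must decide for each row rather than reproducing the filter expression.

```python
# Python model of dynamic RLS + OLS evaluation (added example; not DAX and not EPC Group code).
# Role-mapping rows: (user principal name, region, business unit). "*" is an assumed
# wildcard meaning "all values", which keeps the table sparse for broad roles.
ROLE_MAP = [
    ("alice@corp.example", "EMEA", "Retail"),
    ("alice@corp.example", "EMEA", "Wholesale"),
    ("bob@corp.example", "*", "Retail"),  # every region, one business unit
]
# Which semantic-model role each user belongs to (in Power BI: Entra security group -> role)
USER_ROLE = {"alice@corp.example": "analyst", "bob@corp.example": "finance"}
# OLS: columns a role may not see at all (hiding a whole table works the same way)
OLS_HIDDEN = {"analyst": {"Profit_Margin"}, "finance": set()}

SALES = [  # constructed fact rows
    {"Region": "EMEA", "BU": "Retail", "Amount": 100, "Profit_Margin": 0.20},
    {"Region": "EMEA", "BU": "Wholesale", "Amount": 250, "Profit_Margin": 0.12},
    {"Region": "APAC", "BU": "Retail", "Amount": 80, "Profit_Margin": 0.25},
    {"Region": "APAC", "BU": "Wholesale", "Amount": 300, "Profit_Margin": 0.10},
]


def row_allowed(upn, row, role_map=ROLE_MAP):
    """RLS predicate: the equivalent of joining USERPRINCIPALNAME() to the mapping table
    on region x business unit. No mapping row for the user -> no rows (fail closed)."""
    return any(
        u == upn and r in ("*", row["Region"]) and b in ("*", row["BU"])
        for (u, r, b) in role_map
    )


def secure_view(upn, rows=SALES):
    """Apply OLS (drop hidden columns) and RLS (drop disallowed rows) for one user."""
    if upn not in USER_ROLE:
        return []  # user is in no role: nothing is returned
    hidden = OLS_HIDDEN[USER_ROLE[upn]]
    return [
        {col: val for col, val in row.items() if col not in hidden}
        for row in rows
        if row_allowed(upn, row)
    ]


if __name__ == "__main__":
    for user in ("alice@corp.example", "bob@corp.example", "mallory@corp.example"):
        print(user, secure_view(user))
```

In Power BI, RLS and OLS apply only to workspace Viewers and app consumers; Admins, Members and Contributors see unfiltered data, so role filters must be validated with Viewer-level test identities.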
When a Microsoft Purview Information Protection sensitivity label (e.g., "Confidential - Financial") is applied to a Power BI semantic model or report, the label propagates downstream: (1) Power BI Desktop shows the label in title bar; (2) Power BI Service displays the label badge on reports + dashboards; (3) Exports to Excel + PowerPoint + PDF + PNG inherit the label with encryption + access restrictions; (4) Files opened on managed devices honor the label's permissions (e.g., "do not forward", "do not print", "expire after 30 days"); (5) Microsoft Defender for Cloud Apps + Microsoft Sentinel can detect attempts to bypass label restrictions. EPC Group typically deploys label hierarchy: Public / Internal / Confidential / Highly Confidential / Restricted, with sub-labels for specific regulatory regimes (HIPAA-PHI, PCI-DSS-Cardholder, ITAR-Controlled, CMMC-CUI).
Compliance-native architecture: (1) HIPAA BAA-aligned Power BI Premium capacity in Azure Government or Microsoft 365 GCC tenant depending on covered entity vs business associate scope; (2) Microsoft Purview sensitivity label "Confidential - HIPAA PHI" applied to all semantic models containing PHI; (3) DLP policies block PHI export via unauthorized channels; (4) Conditional access requires managed Intune devices + MFA for PHI workspace access; (5) Audit logging integrated to Microsoft Sentinel for 7-year HIPAA-required retention; (6) RLS enforces minimum-necessary access principle by patient/encounter/provider; (7) De-identified analytics workspace separated from PHI workspace for research use cases. Documented engagement experience: multi-hospital health systems including ambient documentation governance + clinical decision support model risk management programs.
NYDFS 23 NYCRR Part 500 (and 2023/2024 amendments) require covered financial institutions to implement specific cybersecurity controls including MFA + encryption + vulnerability management + third-party risk + board-level reporting + 72-hour incident notification. EPC Group ships Power BI deployments aligned to the EPC NYDFS Part 500 reference architecture for NY-licensed banks + insurers + investment advisers: (1) Microsoft Defender XDR + Microsoft Sentinel for SIEM/SOAR meeting NYDFS Part 500.6 logging; (2) Entra PIM with manager approval for all Power BI Admin elevations meeting Part 500.7 access controls; (3) Microsoft Purview Records Management meeting Part 500.13 records retention + SEC Rule 17a-4 WORM; (4) Annual CISO certification support documentation; (5) Third-party AI service provider risk assessment for Copilot for Power BI integration.
For classified, ITAR-controlled, federal IL5/IL6, or trade-secret-level data, EPC Group designs tenant isolation patterns: (1) Dedicated Microsoft 365 GCC High or DoD tenant separate from commercial M365 tenant; (2) Dedicated Power BI Premium capacity isolated from other workloads with no cross-capacity sharing; (3) Dedicated Azure Government region for compute + storage; (4) Dedicated Microsoft Entra ID tenant with no B2B trust to commercial tenant; (5) Privileged Access Workstation (PAW) requirements for all admin operations; (6) Air-gapped backup architecture separate from operational backup; (7) Documented cross-domain transfer (CDT) procedures for any data movement between classified and unclassified tiers. Documented engagement experience: U.S. intelligence community + Federal Reserve Bank of New York TARP eDiscovery + Vivek Kundra federal IT advisory + National Archives + DoD aerospace suppliers.
Power BI Activity Log + Office 365 unified audit log streamed to Microsoft Sentinel via Azure Log Analytics. Custom KQL detection rules surface security-relevant patterns: (1) Anomalous export volume per user (statistical baseline + spike detection); (2) Off-hours admin elevation attempts; (3) Large dataset downloads to unmanaged devices; (4) RLS bypass attempts (user attempting to access workspace they lack role for); (5) Sensitive-label dataset accessed from non-compliant device; (6) Service principal authentication anomalies. Detected anomalies trigger Sentinel SOAR runbooks: force re-authentication, suspend account, isolate device via Microsoft Defender for Endpoint, notify SOC analyst with full investigation context. EPC Group provides the deployed Sentinel content + the documented investigation runbooks.
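An added example, not EPC Group's Sentinel content: two of the detections listed above (an export-volume spike against a per-user baseline, and sensitive-label access from a non-compliant device) prototyped in Python over constructed activity records. The record field names are simplified assumptions rather than the exact Sentinel PowerBIActivity schema, and the user names and timestamps are invented; a production analytics rule would express the same logic in KQL.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev


def _ev(time, user, activity, label="Internal", compliant=True):
    # Simplified, constructed activity record; field names are assumptions, not the
    # exact Sentinel PowerBIActivity schema.
    return {"time": time, "user": user, "activity": activity, "label": label, "compliant": compliant}


EVENTS = (
    # alice: steady 2 exports/day for five days (baseline), then 12 in one evening
    [_ev(f"2026-06-0{d}T09:{m:02d}:00", "alice@corp.example", "ExportReport")
     for d in range(1, 6) for m in (5, 40)]
    + [_ev(f"2026-06-06T23:{m:02d}:00", "alice@corp.example", "ExportReport") for m in range(0, 48, 4)]
    # bob: one Highly Confidential report viewed from a non-compliant device, one Public report
    + [_ev("2026-06-06T14:10:00", "bob@corp.example", "ViewReport", "Highly Confidential", False),
       _ev("2026-06-06T14:12:00", "bob@corp.example", "ViewReport", "Public", False)]
)
SENSITIVE_LABELS = {"Confidential", "Highly Confidential", "Restricted"}


def export_spikes(events, min_count=10, z=3.0, min_baseline_days=3):
    """Flag (user, day, count) when a user's daily ExportReport count exceeds
    mean + z*stdev of that user's earlier days and an absolute floor (min_count)."""
    daily = defaultdict(Counter)
    for e in events:
        if e["activity"] == "ExportReport":
            daily[e["user"]][e["time"][:10]] += 1
    hits = []
    for user, per_day in daily.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            baseline = [per_day[d] for d in days[:i]]
            if len(baseline) < min_baseline_days:
                continue  # cold start: too little history to judge this day
            threshold = mean(baseline) + z * pstdev(baseline)
            if per_day[day] > threshold and per_day[day] >= min_count:
                hits.append((user, day, per_day[day]))
    return hits


def unmanaged_sensitive_access(events, sensitive=SENSITIVE_LABELS):
    """Flag any access to a sensitive-labeled item from a device that failed compliance."""
    return [(e["user"], e["time"], e["activity"])
            for e in events if e["label"] in sensitive and not e["compliant"]]


if __name__ == "__main__":
    print(export_spikes(EVENTS))
    print(unmanaged_sensitive_access(EVENTS))
```

The absolute floor (`min_count`) prevents a user whose baseline is one export a day from being flagged at three, which a pure standard-deviation rule would do.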
High-touch, senior-architect-led delivery without junior consultants learning on the engagement. Typical engagement: 3-week Power BI Security Assessment (fixed-fee mid-five-figure), then 12-16 week Implementation + Tenant Hardening (fixed-fee low-six-figure based on tenant scope + regulatory environment), then ongoing Microsoft Cloud Orchestrator Practice retainer covering monthly security health checks + quarterly Sentinel rule tuning + 24/7 incident response. Named EPC senior architect responsible end-to-end. Compliance-native — HIPAA + NYDFS + FedRAMP + CMMC 2.0 baked into Phase 1, not retrofit after audit findings.
Reach EPC Group for a 30-minute Power BI Security discovery call. We'll review your tenant + workspace posture, identify the highest-risk gaps, and outline the fixed-fee 3-week Assessment scope.