We’ve finally rolled out sensitivity labels in Power BI, but now the compliance team is asking for proof of adoption. I need to find out:
-
Which datasets and reports are currently labeled "Confidential"?
-
Who is changing labels from "Highly Confidential" to "Public" (downgrading)?
-
Is there a way to see a dashboard of our overall protection coverage?
I’ve checked the standard "Usage Metrics," but they don't seem to show the label metadata. Do I need to use the Microsoft Purview portal for this, or is there a built-in Power BI admin report? Also, can I automate an alert if a specific label is removed from a high-priority dataset?
3 answers
For forensic auditing—like finding out exactly who changed a label at 2:00 PM yesterday—you need the Microsoft Purview Audit Logs.
If you are a Power BI Admin, you don't need to leave the platform for a high-level overview. Go to the Admin Portal > Protection Metrics.
This built-in report is a dedicated Power BI dashboard that shows you the percentage of your artifacts (reports, datasets, dashboards) that have labels applied. It breaks down the data by label name and even allows you to see which workspaces have the highest concentration of sensitive data. It’s the perfect "executive summary" for a compliance meeting.
If you want to build your own custom monitoring dashboard (maybe in Power BI itself!), use the Power BI Activity Log API.
Exactly, Steven. The API allows you to pull the last 30 days of activity. In 2026, many of us use a PowerShell script to fetch these logs daily and store them in Azure Data Lake. This allows for long-term "Posture Drift" analysis. You can correlate the ArtifactID with your inventory to see if your most-visited reports are appropriately protected. If you see a high-traffic report labeled "Public," it’s an immediate red flag for your governance team.
In the Purview Compliance portal, you can search for specific Power BI activities. Look for these keys: SensitivityLabelApplied: When a label is first added. SensitivityLabelChanged: This is the one you want for "downgrades." It includes the OldSensitivityLabelId and NewLabelId. SensitivityLabelRemoved: When protection is stripped entirely. You can even set up Alert Policies in Purview. For instance, if anyone removes a "Highly Confidential" label, it can trigger an automated email to the security team immediately.