Cyber Security

Can users bypass sensitivity labels while exporting reports?

RI Asked by Richard Thompson · 29-01-2024
0 upvotes 25,266 views 0 comments
The question

I'm worried about "data leakage" once information leaves our Power BI tenant. If I have a report labeled as "Highly Confidential" (which has encryption and watermarks enabled in Purview), what's stopping a user from just exporting it to a CSV or a PDF and stripping that label away?

Is there a way for a user to "save as" or export the data into a format that doesn't support the label? Also, if they export to Excel, can they just open the file and change the label to "Public"? I need to know if these labels are actually a "hard" lock or just a "soft" suggestion that can be easily circumvented by a clever user.

3 answers

0
BR
Answered on 12-02-2024

A common misconception is that the person who exports the file becomes the "owner" and can change the label.

ST 16-02-2024

That’s not how it works in the Purview integration. When a file is exported from Power BI, the user who performed the export is not regarded as the document's owner; Power BI remains the "authority." If a label has protection settings, the user can edit the content of the Excel file, but they cannot change or remove the label unless they have specific "Export" and "Full Control" rights defined in the Purview label policy. This prevents the "Export-and-Downgrade" trick.

0
KI
Answered on 14-02-2024

The "hard lock" depends entirely on the file format. When a user exports to Excel (.xlsx), PowerPoint (.pptx), or PDF, Power BI enforces a mandatory "handshake" with Microsoft Purview. The exported file inherits the label and its encryption settings automatically.

 

However, the "Achilles' heel" of sensitivity labels is the CSV format. Because CSV is a plain-text format, it cannot store metadata like sensitivity labels or encryption.

Pro Tip: To prevent users from bypassing labels via CSV, most admins in 2026 disable the "Export to .csv" option in the Tenant Settings for any workspace containing sensitive data. If you don't disable this, a user could effectively "strip" the label by exporting the raw data to a flat text file.

0
LI
Answered on 20-02-2024

We have to be realistic: sensitivity labels protect the file, but they don't protect the screen.

RI 28-02-2024

Exactly, Steven. While labels are robust for file-based exfiltration, they cannot stop a user from taking a screenshot or manually copying and pasting values into an unlabeled document. To mitigate this in 2026, we combine Purview labels with Microsoft Defender for Cloud Apps. You can set a policy that detects when a user is viewing "Highly Confidential" data and blocks the "Copy" command or alerts the admin if a massive amount of data is being exported in a short window.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session