Sensitivity labels in Power BI do not directly control access to data within Power BI reports, dashboards, or datasets. Instead, they classify and protect data through encryption, visual markings, and usage rights—especially when data is exported or shared outside Power BI. To restrict access to sensitive data within the Power BI environment itself, you must use role-level security (RLS), workspace permissions, and Microsoft 365 security group policies alongside sensitivity labels.
Sensitivity labels, however, complement Microsoft Purview Information Protection and other security features in Microsoft 365. For instance, the data is protected across applications such as Excel, Outlook, and Teams when a sensitivity label with protection settings (such as encryption or "Do Not Forward" rights) is applied.
This guarantees that unauthorized users cannot access or alter the data, even if the report is exported or shared.
Pair sensitivity labels with Power BI features like object-level security (OLS), restricted workspace roles, and RLS to limit access to sensitive content within Power BI effectively. Although sensitivity labels improve your governance model by indicating the sensitivity of the data and providing uniform protection across Microsoft services, they cannot replace permission controls in Power BI.
