Question

Are sensitivity labels in Power BI applied at the dataset, report, or visual level?
I need clarity on the level of granularity at which sensitivity labels can be applied within Power BI. The explanation should specify whether labels are assigned to datasets, reports, dashboards, or individual visuals, and how this affects data classification and protection.

Answer 1

In Power BI, sensitivity labels are applied to datasets, reports, dashboards, and dataflows at the file or artifact level rather than to individual visuals or data points within a report. This implies that a sensitivity label applied to a report controls the entire report file, including all of its pages and images.

Different artifacts can have different labels. A dataset might be classified as Highly Confidential, for instance. Still, a report created using it might have a less restrictive label—though this could result in a policy warning if it goes against your organization's inheritance rules.
In order to ensure downstream protection (for example, in Excel or PDF), labels are visible in both the Power BI Desktop and the Power BI Service. They are carried over when content is exported.

Row-level security (RLS) or conditional formatting must be used for granular protection within a report, such as hiding particular charts or tables according to user role since labels do not apply to individual visuals. Sensitivity labels work best for external protection and general data classification, but in-report access control necessitates different design approaches.