Question

How do sensitivity labels in Power BI interact with data sources in the cloud versus on-premises?
I want to understand how sensitivity labels behave depending on the type of data source. Do labels applied to Power BI reports or datasets behave differently when the data originates from cloud services (e.g., Azure SQL) compared to on-premises databases? Are there specific integration or propagation concerns?

Answer 1

Sensitivity labels in Power BI are applied at the Power BI artifact level (report, dataset, dashboard) and need to be manually assigned by users or administrators. They do not automatically inherit or propagate from cloud or on-premises data sources.

Sensitive metadata is not yet automatically transferred from cloud data sources (such as Azure SQL Database or Azure Synapse) to Power BI. Labels applied to the data in the source (for example, through SQL classification or Microsoft Purview) do not transfer to Power BI when the data is imported or connected. To enforce security measures like encryption, watermarks, and access controls, you need to reapply sensitivity labels in Power BI.

The same is true for on-premises data sources: Power BI does not retain the source's sensitivity labels. Furthermore, the Power BI layer is still in charge of labeling because there are no integrated metadata pipelines from legacy or on-premises environments.

Since Power BI sensitivity labels are file-level classifications rather than data-level ones in both situations, protection is applied to the Power BI artifact as a whole rather than to specific fields or records. The best way to keep compliance is to:

• In Power BI, manually apply labels.
• To create uniform labeling guidelines, use Microsoft Purview.
• Teach users to categorize content according to the underlying sensitivity.