
In Part 2 of this series, we walked through how to configure your Microsoft Fabric environment to securely share Power BI reports with external users across Microsoft 365 tenants. We covered licensing requirements, admin portal settings, how to invite guest users, and how to share reports directly with them.
Now, in the third and final part of this blog series, we focus on two important areas that are often overlooked:
- What happens when Microsoft Purview sensitivity labels are applied to a report
- How to refine admin portal settings to better control guest users’ access to Fabric
This series was originally created to support a YouTube video I published in April 2025. The topic turned out to be too broad to explain well in a single blog, so I decided to split it into three parts.
Here is the complete series:
- Part 1: Understanding the Problem and Core Concepts
  This post explains why external sharing can be challenging, the key requirements to get it working, important terminology, user roles, and how the whole process fits together.
- Part 2: Hands-On Guide to Setup and Sharing
  A step-by-step walkthrough of how to share reports across tenants, covering licensing, admin portal settings, inviting guest users, and how report access looks from the guest’s side.
- Part 3: Sensitivity Labels, Encryption, and Secure Sharing (this blog)
  In this last part, we will look at what happens when Microsoft Purview sensitivity labels are applied, including access control, and will also discuss key admin settings you may need to adjust for more secure collaboration.
Let’s now get into the final piece of this guide.
Sensitivity Labels in Microsoft Fabric
Microsoft Purview sensitivity labels are part of the broader Purview Information Protection framework. These labels are not exclusive to Microsoft Fabric or Power BI. They are designed to be applied consistently across various Microsoft services, including but not limited to Outlook, Word, Excel, SharePoint, and Azure SQL DB. This ensures that data is classified and protected uniformly, regardless of where it is created, stored, or shared. In the context of Power BI, when you apply a sensitivity label to a report, it adds classification metadata and, if configured, applies protection such as encryption and access restrictions. These protections travel with the content. For example, if a report is exported to PDF or PowerPoint, and the label has encryption enabled, that exported file will also be encrypted. So only the users who are authorised to view the content will be able to open it, even outside of the Power BI service. This means your data stays secure not only within your tenant but also when it moves across users, devices, and even organisations.
What Happens When You Share Encrypted Reports?
Let’s walk through an example.
You share a Power BI report with a guest user. This report has a label applied that encrypts its content. Here is what the guest user can and cannot do:
- They can open the report online if they have been invited and given read access.
- When they export the report to any Office format such as PowerPoint, Excel and Word, or to PDF, the file is protected with encryption.
- When they try to open the file (say a PDF), they will be asked to sign in again, obviously using their own organisational account (email), to be able to see the contents.
- If the exported file is shared or saved somewhere others can access, they will not be able to open it unless they are authorised.
This means your content stays secure, even after it leaves the Power BI service.
In my video demo, Nestor (the guest user) successfully exports a report labelled Highly Confidential to PDF, but even then, he has to authenticate again to open it. If Nestor forwards the PDF to a colleague, the colleague cannot access the contents of the file unless explicitly granted access. The following image shows what happens when the unauthorised colleague opens the PDF file:

So far, we have discussed how sensitivity labels in Purview Information Protection work with report sharing in Power BI. Now let’s fine-tune our configuration in the Fabric Admin Portal.
Refining the Admin Portal Settings: Control Guest Access to Fabric
A key setting that many admins miss is Guest users can access Microsoft Fabric, located in the Fabric Admin Portal under Tenant Settings.
When you enable this setting for the entire organisation, it allows all guest users in your Entra ID to access Fabric content, if they are given permissions on workspaces or items. But this might not be what you want.
For better governance and control, you can restrict this setting to apply only to a specific security group. That means only guest users who are members of that group will be allowed to access Fabric features in your tenant. All other guests will remain blocked, even if they exist in your Entra directory.
Here is how it works:
- Create a security group either from the M365 Admin Centre or Entra ID (for example, External Fabric Access)
- Add your chosen guest users to this group manually
- Go to the Fabric Admin Portal, open Tenant Settings
- Find the setting Guest users can access Microsoft Fabric
- Enable it only for the security group you created
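The group creation and membership steps can also be scripted, together with an audit of which guests the group-scoped setting would admit. The following is an added example, not code from the original post: it assumes the Microsoft Graph PowerShell SDK is installed, and the guest UPN and mail nickname are constructed placeholders. The tenant setting itself is still enabled in the Fabric Admin Portal as described above.

```powershell
# Added example: requires the Microsoft.Graph PowerShell module.
# Group name is the article's example; UPN and mail nickname are placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$groupName    = 'External Fabric Access'
$chosenGuests = @(
    'nestor_contoso.com#EXT#@yourtenant.onmicrosoft.com'   # placeholder guest UPN
)

# Step 1: reuse the security group if it already exists, otherwise create it.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName -MailEnabled:$false `
        -MailNickname 'external-fabric-access' -SecurityEnabled
}

# Every guest account in the directory, with its invitation state.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, UserPrincipalName, UserType, ExternalUserState

# Direct members only; nested groups are not expanded here.
$memberIds = @(Get-MgGroupMember -GroupId $group.Id -All |
    Select-Object -ExpandProperty Id)

# Step 2: add only the chosen guests; skip anything that is not a guest account.
foreach ($upn in $chosenGuests) {
    $user = $guests | Where-Object UserPrincipalName -eq $upn
    if (-not $user) {
        Write-Warning "$upn is not a guest in this tenant, skipped"
        continue
    }
    if ($memberIds -notcontains $user.Id) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
        $memberIds += $user.Id
    }
}

# Audit: guests the group-scoped setting would let in, and those left blocked.
$guests |
    Select-Object DisplayName, UserPrincipalName, ExternalUserState,
        @{ Name = 'InFabricGroup'; Expression = { $memberIds -contains $_.Id } } |
    Sort-Object InFabricGroup -Descending |
    Format-Table -AutoSize
```

Re-running the audit portion on a schedule shows when a guest has been added to the group outside the agreed process, or when an invited guest is still in a pending state.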

This is very useful in scenarios like:
- Consulting firms who want to share a report with a specific customer
- Government agencies working with external auditors or partner departments
- Large enterprises that share information only with known and trusted third-party users
This setting lets you enable secure access without opening the door to all guest users. It gives you the balance of usability and control that many enterprises are looking for.
Summary
We’ve now reached the final part of this blog series. In this post, we covered:
- What sensitivity labels do and how encryption affects guest access
- The guest user experience when interacting with labelled reports
- How to refine admin portal settings to limit Fabric access for guest users to only a trusted group
It is very important not to treat external sharing as just another Power BI feature. When done wrong, it can open up security risks. But when configured carefully, it becomes a powerful tool to collaborate with external users in a secure and controlled way.
Thanks for following this series. I hope it helped you better understand the big picture and also the technical details of sharing Power BI content across organisations.