Skip to main content

    Power BI

    New

    The ability to assign a static IP range to a corporate account

    Vote (35) Share
    Brynn Borton's profile image

    Brynn Borton on 15 Dec 2015 23:47:33

    At the moment it seems the only way to connect to Azure SQL Database or Azure SQL Data Warehouse is to open up the firewall to all Azure services. This means anyone with a power BI account could access my DB if they knew the user name and password. This is not so bad with Azure SQL Database as you could set up two factor authentication with AAD but with Data Warehouse only basic SQL Authentication sits in the way. If I could assign a static IP range to the corporate account in PowerBI then I could just open up this range on the SQL firewall.

    Comments (5)
    Brynn Borton's profile image Profile Picture

    ce05e07e 3472-48d1-9b0d-a1da2a5bf8c4 on 06 Jul 2020 00:17:02

    RE: The ability to assign a static IP range to a corporate account

    It would be great to have a solution that does not involve opening up a Data Source to Azure as a whole. Some options could be:
    * Static list of IPs from which Power BI would be accessing data sources
    * A button in the Azure resource with "Allow Power BI Datasets from your subscriptions to access data".

    Brynn Borton's profile image Profile Picture

    a3309361 99be-ea11-a812-000d3a8ddfb2 on 06 Jul 2020 00:00:55

    RE: The ability to assign a static IP range to a corporate account

    This is the only security hole I see with the Power BI, which should be addressed sooner to make this platform's experience better.

    Brynn Borton's profile image Profile Picture

    a3309361 99be-ea11-a812-000d3a8ddfb2 on 05 Jul 2020 23:36:37

    RE: The ability to assign a static IP range to a corporate account

    Microsoft please update us with your thoughts

    Brynn Borton's profile image Profile Picture

    a3309361 99be-ea11-a812-000d3a8ddfb2 on 05 Jul 2020 23:13:06

    RE: The ability to assign a static IP range to a corporate account

    This is not only a PowerBI Problem. Its the same thing with e.g. Data Factory. We also need to be able to specificly open up Azure SQL Firewalls to Azure Services without giving access to ALL services

    Brynn Borton's profile image Profile Picture

    bdc315e2 b5ad-420a-af43-cc0fc75c4f1f on 05 Jul 2020 23:02:13

    RE: The ability to assign a static IP range to a corporate account

    Per Azure SQL documentation at https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview:
    "The firewall pane has an ON/OFF button that is labeled Allow access to Azure services. The ON setting allows communications from all Azure IP addresses and all Azure subnets. These Azure IPs or subnets might not be owned by you. This ON setting is probably more open than you want your SQL Database to be."

    I'd suggest that Azure SQL have a firewall switch "Allow Access from Power BI", so at least you don't need to open up the database to all of Azure. Also by limiting the firewall to Power BI you know the access will be read-only, so at least you don't have the risk of data modification.