Block Power BI resource key authentication - legacy API authentication method (modern: Azure AD OAuth tokens).
Recommendation
IMPLEMENT
Risk without
Medium
Risk Score
6/10
Implementation
8h (tech: 3h)
Applies to:
Power BI
Resource keys are legacy and insecure:
Resource key: static API key (long-lived credential)
Security issues:
- No expiration (permanent unless manually rotated)
- No MFA (bypasses Conditional Access)
- Key theft: anyone with the key has full API access
- No audit: difficult to track key usage
Modern auth (Azure AD):
- OAuth tokens (short-lived)
- MFA enforced
- Conditional Access (device compliance, location)
- Audit trail (who accessed what)
Required PowerShell Modules
Primary API: Power BI Admin API
Connection: Connect-PowerBIServiceAccount
Required Modules: MicrosoftPowerBIMgmt
Implementation
Block resource keys:
- Tenant setting: disable resource key authentication
- Effect: API calls MUST use Azure AD tokens (OAuth 2.0)
- Migration: existing apps using resource keys → update to Azure AD auth
- Power BI Embedded: use a Service Principal (Azure AD) instead of resource keys
Requirements
Power BI Pro/Premium
Power BI Admin role
API consumers: Migrate to Azure AD auth
Implementation
Power BI Admin Portal → Tenant settings → Developer settings → Embed content in apps: disable 'Service principals can use Power BI APIs with resource keys'. Migrate apps: use Azure AD Service Principal authentication.
Compliance
BIO 09.02 (Strong auth), ISO 27001 A.9.4.2, Zero Trust.
Monitoring
Use the PowerShell script powerbi-resourcekey-blocked.ps1 (function Invoke-Monitoring) → Check.
Remediation
Use the PowerShell script powerbi-resourcekey-blocked.ps1 (function Invoke-Remediation) → Remediate.
Compliance & Frameworks
BIO: 09.02.02 -
ISO 27001:2022: A.9.4.2 -
Automation
Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
PowerBI Resource Key Blocked
.DESCRIPTION
Checks that PowerBI resource key authentication is blocked, so content cannot be embedded without user authentication
.NOTES
NL Baseline v2.0
Security concern: Resource keys allow embedding without user authentication
#>
#Requires -Version 5.1
#Requires -Modules MicrosoftPowerBIMgmt
[CmdletBinding()]
param(
    [switch]$Monitoring,
    [switch]$Remediation
)
$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "PowerBI Resource Key Blocked" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    # Monitoring-only: the tenant setting is not exposed through the MicrosoftPowerBIMgmt
    # cmdlets, so this function prints the manual verification steps for the admin portal.
    try {
        Write-Host " [!] Manual verification required" -ForegroundColor Yellow
        Write-Host "`n Configuration in PowerBI Admin Portal:" -ForegroundColor Cyan
        Write-Host " Tenant settings > Developer settings" -ForegroundColor Gray
        Write-Host "`n Required Settings:" -ForegroundColor Cyan
        Write-Host " - Embed content in apps: Disabled" -ForegroundColor Gray
        Write-Host " - Apply to: Entire organization" -ForegroundColor Gray
        Write-Host "`n Security Concerns:" -ForegroundColor Red
        Write-Host " * Resource keys allow embedding without authentication" -ForegroundColor Red
        Write-Host " * Bypasses user consent and permissions" -ForegroundColor Red
        Write-Host " * Potential for unauthorized access" -ForegroundColor Red
        Write-Host " * Data exposure risk" -ForegroundColor Red
        Write-Host "`n Security Benefits of Blocking:" -ForegroundColor Cyan
        Write-Host " * Prevents unauthorized embedding" -ForegroundColor Gray
        Write-Host " * Enforces authentication requirements" -ForegroundColor Gray
        Write-Host " * Maintains access controls" -ForegroundColor Gray
        Write-Host "`n [!] Security Risk: Resource keys bypass authentication!" -ForegroundColor Red
        exit 0
    }
    catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
    Restores the configuration to the desired state
    .DESCRIPTION
    This is a monitoring-only control; remediation delegates to monitoring
    #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] Dit is een monitoring-only control" -ForegroundColor Yellow
    Write-Host "[INFO] Running monitoring check..." -ForegroundColor Cyan
    Invoke-Monitoring
}

# Entry point. Both functions are defined above this block, so either switch resolves
# (a function defined later in the file is not yet available when the script runs this line).
try {
    if ($Monitoring) { Invoke-Monitoring }
    elseif ($Remediation) { Invoke-Remediation }
    else { Write-Host "Use: -Monitoring or -Remediation" -ForegroundColor Yellow }
}
catch { throw }
finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}
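The baseline script above only prints manual verification steps. As an added example, not part of the baseline script, the function below reads the tenant settings through the Fabric Admin REST API and reports whether the "Embed content in apps" setting is disabled tenant-wide. It assumes the caller is a Fabric/Power BI administrator, that the Power BI session token from Connect-PowerBIServiceAccount is accepted by the tenantsettings endpoint, and that the endpoint URL, response shape (tenantSettings / title / enabled / enabledSecurityGroups) and setting title match your tenant; verify these in the admin portal before relying on the check.

```powershell
# Added example (not the baseline script): automated check of the embed tenant setting.
# Assumption: Fabric Admin API "List Tenant Settings" endpoint and its response fields.
function Test-ResourceKeyBlocked {
    [CmdletBinding()]
    param(
        # Title as shown in the admin portal (assumption: exact wording in your tenant)
        [string]$SettingTitle = 'Embed content in apps',
        [string]$TenantSettingsUrl = 'https://api.fabric.microsoft.com/v1/admin/tenantsettings'
    )

    # Interactive admin login; use -ServicePrincipal/-Credential for unattended runs
    Connect-PowerBIServiceAccount | Out-Null

    # Invoke-PowerBIRestMethod reuses the session token and accepts an absolute URL;
    # it returns the JSON body as a string
    $raw      = Invoke-PowerBIRestMethod -Url $TenantSettingsUrl -Method Get
    $settings = ($raw | ConvertFrom-Json).tenantSettings

    $setting = $settings | Where-Object { $_.title -eq $SettingTitle }
    if (-not $setting) {
        return [pscustomobject]@{
            Setting   = $SettingTitle
            Found     = $false
            Compliant = $false
            Detail    = 'Setting not returned by the API; verify the title in the admin portal'
        }
    }

    # Compliant only when the setting is off for the whole tenant: an "enabled for specific
    # security groups" configuration still leaves a path for resource-key embedding.
    $groups  = @($setting.enabledSecurityGroups)
    $enabled = [bool]$setting.enabled
    $detail  = 'OK'
    if ($enabled) { $detail = 'Disable the setting under Tenant settings > Developer settings' }

    [pscustomobject]@{
        Setting         = $setting.title
        Found           = $true
        Enabled         = $enabled
        ExceptionGroups = $groups.Count
        Compliant       = (-not $enabled) -and ($groups.Count -eq 0)
        Detail          = $detail
    }
}

# Example run: a non-zero exit code lets a scheduler flag configuration drift
$result = Test-ResourceKeyBlocked
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```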