Is there a way to turn off the new data export feature for a particular data set? There is some sensitive data we have on PowerBI and we want people to have access to reports from this data but we don't want them to be able to download the data.
There's no way to disable this in the service presently. You may have more flexibility when embedding visuals in another application using the PBI API.
I do have a question, though. Do you intend to block users from printing, screen-shotting, or viewing the reports with a pen and paper in hand?
I am not being glib, but very serious. What attack vector are you mitigating by stopping export to Excel? What users do you have who you trust to have access to this sensitive data on demand, on any internet enabled device, but not with the ability to export the very thing on the screen (that they can print or screen cap) into Excel.
I understand that security is important, and the fact that exploits still exist doesn't mean you should ignore those you can control, but it seems a bit superfluous to focus on export to Excel functionality in a tool as readily accessible as Power BI. If they can't be trusted with Excel, I don't see why you'd trust them with Power BI in general.
For anyone interested, I managed to disable the export of underlying data by replacing agregates in my table with measures that do the same thing.
E.g. I have an "Amount" field in the Values bucket. I wanted the average of "Amount", so instead of selecting Average from the drop-down list, I created a measure that returned the average and put that in the Values bucket.
The question becomes one of traceability, as well as one of corporate discovery. Given the potential sensitivity of data being manipulated via the download capability to a device not controlled by a corporate process (ie BYOD) what controls exist to disable the ability to download from the mobile application?
The question is two fold. First, it's a question of data leakage. How we map controls to an application are important attestation points. Second, it's a question of corporate discovery of a personal device (in the BYOD) world.
The question is: for the mobile application, what options are available to differentiate a device using the mobile application that is authorized as a part of corporate device management, vs a non managed personal device to be able to effect download exclussion of the latter?