Information
Creating a shareable link allows a user to create a link to a report or dashboard, then add that link to an email or another messaging application.
There are 3 options that can be selected when creating a shareable link:
People in your organization
People with existing access
Specific people
This setting solely deals with restrictions to People in the organization. External users by default are not included in any of these categories, and therefore cannot use any of these links regardless of the state of this setting.
The recommended state is Enabled for a subset of the organization or Disabled.
Rationale:
While external users are unable to utilize shareable links, disabling or restricting this feature ensures that a user cannot generate a link accessible by individuals within the same organization who lack the necessary clearance to the shared data. For example, a member of Human Resources intends to share sensitive information with a particular employee or another colleague within their department. The owner would be prompted to specify either People with existing access or Specific people when generating the link requiring the person clicking the link to pass a first layer access control list. This measure along with proper file and folder permissions can help prevent unintended access and potential information leakage.
Impact:
If the setting is Enabled then only specific people in the organization would be allowed to create general links viewable by the entire organization.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Restrict shareable links:
Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal
Select Tenant settings.
Scroll to Export and Sharing settings.
Set Allow shareable links to grant access to everyone in your organization to one of these states:
State 1: Disabled
State 2: Enabled with Specific security groups selected and defined.
Important: If the organization doesn't actively use this feature it is recommended to keep it Disabled.
Default Value:
Enabled for Entire Organization