Nova Silva Power BI Certified visuals: Ensuring Security and Privacy

In this article we explore how using Power BI Certified visuals helps organizations protect data integrity and ensure the security and privacy of sensitive information.

What are Power BI Certified visuals?

Certified Power BI visuals are visuals in AppSource that meet certain specified code requirements that the Microsoft Power BI team has tested and approved. The tests are designed to check that the visual doesn’t access external services or resources, and that it follows secure coding patterns and guidelines. All certified visuals must pass all the certification requirements.

Certified Power BI visuals offer more features than noncertified visuals. For example, you can export them to PowerPoint, or display the visual in received emails when a user subscribes to report pages.

Why are Nova Silva visuals Power BI Certified?

All our Power BI visuals (including the Shielded HTML Viewer) are certified by Microsoft. At Nova Silva we develop visuals based on the Microsoft Certification requirements, so our visuals are tested to verify that they don’t access external services or resources, and that they follow secure coding patterns and guidelines. An important requirement to pass the Microsoft certification tests is that the visuals cannot connect with any external server or service. In other words: our visuals do not share any of your data with anyone, not even with us. This is the main reason why we certify all our visuals: we want to make sure you are the only party that can access your data.

When you use our visuals, you do not make use of any Nova Silva infrastructure or platform. Our visuals do not share data with any external service or resource, we have no access to any of your data, nor do we play a role in any production services. We publish our visuals (and any updates) to Microsoft. Microsoft will check our code to determine if it complies with their quality and security standards. After passing these certification tests, Microsoft will publish the visual to the Microsoft AppSource. This is where you will download and use it from. The next image gives an overview of how we work with Microsoft on our Power BI visuals.

At run time, the code of our visuals resides in a Microsoft-managed environment. The only way we can change this code is through the Microsoft Certification process. Our visuals interact with Power BI through a Visuals API. This API provides the visual with the right data and context. The visual only renders the result on the screen within Power BI.

Microsoft Certification Process

This is the process to certify our visuals:

  • Comply with Microsoft’s Certification requirements.
  • Submit the Power BI visual for certification: visual is published via the Partner Center.
  • Certification Test: every time a new version of a certified visual is submitted to the marketplace, the visual’s version update goes through the same certification checks. The version update certification is automatic. If the update is rejected because of a violation, an email is sent to the developer explaining what needs to be fixed.
  • Publication timeline: the process of deploying to AppSource may take some time. The Power BI visual will be available to download from AppSource when this process is complete.

Each time we develop or update a visual we perform our own internal testing to make sure we comply with all Microsoft certification requirements. Then we publish the source code to Microsoft, and they perform their Certification Test. After passing all tests Microsoft will publish the visual to the Microsoft AppSource. This is the environment where our customers can access the visual and use it within their Power BI Environment.

Each time we publish a (new) version of our visual it first needs to pass the Microsoft Certification tests. This includes a thorough review of our source code by Microsoft engineers. A certified visual cannot lose its certification with a new update. Instead, the update is rejected. If the update is rejected because of a violation, an email is sent to Nova Silva explaining what needs to be fixed.

What are the requirements to get Power BI Certified?

To get our Power BI visuals certified, they must meet the requirements listed in this section.

General requirements

Code repository requirements

  • Code for only one Power BI visual. It can’t contain code for multiple Power BI visuals, or unrelated code.
  • A branch named certification (lowercase required). The source code in this branch has to match the submitted package. This code can only be updated during the next submission process, if you’re resubmitting your Power BI visual.

File requirements – Use the latest version of the API to write the Power BI visual.

The repository must include the following files:

  • .gitignore – Add node_modules, .tmp, and dist to this file. The code can’t include the node_modules, .tmp, or dist folders.
  • capabilities.json
  • pbiviz.json
  • package.json. The visual must have the following package installed:
  • package-lock.json
  • tsconfig.json

Command requirements – The following commands don’t return any errors.

  • npm install
  • pbiviz package
  • npm audit – Must not return any warnings with high or moderate level.
  • ESLint with the required configuration. This command must not return any lint errors.

Compiling requirements – Use the latest version of powerbi-visuals-tools to write the Power BI visual.

Source code requirements – Follow the Power BI visuals additional certification policy list.

Follow the code requirements listed here to make sure that the code is in line with the Power BI certification policies:

  • Use only public reviewable OSS components.
  • Support the Rendering Events API.
  • Ensure DOM is manipulated safely.

To learn more about the certification process, go to Microsoft.

What is not allowed?

  • Accessing external services or resources. For example, no HTTP/S or WebSocket requests can go out of Power BI to any services. Therefore, WebAccess privileges should be empty, or omitted, in the capabilities settings.
  • Using XMLHttpRequest, or fetch.
  • Using innerHTML, or D3.html (user data or user input).
  • JavaScript errors or exceptions in the browser console, for any input data.
  • Arbitrary or dynamic code such as eval(), unsafe use of setTimeout(), requestAnimationFrame(), setInterval(user input function), and user input or user data.
  • Minified JavaScript files or projects.
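
A pre-submission check for the items in the list above, as an added example that is not Nova Silva's or Microsoft's code: it scans source lines for the forbidden calls and checks capabilities.json for a non-empty WebAccess privilege. The rule ids, the sample files and the telemetry.example URL are constructed, and the privilege shape (a privileges array of name/parameters entries) is an assumption about the capabilities file.

```javascript
// Added example: lexical pre-submission scan; rule ids and sample input are constructed.
const RULES = [
  { id: "network-call", re: /\b(?:fetch|XMLHttpRequest|WebSocket)\s*\(/ },
  { id: "unsafe-dom", re: /\.innerHTML\s*\+?=(?!=)|\.html\s*\(\s*[^)\s]/ },
  { id: "dynamic-code", re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  // A string first argument to a timer is evaluated as code.
  { id: "string-timer", re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
];

function scanSource(file, text) {
  const findings = [];
  text.split("\n").forEach((src, i) => {
    if (/^\s*(?:\/\/|\/\*|\*)/.test(src)) return; // skip comment-only lines
    for (const { id, re } of RULES) {
      if (re.test(src)) findings.push({ file, line: i + 1, rule: id });
    }
  });
  return findings;
}

// Flags a WebAccess privilege that lists any allowed URL (should be empty or omitted).
function checkCapabilities(file, jsonText) {
  const privileges = JSON.parse(jsonText).privileges || [];
  return privileges
    .filter((p) => p.name === "WebAccess" && (p.parameters || []).length > 0)
    .map(() => ({ file, line: 0, rule: "web-access-privilege" }));
}

function preSubmissionCheck(files) {
  return Object.entries(files).flatMap(([name, text]) => {
    if (name.endsWith("capabilities.json")) return checkCapabilities(name, text);
    return /\.(?:ts|js)$/.test(name) ? scanSource(name, text) : [];
  });
}

// Constructed sample repository contents (not from any real visual).
const SAMPLE_FILES = {
  "src/visual.ts": [
    "const value = options.dataViews[0].single.value;",
    "// this.target.innerHTML = value;",
    "this.target.textContent = String(value);",
    "d3.select(this.target).append('div').html(value);",
    "setTimeout(\"refresh()\", 500);",
    "fetch('https://telemetry.example/collect');",
  ].join("\n"),
  "capabilities.json": JSON.stringify({
    privileges: [{ name: "WebAccess", essential: true, parameters: ["https://telemetry.example"] }],
  }),
};
console.log(preSubmissionCheck(SAMPLE_FILES));
```

A hit from a lexical scan like this is a prompt for manual review; it does not replace the certification tests.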

1200 Power BI visuals additional certification

The policies listed in this section apply only to Power BI visuals offers.

1200.1 Certification requirements
Refer to the PBI visuals guidelines to get a better understanding of these technical and security policies.

1200.1.1 Code repository
The visual source code must conform to the visual code repository requirements.

1200.1.2 Code quality
The source code should be readable, maintainable, expose no functionality errors, and correspond to the provided visual’s package.

1200.1.3 Code security
The source code should comply with all security and privacy policies. Source code must be safe and not pass or transmit customer data externally.

1200.1.4 Code functionality
Running visual development related commands on top of the visual source code should not return any errors. Visual consumption should not expose any errors or failures and must ensure the functionality of any previous version is preserved.

1200.1.5 Update without advanced certification
Power BI Visual additional certification does not apply automatically to updated visuals. All updates to certified Power BI Visuals must also be certified as part of the submission process.

1200.2 Duplicate offers
Visuals that rely on access to external services or resources are not eligible to be certified Power BI visuals.

What tests are done during the certification process?

The certification process tests include, but aren’t limited to:

  • Code reviews
  • Static code analysis
  • Data leakage
  • Data fuzzing
  • Penetration testing
  • Access XSS testing
  • Malicious data injection
  • Input validation
  • Functional testing

How to identify Power BI Certified visuals in AppSource?

Certified visuals will be clearly identified by:

  • Filtering with Sort by: Power BI Certified to display only certified Power BI visuals in the AppSource.
  • A small badge (yellow or blue checkmark) on the visual’s card, both in AppSource and when importing from within the Power BI interface.
  • When the Power BI visual card is clicked in AppSource, a PBI Certified yellow badge and the message under Visual capabilities will indicate that This visual is certified by Power BI.

Non-certified visuals: some Power BI visuals aren’t certified because they don’t comply with one or more of the certification requirements. For example, a map Power BI visual connecting to an external service, or a Power BI visual using commercial libraries can’t be certified.

When that is the case the visual has no badge and will show this information:

Allow access to Power BI certified visuals only

To minimize risks, it is recommended to configure your tenant settings in the Power BI Service to allow only certified visuals.

As a Power BI/Fabric administrator for your organization, you can control the type of Power BI visuals that users can access across the organization and limit the actions users can perform. To manage Power BI visuals, you must be a Power BI/Fabric administrator.

When this setting is enabled, only certified Power BI visuals render in your organization’s reports and dashboards. Power BI visuals from AppSource or files that aren’t certified return an error message. This setting is disabled by default and doesn’t apply to visuals in your organizational store.

  1. From the Admin portal, go to Tenant settings.
  2. Select Add and use certified visuals only (block uncertified).
  3. Select Enabled.
  4. Select Apply.

UI changes to tenant settings apply only to the Power BI service. To manage the certified visuals tenant setting in Power BI Desktop, use AD Group Policy.

Key: Software\Policies\Microsoft\Power BI Desktop\
Value name: EnableUncertifiedVisuals
Value: 0 – Disable; 1 – Enable (Default)

Did you know?

Microsoft certified our first Power BI visual, the Shielded HTML Viewer, back in 2020! It was a long process and took several code reviews by Microsoft before we got our first visual certified.
Sometimes, users report that the Shielded HTML Viewer does not work with LinkedIn or YouTube. Our visuals do not render anything from any external server or service, as this is one of the main requirements to be certified. This can only be achieved with a non-certified visual.
Currently all Nova Silva visuals are Power BI Certified. This guarantees our visuals are safe and secure and ensures they meet the highest data security standards.
We are committed to maintaining those standards: all our visuals are either certified or in the process of getting certified.
Power BI certified visuals offer more features than non-certified visuals, like:

  • Export to PowerPoint
  • Export to PDF
  • Display of the visual in received emails when a user subscribes to report pages
