Power BI has a feature called Publish to Web. It lets you take a Power BI report and make it publicly viewable on the internet — no license required, no authentication, no login. Just a URL that anyone with the link can see.
It's designed for specific use cases: sharing dashboards with external partners who do not need a Power BI license, sharing operational metrics with customers, and publishing data for public consumption.
It is also one of the highest-risk governance gaps we find in tenant audits.
Here is what actually happens when someone publishes to web
A user clicks "Publish to Web" on a report. Power BI generates a unique URL. That URL can be shared with anyone. When someone visits that URL, they see the report — filters, slicers, all interactive features work — without any Power BI license or authentication.
The report data stays in your tenant. The report itself is rendered on the public internet. And Microsoft does not prevent this.
Nothing is wrong with this feature as a technical implementation. The problem is organizational. Most users do not realize they have this capability. Most admins do not know how many reports have been published to the web. And most organizations have no governance policy restricting who can use it or what can be shared.
The governance nightmare
We worked with a financial services company last year that had 47 reports published to the web. Not 4. Not 7. Forty-seven.
When we asked the admin about it, the response was always the same: "I had no idea that was possible."
Nobody had documented which reports were published. Nobody knew what data those reports contained. And anyone in the world with the URL — or who found it through a search engine — could see operational financial data, customer lists, and internal metrics.
This is not a theoretical risk. It is a compliance violation waiting to happen.
What to do about it
First: Find out what is published. Go to the Power BI Admin portal. In the Tenant Settings section, look for "Publish to web". You should see a list of all reports that have been published to the web and who published them. If you do not see a list, the setting might be disabled entirely — which is actually the most secure option for most organizations.
Second: Evaluate each report. For each published report, ask: should this be public? Does it contain data that should only be visible to authenticated users? Is there a business justification for public access? If the answer is no, revoke the publish link immediately.
Third: Set a tenant-wide policy. Decide: does your organization even need Publish to Web? If yes, who is allowed to use it? What data can be published? What approval process must happen first? Document this and enforce it. If you don't need it, disable it entirely. Most organizations should disable it.
Fourth: Monitor going forward. Make it part of your governance cadence. Check quarterly for new publish-to-web reports. Set expectations with your user base: publishing to web requires approval.
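The quarterly check in steps two through four can be scripted as a comparison between what is currently published and what was approved. The sketch below is an added example, not part of the original article or any Microsoft tooling. The inventory field names are assumptions modelled on the published-to-web listing from the Power BI admin REST API, and the approval register and all sample values are constructed.

```python
import json
from datetime import date

# Constructed sample inventory. The field names (artifactId, displayName,
# sharer.emailAddress) are assumptions modelled on the Power BI admin REST
# API listing of published-to-web reports; map them to your own export.
INVENTORY_JSON = """
{"ArtifactAccessEntities": [
  {"artifactId": "r-001", "displayName": "Public Service Status",
   "sharer": {"emailAddress": "comms@example.com"}},
  {"artifactId": "r-002", "displayName": "Customer Revenue Detail",
   "sharer": {"emailAddress": "analyst@example.com"}},
  {"artifactId": "r-003", "displayName": "Partner Delivery Metrics",
   "sharer": {"emailAddress": "ops@example.com"}}
]}
"""

# Hypothetical approval register kept by the governance team:
# report id -> (approver, date the approval must be re-reviewed).
REGISTER = {
    "r-001": ("cdo@example.com", date(2030, 1, 1)),
    "r-003": ("cdo@example.com", date(2024, 1, 1)),
    "r-009": ("cdo@example.com", date(2030, 1, 1)),
}

def review_published(inventory_json, register, today):
    """Classify every published report against the approval register."""
    entries = json.loads(inventory_json).get("ArtifactAccessEntities", [])
    findings = {"unapproved": [], "expired": [], "ok": []}
    seen = set()
    for e in entries:
        rid = e["artifactId"]
        seen.add(rid)
        who = (e.get("sharer") or {}).get("emailAddress", "unknown")
        row = (rid, e.get("displayName", ""), who)
        if rid not in register:
            findings["unapproved"].append(row)   # revoke or get approval
        elif register[rid][1] < today:
            findings["expired"].append(row)      # approval needs re-review
        else:
            findings["ok"].append(row)
    # Approved on paper but no longer published: clean up the register.
    findings["stale_register"] = sorted(set(register) - seen)
    return findings

if __name__ == "__main__":
    result = review_published(INVENTORY_JSON, REGISTER, date(2025, 6, 30))
    for bucket, rows in result.items():
        print(bucket, rows)
```

Anything in the unapproved or expired buckets is a candidate for having its publish link revoked until someone supplies a business justification.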
The bigger picture
Publish to Web is a great example of a feature that exists for legitimate reasons but becomes a risk when nobody knows how to use it or what it does. It sits in the same category as guest account permissions, external sharing settings, and uncontrolled workspace creation.
The problem is not the feature. The problem is visibility.
You cannot govern what you cannot see. And most organizations have never taken a structured look at what Publish to Web reports exist in their tenant.
Where to start
If you have more than a few dozen Power BI users, you almost certainly have Publish to Web reports you don't know about. The Tenant Scan process includes a full security audit — and that includes finding every published report, identifying the data it contains, and assessing the governance risk.
From there, you get a prioritized action plan to remediate the highest-risk exposures first.