Microsoft 365 User Account Security Power BI Report


The Microsoft 365 User Account Security Power BI report allows IT Administrators an easy to way to identify changes on their Microsoft 365 tenant that may indicate possible compromised activity.

How it works

The Power BI report pulls data from the Microsoft 365 User Account Data and Activity Dataset and shows a snapshot of differences between 2 selected dates. Information being shown includes

  • Compromised third party accounts
  • Login locations
  • Bulk emails sent
  • Granted and received mailbox permissions
  • Granted full access permissions
  • Added and delete devices
  • Changes to account authentication policies
  • Account inactivity


To use this Power BI Report, you will need to

Connecting the dataset to the Power BI report

  1. Sign into Voleer and navigate to Workspaces, select the workspace that contains the Microsoft 365 User Account and Activity dataset, then Datasets, the select the name of the dataset
  2. Click on Get Connection String
  3. Click on the Copy button
  4. Open up a text editor and paste the clipboard contents. The strings to note are Data Source, Initial Catalog, User ID, and Password
  5. Download and Open the User Account Security Power BI file
  6. Along the navigation bar, click on Transform data > Data source settings
  7. Click on Change Source…
  8. In the Server box, type in the Data Source value from step 4 (i.e. the text after the ‘=’ character and before the ‘;’ character)
  9. In the Database box, type in the Initial Catalog value. Click on OK
  10. Click on Edit Permissions…, then Edit
  11. Click on Database, then enter in the User ID and password for the boxes User name and password. Click Save.
  12. Close all open dialogs by click on Ok then Close
  13. Click on Apply Changes
  14. Wait for Power BI to process all data from your dataset

User Account Security Report - Quick start

The User Account Security Report shows the changes to the tenant between selected dates.

Changing the dates will update the contents of the report. The dashboard is constructed in such a way that allows the reader to identify quickly if action is required on the tenant. For example, a number in box Accounts Compromised would prompt immediate action to identify which account needs to be blocked.

Or a spike in failed logins would also be subject to further investigation

Further confirmation of activity can then be completed by reviewing the detailed information within the associated pages


1 Like