Hidden Dangers Inside Your Power BI Audit Logs
Published 7 months ago
Description
If you think audit logs are just boring tables of activity, think again. There’s a reason your licensing costs keep creeping up and reports pop up that no one remembers creating. Today, I’m exposing the suspicious signals hidden inside your Power BI environment – and how a single dashboard can show you patterns you didn’t even know existed.

Stick around and I’ll break down exactly which metrics truly matter when it comes to governance, and why missing them is costing your organization more than you think.

Audit Logs: Your Organization’s Canary in the Coal Mine

If you’ve ever looked at your Power BI audit logs and immediately zoned out, you’re not alone. Most admins still see these logs as a bland list of user clicks—a formality you check off once and then ignore unless there’s a direct compliance request. But, the truth is, these logs keep a low profile precisely because the most alarming indicators don’t jump off the page. The details are quiet, almost invisible, and that’s exactly why they go unnoticed until someone asks, “Why did our licensing bill explode last quarter?” or “Why did that sensitive dashboard end up with an external consultant?”

The sheer amount of data in Power BI audit logs offers the illusion of security. If you scroll for long enough, you’ll hit a wall of “View Report” and “Share Dashboard” events mixed with an occasional login or dataset refresh. You start to assume it’s all routine noise—unless you have a reason to dig deeper. But buried in the ordinary, you’ll often find outliers that don’t fit the pattern. Maybe you spot one Premium workspace that’s only used after hours, or notice a sequence of “Add Member” actions in a workspace that was supposed to be locked down. By that point, most admins are used to seeing so many entries, they miss the connections that link separate events into a bigger problem.

Microsoft’s own incident reviews keep surfacing the same types of oversights. Dormant reports—content that’s been abandoned for months—show up during security audits and investigations. These so-called “ghost” datasets aren’t just clutter. They can keep consuming compute resources and licensing, especially if they remain tied to abandoned workspaces or old sharing groups. Attackers know how to exploit this; a dormant report with open permissions makes for a perfect place to stash sensitive info or launch a slow drip of data to an outside account. It’s easy to look at a set of 2 AM access logs and chalk them up to early risers, but do you really know if everyone logging in from a Kuala Lumpur IP at midnight is supposed to be there?

Most organizations stick to reviewing their logs a few times a year—maybe after an audit or when a user complains that they got locked out. That’s not nearly enough. The risk isn’t in one big breach or a flashy headline. It’s in the drip, the slow leaks, the unnoticed piles of wasted resources and permissions that keep expanding because nobody’s watching the full picture unfold. If you’ve ever had to explain an unexpected spike in licensing costs, take a look at your audit logs for Premium workspaces that haven’t been active in months but still generate bills every cycle. It’s the sort of mistake that’s hard to catch if you only focus on the surface.

But it’s not just about catching waste. Shadow IT is alive and well inside Power BI environments. Someone creates a workspace for a “pilot project,” shares it with six people outside their department, then forgets it exists. Next month, the call comes: “Why did these users get access to sensitive dashboards?” Most times, the audit log did record the sharing event—it just looked like any other entry at the time. Without the right context, it’s impossible to spot that these were unusual users, or that the share happened at an odd hour from a new device. It takes a different approach to piece those clues together, especially since malicious actors exploit the fact that no one’s connecting the dots between logins, access patterns, and change