Personal Workspaces in Times of Fabric

This area is quite often forgotten in Power BI and, thus, in the new Microsoft Fabric. At the same time, these are spaces that, for a long time, eluded the access of admins and acted more like a black box or storage area. But many things have changed over time, and at the same time, there are options and information that should be voiced more. This is a shame because that makes these spaces seem mysterious, multitudinous, and dangerous.

Are the concerns justified? To be able to answer this, personal workspaces need to be analyzed and understood from different angles.

Personal Workspaces and Their Purpose

To begin with, I borrowed an excerpt from the official Microsoft Learn documentation: “My workspace is the personal workspace for any Power BI customer to work with your content. Only you have access to your My Workspace. You can share dashboards and reports from your My Workspace. If you want to collaborate on dashboards and reports or create an app, you want to work in a workspace.” Service Basic Concepts

This description shows that the content you put in “My workspace” is only yours, and no one else can directly access it. This is precisely why, in my experience, many larger companies or companies with high regulatory requirements fear them. They usually comment with something similar: “Users can publish anything there. We can’t control it; not all our data is allowed in the Cloud, even in Microsoft Cloud. So how can we turn off the usability of Personal Workspaces?” ~ You can’t! Unfortunately, this is a sad but understandable reality of concerns I often encounter. They usually add another postscript to it, saying that people publish something there, and then they can still share it with someone with the appropriate license. They are right again. It works. Content can be shared with someone else from the personal workspace. In this case, the primary limitation is that the given user does not get to the workspace directly but “only” gets to specific content.

This sounds like a significant disadvantage of the whole concept of personal workspaces. But before discussing what has already changed, we must say something about their positive effects.

My workspace is a space for Personal BI. Because Power BI is very often taken as a Self-service BI tool and has been directed to it for a very long time. It is necessary to have some space where I can store my analysis and research and possibly consume them without the necessity of an approving process for publishing content to some shared workspace via a third-party application or waiting for a new workspace to be created so that the content I create for myself doesn’t overlap with someone else’s content and we accidentally overwrite each other. It may seem that it is not enough, but the reality is that this contribution is enormous and significant. At the same time, it can serve you to test design, online behavior, calculations, speed, …, but with NON-SENSITIVE data! So, If the company is trying to achieve Personal BI, then it sounds great.

Types of Personal Workspaces

For Admins, however, it is necessary to understand that there are two types of these spaces: “PersonalGroup, and Personal.” You can find this split if you start pulling the REST API (for example, using Groups GetGroupsAsAdmin). For your understanding, I am attaching the resolution that I deduced based on the returned values from the API:

  • PersonalGroup = Classic “My workspace,” which is created for each user as well as the Application (Service Principal) that enters the Power BI / Microsoft Fabric environment
  • Personal = A space created by an external application using some “black magic” aka system-generated. A typical example of this type of workspace is the workspace that is created for each SharePoint sheet in which you create a Power BI report via Sharepoint - Power BI integration (from a Sharepoint sheet)

They look different but behave very similarly. There is an owner under which the given workspace lies, and as long as the given owner exists in some way, this space also exists. If I delete a user who had a PersonalGroup, this space should move to the Deleted state, and over time its name will change to the original user’s GUID, and over time it will be deleted entirely. With Personal, the test took quite a long time for me to confirm some behavior, but after a specific time, when you delete, for example, that Sharepoint sheet, this workspace will also be deleted. These two behaviors reassure all Power BI / Fabric Admins that the content they produce will be recovered if the user leaves.

On the other hand, is there any way to get to it? After all, is that workspace “only” for that user? (will be answered later)

Note: Looking at the overview of workspaces in the Admin portal, both types are combined under one type. Which can be very confusing when comparing UI and API responses.

There is, however, one very often neglected difference and, at the same time, an important point. PersonalGroup is the primary repository of specific messages generated for a given user. Such reports include, for example, Teams Activity Analytics, you can find more details about this report in the documentation ~Analyze Teams usage in Power BI for Teams~. This should also be considered because a new report from the Microsoft workshop will sometimes appear, which will also be saved here for users.

Self-Service BI and Personal Workspaces

However, Self-Service BI in a company will take time to function correctly; thinking about many processes, requirements, data plans, data ownership, and the unification of truths is necessary. After all, no one wants two controllers to meet at their table, and both of them have different results of the investigated issue because one calculated it with one method, the other with another, and drew data from Excel, which they have kept on their computer for a quarter of a century. Maybe you think it’s funny, but unfortunately, it’s a sad reality that happens very often.

At the same time, it must be understood that the path to Self-Service has certain stages according to the maturity of your company in different areas. This is covered in the official documentation under Power BI adoption roadmap maturity levels - Power BI.

Remember how I said I often hear requests to turn off personal workspaces? So I will add that it is most often for three main reasons:

The main reasons The main reasons

The lack of trust in users stems from the earlier stage of the company’s maturity. Users must learn the technology and how to behave if it’s just starting with Power BI / Microsoft Fabric. Do you think that after four years, everyone in a company with, for example, 200 people already knows what they can afford? It depends! On what? On the quality of the adoption process, the education that has been provided to all users, and the checking of compliance with the internal regulations related to it. Sometimes it can happen. I will publish to a different workspace than I originally wanted. It shouldn’t happen, but it can. So it is good to have a process in the company to correct such a mistake. I’m not talking about “just” deleting content. I am also talking about identifying the cause. Distraction is one thing, but very similar workspace names without much distinction are another.

If we invest enough effort in high-quality user training and the layout of workspaces (including their labels and names), we can significantly reduce the risk of the problem occurring. This is one example that also applies to the publication, there are more options for improving the work process with this tool, and at the same time, it is always a little different from company to company according to requirements. It always boils down to three points… thorough analysis, process design, and user training!

Be a guide to your users Be a guide to your users

If I dwell on data security for a moment, I have also encountered several times that there was a requirement to use one’s key for data encryption. A whole chapter of the documentation about this topic is Bring your own encryption keys for Power BI - Power BI. If you read this part of the documentation carefully, you will find that encryption with our key applies to data stored appropriately. However, Personal Workspaces natively lie on classic shared capacities like PRO-type workspaces. So will they also be subject to encryption of some other capacity? If they stay in this native form, then NO! BUT… if we would change these personal workspaces’ underlying capacity to the capacity encrypted with our key, then YES!!! (How to do that is hidden in the next chapter)

Possibilities and Settings of Personal Workspaces

Personal workspace settings are slightly different from standard workspace settings. This type of space does not support most of the options, except changing the associated capacity, an overview of used storage, embed codes, and then support for Spark compute and Library management settings.

You’re currently dealing with the capabilities of Microsoft Fabric, so you’ve definitely gotten smarter, mainly because of the last two mentioned. After all, “my workspace” does not support the production of Fabric components. Or does it? YES, it supports! But there is one catch. Actually, two,… maybe even three.

To create Fabric components here, this workspace, like any other, needs to be supported with Fabric capacity. I welcome this possibility as part of the Fabric Trial so that I don’t have to “clutter up” some shared space with my tests, but what if this trial doesn’t exist? A significant advantage of standard workspaces is, for example, the new Git support or the possibility to pin the given workspace to Deployment pipelines and transfer some of the content elsewhere. However, both options need to be included in personal workspaces. Add to that the concerns and issues mentioned at the top of the article, and you have a fantastic package that will cause no admin to give you capacity for your personal workspace. ~ Please put this thought out of your head, and let’s think about the possible use of this potential without the concerns mentioned earlier.

We know we have been promised two classic financing options for Microsoft Fabric → Pay-As-You-Go and Reserved. We already have Pay-As-You-Go today. Even if we do not receive the reserved model in the future, this consideration remains valid: Within the company, we use F64 or a variant that already includes Power BI Premium and primarily the ability to read the content of Power BI components for Free users. As part of this capacity, we run various updates, queries for data in OneLake, etc… We probably don’t want the developer to develop for us at production capacity and thus drain from it the resources necessary for the smooth operation of other artifacts. We will therefore create some additional capacity with a high probability that the capacity will be weaker than the original one. Our existing developers are doing a great job on the new capacity, and Deployment Pipelines are deploying everything to the workspace in production capacity.

But where should we send a new/junior developer to learn how to use Fabric artifacts and complete onboarding training, where he will not take away computing capacity from other developers? Why not use the lowest option of F2 capacity, which would be turned on only for a limited period, and pin this capacity to the personal workspaces of these beginning developers? Most onboarding training does not result in a functional production solution but are demo materials that users should have if something needs to be repeated or relearned. At that moment, using “my workspace” seems rational and legitimate.

Experimenting is part of learnin process Experimenting is part of learnin process

To give you another piece of the puzzle, I’ll add that the average user can’t just pin the capacity under their “my workspace” from the workspace settings (although it seems like they probably could) to be able to do that, so would have to have special authorization for this within the capacity. And pinning capacity to someone else’s space is done from the Workspaces overview within the Power BI Admin Portal / Fabric Admin Portal. The workspace then has the same diamond mark as a normal one.

My workspace My workspace

It is also possible to set all personal workspaces to be automatically created with a specific capacity. This ability to pin capacity did not come with Microsoft Fabric but has long been a part of Power BI. You can even pin the capacity of the Premium Per User license. What’s new is that Admin can prevent you from switching your workspace back to shared capacity.

Block user from reassigning personal workspaces Block user from reassigning personal workspaces

But back to the fact that personal workspaces can be assigned below capacity. This is something that many users and even admins don’t know. Let alone the fact that it is possible to pin them there automatically. So it will be good to know how to do it!

Assigning a Personal Workspace to a Capacity

There are two main ways to do this. For the first one, I already described that it could be done directly in the workspace settings. Still, as a reminder, I emphasize again that you need to have the appropriate license within the given capacity to do it! Therefore, you must be a Capacity Admin or Capacity Contributor.

Personal Workspace settings Personal Workspace settings

I have yet to consider the second option. As part of that, I can add any personal workspace, not just mine, under some capacity in my administration (so again, it requires permissions, as mentioned earlier). Within the Admin Portal, select the Workspaces tab.

Workspace blade in Admin portal Workspace blade in Admin portal

Here I need to find the personnel workspace I’m looking for and use the icon of three vertical dots to open the submenu and select Reassign workspace.

This path offers one option you need in the first option, even if you are a Power BI Admin. I am talking about adding capacity from Premium Per User under “My workspace.”

Reassign workspace Reassign workspace

I dare to add a third option! And the automatic one, when all “My workspace” is automatically pinned under one selected capacity. Attention!!! You do not have this option in the TRIAL variants. Of course, this option is also missing with Premium Per User settings. Let me split this option into two parts New, Existing. For new personal workspaces, the best option is to turn on the following option in the selected capacity settings.

Capacity of Workspace Capacity of Workspace

But if I want to pin an existing one, don’t worry. There’s no need for a ticket towards MSFT support, manual clicking for every workspace, or PowerShell magic. It is enough to add workspaces to the capacity by selecting the “Assign workspaces” button, which will show you additional options.

Preferred capacity for all new workspaces Preferred capacity for all new workspaces

Among these, you can find an option for mass transfer which is ideal! Assign workspaces Assign workspaces

If you have more capacity, you can perform mass migration of workspaces with this option.

Assign all personal workspaces Assign all personal workspaces to capacity

Boosted capabilities of personal workspaces with capacity

I mentioned earlier that adding capacity to the personal workspace can give users their sandbox. From a capacity point of view, this should be separated from production and development so that it is indeed a sandbox.

But if you support the personal workspace with capacity, you add many options you can use. Of course, it depends on the type of capacity, but if we were to support it with, for example, Fabric capacity, we can use all these artifacts:

Cheatsheet Personal Workspace Fabric Cheatsheet

In addition to these artifacts, something else is hidden here that is very valuable and necessary. After all, I cannot simply transfer my content from my workspace to another. This should help me because it is a personal analytics environment or a sandbox. But what if there was an option to connect this space to Git? Then one could also think that I can send the change from “My workspace” to another so that the variability of these workspaces would increase again.

GIT Integration in Personal Workspace Personal Workspace with GIT Integration

I have good and bad news for you. The workspace modified in this way can be connected to Git, you can even commit, but there is a catch. These workspaces, or their UI, have quite a bit of trouble with this option and often disappear like the rest of the settings, where it even lets you change the name. Don’t worry. It won’t let you!

Error message in Personal WS settings Error message when trying to overwrite the name of workspace

Here is a trick that will allow you to display these particular options. Create an artifact from Fabric, return to My workspace, and suddenly you see new possibilities again. After the next refresh of the page, those options will disappear again. So I was setting up new Notebooks so I could test it. At the same time, I noticed that possibilities remain forever and do not disappear—for example, the Lineage view.

Lakehouse in Workspace Lakehouse in Workspace

There is still a sad minus. Streaming Dataflow, an artifact slowly leaving the Power BI Service, is still offered here in My Workspace when creating a new artifact. If you try to start it, it will return this message.

Unable to create artefact Unable to create artefact

Even with streaming dataflows ending, it will be good to remind all users of this message so they don’t forget it (if they use them). Everything seems to be caught so that even if it offers that you can do something you shouldn’t, it immediately informs you that you can’t do it. Even though I would have preferred a proactive solution rather than a reactive one, which at this moment I would instead irritate the user, I would have preferred a preventive solution, where I would not be offered anything that I really can’t do or at least these options would be greyed out (deactivated).

Auditing, Accessing, and restoring personal workspaces

Now the exciting part completely refutes some of the concerns from the beginning of the article. Over time, the possibility was added for the Admin to assign access to the personal workspaces of any user, which was an option that all admins very much welcomed because, at that moment, you break down the ideas of a black box over which you have no management options except for assigning capacity, previewing names and types of stored content. Now, if something doesn’t seem right to the Admin or he wants to check or help with moving content / solving a problem, he allows access for 24 hours. So for 24 hours, the Admin will see the given workspace among his workspaces, and the name of this workspace will be the name of the given user. According to the documentation, it should have the “my workspace” icon, but when I write this article, the workspace assigned in this way has the same icon as shared workspaces. (Admin can’t assign access to anyone but myself!)

Standard Workspace logo Standard Workspace logo

If we delete the user from AAD (respectively from Entra), according to what we said, his workspace will also be deleted gradually. But before the workspace completely disappears, it can be restored from the Admin’s point of view as a standard application workspace so that more users can be added to it, and thus, the content does not disappear and is not trapped here! You can find an exact description of how to do it here ~ View workspaces.

As far as auditing is concerned, I can access the content and its details using the REST API, just like with any other workspace. If I were to ask for ”./myorg/groups”, for example, I would not see personal workspaces, not even my own. I have to request Admin rights ”./myorg/admin/groups?$top=xxx” and get it. Of course, it is also possible to ask for help from the ScannerAPI (Metadata scanning - Power BI) to scan them and return deeper details. However, if you need more than these variants and want to know what the user is doing in this workspace, then you have two main options! Use the new Admin monitoring, where you can find the appropriate personal workspace in the Feature Usage and Adoption report on the Analysis page to look at the operations performed. However, this report is in Preview so it may be unstable. For example, I noticed that it currently only works with some of the operations that the user can do. If I wanted to get all of them, I could call the API again using the Activity Events endpoint. This endpoint returns the same data as the O365 Compliance Center. The bases for working with this endpoint can be found in this link to the official documentation Track user activities in Power BI or here in more specifics Get Activity Events. Also in documentation you can find this great part about implementation and planning Tenant-level auditing

All these auditing and heap control capabilities, including support for private key encryption, should hopefully give you peace of mind about your workspaces, as they allow you to identify the content that users are storing there, how they’re working with it, and of course, reacting. It requires knowing that it’s good to watch these types of workspaces. To remind you, what kind? Personal Group! These are the workspaces you’re looking for, and you can’t disable them.

Auditing is necessary for you and helps you keep everything under control Auditing is necessary for you and helps you keep everything under control

Summary

Worry usually stems from what we don’t understand and can’t control. Therefore, concerns also arise from personal workspaces. On the other hand, we already know this is not a black box of mysteries to which no one but one person has access, and we may not lose the contents.

Many thanks to the wonderful Melissa Coates for her help and review of that article.

I have a little summary for you at the end:

  • But do they require our increased attention? If we’re Power BI admins, sure we do. But! All users should be properly taught how to use them also.
  • Are they a danger to us? Only if we don’t audit them and if we don’t educate our users.
  • Can they serve us for testing or educational purposes? Definitely!
  • Can the data inside these spaces be encrypted like in regular workspaces? Yes, they will, but it requires pinning them under the encrypted premium capacity.
  • Can a deleted personal workspace be restored? At some point, yes, and that’s why they need to be monitored.
  • Can we ban them? NO!
Personal Workspaces in Times of Fabric
Older post

Lessons learnt from PySpark Notebooks and extracting APIs

From time to time, there is a need to talk about the possibilities, benefits, and dark sides that personal workspaces, aka "My workspace," bring.

Newer post

Copy Activity, Dataflows Gen2, and Notebooks vs. SharePoint Lists

From time to time, there is a need to talk about the possibilities, benefits, and dark sides that personal workspaces, aka "My workspace," bring.

Personal Workspaces in Times of Fabric