Deep Dive

Are Power BI Custom Visuals Safe? What the Data Says (2026)

· By Nawaf Sharaf · Founder & Reliability Engineer

TL;DR

Mostly yes — with caveats. Every custom visual runs in a locked-down sandbox (an isolated iframe) with no file-system access, and Microsoft-certified visuals pass a code review that forbids any external network calls: no HTTP/S, WebSocket, fetch, or XMLHttpRequest. Uncertified visuals aren't automatically unsafe, but they can call external services — the real exfiltration risk. Verify the blue certified badge and lock down tenant settings.

Every few weeks a security or governance team asks the same question before approving a Power BI custom visual: can this thing phone home with our data? It's a fair worry — but the honest answer is more reassuring, and more nuanced, than either the marketing gloss or the fear-mongering suggests. This piece lays out what Microsoft's own 2026 documentation actually says, and previews a data study we're publishing on the state of custom-visual safety.

What a .pbiviz visual can and cannot do

A Power BI custom visual is a .pbiviz package — bundled TypeScript/JavaScript (usually with a library like D3) plus a capabilities file — that Power BI runs inside a sandboxed iframe. That sandbox is the whole security story: the visual only ever sees the data the report author explicitly binds to it, which Power BI pushes in. It cannot reach your file system, read your other visuals or pages, touch the semantic model directly, or interfere with the rest of the Power BI service. Microsoft's security white paper puts it plainly: all custom visual code runs in a sandbox environment so that errant code cannot adversely affect the rest of the service. The flip side, in Microsoft's own words, is that Microsoft does not security-review most visuals before they reach the gallery — 'it's the customer's responsibility to review and determine whether custom visual code should be relied upon.' Sandboxing contains the blast radius; it does not, by itself, stop a visual from sending the data it legitimately receives somewhere else.

Certified vs. uncertified: where the line really is

Certification is the dividing line that matters. A certified Power BI visual is one in AppSource that has met Microsoft's code requirements and passed testing specifically designed to confirm the visual does not access external services or resources. In practice that means a certified visual makes no outbound network calls at all: no HTTP/S or WebSocket requests leave Power BI, WebAccess privileges must be empty or omitted in capabilities.json, and the code may not use fetch, XMLHttpRequest, eval(), Function(), or unsanitized innerHTML. Microsoft reviews the actual source — submitted on a branch literally named 'certification' — and confirms the compiled package matches it. Certified visuals also unlock features uncertified ones can't use, such as export to PowerPoint and rendering inside subscription emails. Two honest caveats keep this balanced. First, certification is optional, so a visual being uncertified does not make it unsafe — many good visuals simply use a commercial library or connect to a map service and therefore can't qualify. Second, an uncertified visual can legitimately call external services: Microsoft notes, for example, that Bing Maps and ESRI visuals transmit data out of the Power BI service in order to render. That outbound capability is exactly what a governance review needs to reason about.

How to tell if a visual is certified

You don't have to take a vendor's word for it. Inside Power BI Desktop or the service, a certified visual shows a blue certified badge, and the 'Get more visuals' dialog offers a 'Power BI Certified' filter so you can browse only certified options. In AppSource, look for the small yellow badge on the visual's card, or the 'PBI Certified' badge on the visual's detail page. One timing gotcha worth knowing: after a visual is approved, Microsoft says its certification badge can take up to about three weeks to appear, so a brand-new certified visual might not display the badge immediately. If a visual claims certification but shows no badge in the Power BI interface, treat that claim as unverified until it does.

The real risk model — how data could actually leave

Strip away the anxiety and the concrete risk is narrow and specific: an uncertified visual that makes outbound web calls could, in principle, send the data bound to it — the summarized values and configuration it can see — to an external endpoint. It cannot exfiltrate your file system, your other reports, or your credentials; the sandbox never receives them. A few adjacent tenant settings widen what a visual can touch and are worth knowing: 'Allow downloads from custom visuals' lets a visual export its bound data to a file; 'AppSource Custom Visuals SSO' lets a visual request Microsoft Entra tokens that carry the signed-in user's name and email across regions; and browser local-storage access lets a visual cache data on the device. None of these are back doors — each requires the visual to be built for it and the tenant setting to be enabled — but they are the surface a security review should enumerate. The mitigation is straightforward and covered next: prefer certified visuals, and gate everything else through admin controls.

Admin and tenant controls that enforce safety

Power BI gives Fabric administrators direct levers, all under Tenant settings > Power BI visuals in the Fabric admin portal. The strictest is 'Add and use certified visuals only (block uncertified)': when enabled, only certified visuals render, and any uncertified AppSource or .pbiviz visual returns an error. One level broader is 'Allow visuals created using the Power BI SDK', which controls whether users can add AppSource or uploaded .pbiviz visuals at all. Both settings are disabled by default and can be scoped to specific security groups. Crucially, neither setting applies to your organizational store: an admin can vet a specific visual — even an uncertified .pbiviz — and publish it to the org store as an allow-listed exception that overrides the tenant restriction for just that visual. Microsoft even warns at that step that a visual uploaded from a file could contain code with security or privacy risks, so trust the author and source first. That is the recommended pattern: block broadly, allow-list deliberately. The UI toggles govern the Power BI service; to enforce the same policy in Power BI Desktop, set the matching Group Policy registry values.

enforce-certified-visuals.ps1

# Power BI Desktop: enforce a certified-only policy via Group Policy (registry)
# Key: HKLM\Software\Policies\Microsoft\Power BI Desktop

# Block UNCERTIFIED visuals  (0 = block, 1 = allow [default])
reg add "HKLM\Software\Policies\Microsoft\Power BI Desktop" /v EnableUncertifiedVisuals /t REG_DWORD /d 0 /f

# Or block ALL SDK / AppSource / .pbiviz visuals  (0 = block, 1 = allow [default])
reg add "HKLM\Software\Policies\Microsoft\Power BI Desktop" /v EnableCustomVisuals /t REG_DWORD /d 0 /f

# Fabric admin portal (Power BI service) equivalents, under Tenant settings > Power BI visuals:
#   'Add and use certified visuals only (block uncertified)'
#   'Allow visuals created using the Power BI SDK'

Owning the source: auditable instead of a black box

Here's the governance gap the settings above can't fully close: even a certified visual is, to your security team, a black box — you trust Microsoft's review, but you never read the code. VizForge inverts that. Because VizForge generates the visual from your prompt and hands you the complete TypeScript source of the .pbiviz, the visual is auditable rather than opaque. Your reviewer can read every line, grep for fetch, XMLHttpRequest, WebSocket, or WebAccess privileges, and confirm for themselves that nothing phones home — the same properties Microsoft's certification checks, but on code you own and can diff over time. Generated visuals are built to avoid external network calls in the first place, which keeps them on the right side of that no-external-services requirement and lets you deploy them through your organizational store as a vetted, allow-listed visual. And because VizForge is priced as one-time credit packs rather than a subscription, owning that source isn't a recurring rental — the code is yours to audit, modify, and keep.

What the data will say (study coming)

This explainer is the qualitative half of a bigger project. We're compiling a State of Power BI Custom Visuals 2026 data study, measuring how the ecosystem actually behaves: how many popular visuals are certified, how many request network, export, or SSO capabilities, and how those numbers are shifting. We won't quote figures we can't yet stand behind, so this piece sticks to what Microsoft's documentation verifiably states today; the measured numbers follow when the study publishes. Either way, if you govern a Power BI tenant the practical takeaways don't change — prefer certified, gate the rest through admin controls, and favor visuals whose source you can actually read.

Generate an auditable visual you own

You get the full TypeScript source — no black box, no subscription.

FAQ

Can a Power BI custom visual steal my data?

Not from your file system or your other reports — the sandboxed iframe never receives those. The realistic risk is narrower: an uncertified visual that makes outbound web calls could send the data you bind to it to an external service. Certified visuals are tested to make no external calls, and admins can block uncertified visuals tenant-wide, so the exposure is controllable rather than open-ended.

Are certified Power BI visuals safe?

Certified visuals have passed a Microsoft code review and testing confirming they don't access external services — no HTTP/S, WebSocket, fetch, or XMLHttpRequest, and no WebAccess privileges. That's a strong safety signal. Microsoft is careful to note it isn't the author of third-party visuals and can't guarantee their functionality, but on the specific question of 'does this send my data out,' certification is the clearest assurance Power BI offers.

How do I block uncertified visuals across my organization?

In the Fabric admin portal, open Tenant settings > Power BI visuals and enable 'Add and use certified visuals only (block uncertified)'. Uncertified AppSource and .pbiviz visuals then return an error instead of rendering. For Power BI Desktop, set the Group Policy value EnableUncertifiedVisuals to 0. You can still permit specific vetted visuals by publishing them to your organizational store, which overrides the block for just those visuals.

Is an AI-generated custom visual safe?

It depends entirely on what the generated code does — 'AI-generated' is neither a safety guarantee nor a red flag on its own. The advantage of a tool like VizForge is that you receive the full TypeScript source, so 'is it safe?' becomes a question you can answer by reading the code rather than trusting a black box. Confirm it makes no network calls (no fetch, XMLHttpRequest, or WebAccess privileges) and deploy it through your org store like any other vetted visual.

Do certified visuals really make no external network calls?

That's the core certification requirement. Microsoft's tests are designed to confirm the visual doesn't access external services or resources: no HTTP/S or WebSocket traffic leaves Power BI, WebAccess privileges must be empty or omitted, and fetch and XMLHttpRequest are disallowed. A visual that genuinely needs an external service — a live map-tile server, say — cannot be certified, which is why some perfectly legitimate visuals remain uncertified.

Sources

Related reading

About the author

Nawaf Sharaf · Founder & Reliability Engineer

Nawaf is a reliability engineer and long-time Power BI practitioner, and the founder of VizForge. He builds the product solo — the AI generation pipeline, the visual code generator, and this site — from the perspective of someone who has spent years shipping Power BI reports in production.

Cite this article as:

VizForge. “Are Power BI Custom Visuals Safe? What the Data Says (2026).” July 8, 2026. https://vizforge.ai/blog/are-power-bi-custom-visuals-safe

Your next visual
ships in 4–10 min.

Sign up free. 5 credits to generate your first visuals on us. No credit card required.