
audit-tenant-settings

The audit-tenant-settings skill automatically audits Fabric and Power BI tenant settings against a curated baseline, identifies configuration drift, surfaces delegated overrides across capacity and workspace scopes, and investigates associated Entra security groups. Use this skill when users ask about tenant governance, settings compliance, delegated overrides, or security group membership tied to admin configurations.

Install in Claude Code

```bash
git clone --depth 1 https://github.com/data-goblin/power-bi-agentic-development /tmp/audit-tenant-settings && cp -r /tmp/audit-tenant-settings/plugins/fabric-admin/skills/audit-tenant-settings ~/.claude/skills/audit-tenant-settings
```
Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# Audit Tenant Settings

Audit Fabric / Power BI tenant settings against a curated baseline, surface drift, enumerate delegated overrides at capacity / domain / workspace scope, investigate the Entra security groups those settings reference, and turn findings into a grounded discussion about what to do next. Always invoke the `fabric-cli` skill alongside this skill; it provides the `fab` CLI guidance, admin API references, and the `microsoft-learn` MCP server that this skill depends on.

## Prerequisites

This plugin is an add-on to the `fabric-cli` plugin. It requires:

- **fabric-cli plugin** installed and enabled; provides `fab` CLI guidance, the `microsoft-learn` MCP server, and admin API reference docs.
- **fab CLI** (`ms-fabric-cli`) authenticated with a Fabric / Power BI admin account.
- **az CLI** authenticated with Graph permissions (`Group.Read.All`, `User.Read.All`, `Directory.Read.All`, `RoleManagement.Read.Directory`) when investigating security groups.

## Settings

Per-project configuration via `.claude/fabric-admin.local.md`:

```markdown
---
enabled: true
tenant_label: "Contoso"
snapshot_path: "~/.cache/fabric-admin-audit/last-snapshot.json"
drift_threshold_high: 5
drift_threshold_medium: 15
notification_level: "info"
schedule: "weekly"
---

# Fabric Admin Configuration

Additional context or tenant-specific notes.
```

| Field | Type | Default | Purpose |
|---|---|---|---|
| `enabled` | bool | `true` | Toggle the plugin on/off |
| `tenant_label` | string | none | Label for PDF masthead and audit reports |
| `snapshot_path` | string | `~/.cache/fabric-admin-audit/last-snapshot.json` | Where to store/read the last-run snapshot JSON |
| `drift_threshold_high` | int | `5` | Alert when high-risk drift count exceeds this |
| `drift_threshold_medium` | int | `15` | Alert when total drift count exceeds this |
| `notification_level` | string | `info` | Verbosity: `quiet`, `info`, `verbose` |
| `schedule` | string | `weekly` | Preferred audit cadence: `daily`, `weekly`, `monthly`, `ad-hoc` |


## When to use this skill

Invoke for any tenant-, delegation-, or SG-scoped governance question that needs an interpreted answer rather than a raw API call. Typical asks:

- "Run a tenant governance audit"
- "Has anything drifted since last month?"
- "What does PublishToWeb do and should we have it on?"
- "Which settings are scoped to the PowerBI_ServicePrincipals group and who is in it?"
- "Show me every capacity / domain / workspace override"
- "Is this setting safe to enable for my scenario?"


## Critical rules

- **Never guess.** Tenant-setting behavior, SG membership, and override effects must come from the curated metadata, the live API, or Microsoft Learn. When sources are silent or contradict each other, say so plainly.
- **Gather requirements.** Use your `AskUserQuestion` skill to regularly interview the user about their tenant, user behavior, and adoption. Use the `fabric-cli` skill and `fab` to build an inventory of what's in the tenant and how it's structured, and use the activity log / events to understand user adoption and activity. Flag key patterns, anomalies, and high-risk operations or scenarios (like publish-to-web, exports, and sharing with external users, full-org, or C-level employees).
- **Do not fabricate portal titles, descriptions, recommendations, risk levels, SG membership, or ACL shapes.** If the metadata or API lacks the fact, fetch it.
- **No absolute compliance claims** (HIPAA, SOC 2, GDPR, etc.). Limit conclusions to observed drift against the curated baseline and the raw API findings.
- **Recommendations are general, not prescriptive or universal.** The curated `recommended` field reflects subjective and community defaults, not the user's scenario. Always present the nuance and let the user decide.
- **Be pragmatic and critical; avoid alarmist language.** Consider the practicality of the user's scenario and engage with them in decision-making and planning so that they can understand the functional consequences of their current tenant setting configuration:
   - What does this mean for governance: what users can do, access, and create?
   - How does this affect key processes like creation, sharing, and distribution?
   - How does it affect capacity usage in Fabric and resource constraints?
   - How does it create friction that could inhibit effective analytics?
   - Would enabling or disabling result in blocking users or creating new dependencies?

## Authoritative sources (in order)

1. **Curated metadata**: `references/tenant-settings-metadata.yaml`. Holds `human_name`, `description`, `preview`, `source_url`, `recommended`, `risk`, and `recommendation_nuance` for every known setting. Check this first for any tenant-settings question.
2. **Live APIs** via `fab api` and `az`:
   - Tenant-wide state: `fab api "admin/tenantsettings"`
   - Delegated overrides: `fab api "admin/capacities/delegatedTenantSettingOverrides"`, `admin/domains/...`, `admin/workspaces/...`
   - Entra groups and role assignments: `az ad group`, `az rest --method get --uri https://graph.microsoft.com/v1.0/...`
3. **Microsoft Learn** via the `microsoft-learn` MCP server (`microsoft_docs_search`, `microsoft_docs_fetch`, `microsoft_code_sample_search`) or the `pbi-search` CLI as an alternative. Use when metadata is stale, the setting is brand new, or the user asks a feature question the baseline cannot answer.
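
The drift comparison implied by sources 1 and 2, shown as an added example that is not code from the skill's repository. The baseline shape (setting name mapped to a boolean `recommended` and a string `risk`), the `Example*` setting names, and the returned alert labels are assumptions; the thresholds default to the values in the Settings table.

```python
# Added example: compare a live tenant-settings payload with a curated baseline.
# LIVE is a constructed sample of the body returned by `fab api "admin/tenantsettings"`.
LIVE = {"tenantSettings": [
    {"settingName": "PublishToWeb", "enabled": True, "enabledSecurityGroups": []},
    {"settingName": "ExampleExportSetting", "enabled": True,
     "enabledSecurityGroups": [{"graphId": "00000000-0000-0000-0000-000000000001",
                                "name": "PowerBI_ServicePrincipals"}]},
    {"settingName": "ExamplePreviewSetting", "enabled": True},
]}

# Assumed in-memory form of references/tenant-settings-metadata.yaml (constructed values).
BASELINE = {
    "PublishToWeb": {"recommended": False, "risk": "high"},
    "ExampleExportSetting": {"recommended": True, "risk": "medium"},
    "ExampleRetiredSetting": {"recommended": False, "risk": "low"},
}

def find_drift(live, baseline):
    """Return (drifted, unknown, missing) for a live payload against the baseline."""
    seen = {s["settingName"]: s for s in live.get("tenantSettings", [])}
    drifted = []
    for name, state in seen.items():
        meta = baseline.get(name)
        if meta is None:
            continue  # no curated risk for this setting: report it, do not score it
        enabled = bool(state.get("enabled"))
        if enabled != meta["recommended"]:
            groups = [g.get("name") for g in state.get("enabledSecurityGroups") or []]
            drifted.append({"setting": name, "risk": meta["risk"],
                            "enabled": enabled, "scoped_to": groups})
    unknown = sorted(set(seen) - set(baseline))   # live settings absent from the metadata
    missing = sorted(set(baseline) - set(seen))   # curated settings the API did not return
    return drifted, unknown, missing

def alert_level(drifted, high_threshold=5, medium_threshold=15):
    """Apply drift_threshold_high / drift_threshold_medium ("exceeds" is strict)."""
    high = sum(1 for d in drifted if d["risk"] == "high")
    if high > high_threshold:
        return "high"
    if len(drifted) > medium_threshold:
        return "medium"
    return "none"

if __name__ == "__main__":
    drifted, unknown, missing = find_drift(LIVE, BASELINE)
    print(alert_level(drifted), drifted, unknown, missing)
```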

## Workflow

Follow these steps in order. Skip a step only with a clear reason; never silently drop one.

### 1. Verify prerequisites

- `fab --version` is current; run `uv tool upgrade ms-fabric-cli` if stale.
- `fab auth status` confirms a live session; ask the user to run `fab auth login` if not.
- Admin access sanity check: `fab api "admin/capacities" 2>&1 | head -5`. A 401 / 403 means the account is not a Fabric / Power BI admin; stop and ask the user how to proceed (ask an admin to run it, or pivot to the non-admin scripts).
- If any SG investigation will be needed, `az account