{"id":28632753,"url":"https://github.com/nemmusu/powerbi-extractor","last_synced_at":"2025-06-12T14:38:32.250Z","repository":{"id":292398318,"uuid":"980782039","full_name":"nemmusu/powerbi-extractor","owner":"nemmusu","description":"PowerBI Extractor is a fully open-source auditing and exploration tool for Microsoft Power BI environments, it performs deep metadata extraction, access control validation, user-role mapping, and optional DAX/report export operations.","archived":false,"fork":false,"pushed_at":"2025-06-10T07:03:43.000Z","size":11,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-10T07:32:48.123Z","etag":null,"topics":["acl","audit","dax","dump","enumeration","hacking","harvest","harvester","microsoft","penetration-testing","penetration-testing-tools","powerbi","redteaming","redteaming-tools","scanner","tool","user-enumeration","vulnerability","web-hacking-tool"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nemmusu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-09T17:50:40.000Z","updated_at":"2025-06-10T07:06:56.000Z","dependencies_parsed_at":"2025-06-10T07:32:52.622Z","dependency_job_id":"c89f82b8-3bd5-4f1c-acfa-faa8be97160f","html_url":"https://github.com/nemmusu/powerbi-extractor","commit_stats":null,"previous_names":["nemmusu/powerbi-harvest","nemmusu/powerbi-extractor"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/nemmusu/power
bi-extractor","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nemmusu%2Fpowerbi-extractor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nemmusu%2Fpowerbi-extractor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nemmusu%2Fpowerbi-extractor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nemmusu%2Fpowerbi-extractor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nemmusu","download_url":"https://codeload.github.com/nemmusu/powerbi-extractor/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nemmusu%2Fpowerbi-extractor/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259483686,"owners_count":22864996,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acl","audit","dax","dump","enumeration","hacking","harvest","harvester","microsoft","penetration-testing","penetration-testing-tools","powerbi","redteaming","redteaming-tools","scanner","tool","user-enumeration","vulnerability","web-hacking-tool"],"created_at":"2025-06-12T14:38:31.526Z","updated_at":"2025-06-12T14:38:32.239Z","avatar_url":"https://github.com/nemmusu.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# Power BI Extractor\n\n`powerbi_extractor.py` is a **fully open-source auditing and exploration tool** for **Microsoft Power BI** environments.  
\nDesigned for **red teams**, **security auditors**, and **data analysts**, it performs deep metadata extraction, access control validation, user-role mapping, and optional DAX/report export operations — all from the command line.\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)\n\n---\n\n## 📌 Why Power BI Extractor?\n\nMicrosoft Power BI is a widely adopted business intelligence platform — yet security misconfigurations are common.  
\n`powerbi_extractor.py` enables structured discovery and validation of:\n\n- 🔐 Access Control Lists (ACLs)\n- 📊 Report + Dataset mapping\n- 👤 Role-Based Access Control (RBAC)\n- 📤 Export-to behavior\n- 🔎 Data exposure via DAX\n- 🧑‍💼 User enumeration and role visibility\n- 🧠 AAD Group lookups (optional via Microsoft Graph)\n\n---\n\n## 🚀 Features\n\n- ✅ List accessible workspaces\n- ✅ Extract report metadata and export tokens\n- ✅ Dump datasets and DAX output (when permitted)\n- ✅ Perform ACL and RBAC checks\n- ✅ Enumerate workspace users and roles (opt-in)\n- ✅ Map users → workspaces → permissions\n- ✅ Save audit logs, summaries, and vulnerabilities\n- ✅ Optional integration with Microsoft Graph\n\n---\n\n## ⚙️ Installation\n\n```bash\ngit clone https://github.com/nemmusu/powerbi-extractor.git\ncd powerbi-extractor\npip install -r requirements.txt\n```\n\nRequirements (in `requirements.txt`):\n\n```txt\nrequests\ntabulate\npandas\n```\n\n---\n\n## 🧪 Usage\n\n```bash\npython3 powerbi_extractor.py --token \u003cBEARER_TOKEN\u003e [--enum-users] [--audit] [--output OUTPUT_DIR]\n```\n\n### Arguments\n\n- `--token`: Required. A Power BI access token.\n- `--enum-users`: List users and roles for each workspace.\n- `--audit`: Trigger ACL and export token validation.\n- `--output`: Destination directory. 
Defaults to `output/YYYYMMDD_HHMMSS`.\n\n---\n\n## Output\n\n### Terminal Output (Example)\n\n```\n[=] Workspace: Finance_Dept\n    → Your role: Contributor\n    ↪ Report: Quarterly_Summary\n    ├─ [✓] Fetched reportId: 7a1df76...\n    ├─ ⚙️ Checking embed token...\n    ├─ [✓] Embed token generated (HTTP 200)\n    ├─ [✓] Sent ExportTo request → jobId: 3a1f...\n    ├─ [✓] Export succeeded\n    [✔] DAX OK: FinancialsDataset (24 columns)\n\n    ↪ Report: Forecast_2024\n    ├─ [✓] Fetched reportId: 9bbff3e...\n    ├─ ⚙️ Checking embed token...\n    ├─ [✓] Embed token generated (HTTP 200)\n    ├─ [✓] Sent ExportTo request → jobId: 8ab7...\n    ├─ [✘] Polling attempt 1 → HTTP 404\n    └─ [✘] Export job valid but PDF missing\n\n[=] Workspace: HR_Team\n    → Your role: Unknown (not in list)\n    ↪ Report: Employee_Stats\n    ├─ [✘] Embed token failed → HTTP 403\n    ↪ Report: Headcount_Report\n    ├─ [✓] Fetched reportId: b821ffe...\n    ├─ ⚙️ Checking embed token...\n    ├─ [✓] Embed token generated (HTTP 200)\n    ├─ [✓] Sent ExportTo request → jobId: c771...\n    ├─ [✘] Export job failed\n\n[✔] DAX OK: FinancialsDataset (24 columns)\n[✘] DAX FAIL: HR_Dataset (HTTP 403)\n\n🧑‍💼 Users Summary:\n╭────────────────────────────┬────────────────────────────┬──────────────┬──────────╮\n│ displayName                │ emailAddress               │ identifier   │ role     │\n├────────────────────────────┼────────────────────────────┼──────────────┼──────────┤\n│ Alice Admin                │ alice@contoso.com          │ ...          │ Admin    │\n│ Bob Viewer                 │ bob@contoso.com            │ ...          │ Viewer   │\n│ Carol Contributor          │ carol@contoso.com          │ ...          
│ Contributor│\n╰────────────────────────────┴────────────────────────────┴──────────────┴──────────╯\n\n📌 User → Workspace Mapping (with roles):\n╭────────────────────┬──────────────────────────────────────────────╮\n│ User               │ Workspaces (Role)                            │\n├────────────────────┼──────────────────────────────────────────────┤\n│ alice@contoso.com  │ Finance_Dept (Admin), HR_Team (Viewer)       │\n│ bob@contoso.com    │ Finance_Dept (Viewer)                        │\n│ carol@contoso.com  │ HR_Team (Contributor)                        │\n╰────────────────────┴──────────────────────────────────────────────╯\n\n[✓] Summary saved to output/20250509_172302/summary.txt\n[✓] Full output saved to output/20250509_172302/full_output_summary.txt\n\n🚨 Vulnerabilities Detected: 3\n╭─────────────┬─────────────────────────────────────────────────────────────╮\n│ Type        │ Vulnerability                                               │\n├─────────────┼─────────────────────────────────────────────────────────────┤\n│ 🔴 VULN     │ Embed token can be generated for: Quarterly_Summary         │\n│ 🔴 VULN     │ Dataset executed without error or RLS: FinancialsDataset    │\n│ 🔴 VULN     │ Export job valid but PDF missing: Forecast_2024             │\n╰─────────────┴─────────────────────────────────────────────────────────────╯\n```\n\n---\n\n### Example `summary.txt`\n\n```\n📊 Workspace: Finance_Dept\n  📄 Reports:\n    [✔] Quarterly_Summary         → exported\n    [✘] Annual_Overview           → failed_403\n    [✘] Legacy_Budget             → export_failed_404\n  🧬 Datasets:\n    [✔] FinancialsDataset         → DAX OK, 24 col\n    [✘] HR_Dataset                → FAIL (fail_403)\n\n📊 Workspace: HR_Team\n  📄 Reports:\n    [✘] Employee_Stats            → failed_403\n    [✘] Salary_Overview           → export_failed\n  🧬 Datasets:\n    [✘] StaffData                 → FAIL (fail_403)\n\n📋 Enumerated Users:\n\n| displayName     | emailAddress          | 
identifier | role       |\n|-----------------|-----------------------|------------|------------|\n| Alice Admin     | alice@contoso.com     | ...        | Admin      |\n| Bob Viewer      | bob@contoso.com       | ...        | Viewer     |\n| Eve External    | eve@external.com      | ...        | Contributor|\n\n=== USERS → WORKSPACES MAP ===\n╭────────────────────┬────────────────────────────────────────────────────────╮\n│ User               │ Workspaces (Role)                                      │\n├────────────────────┼────────────────────────────────────────────────────────┤\n│ alice@contoso.com  │ Finance_Dept (Admin), HR_Team (Contributor)            │\n│ bob@contoso.com    │ Finance_Dept (Viewer)                                  │\n│ eve@external.com   │ HR_Team (Contributor)                                  │\n╰────────────────────┴────────────────────────────────────────────────────────╯\n\n=== AUDIT VULNERABILITY SUMMARY ===\n╭─────────────┬──────────────────────────────────────────────────────────────╮\n│ Type        │ Vulnerability                                                │\n├─────────────┼──────────────────────────────────────────────────────────────┤\n│ 🔴 VULN     │ Embed token can be generated for: Quarterly_Summary          │\n│ 🔴 VULN     │ Dataset executed without error or RLS: FinancialsDataset     │\n│ 🔴 VULN     │ Export job valid but PDF missing: Legacy_Budget (jobId: ...) 
│\n╰─────────────┴──────────────────────────────────────────────────────────────╯\n```\n\n---\n\n### Example `full_output_summary.txt`\n\n```\n======================================================================\nSUMMARY\n======================================================================\n📊 Workspace: Finance_Dept\n  📄 Reports:\n    [✔] Quarterly_Summary         → exported\n    [✘] Annual_Overview           → failed_403\n    [✘] Legacy_Budget             → export_failed_404\n  🧬 Datasets:\n    [✔] FinancialsDataset         → DAX OK, 24 col\n    [✘] HR_Dataset                → FAIL (fail_403)\n\n📊 Workspace: HR_Team\n  📄 Reports:\n    [✘] Employee_Stats            → failed_403\n    [✘] Salary_Overview           → export_failed\n  🧬 Datasets:\n    [✘] StaffData                 → FAIL (fail_403)\n\n📋 Enumerated Users:\n\n| displayName     | emailAddress          | identifier | role       |\n|-----------------|-----------------------|------------|------------|\n| Alice Admin     | alice@contoso.com     | ...        | Admin      |\n| Bob Viewer      | bob@contoso.com       | ...        | Viewer     |\n| Eve External    | eve@external.com      | ...        
| Contributor|\n\n=== USERS → WORKSPACES MAP ===\n╭────────────────────┬────────────────────────────────────────────────────────╮\n│ User               │ Workspaces (Role)                                      │\n├────────────────────┼────────────────────────────────────────────────────────┤\n│ alice@contoso.com  │ Finance_Dept (Admin), HR_Team (Contributor)            │\n│ bob@contoso.com    │ Finance_Dept (Viewer)                                  │\n│ eve@external.com   │ HR_Team (Contributor)                                  │\n╰────────────────────┴────────────────────────────────────────────────────────╯\n\n=== AUDIT VULNERABILITY SUMMARY ===\n╭─────────────┬──────────────────────────────────────────────────────────────╮\n│ Type        │ Vulnerability                                                │\n├─────────────┼──────────────────────────────────────────────────────────────┤\n│ 🔴 VULN     │ Embed token can be generated for: Quarterly_Summary          │\n│ 🔴 VULN     │ Dataset executed without error or RLS: FinancialsDataset     │\n│ 🔴 VULN     │ Export job valid but PDF missing: Legacy_Budget (jobId: ...) 
│\n╰─────────────┴──────────────────────────────────────────────────────────────╯\n\n======================================================================\nREPORT LOGS\n======================================================================\n\n📄 Quarterly_Summary.log\n--------------------------------------------------\nReport Name: Quarterly_Summary\nWorkspace: Finance_Dept\nGroup ID: GID-FIN-001\nReport ID: RPT-123\nDataset ID: DS-456\nEmbedTokenCheck: HTTP 200\nEmbedToken: eyJ0eXAi...\nJob ID: JOB-789\n\n📄 Legacy_Budget.log\n--------------------------------------------------\nReport Name: Legacy_Budget\nWorkspace: Finance_Dept\nGroup ID: GID-FIN-001\nReport ID: RPT-LEG-333\nDataset ID: DS-LEGACY\nEmbedTokenCheck: HTTP 200\nEmbedToken: eyJ0eXAi...\nJob ID: JOB-XYZ\nPolling: 404 NOT FOUND\n\n📄 Salary_Overview.log\n--------------------------------------------------\nReport Name: Salary_Overview\nWorkspace: HR_Team\nGroup ID: GID-HR-002\nReport ID: RPT-SAL\nDataset ID: DS-HR-02\nEmbedTokenCheck: HTTP 200\nJob ID: JOB-FAIL\nStatus: FAILED\n\n======================================================================\nAUDIT FINDINGS\n======================================================================\n[OK] Token context → service_principal=False, guest=False, admin=False\n[INFO] Embed URL detected: https://app.powerbi.com/reportEmbed?reportId=...\n[OK] Token subject explicitly in report ACL: Quarterly_Summary\n[VULN] Embed token can be generated for: Quarterly_Summary\n[VULN] Dataset executed without error or RLS: FinancialsDataset (cols: 24)\n[OK] RLS roles defined for dataset: FinancialsDataset\n[OK] RLS enforcement confirmed: FinancialsDataset\n[VULN] Export job valid but PDF missing: Legacy_Budget (jobId: JOB-XYZ)\n```\n\n---\n\n## 🗂 Output Structure\n\n- `reports/\u003cworkspace\u003e/`: Exported report PDFs (if accessible)\n- `dax/\u003cworkspace\u003e/`: Dataset output in JSON format\n- `logs/\u003cworkspace\u003e/`: Detailed logs for each export\n- `users.csv` / 
`users.json`: Workspace user listings (if enabled)\n- `summary.txt`: Human-readable summary\n- `full_output_summary.txt`: Full logs + findings\n\n## Notes\n\n- Tokens must be valid for the Power BI REST API. Microsoft Graph access (e.g., AAD group resolution) requires additional scopes but is optional.\n- Export and DAX operations do not guarantee access — HTTP errors are logged and reported.\n\n## ⚠️ Disclaimer\n\nThis tool is released for educational and authorized assessment purposes only.  \nIt is always distributed as **Python source code**.  \n**⚠️ Beware of `.exe` versions: they are unofficial and potentially malicious.**\n\n---\n\n## 📫 Contact\nGitHub: [nemmusu/powerbi-extractor](https://github.com/nemmusu/powerbi-extractor)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnemmusu%2Fpowerbi-extractor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnemmusu%2Fpowerbi-extractor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnemmusu%2Fpowerbi-extractor/lists"}