Power BI supports the use of custom visuals to extend its capabilities. Developed by Microsoft, partners, and others, custom visuals provide enhanced functionality to solve both common and novel analytic challenges. After a custom visual is developed, it is consumed internally or uploaded to AppSource to allow the world to use. Many developers offer their custom visuals for free on AppSource. The gallery of visuals in AppSource are useful to solve an organization's needs without any development time.
Free visuals already developed and tested to solve Power BI requirements? This all sounds great! Generally, this is a great feature, but there is one concern.
Concern: Data Security
How can one trust the code underlying the custom visual in AppSource? Looking at one of the visuals in AppSource, it states it could be accessing external services. Is this going to steal my data? Is this a cybersecurity risk?
Solution: Certified Visuals
What are "Certified" visuals?
Certified visuals are vetted at the source code level by Microsoft engineers. See the excerpt below from Microsoft Docs:
Certified Power BI visuals are Power BI visuals in AppSource that meet the Microsoft Power BI team code requirements. These visuals are tested to verify that they don't access external services or resources, and that they follow secure coding patterns and guidelines.
How do you know a visual is certified? Look for the "PBI Certified" badge for visuals in AppSource.
Visual Governance
Logically, the next question that comes up is "can we turn off the capability to use uncertified visuals?". The short answer is "Yes". There is a setting in the Admin Portal to only allow using certified visuals. Unfortunately, nothing can prevent using a non-certified visual in Power BI Desktop. If a user or team member uses a visual that is not certified, that report will not render once deployed to the Power BI Service.
Example: Proceed with caution
Below, there is an example of a slicer that is not certified. At initial glance, this visual is a custom slicer and looks harmless. This could be useful to address requirements the standard slicer cannot.
Furthermore, the description reads as useful for providing additional functionality not provided by the standard slicer.
Continuing down the page, the warning, mentioned earlier, exists stating this visual may be sending data to external services! Now, is this what someone desires when they use this visual? Likely not! Unfortunately, because this visual is not certified, there is no way to know if best practices for security and accessing external services have been followed.
In all likelihood, many of the un-certified visuals are safe with no harmful intentions. That being said, best be cautious and not take the risk unless there is absolute confidence the visual is safe.