Security options in Microsoft Fabric

This article summarizes key Microsoft Fabric security capabilities.

IMPORTANT
Manage access through Microsoft Entra ID (Azure Active Directory) and apply least privilege across workspaces, items, and data layers.

Identity and access management

• Microsoft Entra ID integration: Authentication and authorization use Entra ID. Use security groups for scalable access management.
• Workspace roles: Admin, Member, Contributor, Viewer (and item‑specific roles where applicable) define scoped permissions.
• Item permissions: Grant direct access to individual items (reports, semantic models, notebooks, pipelines, Lakehouses, warehouses) when finer control than workspace role membership is required.
• Row-level security (RLS) and object-level security (OLS): Secure data in semantic models so users see only authorized rows or objects.

Data access and governance

• OneLake access control: Permissions flow through Fabric items; enforce least privilege to shared lake data.
• Data lineage and impact analysis: Use lineage view to understand dependencies before changing secured assets.
• Data loss prevention (DLP) policies: Apply supported data policies to govern sensitive data usage.

Data protection

• Encryption: Data is encrypted at rest and in transit with Microsoft-managed keys.
• Sensitivity labels (Microsoft Purview Information Protection): Apply and propagate labels on supported items; downstream artifacts inherit labels where supported.
• Endorsement (Promoted / Certified): Use certification to highlight vetted, trusted content sources.

Monitoring and auditing

• Audit logs: Retrieve Fabric (Power BI) activities via Microsoft 365 unified audit log or admin APIs.
• Usage metrics: Review item and workspace usage to detect anomalies.
• Admin portal: Monitor tenant and capacity settings (export controls, sharing restrictions, security toggles).

Sharing and external access controls

• Sharing policies: Control sharing, publish to web (if enabled), template app creation.
• B2B collaboration: Use Entra ID B2B for external users; apply RLS/OLS and sensitivity labels to constrain exposure.

Compliance and governance alignment

• Compliance offerings: Refer to Microsoft compliance documentation for certifications of underlying services.
• Data residency: Select regions at tenant/capacity provisioning; review regional availability guidance.

Secure development and operations

• Git integration (where enabled): Use source control for versioning and review of artifacts.
• Deployment pipelines: Promote between development, test, and production with consistent security settings.

Best practices

TIP
Combine workspace roles, item permissions, and RLS/OLS for layered defense. Apply sensitivity labels early so protection propagates.

• Use groups over individual assignments.
• Periodically review and remove dormant access.
• Classify and label data on creation.
• Monitor audit logs for unusual export or sharing events.
• Restrict external sharing unless required.
• Validate RLS logic with representative test accounts.

Related Microsoft Learn resources (links confirmed not 404 at time of drafting)

• Microsoft Fabric security overview
• Manage workspace roles
• Row-level security in semantic models
• Sensitivity labels in Fabric
• Audit logs
• Data loss prevention policies
• Tenant and admin settings

NOTE
Feature availability can vary by license, region, and preview status. Confirm current support in linked Microsoft Learn articles.