Skip to content

Workspace inbound access protection

Overview

Workspace inbound access protection is a network security feature that ensures that connections to a workspace are from secure and approved networks. It prevents the items from establishing unsecure connections to sources outside the workspace boundary unless allowed by the workspace admin.

The Configure workspace-level inbound network rules tenant setting in the Fabric admin center allows tenant admins to enable or disable the ability for workspace admins to restrict inbound public access to their workspaces. This setting is disabled by default, meaning workspace admins can't restrict inbound public access to their workspaces. However, if permitted in Azure, workspace admins can still set up workspace-level private links in Azure.

If the tenant admin chooses to enable this setting, workspace admins can configure restricted inbound public access for their workspaces.

Workspace level Private Link for Fabric

What it does

  • Enforces a default‑deny posture for inbound (egress) network calls from supported Fabric items in the workspace.
  • Allows administrators to define specific approved destinations.
  • Blocks non‑approved destinations and surfaces an error.
  • Provides auditing/monitoring signals for denied attempts (where available in Fabric monitoring).

Scope

The protection is applied per workspace after you enable it. It governs inbound calls initiated by supported Fabric items running inside that workspace. It does not change inbound connectivity to the workspace. inbound access protection only supports workspaces hosted on Fabric SKUs. Other capacity types and F SKU trials aren't supported.

Enable the feature (high‑level steps)

  1. Open the admin portal and go to the tenant settings.
  2. Find and expand the Configure workspace-level inbound network rules tenant setting.
  3. Switch the toggle to Enabled.

WS_inbound Protection

  1. In the workspace settings, turn on Allow connections only from workspace level private links.
  2. Save changes and validate workloads.

Restrict inbound public access to a workspace

Once the tenant setting is enabled, workspace admins can restrict inbound public access for individual workspaces:

  1. In the Fabric portal, navigate to your workspace.
  2. Select Settings from the workspace menu.
  3. Go to the Network tab.
  4. Under Inbound access protection, switch the toggle to Restrict public access.
  5. Review the warning and confirm your selection.
  6. Select Save to apply the changes.

[!NOTE] After restricting public access, only approved private endpoints or networks can connect to the workspace. Public internet access is blocked unless explicitly allowed.

Resources

Feedback
Let us know what information would be most helpful on this page.