Workspace outbound access protection

Overview

Workspace outbound access protection helps prevent unintended data exfiltration by controlling which external destinations Microsoft Fabric items in a secured workspace can reach. When the feature is enabled for a workspace, outbound calls from supported Fabric items are allowed only if they match:

  1. A Microsoft‑managed (system) allow set required for platform operation.
  2. Explicit allow entries you configure for that workspace.

All other outbound destinations are denied by default.

[Figure: Workspace Outbound Protection]

What it does

  • Enforces a default‑deny posture for outbound (egress) network calls from supported Fabric items in the workspace.
  • Allows administrators to define specific approved destinations.
  • Blocks non‑approved destinations and surfaces an error.
  • Provides auditing/monitoring signals for denied attempts (where available in Fabric monitoring).

Scope

The protection is applied per workspace after you enable it. It governs outbound calls initiated by supported Fabric items running inside that workspace. It does not change inbound connectivity to the workspace. Outbound access protection only supports workspaces hosted on Fabric SKUs. Other capacity types and F SKU trials aren't supported.

Core concepts

| Concept | Description |
|---|---|
| Default deny | Any outbound destination not on the system list or your allow list is blocked. |
| System allow list | Required Microsoft endpoints essential to Fabric operation; not editable. |
| Workspace allow list | Administrator‑configured entries (for example, specific fully qualified domain names). |
| Evaluation order | System allow list is checked first, then workspace allow list, then implicit deny. |
| Auditing | Denied attempts generate telemetry (refer to Fabric monitoring documentation). |

How it works (flow)

  1. A Fabric item in the workspace initiates an outbound network request.
  2. The destination endpoint (for example, an FQDN) is resolved.
  3. The engine checks the system (platform) allow list.
  4. If not matched, the engine checks the workspace allow entries.
  5. If still not matched, the request is denied and an error is returned.

Enable the feature (high‑level steps)

  1. Open the admin portal and go to the tenant settings.
  2. Find and expand the Configure workspace-level outbound network rules tenant setting.
  3. Switch the toggle to Enabled.

[Figure: Workspace Outbound Protection]

  1. In the workspace settings, turn on outbound access protection.
  2. Add required allow entries for the workspace.
  3. Save changes and validate workloads.

Configuring allow entries

For each entry provide (as applicable):

  • Name/label
  • Destination type (for example, FQDN)
  • Exact hostname
  • Optional description / rationale

Use only the specific hosts required; avoid broad domains not needed by workloads.

Testing after enablement

| Test case | Expected result |
|---|---|
| Call to allowed destination | Succeeds |
| Call to destination not allowed | Fails with an access / network restriction error |
| Refresh / operation using only allowed endpoints | Succeeds |
| Operation referencing a non‑allowed external host | Fails and is logged |

Monitoring

  • Review Fabric monitoring / audit capabilities for events indicating denied outbound attempts.
  • Use these events to refine the allow list (add only when justified).

Operational guidance

  • Start with the minimum set of required destinations.
  • Periodically review and remove unused entries.
  • Maintain documentation (entry purpose, owner, approval reference).
  • Re‑test critical workloads after changes.

Security alignment

  • Supports least privilege by restricting egress to known destinations.
  • Complements other Fabric data protection controls (for example, labeling, access policies).

Troubleshooting (common patterns)

| Symptom | Cause | Action |
|---|---|---|
| Outbound request blocked | Destination not on allow list | Add required FQDN after verification and approval |
| New platform dependency appears blocked | Additional system endpoint required | Check updated Microsoft Learn documentation |
| Intermittent failures involving redirects | Redirect/CNAME host not allowed | Identify and add the specific redirect host if required |
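
The evaluation order from "How it works" and the redirect row in the troubleshooting table, modeled in Python. This is an added example, not Fabric's implementation: the hostnames, both allow lists, and the function names are constructed, and exact-match comparison with case and trailing-dot normalization is an assumption of the model.

```python
"""Model of the outbound evaluation order described on this page.
Not Fabric's implementation; every hostname below is constructed."""
from dataclasses import dataclass

# Hypothetical stand-in for the Microsoft-managed system allow list
# (the real list is not given on this page).
SYSTEM_ALLOW = {"platform.fabric.example"}

# Constructed workspace allow list: specific FQDNs only, no broad domains.
WORKSPACE_ALLOW = {"api.partner.example", "storage.partner.example"}


@dataclass(frozen=True)
class Verdict:
    host: str
    allowed: bool
    matched: str  # "system", "workspace" or "implicit-deny"


def normalize(host: str) -> str:
    # Model assumption: compare case-insensitively and ignore a trailing dot.
    return host.strip().rstrip(".").lower()


def evaluate(host, system=SYSTEM_ALLOW, workspace=WORKSPACE_ALLOW) -> Verdict:
    h = normalize(host)
    if h in system:        # flow step 3: system (platform) list is checked first
        return Verdict(h, True, "system")
    if h in workspace:     # flow step 4: then the workspace allow entries
        return Verdict(h, True, "workspace")
    return Verdict(h, False, "implicit-deny")  # flow step 5: default deny


def first_denied_hop(chain, **lists):
    """Evaluate each host a request touches (original host plus redirect or
    CNAME targets). Return the first denied Verdict, or None if all pass."""
    for host in chain:
        verdict = evaluate(host, **lists)
        if not verdict.allowed:
            return verdict
    return None


def missing_entries(observed_hosts, **lists):
    """De-duplicated hosts from a workload inventory or denial review that
    would need a verified, approved allow entry before they succeed."""
    verdicts = (evaluate(h, **lists) for h in observed_hosts)
    return sorted({v.host for v in verdicts if not v.allowed})
```

In this model an entry for `api.partner.example` does not cover the parent `partner.example` or a redirect target on another host, which is why the redirect host in the troubleshooting table has to be identified and added on its own.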
