Disclaimer: This is work in progress intended to consolidate information from various sources for learning purposes. For the latest information please consult the documentation (see the links below)!
Last updated: 25-May-2025
|
| Microsoft Fabric Security [2] |
- {def} a comprehensive security framework designed for the Microsoft Fabric platform [1]
- {goal} always on
- every interaction with Fabric is encrypted by default and authenticated using Microsoft Entra ID [1]
- all communication between Fabric experiences travels through the Microsoft backbone internet [1]
- data at rest is automatically stored encrypted [1]
- support for extra security features [1]
- ⇐ allow to regulate access to Fabric [1]
- Private Links
- enable secure connectivity to Fabric by
- restricting access to the Fabric tenant from an Azure VPN
- blocking all public access
- ensures that only network traffic from that VNet is allowed to access Fabric features [1]
- used to provide secure access for data traffic in Fabric including specific workspaces [4]
- Azure Private Link and Azure Networking private endpoints sends traffic privately using Microsoft’s backbone network instead of using the public internet [4]
- Entra Conditional Access
- the connection to data is protected by a firewall or a private network using trusted access [1]
- access firewall enabled ADL Gen2 accounts securely [1]
- can be limited to specific workspaces [1]
- workspaces that have a workspace identity can securely access ADL Gen 2 accounts with public network access enabled, from selected virtual networks and IP addresses [1]
- workspace identities can only be created in workspaces associated with a Fabric F SKU capacity [1]
- helps users connect to services quickly and easily from any device and any network [1]
- each request to connect to Fabric is authenticated with Microsoft Entra ID [1]
- allows users to safely connect to Fabric from their corporate office, when working at home, or from a remote location [1]
- {feature} Conditional Access
- allows to secure access to Fabric on every connection by
- defining a list of IPs for inbound connectivity to Fabric [1]
- using MFA [1]
- restricting traffic based on parameters such as country of origin or device type [1]
- conditional access policies
- implemented through Microsoft Entra
- restrict access based on user, group, network location, application, device, and risk detection [4]
- {goal} compliant
- data sovereignty provided out-of-box with multi geo capacities [1]
- support for a wide range of compliance standards [1]
- Fabric services follow the SDL)
- a set of strict security practices that support security assurance and compliance requirements [2]
- helps developers build more secure software by reducing the number and severity of vulnerabilities in software, while reducing development cost [2]
- {goal} governable
- leverages a set of governance tools
- data lineage
- information protection labels
- data loss prevention
- Purview integration
- configurable
- in accordance with organizational policies [1]
- evolving
- new features and controls are added regularly [1]
- {feature} managed private endpoints
- allow secure connections to data sources without exposing them to the public network or requiring complex network configurations [1]
- e.g. as Azure SQL databases
- secure and private access to data sources from certain Fabric workloads [4]
- {feature} managed virtual networks
- virtual networks that are created and managed by Microsoft Fabric for each Fabric workspace [1]
- provide network isolation for Fabric Spark workloads
- the compute clusters are deployed in a dedicated network and are no longer part of the shared virtual network [1]
- enable network security features
- managed private endpoints
- private link support
- {feature} data gateway
- allows to connect to on-premises data sources or a data source that might be protected by a firewall or a virtual network
- {option} On-premises data gateway
- acts as a bridge between on-premises data sources and Fabric 1[]
- installed on a server within the network [1]
- allows Fabric to connect to data sources through a secure channel without the need to open ports or make changes to the network [1]
- {option} Virtual network (VNet) data gateway
- allows to connect from Microsoft Cloud services to Azure data services within a VNet, without the need of an on-premises data gateway [1]
- {feature} Azure service tags
- allows to ingest data from data sources deployed in an Azure virtual network without the use of data gateways [1]
- e.g. VMs, Azure SQL MI and REST APIs
- can be used to get traffic from a virtual network or an Azure firewall
- e.g. outbound traffic to Fabric so that a user on a VM can connect to Fabric SQL connection strings from SSMS, while blocked from accessing other public internet resources [1]
- minimize the complexity of updating network security rules using Azure service tags to group and manage IP addresses for a service [4]
- {feature} IP allow-lists
- allows to enable an IP allow-list on organization's network to allow traffic to and from Fabric
- useful for data sources that don't support service tags [1]
- e.g. on-premises data sources
- {feature} Telemetry
- used to maintain performance and reliability of the Fabric platform [2]
- the telemetry store is designed to be compliant with data and privacy regulations for customers in all regions where Fabric is available [2]
- {feature} trusted workspace access
- allows to ccess firewall-enabled ADLS Gen2 accounts in a secure manner from Fabric [4]
- {process} authentication
- relies on Microsoft Entra ID to authenticate users (or service principals) [2]
- when authenticated, users receive access tokens from Microsoft Entra ID [2]
- used to perform operations in the context of the user [2]
- {feature} conditional access
- ensures that tenants are secure by enforcing multifactor authentication [2]
- allows only Microsoft Intune enrolled devices to access specific services [1]
- restricts user locations and IP ranges.
- {process} authorization
- all Fabric permissions are stored centrally by the metadata platform
- Fabric services query the metadata platform on demand to retrieve authorization information and to authorize and validate user requests [2]
- authorization information is sometimes encapsulated into signed tokens [2]
- only issued by the back-end capacity platform [1]
- include the access token, authorization information, and other metadata [1]
- {concept} tenant metadata
- information about the tenant
- is stored in a metadata platform cluster to which the tenant is assigned
- located in a single region that meets the data residency requirements of that region's geography [2]
- include customer data
- customers can control where their workspaces are located
- in the same geography as the metadata platform cluster
- by explicitly assigning workspaces on capacities in that region [2]
- by implicitly using Fabric Trial, Power BI Pro, or Power BI Premium Per User license mode [2]
- all customer data is stored and processed in this single geography [2]
- in Multi-Geo capacities located in geographies (geos) other than their home region [2]
- compute and storage is located in the multi-geo region [2]
- (including OneLake and experience-specific storage [2]
- {exception} the tenant metadata remains in the home region
- customer data will only be stored and processed in these two geographies [2]
- {concept} data-at-rest
- all Fabric data stores are encrypted at rest [2]
- by using Microsoft-managed keys
- includes customer data as well as system data and metadata [2]
- ⇒ data is never persisted to permanent storage while in an unencrypted state [1]
- data can be processed in memory in an unencrypted state [2]
- {default} encrypted using platform managed keys (PMK)
- Microsoft is responsible for all aspects of key management [2]
- data-at-rest on OneLake is encrypted using its keys [3]
- {alternative} Customer-managed keys (CMK)
- allow to encrypt data at-rest using customer keys [3]
- ⇒ customer assumes full control of the key [3]
- {recommendation} use cloud storage services with CMK encryption enabled and access data from Fabric using OneLake shortcuts [3]
- data continues to reside on a cloud storage service or an external storage solution where encryption at rest using CMK is enabled [3]
- customers can perform in-place read operations from Fabric whilst staying compliant [3]
- shortcuts can be accessed by other Fabric experiences [3]
- {concept} data-in-transit
- refers to traffic between Microsoft services routed over the Microsoft global network [2]
- inbound communication
- always encrypted with at least TLS 1.2. Fabric negotiates to TLS 1.3 whenever possible [2]
- inbound protection
- concerned with how users sign in and have access to Fabric [3]
- outbound communication to customer-owned infrastructure
- adheres to secure protocols [2]
- {exception} might fall back to older, insecure protocols when newer protocols aren't supported [2]
- incl. TLS 1
- outbound protection
- concerned with securely accessing data behind firewalls or private endpoints [3]
- OneLake security
- allows defining access permissions once [4]
- ⇐ Fabric enforces the permissions consistently across all engines
- security propagates automatically
- data owners can
- create security roles
- refine permissions
- control access at the row and column levels to securely share data [4]
- workspace security
- managed by assigning users to workspace roles [4]
- item security
- grant access to an individual Fabric item without granting access to the entire workspace [4]
- data encryption
- encrypts data and metadata at-rest with Microsoft-managed keys [4]
- encrypts data in-transit with at least TLS 1.2 and TLS 1.3 when possible [4]
- customer lockbox
- allows to control how Microsoft engineers access data [4]
- [warehouse] dynamic data masking
- prevents unauthorized viewing of sensitive data by specifying how much sensitive data to reveal, with minimal effect on the application layer [4]
- [warehouse] granular permissions
- standard SQL allows more granular control
- [Purview] sensitivity labels
- same labels used in Microsoft 365 apps
- [Purview] Information Protection policies
- allows to automatically enforce access permissions to sensitive information [4]
- [Purview] Data Loss Prevention
- allows to automatically identify the upload of sensitive information to Fabric and trigger automatic risk remediation actions [4]
- [Purview] Data Security Posture Management
- allows to discover data risks with Copilot in Fabric and immediately take action [4]
- e.g. sensitive data in user prompts and responses
References:
[1] Microsoft Learn (2024) Security in Microsoft Fabric [link]
[2] Microsoft Learn (2024) Microsoft Fabric security fundamentals [link]
[3] Microsoft Learn (2024) Microsoft Fabric end-to-end security scenario [link]
[4] (2025) Connect to your most sensitive data with end-to-end network security in Fabric [link]
Resources:
[R1] Microsoft Learn (2024) Microsoft Fabric security [link]
[R1] Microsoft Learn (2024) Microsoft Fabric security [link]
[R2] Microsoft Learn (2025) Fabric: What's new in Microsoft Fabric? [link]
Acronyms:
ADL - Azure Data Lake
API - Application Programming Interface
CMK - Customer-Managed Keys
API - Application Programming Interface
CMK - Customer-Managed Keys
MF - Microsoft Fabric
MFA - Multifactor Authentication
MI - Managed Instance
PMK - Platform-Managed Keys
MFA - Multifactor Authentication
MI - Managed Instance
PMK - Platform-Managed Keys
REST - REpresentational State Transfer
SDL - Security Development Lifecycle
SDL - Security Development Lifecycle
SKU - Stock Keeping Unit
TLS - Transport Layer Security
TLS - Transport Layer Security
VM - Virtual Machine
VNet - virtual network
VNet - virtual network
VPN - Virtual Private Network
