operational-compliance

Operational Compliance Considerations

As your Microsoft Fabric platform matures, maintaining operational compliance becomes crucial. This includes proactively identifying configuration drift, enforcing update consistency, and ensuring platform alignment with defined governance and security baselines.

Configuration Drift Monitoring

To ensure the platform behaves as expected, you must monitor for deviations in:

• Fabric workspace configurations (e.g., SKU, capacities, region)
• Role assignments and security policies
• Service configurations (e.g., Data Activator, Real-Time Analytics, Lakehouse, Warehouse)

Recommendations

• Use Azure Policy to audit resource properties and enforce desired configurations.
• Combine policies with DeployIfNotExists to remediate non-compliant settings.
• Enable Azure Automanage Machine Configuration where applicable, especially for VM-based services like self-hosted gateways or monitoring agents.

Fabric-Specific Configuration Compliance

Although Fabric is largely a PaaS environment, configuration drift can still occur at the workspace or artifact level. Consider:

• Creating baselines for workspace-level properties

• Tracking Data Pipeline configurations with version control

• Using the Fabric REST API to verify or compare configuration state

• Leveraging Fabric CLI commands such as:

  fabric workspace show --name myworkspace
  fabric pipeline list --workspace myworkspace

Update Management

While Fabric services are managed by Microsoft and regularly updated, your ecosystem may include:

• Azure Virtual Machines (e.g., for hybrid ingestion tools)
• Gateway servers (for on-premises or private network access)
• Developer machines with deployment scripts

Recommendations

• Use Azure Update Manager to patch Windows/Linux VMs.
• Enforce Update Manager policies through Azure Policy.
• Define and document update waves to reflect different criticality levels across your landscape.

Cross-Team Compliance Visibility

• Central platform teams should define guardrails, while application teams remain responsible for compliance within their scope.
• Use Azure Monitor and Log Analytics for compliance dashboards.
• Integrate compliance state checks into CI/CD pipelines for Fabric IaC deployments.

Further Reading

• Azure Automanage Machine Configuration
• Keep your Azure landing zone up to date
• Use infrastructure as code to update Azure landing zones