Workspaces
Workspaces in Microsoft Fabric are the foundational unit of organization, management, security, and deployment. They provide structure and operational control over Fabric artefacts and play a similar role to Azure subscriptions in enterprise-scale cloud design. This guidance helps you define workspace strategies based on environment type, governance models, domain architecture, and application landscape.
Workspace design considerations
Workspaces are deeply integrated with Microsoft Entra ID and operate under the security and policy boundaries of Fabric Domains. Consider the following key points:
- Governance boundary: Workspaces define security scopes and enable role-based access control (RBAC) for artefacts like Lakehouses, Pipelines, Datasets, Reports, and Notebooks.
- Isolation: Use separate workspaces for DEV, TEST, and PROD environments to isolate permissions, data, and operations.
- Policy application: Enforce workspace-level governance using Microsoft Purview policies and Microsoft Fabric’s governance center.
- Capacity management: Workspaces are linked to Fabric capacities (shared or dedicated). Assign workspaces to appropriate capacities to manage resource allocation, performance, and cost.
- Resource limits: Understand workspace artefact quotas and performance constraints (e.g. dataset size limits, concurrent refresh limits).
- Application lifecycle: Align workspaces with CI/CD pipelines using the Fabric Deployment Pipelines feature.
Organizational and architectural structure
Workspaces should be created to mirror the logical and operational segmentation of your organization:
- Per team or domain: Align workspaces with the team or business domain (e.g., “Finance”, “Sales Analytics”).
- Per application or workload: For large or business-critical workloads, create dedicated workspaces per application.
- Per environment: Create separate workspaces for DEV, TEST, and PROD. Fabric Deployment Pipelines support artefact promotion between these environments.
- Per data sensitivity: Keep confidential and regulated data artefacts isolated in secure workspaces with limited access and additional audit controls.
Workspace capacity planning
- Assign workspaces to the appropriate capacity tier based on SLA, concurrency, and performance needs.
- Use dedicated capacities for production and latency-sensitive workloads.
- Monitor and optimize capacity utilization with Fabric Admin Monitoring tools.
Regional and compliance considerations
- Fabric workspaces do not have a region property, but data residency is tied to the region of the underlying Microsoft 365 tenant.
- For data sovereignty, ensure your Microsoft 365 tenant resides in the required geography.
- Use Data Loss Prevention (DLP) and Microsoft Purview to govern data access and sharing across geographies.
Cost and usage management
- Track workspace usage and artefact consumption through Fabric Capacity Metrics.
- Use capacity-based chargeback models to assign cost responsibilities to workspace owners.
- Set artefact refresh schedules and retention policies to optimize resource consumption.
- Use the Fabric API to automate usage reporting and integrate with FinOps platforms.
Automation and lifecycle management
- Automate workspace creation using the Microsoft Graph API and governance workflows.
- Enforce workspace naming conventions and tagging via provisioning scripts.
- Use Deployment Pipelines and YAML pipelines to promote artefacts across environments with approval gates.
Recommendations
- Keep workspace structure flat and manageable. Avoid encoding deep hierarchies in workspace names or folders.
- Define a provisioning process that includes naming conventions, owner assignment, default roles, and tagging.
- Review workspace ownership, access rights, and activity logs on a quarterly basis.
- Educate users on workspace purpose and data handling responsibilities.
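The periodic review recommended above can be run as a script over an exported workspace inventory. The following is an added example, not part of the original guidance or of any Microsoft tooling. It checks the naming convention, owner assignment, dedicated capacity for PROD, and DEV/TEST/PROD separation. The `<domain>-<workload>-<env>` naming pattern, the inventory field names, and the sample data are assumptions made for illustration.

```python
import re

# Assumed convention (not from the page): <domain>-<workload>-<env>
NAME_RE = re.compile(r"^([a-z0-9]+)-([a-z0-9]+)-(dev|test|prod)$")
WRITE_ROLES = {"Admin", "Member", "Contributor"}  # Fabric roles that can modify items

def writers(ws):
    """Principals holding a role that can change content in the workspace."""
    return {r["principal"] for r in ws.get("roles", []) if r["role"] in WRITE_ROLES}

def audit(inventory):
    """Return a sorted list of (workspace name, finding) for the inventory."""
    findings, by_workload = [], {}
    for ws in inventory:
        name = ws["name"]
        m = NAME_RE.match(name)
        if not m:
            findings.append((name, "name does not match convention"))
            continue
        domain, workload, env = m.groups()
        by_workload.setdefault((domain, workload), {})[env] = ws
        if not ws.get("owner"):
            findings.append((name, "no owner assigned"))
        if env == "prod" and ws.get("capacity") != "dedicated":
            findings.append((name, "prod is not on dedicated capacity"))
    for envs in by_workload.values():
        prod = envs.get("prod")
        if prod is None:
            continue
        for env in ("dev", "test"):
            if env not in envs:
                findings.append((prod["name"], f"no separate {env} workspace"))
        # Permission isolation: DEV writers should not also write to PROD.
        shared = writers(prod) & writers(envs.get("dev", {}))
        for p in sorted(shared):
            findings.append((prod["name"], f"{p} can write in both dev and prod"))
    return sorted(findings)

# Constructed sample inventory; field names are hypothetical.
SAMPLE = [
    {"name": "finance-ledger-dev", "owner": "grp-fin-eng", "capacity": "shared",
     "roles": [{"principal": "grp-fin-eng", "role": "Contributor"}]},
    {"name": "finance-ledger-prod", "owner": "grp-fin-ops", "capacity": "shared",
     "roles": [{"principal": "grp-fin-eng", "role": "Member"},
               {"principal": "grp-fin-readers", "role": "Viewer"}]},
    {"name": "Sales Analytics", "owner": "", "capacity": "dedicated", "roles": []},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```
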