Incorporating Zero Trust in Microsoft Fabric Landing Zones

Zero Trust is a security strategy built around the principle that no entity—inside or outside the organizational perimeter—should be implicitly trusted. Within Microsoft Fabric Landing Zones, Zero Trust must be infused across all platform layers, from Entra ID identity to workspace access and data protection in OneLake.

Principles of Zero Trust in Fabric

  • Verify Explicitly: Always authenticate and authorize based on user identity, device health, location, data sensitivity, and anomalies.
  • Use Least Privilege Access: Limit user and service principal access using Microsoft Entra roles, workspace roles, and item-level permissions.
  • Assume Breach: Isolate domains and workspaces, implement monitoring, and proactively enforce access audits and data loss prevention.

Mapping Fabric to Zero Trust Pillars

Zero Trust Pillar                        Fabric Concept Alignment
---------------------------------------  ------------------------------------------------------------
Identity                                 Microsoft Entra ID, PIM, Workspace roles
Devices                                  Entra conditional access, BYOD policy via Intune
Applications                             Workspace + Item access control, Notebooks, Pipelines
Data                                     OneLake security roles, data access roles, row-level security
Infrastructure                           Domain segmentation, Lakehouse isolation, Monitoring
Networks                                 Private Links, Endpoint restrictions
Visibility, Automation, Orchestration    Fabric Monitoring, Microsoft Purview, Defender for Cloud

Identity & Access Controls

  • Use Microsoft Entra ID for workspace and item access governance.
  • Apply Conditional Access and MFA policies for developers and analysts.
  • Leverage PIM to manage privileged roles in workspaces.
  • Segment domain-level access for organizational or regulatory separation.

Workspace & Item Security

  • Assign roles at the workspace level (Admin, Member, Contributor, Viewer).
  • Use item-level permissions (Read, ReadData, ReadAll) to control data access at a finer granularity than workspace roles.
  • Enforce default Deny policies via OneLake security roles.
  • Use shortcut-aware access rules to propagate permission models.
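The least-privilege and role guidance above is easiest to keep honest with a recurring audit. The script below is an added example, not code from Microsoft or the Fabric landing-zone project: it evaluates a list of workspace role assignments against an example policy (admin count cap, no service principal above Contributor, users above Viewer only through Entra groups). The record shape is an assumption modelled on the Fabric REST API role-assignment response, and the sample assignments are constructed; the thresholds are policy choices to tune per landing zone.

```python
"""Least-privilege audit of Fabric workspace role assignments.

Added example (not Microsoft's code). Record shape is assumed to be
{"principal": {"id", "displayName", "type"}, "role"} with role in
Admin / Member / Contributor / Viewer. Thresholds are example policy.
"""
from collections import Counter

WORKSPACE_ROLES = ("Admin", "Member", "Contributor", "Viewer")
RANK = {role: i for i, role in enumerate(WORKSPACE_ROLES)}  # lower index = more privileged

# Example policy (assumptions; tune per landing zone)
MAX_ADMINS = 2                   # more Admins than this is flagged
SP_MAX_ROLE = "Contributor"      # service principals should not administer workspaces
USER_MAX_DIRECT_ROLE = "Viewer"  # users above Viewer should be assigned via Entra groups (PIM-eligible)

# Constructed sample data for one workspace
SAMPLE_ASSIGNMENTS = [
    {"principal": {"id": "u1", "displayName": "alice@contoso.com", "type": "User"}, "role": "Admin"},
    {"principal": {"id": "u2", "displayName": "bob@contoso.com", "type": "User"}, "role": "Admin"},
    {"principal": {"id": "g1", "displayName": "sg-fabric-finance-admins", "type": "Group"}, "role": "Admin"},
    {"principal": {"id": "sp1", "displayName": "sp-deploy-pipeline", "type": "ServicePrincipal"}, "role": "Admin"},
    {"principal": {"id": "u3", "displayName": "carol@contoso.com", "type": "User"}, "role": "Contributor"},
    {"principal": {"id": "g2", "displayName": "sg-finance-analysts", "type": "Group"}, "role": "Viewer"},
]


def audit_workspace(workspace_name, assignments):
    """Return a list of (severity, message) findings for one workspace."""
    findings = []
    by_role = Counter(a["role"] for a in assignments)

    if by_role["Admin"] > MAX_ADMINS:
        findings.append(("high", f"{workspace_name}: {by_role['Admin']} Admins exceeds limit of {MAX_ADMINS}"))
    if by_role["Admin"] == 0:
        findings.append(("medium", f"{workspace_name}: no Admin assigned (orphaned workspace)"))

    for a in assignments:
        role, p = a["role"], a["principal"]
        if role not in RANK:
            findings.append(("high", f"{workspace_name}: unknown role {role!r} for {p['displayName']}"))
            continue
        # Service principals (pipelines, automation) must stay at or below SP_MAX_ROLE
        if p["type"] == "ServicePrincipal" and RANK[role] < RANK[SP_MAX_ROLE]:
            findings.append(("high", f"{workspace_name}: service principal {p['displayName']} holds {role}"))
        # Direct user assignments above Viewer bypass group-based, PIM-governed access
        if p["type"] == "User" and RANK[role] < RANK[USER_MAX_DIRECT_ROLE]:
            findings.append(("medium", f"{workspace_name}: user {p['displayName']} holds {role} directly; assign via group"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_workspace("finance-prod", SAMPLE_ASSIGNMENTS):
        print(f"[{severity}] {message}")
```

In a real landing zone the assignment list would come from the Fabric REST API per workspace and the findings would feed the quarterly access review; the point of the example is that each finding maps to one of the principles above (cap on Admins, automation at reduced privilege, group-based rather than direct user access).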

Data Protection with OneLake

  • Apply OneLake security roles to folders, rows, or columns (preview).
  • Protect sensitive data via Microsoft Purview classification and labeling.
  • Monitor access with audit logs and activity tracking.

Network & Endpoint Controls

  • Use private endpoints for secured OneLake communication.
  • Apply BYOD controls and risk-based sign-in via Intune and Entra.
  • Restrict API access to OneLake using network rules and authentication scopes.

Monitoring, Automation, and Threat Response

  • Deploy Fabric-native monitoring with Audit Logs and Activity Hub.
  • Integrate with Microsoft Sentinel for SIEM/SOAR capabilities.
  • Use CI/CD pipelines (GitHub Actions or Azure DevOps) with guardrails (Policies, Validators).
  • Implement threat detection rules for anomalous data access or notebook activity.
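The last bullet calls for detection rules over Fabric audit activity. The following added example (not a Fabric, Purview or Sentinel feature, and not the author's code) implements three such rules over audit events in Python so they can be tested offline: first-time data access by a user to an item outside their baseline, a burst of data reads or exports within a short window, and notebook runs outside business hours. The event field names and activity names (ReadLakehouseData, ExportData, RunNotebook) are assumptions loosely modelled on the records Fabric writes to the Purview audit log, and the log lines are constructed; in production the same logic would be expressed as an analytics rule in Sentinel over the ingested audit table.

```python
"""Detection rules over Fabric audit events (added example, not a product feature).

Event shape and activity names are assumptions; sample lines are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule parameters (example policy; tune per environment)
BURST_COUNT = 5                       # more data-access events than this ...
BURST_WINDOW = timedelta(minutes=10)  # ... inside this window is a burst
BUSINESS_HOURS = (7, 20)              # notebook runs outside 07:00-20:00 are flagged
DATA_ACCESS = {"ReadLakehouseData", "ExportData"}  # assumed activity names
NOTEBOOK_RUN = "RunNotebook"                        # assumed activity name

# Constructed audit log: 3 May is baseline, 6 May is the evaluated day
SAMPLE_LOG = """\
{"CreationTime":"2024-05-03T11:02:00","UserId":"alice@contoso.com","Activity":"ReadLakehouseData","ItemName":"lh_finance","WorkspaceName":"finance-prod"}
{"CreationTime":"2024-05-03T15:30:00","UserId":"bob@contoso.com","Activity":"ReadLakehouseData","ItemName":"lh_sales","WorkspaceName":"sales-prod"}
{"CreationTime":"2024-05-06T09:12:00","UserId":"alice@contoso.com","Activity":"ReadLakehouseData","ItemName":"lh_finance","WorkspaceName":"finance-prod"}
{"CreationTime":"2024-05-06T09:15:00","UserId":"alice@contoso.com","Activity":"ReadLakehouseData","ItemName":"lh_hr","WorkspaceName":"hr-prod"}
{"CreationTime":"2024-05-06T09:16:00","UserId":"alice@contoso.com","Activity":"ReadLakehouseData","ItemName":"lh_hr","WorkspaceName":"hr-prod"}
{"CreationTime":"2024-05-06T09:17:00","UserId":"alice@contoso.com","Activity":"ExportData","ItemName":"lh_hr","WorkspaceName":"hr-prod"}
{"CreationTime":"2024-05-06T09:18:00","UserId":"alice@contoso.com","Activity":"ExportData","ItemName":"lh_hr","WorkspaceName":"hr-prod"}
{"CreationTime":"2024-05-06T09:19:00","UserId":"alice@contoso.com","Activity":"ReadLakehouseData","ItemName":"lh_hr","WorkspaceName":"hr-prod"}
{"CreationTime":"2024-05-06T10:00:00","UserId":"bob@contoso.com","Activity":"ReadLakehouseData","ItemName":"lh_sales","WorkspaceName":"sales-prod"}
{"CreationTime":"2024-05-06T10:05:00","UserId":"bob@contoso.com","Activity":"RunNotebook","ItemName":"nb_etl","WorkspaceName":"sales-prod"}
{"CreationTime":"2024-05-06T23:40:00","UserId":"carol@contoso.com","Activity":"RunNotebook","ItemName":"nb_scratch","WorkspaceName":"hr-prod"}
"""


def parse_events(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["CreationTime"])
    return sorted(events, key=lambda e: e["ts"])


def detect(events, baseline_end):
    """Return findings as (rule, user, detail) tuples.

    Events before baseline_end only build each user's set of items seen;
    events from baseline_end onward are evaluated against the rules."""
    findings = []
    seen = defaultdict(set)      # user -> items accessed during the baseline
    recent = defaultdict(deque)  # user -> timestamps of data-access events in the window
    for e in events:
        user, act, item, ts = e["UserId"], e["Activity"], e.get("ItemName"), e["ts"]
        if ts < baseline_end:
            if act in DATA_ACCESS:
                seen[user].add(item)
            continue
        if act in DATA_ACCESS:
            if item not in seen[user]:
                findings.append(("first_time_access", user, f"{item} at {ts.isoformat()}"))
                seen[user].add(item)  # alert once per newly seen item
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > BURST_WINDOW:  # drop events that fell out of the window
                q.popleft()
            if len(q) == BURST_COUNT + 1:  # fire when the threshold is crossed, not on every later event
                findings.append(("data_access_burst", user, f"{len(q)} data-access events within {BURST_WINDOW}"))
        elif act == NOTEBOOK_RUN and not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.append(("off_hours_notebook", user, f"{item} at {ts.isoformat()}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(parse_events(SAMPLE_LOG), datetime(2024, 5, 6)):
        print(f"{rule:20} {user:22} {detail}")
```

The baseline window is what keeps the first-time-access rule useful: without it, every read on the first day of monitoring would alert. The burst rule fires once per crossing of the threshold rather than on every subsequent event, which is the behaviour you generally want when the output feeds a SOAR playbook.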

Continuous Improvement

  • Conduct quarterly access reviews across all Fabric domains and workspaces.
  • Evaluate deployment against Microsoft Cloud Security Benchmark.
  • Iterate access policies and automation based on security telemetry.

Diagram: Zero Trust in Microsoft Fabric

For implementation guidance, see Zero Trust deployment plans.