Improve Fabric Landing Zone Security
Securing a Microsoft Fabric landing zone is a continuous journey—not a one-time activity. As your workloads and data assets grow in complexity and criticality, so too must your security practices evolve. This section aligns with the Cloud Adoption Framework's "Secure" methodology and translates it into Fabric-specific implementation patterns.
Risk Insights
Cloud security must be business-aligned. For Fabric environments that host sensitive data or mission-critical pipelines, map risk insights directly to Fabric artifacts—like Lakehouses, Warehouses, and Pipelines—and embed security controls close to the data.
- Understand attacker patterns: which workloads are likely targets, which APIs are exposed, and where weak authentication paths exist in Notebooks, SQL endpoints, or Eventstreams.
- Use business-aligned threat models: Classify Fabric workloads by business value and sensitivity.
Security Integration
Security must be embedded into every role:
- Admins and Engineers: Automate baseline policies via Deployment Pipelines and enforce RBAC/ABAC at the workspace level.
- Data Scientists and Analysts: Ensure data access adheres to OneLake security roles and does not bypass governance via shortcuts or APIs.
- Platform Teams: Integrate security testing in Fabric CI/CD pipelines using the Fabric CLI and REST APIs.
Business Resilience
Assume-breach principles apply to all stages of Fabric data processing:
- Plan for data exfiltration attempts: Monitor OneLake activity and access logs.
- Ensure rollback paths: Use Git-connected Notebooks and YAML-deployed Pipelines for rapid recovery.
- Protect lineage: Secure semantic models, lineage graphs, and metadata catalogs.
Access Control
Adopt a layered access model:
- Workspace roles: Admin, Member, Contributor, Viewer.
- Item-level permissions: via sharing or OneLake data access roles.
- Compute access (SQL endpoints): Row-level and column-level security per user role.
- Zero Trust Enforcement: Require MFA for Admin roles and restrict direct OneLake API access by default.
Security Operations
Monitor Fabric artifacts and audit their usage:
- Use Microsoft Purview for data sensitivity labeling and access monitoring.
- Log access to all Fabric items, workspaces, and compute resources to a centralized Sentinel workspace or Fabric Monitoring dashboard.
- Automate anomaly detection using Defender for Cloud and Entra ID sign-in logs.
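The exfiltration monitoring in Business Resilience and the anomaly detection above can start as simple rules over exported access events. The following is an added example, not Microsoft's code or part of the original page: the event schema (ts, user, op, item, bytes, target), the tenant domain and every event are constructed assumptions standing in for a real audit export.

```python
"""Detect exfiltration-style patterns in Fabric/OneLake access logs.
Added example, not Microsoft's code: the event schema (ts, user, op, item,
bytes, target) is an assumed simplification and all events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, user, op, item, nbytes=0, target=None):
    """Build one constructed audit event with a parsed timestamp."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "op": op,
            "item": item, "bytes": nbytes, "target": target}

# Constructed sample log: alice reads four Lakehouse tables in five minutes,
# bob reads one, carol shares a Warehouse with an identity outside the tenant.
SAMPLE_EVENTS = [
    ev("2024-05-01T09:00:00", "alice@contoso.example", "ReadTable", "lh_gl/journal", 40_000_000),
    ev("2024-05-01T09:02:00", "alice@contoso.example", "ReadTable", "lh_gl/ledger", 35_000_000),
    ev("2024-05-01T09:03:00", "alice@contoso.example", "ReadTable", "lh_gl/vendors", 5_000_000),
    ev("2024-05-01T09:05:00", "alice@contoso.example", "ReadTable", "lh_gl/payroll", 60_000_000),
    ev("2024-05-01T09:01:00", "bob@contoso.example", "ReadTable", "lh_gl/journal", 2_000_000),
    ev("2024-05-01T11:00:00", "carol@contoso.example", "ShareItem", "wh_sales", target="mallory@partner.example"),
]

def detect_bulk_reads(events, window=timedelta(minutes=10), max_items=3, max_bytes=100_000_000):
    """Flag a user once if, within any sliding window, they read more distinct
    items or more bytes than the thresholds allow (a bulk-read exfiltration signal)."""
    by_user = defaultdict(list)
    for e in events:
        if e["op"] == "ReadTable":
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            items = {e["item"] for e in win}
            total = sum(e["bytes"] for e in win)
            if len(items) > max_items or total > max_bytes:
                findings.append({"user": user, "rule": "bulk_read", "items": len(items), "bytes": total})
                break
    return findings

def detect_external_sharing(events, tenant_domain="contoso.example"):
    """Flag ShareItem events whose target identity is outside the tenant domain."""
    return [{"user": e["user"], "rule": "external_share", "item": e["item"], "target": e["target"]}
            for e in events
            if e["op"] == "ShareItem" and not e["target"].lower().endswith("@" + tenant_domain)]

if __name__ == "__main__":
    print(detect_bulk_reads(SAMPLE_EVENTS) + detect_external_sharing(SAMPLE_EVENTS))
```

Thresholds and the window are placeholders to tune against a per-workspace baseline; in production the same rules belong in the central Sentinel workspace rather than a script.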
Asset Protection
Secure all artifacts based on classification:
- Lakehouses and Warehouses: Apply OneLake security roles and encryption.
- Notebooks and Pipelines: Secure Git integration and restrict edit access to signed-in identities.
- Eventstreams and Real-Time Analytics: Monitor for high-volume write or query patterns.
Security Governance
Fabric requires strong security governance at both the workspace and platform levels:
- Automate policy enforcement: Use YAML templates and CI/CD pipelines to deploy standard access models.
- Security reviews: Include Fabric artifacts in monthly security risk reviews.
- Integrate incident response: Build runbooks for key security events (e.g., unauthorized access to shared Lakehouse).
Innovation Security
Embrace DevSecOps practices in your Fabric workflow:
- Secure pipelines with IaC and Fabric CLI.
- Scan artifacts (e.g., Notebooks, Datasets) before deployment.
- Integrate security gates in PR reviews for YAML-based deployments.
Summary
Securing your Fabric Landing Zone requires collaborative effort, technical controls, and cultural alignment. Use these principles to build a resilient, secure-by-design data platform that empowers innovation—without compromising protection.