Identity Security Best Practices in Microsoft Fabric
Fabric relies on Microsoft Entra ID as the backbone for identity and access control. Below are core best practices, contextualized for Microsoft Fabric, with practical CLI examples to support implementation.
Treat Identity as the Primary Security Perimeter
In modern cloud-native architectures, the traditional network perimeter has become porous due to mobility, BYOD, and SaaS. Microsoft Fabric adopts Microsoft Entra ID as its identity backbone to align with the principle that identity is the new perimeter. All authentication and authorization decisions should be based on trusted identities rather than static IP boundaries.
Failing to treat identity as the perimeter exposes workloads to lateral movement from compromised credentials or improperly scoped roles.
Best practice: Assign and govern access via Entra identities—not through individual resource-level credentials.
Fabric CLI Example: Assign default workspace roles
fabric workspace user add \
--workspace-id <workspace-id> \
--user-email user@contoso.com \
--role Admin
Centralize Identity Management
Organizations operating in hybrid or multi-cloud scenarios should adopt a single Microsoft Entra tenant as the authoritative identity provider. This simplifies role assignments, policy enforcement, and auditing.
Integrating Entra with on-prem AD via Microsoft Entra Connect ensures seamless identity lifecycle and avoids security gaps introduced by shadow IT or fragmented identity islands.
Best practice: Avoid synchronizing high-privileged legacy AD accounts to the cloud. Keep the authoritative identity store in Entra and scope sync policies narrowly.
CLI Note: Use the az ad command group to inspect the users and groups that Microsoft Entra Connect synchronizes into the tenant.
Enable Single Sign-On (SSO)
Single sign-on boosts productivity and reduces password fatigue. In Fabric, enabling SSO ensures users can authenticate once and access interconnected artifacts and services without repeated prompts.
Without SSO, users are likely to reuse passwords or store them insecurely, increasing risk of compromise.
Best practice: Group-based assignments via Microsoft Entra improve manageability and simplify onboarding/offboarding.
Fabric CLI Example: Assign workspace access via an Entra group
fabric workspace group assign \
--workspace-id <workspace-id> \
--group-id <entra-group-id> \
--role Viewer
Enable Conditional Access
Conditional Access policies evaluate real-time signals like user risk, device compliance, and location to make dynamic access decisions. In Microsoft Fabric, this ensures sensitive artifacts (e.g., Lakehouses or Pipelines) are only accessible under secure conditions.
Not using Conditional Access can allow legitimate credentials to be misused from unmanaged or risky environments.
Best practice: Start with templates for baseline protection and iterate to align with organizational needs.
Azure CLI (Outside Fabric; the Graph endpoint creates a policy with POST):
az rest --method post \
--uri https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies \
--body @policy.json
Enable MFA for Admins and Privileged Roles
MFA protects against credential-based attacks. Enabling MFA—especially for users with Fabric Admin or Contributor roles—helps protect critical data and pipelines from unauthorized access.
Best practice: Use Conditional Access to require MFA for high-risk sign-ins or for all privileged Entra roles.
Azure CLI (forces a password reset at the next sign-in; the MFA requirement itself is enforced through Conditional Access):
az ad user update --id admin@contoso.com --force-change-password-next-login true
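The policy.json body consumed by the az rest call in the Conditional Access section, generated and sanity-checked in Python. This is an added example, not code from the original article; the role template ID is the built-in Global Administrator role, and the break-glass object ID is a placeholder.

```python
import json

# Built-in Entra role template ID for Global Administrator; template IDs are the same in every tenant.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"


def build_privileged_mfa_policy(role_template_ids, break_glass_user_ids, enforce=False):
    """Return a Graph conditionalAccessPolicy body that requires MFA for the given directory roles.

    The policy is created in report-only mode unless enforce=True, so sign-in logs can be
    checked for unintended lockouts before it starts blocking anyone.
    """
    return {
        "displayName": "Require MFA for privileged Entra roles",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeRoles": list(role_template_ids),
                # Cloud-only break-glass accounts stay excluded so a broken MFA method
                # cannot lock every administrator out of the tenant at once.
                "excludeUsers": list(break_glass_user_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def policy_problems(policy):
    """Return findings that should stop the policy from being deployed (empty list = OK)."""
    problems = []
    users = policy["conditions"]["users"]
    if not users.get("includeRoles"):
        problems.append("no directory roles targeted")
    if not users.get("excludeUsers"):
        problems.append("no break-glass account excluded")
    if "mfa" not in policy.get("grantControls", {}).get("builtInControls", []):
        problems.append("grant control does not require MFA")
    return problems


if __name__ == "__main__":
    policy = build_privileged_mfa_policy(
        [GLOBAL_ADMIN_TEMPLATE_ID],
        ["<break-glass-user-object-id>"],  # placeholder, not a real object ID
    )
    assert policy_problems(policy) == []
    with open("policy.json", "w") as fh:  # the file passed to az rest --body @policy.json
        json.dump(policy, fh, indent=2)
```

Deploy in report-only mode first and switch enforce=True only after the sign-in logs show the expected population is affected.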
Use Role-Based Access Control (RBAC)
RBAC ensures users and groups only receive the permissions they need. In Microsoft Fabric, applying RBAC at workspace level allows clear separation of duties and simplifies auditability.
Avoid assigning roles directly to individuals. Instead, manage access via Entra groups and enforce least privilege.
Best practice: Periodically review role assignments and prune unused access.
Fabric CLI Example:
fabric workspace user update \
--workspace-id <workspace-id> \
--user-email dev1@contoso.com \
--role Contributor
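A periodic review of workspace role assignments that flags direct user grants and over-privileged principals, as an added example that is not part of the original article. The record shape mirrors the Fabric REST API workspace role assignment response (field names assumed; verify against the current API reference), and the sample data is constructed.

```python
from collections import Counter

# Constructed sample shaped like the Fabric REST API response for
# GET /v1/workspaces/{workspaceId}/roleAssignments (field names assumed; verify against the API reference).
SAMPLE_ASSIGNMENTS = [
    {"principal": {"id": "g-1", "displayName": "fabric-ws-admins", "type": "Group"}, "role": "Admin"},
    {"principal": {"id": "u-1", "displayName": "alice@contoso.com", "type": "User"}, "role": "Admin"},
    {"principal": {"id": "u-2", "displayName": "dev1@contoso.com", "type": "User"}, "role": "Contributor"},
    {"principal": {"id": "sp-1", "displayName": "etl-pipeline", "type": "ServicePrincipal"}, "role": "Member"},
    {"principal": {"id": "g-2", "displayName": "analysts", "type": "Group"}, "role": "Viewer"},
]

# Workspace roles that can share or administer content; Viewer and Contributor sit below this line.
HIGH_IMPACT_ROLES = {"Admin", "Member"}


def review_assignments(assignments, max_admins=2):
    """Return findings for assignments that break the group-based, least-privilege model.

    Policy encoded here (an assumption, tune it to your tenant): no direct user assignments,
    no high-impact roles on service principals, and at most max_admins Admin principals.
    """
    findings = []
    for a in assignments:
        principal, role = a["principal"], a["role"]
        name = principal.get("displayName", principal["id"])
        if principal["type"] == "User":
            findings.append(f"direct user assignment: {name} holds {role}; grant via an Entra group instead")
        elif principal["type"] == "ServicePrincipal" and role in HIGH_IMPACT_ROLES:
            findings.append(f"service principal {name} holds {role}; check whether Contributor is enough")
    admin_count = sum(1 for a in assignments if a["role"] == "Admin")
    if admin_count > max_admins:
        findings.append(f"{admin_count} Admin principals exceed the limit of {max_admins}")
    return findings


def role_summary(assignments):
    """Count assignments per (principal type, role) pair for the access-review report."""
    return dict(Counter((a["principal"]["type"], a["role"]) for a in assignments))


if __name__ == "__main__":
    for finding in review_assignments(SAMPLE_ASSIGNMENTS):
        print(finding)
    print(role_summary(SAMPLE_ASSIGNMENTS))
```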
Lower Exposure of Privileged Accounts
Privileged accounts are prime targets for attackers. Limiting their exposure via just-in-time elevation (using Entra PIM) and requiring MFA reduces the window of opportunity for misuse.
Best practice: Use dedicated admin accounts with no productivity tool access, and define break-glass procedures with non-synced cloud-only Entra accounts.
CLI Example (PIM activation request via Microsoft Graph; a plain roleAssignments POST would create a permanent assignment instead):
az rest --method post \
--uri https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests \
--body @pim-assignment.json
Storage Authentication with Microsoft Entra ID
Fabric uses OneLake as the unified storage layer. Using Entra-based authentication for OneLake ensures consistent policy enforcement, traceability, and easy revocation of access.
Best practice: Avoid access keys or SAS tokens. Prefer RBAC at container or Lakehouse level via Entra roles.
Azure CLI Example:
az role assignment create \
--assignee user@contoso.com \
--role "Storage Blob Data Contributor" \
--scope "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>/blobServices/default/containers/<container>"
Monitor for Suspicious Activities
Continuous identity monitoring enables early detection of compromise attempts, such as unusual sign-ins or permission changes.
Microsoft Entra ID Protection and Identity Secure Score offer actionable insights into posture and anomaly trends.
Best practice: Set alerts on risky sign-ins and password spray patterns, and assign security review tasks as part of the regular governance cadence.
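Detection logic for the password spray pattern mentioned above, run over constructed sign-in records, as an added example that is not part of the original article. The records carry the Entra sign-in log fields the detector reads (userPrincipalName, ipAddress, status.errorCode, createdDateTime); addresses are from documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra sign-in error code for "invalid username or password", the signature of a spray.
INVALID_CREDENTIALS = 50126


def signin(ts, upn, ip, error_code):
    """Build a record with the Entra sign-in log fields this detector reads (constructed sample)."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip, "status": {"errorCode": error_code}}


# Constructed sample: one source address failing against five different accounts within a minute,
# one user repeatedly mistyping their own password, and one successful sign-in.
SAMPLE_SIGNINS = [
    signin("2025-01-10T08:00:05Z", "ana@contoso.com", "203.0.113.7", INVALID_CREDENTIALS),
    signin("2025-01-10T08:00:14Z", "ben@contoso.com", "203.0.113.7", INVALID_CREDENTIALS),
    signin("2025-01-10T08:00:22Z", "cho@contoso.com", "203.0.113.7", INVALID_CREDENTIALS),
    signin("2025-01-10T08:00:31Z", "dev1@contoso.com", "203.0.113.7", INVALID_CREDENTIALS),
    signin("2025-01-10T08:00:40Z", "eve@contoso.com", "203.0.113.7", INVALID_CREDENTIALS),
    signin("2025-01-10T08:01:00Z", "fay@contoso.com", "198.51.100.4", INVALID_CREDENTIALS),
    signin("2025-01-10T08:01:30Z", "fay@contoso.com", "198.51.100.4", INVALID_CREDENTIALS),
    signin("2025-01-10T08:02:00Z", "fay@contoso.com", "198.51.100.4", 0),
]


def detect_password_spray(records, min_users=5, window=timedelta(minutes=10)):
    """Return {ip: sorted affected users} for source IPs that failed credential checks
    against at least min_users distinct accounts inside any sliding window of length window."""
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] != INVALID_CREDENTIALS:
            continue  # successes and other error codes are not spray evidence
        ts = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        failures[r["ipAddress"]].append((ts, r["userPrincipalName"].lower()))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {upn for ts, upn in events[i:] if ts - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


if __name__ == "__main__":
    for ip, users in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"possible password spray from {ip}: {len(users)} accounts {users}")
```

A single user failing several times from one address is not flagged, which keeps ordinary typos out of the alert queue; tune min_users and window to the tenant's baseline.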
Azure CLI Example:
az security alert list --location "Central US"
This guidance will evolve as Microsoft Fabric and Microsoft Entra ID introduce more advanced security capabilities.