Microsoft Fabric Sovereign Landing Zones
The concept of Sovereign Landing Zones is critical for regulated industries and public sector customers adopting Microsoft Fabric under strict compliance and data residency requirements. These environments are aligned with the Microsoft Cloud for Sovereignty initiative and extend the Azure Landing Zone architecture to support Fabric-specific requirements.
Key Characteristics
A Fabric Sovereign Landing Zone supports:
- Data Residency: Ensures OneLake and other Fabric artifacts reside within a selected Azure geography.
- Confidential Computing: Leverages confidential containers, hardware-backed encryption, and customer-managed keys (CMK).
- Policy Enforcement: Uses Azure Policy to restrict regions, enforce private networking, and block unsupported Fabric SKUs.
- Private Networking: Enables Private Link for Fabric services and blocks public endpoints.
- Minimal Trust Operations: Integrates Customer Lockbox, Just-in-Time access, and audit trails for operational transparency.
- Compliance Dashboard: Maps compliance controls (e.g., NIST 800-171, GDPR, Swiss DSG) to technical enforcement in Fabric workloads.
Management Group Hierarchy
The following is an example hierarchy adapted to sovereign needs:
Policy Baselines
- Enforce regional deployments to sovereign-compliant geographies.
- Enforce customer-managed keys (CMK) for all Fabric storage accounts.
- Restrict creation of Fabric capacities or artifacts with public endpoints.
- Enforce tagging standards (e.g., compliance: NIST800-171).
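As an added example (not code from the original page or from Microsoft's own landing zone templates), the following subscription-scope Bicep file turns the four policy baselines above into custom Azure Policy definitions and assigns each with a Deny effect. The region list, the tag name and value, the policy names and the file name are assumptions for illustration; the two storage aliases used are standard Azure Policy aliases.

```bicep
// Added example, not part of the original page: assigns the sovereign policy
// baselines at subscription scope. Regions, tag name/value and policy names
// are assumed values; adjust them to your jurisdiction.
targetScope = 'subscription'

@description('Regions that satisfy the data residency requirement (assumed values).')
param allowedLocations array = [
  'switzerlandnorth'
  'switzerlandwest'
]

@description('Tag every resource must carry, and the value it must hold (assumed).')
param complianceTagName string = 'compliance'
param complianceTagValue string = 'NIST800-171'

// Each entry becomes one policyDefinition and one policyAssignment below.
var baselines = [
  {
    // Baseline 1: region residency. 'global' is excluded so that location-less
    // resources (e.g. DNS zones) are not blocked by accident.
    name: 'slz-deny-non-sovereign-region'
    displayName: 'Deny resources deployed outside sovereign regions'
    rule: {
      if: {
        allOf: [
          { field: 'location', notIn: allowedLocations }
          { field: 'location', notEquals: 'global' }
        ]
      }
      then: { effect: 'deny' }
    }
  }
  {
    // Baseline 2: customer-managed keys on every storage account.
    name: 'slz-require-cmk-storage'
    displayName: 'Deny storage accounts not encrypted with customer-managed keys'
    rule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
          { field: 'Microsoft.Storage/storageAccounts/encryption.keySource', notEquals: 'Microsoft.Keyvault' }
        ]
      }
      then: { effect: 'deny' }
    }
  }
  {
    // Baseline 3: no public endpoints on storage accounts (Private Link only).
    name: 'slz-deny-public-storage-endpoint'
    displayName: 'Deny storage accounts with public network access enabled'
    rule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
          { field: 'Microsoft.Storage/storageAccounts/publicNetworkAccess', notEquals: 'Disabled' }
        ]
      }
      then: { effect: 'deny' }
    }
  }
  {
    // Baseline 4: tagging standard, e.g. compliance: NIST800-171.
    name: 'slz-require-compliance-tag'
    displayName: 'Deny resources missing the required compliance tag value'
    rule: {
      if: {
        field: 'tags[\'${complianceTagName}\']'
        notEquals: complianceTagValue
      }
      then: { effect: 'deny' }
    }
  }
]

resource definitions 'Microsoft.Authorization/policyDefinitions@2021-06-01' = [for b in baselines: {
  name: b.name
  properties: {
    policyType: 'Custom'
    mode: 'Indexed' // evaluate only resource types that support location and tags
    displayName: b.displayName
    policyRule: b.rule
  }
}]

resource assignments 'Microsoft.Authorization/policyAssignments@2022-06-01' = [for (b, i) in baselines: {
  name: b.name
  properties: {
    displayName: b.displayName
    policyDefinitionId: definitions[i].id
    enforcementMode: 'Default' // set to 'DoNotEnforce' for an audit-only dry run first
  }
}]
```

Deploy it the same way as the landing zone itself, e.g. `az deployment sub create --location switzerlandnorth --template-file policy-baselines.bicep` (file name assumed). Two points worth keeping in mind: start with `enforcementMode: 'DoNotEnforce'` and review the compliance results before switching to Deny, so existing workloads are not broken by a policy error; and Azure Policy governs Azure Resource Manager resources only, so Fabric tenant-level settings (for example the Fabric admin portal controls that the later "Next Steps" refer to) still have to be aligned separately.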
Deployment Guidance
The sovereign Fabric landing zone is delivered as Bicep templates and can be deployed via Azure CLI or GitHub Actions.
# Subscription-scope deployment; --location only sets where the deployment
# metadata is stored, the template decides where resources are created.
az deployment sub create \
  --location switzerlandnorth \
  --template-file main.bicep \
  --parameters environment=sovereign
Tip: Use a separate Azure AD tenant if your jurisdiction requires full operational isolation from Microsoft operators.
Architecture Integration
The Fabric Sovereign Landing Zone builds on:
- Microsoft Cloud for Sovereignty architecture
- Fabric Landing Zone taxonomy: Domains, Workspaces, Artifacts
- OneLake security and policy enforcement
- Azure Monitor and Defender for Cloud
- Integration with Entra Conditional Access and PIM
Compliance Mapping
Use the integrated Compliance Dashboard to visualize:
- Percentage of compliant Fabric resources
- Region residency violations
- Encryption/key management compliance
- Alignment with national and regional data protection laws (e.g., Swiss nDSG, EU GDPR)
- Network and perimeter security metrics
Next Steps
- Review Microsoft Cloud for Sovereignty documentation
- Explore Bicep templates for Fabric Landing Zones
- Review your specific compliance requirements under local laws such as the Swiss Federal Data Protection Act (nDSG) or the EU General Data Protection Regulation (GDPR), and align your Fabric tenant configurations with them.