Manage access in Microsoft Fabric using Azure role-based access control (RBAC)
Managing access in Microsoft Fabric is essential to ensuring secure collaboration and compliance across your data and analytics estate. Fabric inherits its security model from the underlying Azure ecosystem, primarily using Azure role-based access control (RBAC) to govern access at various scopes—from tenant to resource level.
RBAC allows organizations to control who can access what and how, with a strong focus on the principle of least privilege.
Scoping RBAC for Fabric
In Fabric, access control typically follows this hierarchy:
Notes:
- RBAC is applied at or above the Workspace level via Azure.
- Fabric-specific permissions (e.g., for items like Lakehouses or Pipelines) are managed inside Fabric at the Workspace and Artifact level.
- Each Fabric capacity must be assigned to a specific region and Azure subscription, which is where RBAC at the subscription/resource group level becomes important.
- Power BI service roles also affect access to Fabric and should be considered, especially for admins, contributors, and viewers.
- The Power BI service itself plays a central role in Microsoft Fabric. Each tenant has a Power BI Admin role, configured via the Power BI Admin Portal, which governs global settings, usage metrics, audit logs, and tenant-wide configurations—including many aspects of Fabric behavior.
- Ensure your Power BI Admins are involved in Fabric governance decisions, especially for workspace configuration defaults, audit policies, and tenant settings that affect cross-capacity behavior.
Recommended Practices
🛡️ Grant Least Privilege
Assign users only the roles they need:
| Role | Scope | Description |
|---|---|---|
| Reader | Tenant / Subscription / Capacity | View-only access to monitor resources |
| Contributor | Workspace / Capacity | Create and manage Fabric artifacts, but cannot assign roles |
| Owner | Subscription / Resource Group / Capacity | Full management rights, including assigning roles |
| Fabric Admin | Workspace (via Fabric portal) | Fabric-specific permissions like adding Dataflows, Pipelines, etc. |
| Power BI Admin | Tenant | Tenant-wide governance for Power BI and Fabric, including audit, usage, and tenant settings |
👥 Use Group-based Assignments
Assign access to Microsoft Entra security groups, not individuals. This simplifies audits and reduces mistakes.
🔐 Audit and Review Regularly
Use Azure Access Reviews and Privileged Identity Management (PIM) to manage time-bound or elevated roles.
Power BI Admin and Fabric Admin roles can also be managed using Microsoft Entra Privileged Identity Management (PIM) to enable just-in-time access and reduce standing permissions. See "Use PIM for Microsoft Entra roles" for more details.
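The practices above can be checked against an export of the current assignments. The following is an added example, not part of the original page: it reads JSON in the shape produced by `az role assignment list --all --output json` and flags roles assigned directly to users and role-assigning roles held at subscription scope or above. The function name `review_assignments` and the sample records are constructed for illustration, and the check for User Access Administrator goes beyond the roles listed in the table.

```python
import json
import re

# Constructed sample in the shape of `az role assignment list --all --output json`
# (only the fields the checks use; names and IDs are placeholders).
SAMPLE = json.loads("""
[
  {"principalName": "fabric-capacity-readers", "principalType": "Group",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-fabric"},
  {"principalName": "alice@example.com", "principalType": "User",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-fabric"},
  {"principalName": "fabric-platform-owners", "principalType": "Group",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "bob@example.com", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]
""")

SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+/?$", re.IGNORECASE)
CAN_ASSIGN_ROLES = {"Owner", "User Access Administrator"}  # built-in roles that can grant access

def review_assignments(assignments):
    """Return (principal, role, scope, reasons) for each assignment that needs review."""
    findings = []
    for a in assignments:
        scope = a.get("scope") or ""
        reasons = []
        # Group-based assignments: access should go to Entra security groups, not individuals.
        if a.get("principalType") == "User":
            reasons.append("direct-user-assignment")
        # Least privilege: a role that can assign roles, held at subscription scope or above.
        broad = scope == "/" or SUBSCRIPTION_SCOPE.match(scope) is not None
        if a.get("roleDefinitionName") in CAN_ASSIGN_ROLES and broad:
            reasons.append("role-assigning-role-at-broad-scope")
        if reasons:
            findings.append((a.get("principalName"), a.get("roleDefinitionName"),
                             scope, reasons))
    return findings

if __name__ == "__main__":
    for name, role, scope, reasons in review_assignments(SAMPLE):
        print(f"{name}: {role} at {scope} -> {', '.join(reasons)}")
```

Findings from a review like this are candidates for conversion to group assignments or to time-bound PIM eligibility rather than automatic removal.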
Visual Overview of Role Assignments
This diagram shows which roles typically exist at each Azure scope. Fabric aligns most closely with the Subscription, Resource Group, and Resource levels—especially for Workspace and Capacity access.
Grant Access in Azure
Grant access to a Resource Group
- Go to Resource groups in the Azure portal.
- Select the resource group that hosts the Fabric capacity.
- Go to Access control (IAM).
- Click + Add > Add role assignment.
- Select the role, then choose the user, group, or service principal.
Grant access to a Subscription
- Navigate to Subscriptions in Azure.
- Select the subscription used for Fabric.
- Go to Access control (IAM).
- Click + Add > Add role assignment.
- Assign the appropriate role.