Skip to main content

Plan for governance, security, and compliance

Before using Microsoft Fabric at scale, it's essential to define how governance, security, and compliance will be handledโ€”both technically and organizationally. This chapter outlines the key concepts and implementation strategies to ensure trust, alignment with regulatory standards, and operational stability in your Fabric environment.

๐Ÿ”’ Governance in Microsoft Fabricโ€‹

Governance ensures that the use of Fabric services aligns with organizational goals, standards, and compliance obligations. Key elements include policy enforcement, cost control, tagging, access governance, and workspace strategy.

Fabric-specific policy enforcementโ€‹

While Microsoft Fabric doesn't currently support Azure Policy directly, many governance patterns from Azure still apply, especially when using multiple capacities, resource separation via workspaces, and Power BI Admin APIs.

  • Use Fabric workspaces to create logical boundaries per domain or lifecycle stage (Dev/Test/Prod).
  • Apply workspace naming conventions and metadata tagging (see Organize Fabric Artefacts) for classification.
  • Track sensitive datasets via tags or catalog metadata in Purview.

Align with the Cloud Adoption Frameworkโ€‹

Refer to the CAF Govern methodology: CAF Govern

๐Ÿ›ก๏ธ Security Strategy for Microsoft Fabricโ€‹

Fabric is built on the Power BI service, which provides rich security mechanisms. In addition, organizations should:

Define secure tenant boundariesโ€‹

  • Use separate capacities for departments, customers, or environments to prevent noisy-neighbor effects and enforce billing boundaries.
  • Control who can create capacities via the Power BI Admin portal.

Manage access centrallyโ€‹

Use Microsoft Entra ID to enforce authentication and apply RBAC consistently. See the section Manage Access.

  • Use group-based access control for Workspaces, Pipelines, and Dataflows.
  • Leverage Privileged Identity Management (PIM) for temporary assignment of roles such as:
    • Power BI Service Administrator
    • Fabric Administrator
    • Capacity Administrator

๐Ÿ“– Learn more about PIM: Microsoft Entra PIM documentation

Protect data in motion and at restโ€‹

  • Leverage OneLake as the central data platform, encrypted by default.
  • Use Fabric items only in trusted regions; see Select Regions.
  • For Real-Time Intelligence workloads, isolate inbound event streams and ensure tenant isolation for IoT scenarios.

๐Ÿงพ Compliance Considerationsโ€‹

Microsoft Fabric inherits compliance features from Microsoft 365 and Azure. Use these to meet industry standards and regulatory requirements.

  • Data Loss Prevention (DLP) policies for Power BI artifacts
  • Sensitivity labels for reports and datasets
  • Microsoft Purview for cataloging and compliance scanning

๐Ÿ“„ See the full list of Microsoft compliance offerings: Compliance offerings - Microsoft

๐Ÿ“Š Monitoring and Auditingโ€‹

Visibility into your Fabric environment is crucial. Enable logging and reporting through:

  • Activity Log (via Power BI Admin API) to monitor workspace events
  • Performance Metrics at capacity level to track consumption, cost attribution, and identify heavy users
  • Microsoft Defender for Cloud Apps for anomaly detection

Use monitoring outputs to refine governance policies and report on compliance.

Next stepsโ€‹

  • Define workspace structure and role responsibilities.
  • Enable PIM for all admin-level roles.
  • Align Fabric artifacts and capacities to regions with compliance requirements.
  • Continue with Manage Access or Costs and Billing.

Contributors