
Security Best Practices in Microsoft Fabric
Secure your Fabric environment with proper access controls and governance.
Security in Microsoft Fabric operates at multiple levels, from tenant settings to row-level data access.
Security Layers
Tenant Level
Global settings controlled by Fabric administrators:
- Feature enablement
- Export restrictions
- External sharing policies

Capacity Level
Resource access and management:
- Capacity admins
- Workload controls

Workspace Level
Content organization and team access:
- Admin, Member, Contributor, Viewer roles
- Control who can edit vs consume

Item Level
Individual artifact permissions:
- Share specific items
- Grant or restrict access
- Build permissions for datasets

Data Level
Row-level and column-level security:
- Filter data based on user identity
- Hide sensitive columns
- Dynamic security rules
Implementing Security
Workspace Roles
- Admin: Full control, manage access
- Member: Create and edit content
- Contributor: Edit assigned content
- Viewer: Consume content only
Row-Level Security
Create roles with DAX filters:
- Static roles with fixed filters
- Dynamic roles using USERPRINCIPALNAME()
- Hierarchical security for managers
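The three role types listed above, written as DAX role filters. This is an added example, not taken from the original page; the Sales and Employee tables and all column and role names are assumptions.

```dax
// Assumed model (hypothetical names):
//   Employee[EmployeeID], Employee[ManagerID], Employee[Email] (the user's UPN)
//   Sales[EmployeeID], Sales[Region]; Employee filters Sales through a relationship.
// Each expression below is the table filter of one role.

// 1. Static role "West Region", filter on table Sales:
//    a fixed value, the same for every member of the role.
Sales[Region] = "West"

// 2. Dynamic role "Own rows", filter on table Employee:
//    the signed-in user only matches the row carrying their own UPN,
//    and the relationship carries that filter through to Sales.
Employee[Email] = USERPRINCIPALNAME ()

// 3. Hierarchical role "Managers".
//    Calculated column on Employee: the chain of IDs from the top of the
//    hierarchy down to this employee, e.g. "1|7|42".
ManagerPath = PATH ( Employee[EmployeeID], Employee[ManagerID] )

//    Filter on table Employee: keep a row when the signed-in user's ID
//    appears anywhere in that row's chain (the user and everyone below them).
//    A user with no Employee row gets a blank ID and therefore sees nothing.
VAR CurrentUserId =
    LOOKUPVALUE (
        Employee[EmployeeID],
        Employee[Email], USERPRINCIPALNAME ()
    )
RETURN
    NOT ISBLANK ( CurrentUserId )
        && PATHCONTAINS ( Employee[ManagerPath], CurrentUserId )
```

Role filters restrict only users who consume the model with Viewer-level access; workspace Admins, Members and Contributors can edit the model and are not filtered by RLS.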
Object-Level Security
Hide tables or columns:
- Prevent sensitive data access
- Simplify model for users
Compliance Considerations
Fabric supports:
- SOC 1, SOC 2 compliance
- ISO 27001 certification
- HIPAA (with BAA)
- GDPR compliance features
- FedRAMP (select regions)
Frequently Asked Questions
What compliance certifications does Fabric support?
Microsoft Fabric supports SOC 1/2, ISO 27001, HIPAA (with Business Associate Agreement), GDPR, and FedRAMP in applicable regions. Check Microsoft compliance documentation for current certifications.
How does row-level security work in Fabric?
RLS uses DAX expressions to filter data based on user identity. You define roles in semantic models with filter expressions, then assign users to roles in Power BI Service. Filters apply across all reports using that model.