Microsoft Fabric security and governance: a practical guide

Fabric makes it easy to put data in front of the whole business, which is exactly why governance has to come first. Here is what security and governance look like in Fabric and the controls worth setting up before you scale beyond a pilot.

Identity and access

Fabric uses Entra ID (formerly Azure AD) for identity, so users, groups, and conditional access policies you already have apply automatically. Permissions are layered: tenant settings control what is available, workspaces control who can build, and item-level permissions control who sees specific reports, lakehouses, or warehouses. Use groups, not individual users, for anything you expect to last more than a quarter.

Workspace design

Workspaces are where most governance lives in practice. A clean pattern: one workspace per domain (finance, ops, sales), with development, test, and production variants. Avoid the temptation to have one shared workspace for everything; it becomes ungovernable fast and you lose the ability to promote changes safely.

Sensitivity labels

Microsoft Purview sensitivity labels flow into Fabric. Labels applied to a dataset travel with the data when it is exported to Excel, PowerPoint, or PDF, and they show up in Power BI reports. If your business already classifies documents, extending the same labels to Fabric is one of the highest-value governance moves you can make.

OneLake security

Because OneLake is shared across the tenant, getting OneLake permissions right matters more than getting any single workload right. Use OneLake security to control read access at the data level, and remember that shortcuts inherit the permissions of the source, not the workspace you put them in.

Auditing and monitoring

Fabric activity flows into the Microsoft 365 audit log, so the same tooling your security team uses for Teams and SharePoint covers Fabric. The Fabric admin portal also has its own monitoring views for capacity usage, which is worth watching weekly during rollout to catch a runaway dataset before it slows everything down.

Five controls to set up before you scale

One: restrict who can create workspaces (default is everyone, which gets messy fast). Two: define a naming convention for workspaces and items. Three: turn on sensitivity labels and require them on new items. Four: set up domain-based workspace structure rather than department-based. Five: review tenant settings monthly during the first quarter, then quarterly thereafter.
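
As an added example (not from the original guide or from Microsoft), the script below audits a workspace inventory against three points made above: a workspace naming convention, development/test/production variants per domain, and access granted through groups rather than individual users. The `<domain>-<env>` convention, the inventory field names, and the sample data are assumptions constructed for illustration and are not a Fabric API schema.

```python
import re
from collections import defaultdict

# Assumed naming convention (not from the guide): <domain>-<env>, e.g. "finance-prod".
ENVIRONMENTS = ("dev", "test", "prod")
NAME_RE = re.compile(r"^(?P<domain>[a-z][a-z0-9]*)-(?P<env>dev|test|prod)$")

# Constructed sample inventory; field names are hypothetical.
SAMPLE_INVENTORY = [
    {"name": "finance-dev", "assignments": [
        {"principal": "sg-finance-builders", "type": "Group", "role": "Member"}]},
    {"name": "finance-test", "assignments": [
        {"principal": "sg-finance-builders", "type": "Group", "role": "Member"}]},
    {"name": "finance-prod", "assignments": [
        {"principal": "sg-finance-readers", "type": "Group", "role": "Viewer"},
        {"principal": "alice@example.com", "type": "User", "role": "Admin"}]},
    {"name": "sales-prod", "assignments": [
        {"principal": "sg-sales-readers", "type": "Group", "role": "Viewer"}]},
    {"name": "Shared Workspace", "assignments": [
        {"principal": "bob@example.com", "type": "User", "role": "Contributor"}]},
]

def audit_workspaces(inventory):
    """Return a sorted list of (workspace_or_domain, finding) tuples."""
    findings = []
    envs_by_domain = defaultdict(set)
    for ws in inventory:
        match = NAME_RE.match(ws["name"])
        if match:
            envs_by_domain[match["domain"]].add(match["env"])
        else:
            findings.append((ws["name"], "name does not match <domain>-<env>"))
        # Flag roles granted to a person directly instead of through a group.
        for a in ws.get("assignments", []):
            if a["type"] == "User":
                findings.append(
                    (ws["name"], f"direct user assignment: {a['principal']} ({a['role']})"))
    # A domain without all three variants cannot promote changes dev -> test -> prod.
    for domain, envs in envs_by_domain.items():
        missing = [e for e in ENVIRONMENTS if e not in envs]
        if missing:
            findings.append((domain, "missing environment(s): " + ", ".join(missing)))
    return sorted(findings)

if __name__ == "__main__":
    for target, finding in audit_workspaces(SAMPLE_INVENTORY):
        print(f"{target}: {finding}")
```

Run it on a schedule against whatever inventory export you maintain and treat any non-empty result as a review item for the platform owner.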

Row-level and object-level security

Beyond workspace permissions, Fabric supports row-level security (RLS) and object-level security (OLS) in semantic models. RLS filters what individual users see within the same report - a regional sales manager only sees their region, even though the dashboard is shared with the whole sales team. OLS hides specific tables or columns - HR data can live in a model that other users access, but salary fields stay invisible to anyone outside HR. Both flow through to Copilot, so a Copilot answer never reveals data the user could not otherwise see.

Compliance and certifications

Fabric inherits the compliance posture of the wider Microsoft cloud. That includes ISO 27001, ISO 27018, SOC 1 and SOC 2, GDPR, HIPAA in regions where it applies, and the UK Cyber Essentials Plus scheme. For UK businesses in regulated sectors (financial services, healthcare, legal) that means there are usually no fresh certifications to chase before adopting Fabric - the existing Microsoft 365 compliance evidence covers most of it. Your data residency follows your tenant region, so a UK tenant keeps OneLake data in UK Azure regions by default.

Governance roles worth defining

Two roles make the difference between a tidy Fabric estate and a chaotic one. The first is a platform owner (usually in IT) who controls tenant settings, capacity, and the workspace catalogue. The second is a domain owner per major business area (finance, sales, ops) who controls what gets published into that domain and approves new datasets. Without the second role, every dashboard tends to land in a shared workspace and governance dies a slow death. With it, each domain self-governs within a clear shared framework.

If you want help setting this up, see our Microsoft Fabric and data readiness pages.
