Security Enhancements in Microsoft Fabric: Keeping Your Data Safe in the Cloud
Table of Contents
1. Introduction: Microsoft Fabric as a SaaS Platform
2. Authentications to Microsoft Fabric
3. Network Protections to Microsoft Fabric
4. Data Encryption in Microsoft Fabric
5. Fine-Grained Security and Access Controls in Microsoft Fabric
6. Monitoring and Logging in Microsoft Fabric
7. Conclusion

Introduction: Microsoft Fabric as a SaaS Platform
Microsoft Fabric, a SaaS platform, enables users to access, create, and visualize data with ease. It offers robust, built-in security features to protect your data at rest and in transit, leveraging Microsoft’s expertise to patch vulnerabilities, monitor threats, and ensure regulatory compliance. Fabric also provides tools to manage, control, and audit security settings as your needs evolve. Whether using Power BI, Data Factory, or the next-gen Synapse, Fabric ensures data reliability and recovery, even in cases of infrastructure failures or disasters.
Key security features of Fabric include:

Authentications to Microsoft Fabric
Microsoft Entra tenant provides identity and access management (IAM) capabilities to applications and resources used by your organization. Since Fabric is deployed to a Microsoft Entra tenant, authentication and authorization are handled by Microsoft Entra.
Access token authentication:
Fabric relies on Microsoft Entra ID to authenticate users or service principals. Once authenticated, the user or service principal receives an access token from Microsoft Entra ID, and Fabric uses that token to perform operations in the context of that user or application.
Example: When a user signs in to Fabric, they are authenticated by Microsoft Entra ID and receive an access token. This token is then used to access resources within Fabric.
Non-Access token authentication:
Non-access token activity in Fabric enables you to utilize external data sharing. Fabric external data sharing is a feature that allows Fabric users to share data from their tenant with users in another Fabric tenant.
Example: If you enable external data sharing, you are explicitly trusting other tenants and allowing them to access the shared data without complying with your Entra Conditional Access policy. To enforce Conditional Access policy in all cases, it is recommended to turn off external data sharing at the tenant level unless there is a specific need to share data externally.
Authorization at the Workspace Level
Organizational teams can have individual workspaces where different personas collaborate and work on generating content. Access to the items in the workspace is regulated via workspace roles assigned to users by the workspace admin. You can either assign roles to individuals or to groups. There are four Workspace roles, and they apply to all items within the workspace. Users that don’t have any of these roles can’t access the workspace.
- Viewer – Can view all content in the workspace but can’t modify it.
- Contributor – Can view and modify all content in the workspace.
- Member – Can view, modify, and share all content in the workspace.
- Admin – Can view, modify, share, and manage all content in the workspace, including managing permissions.
Network Protections to Microsoft Fabric
Inbound Network Security
Private Links
Private Links enable secure connectivity to Microsoft Fabric by restricting public access and connecting your Fabric tenant to an Azure Virtual Network (VNet) via private endpoints. These endpoints assign a private IP within your VNet, enabling secure communication. External devices access the service through a private tunnel, ensuring Fabric is entirely inaccessible from the public internet.
Entra ID Conditional Access
Fabric relies on Microsoft Entra ID to authenticate users (or service principals), providing access tokens for user-context operations. A key feature of Microsoft Entra ID is conditional access.
Conditional access ensures that customers can secure apps in their tenants, including:
- Multifactor authentication
- Allowing only Intune enrolled devices to access specific services
- Restricting user locations and IP ranges
Firewall Rules
Firewall rules in Microsoft Fabric let you restrict workspace access to trusted IP addresses only. This boosts security by blocking unauthorized connections. You can set these rules in the Fabric admin settings, specifying allowed IP ranges for inbound connections.
Outbound Network Security
Managed Private Endpoints
Managed private endpoints let admins securely access data sources behind firewalls, enabling Fabric to connect to resources like Azure Storage or SQL Database without exposing them. Admins specify the resource ID, sub-resource, and justification, while Fabric manages the endpoints.
Managed Virtual Networks
Managed virtual networks are created and managed by Microsoft Fabric for each workspace, providing network isolation for Spark workloads. These dedicated networks enable enhanced security with features like managed private endpoints and private link support for Data Engineering and Data Science tasks using Apache Spark.
Trusted Workspace Access
Fabric enables secure access to firewall-enabled ADLS Gen2 accounts using workspace identities. Workspaces can access ADLS Gen2 from selected virtual networks and IPs, with access limited to specific workspaces. Authorization is handled through Microsoft Entra credentials or service principals. To protect access, you can set resource instance rules to allow connections only from specific workspaces.
Data Encryption in Microsoft Fabric
Encryption in-transit
Microsoft Fabric encrypts data in transit using TLS 1.2 as the minimum standard, upgrading to TLS 1.3 where possible. This ensures secure communication between client systems and Fabric endpoints. All traffic within Microsoft services is encrypted and routed over the secure Microsoft global network.
Encryption at-rest
Data stored in Microsoft Fabric is encrypted at rest with Microsoft-managed keys. This includes all customer data, system data, and metadata, ensuring data is never stored unencrypted and meets compliance standards.
Fine-Grained Security and Access Controls in Microsoft Fabric
Item-level Data Security
Granular Permissions
Microsoft Fabric allows fine-grained access control, enabling admins to assign specific permissions (read, write, manage) at the workspace, item, or dataset level, ensuring users only access what they need.
Dynamic Data Masking (DDM)
Microsoft Fabric’s dynamic data masking (DDM) helps protect sensitive data by hiding it from unauthorized users at query runtime. Only privileged users can see original data, while others see masked values.
CREATE TABLE Customer
(
-- Other columns...
-- Unprivileged users see e.g. XXXX-XXXX-XXXX-1234; only the last 4 characters are exposed.
CreditCardNumber NVARCHAR(50) MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NULL
);
Row-level Security (RLS)
RLS restricts access to specific rows based on user identity or role, ensuring users only see the rows they are authorized to see. In Fabric Warehouse and the SQL analytics endpoint, RLS is implemented with the CREATE SECURITY POLICY Transact-SQL statement, using predicates defined as inline table-valued functions.
CREATE SECURITY POLICY SalesFinFilter
ADD FILTER PREDICATE Security.tvf_finsecuritypredicate(SalesPersonID)
ON Sales.SaleDetails
WITH (STATE = ON);
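The predicate function Security.tvf_finsecuritypredicate that the policy above references is not shown on the page. The following is an added example (not code from the original post) of one way to define it together with the policy and the least-privilege grants around it; it assumes a Sales.SaleDetails table whose SalesPersonID column stores the salesperson's Entra user principal name, and uses placeholder accounts ([Charlie@contoso.com] as a salesperson and manager@contoso.com as an account allowed to see every row).

```sql
-- Added example: complete RLS setup for the SalesFinFilter policy.
-- Assumes Sales.SaleDetails exists and SalesPersonID holds the caller's UPN.
CREATE SCHEMA Security;
GO

-- Inline table-valued function used as the filter predicate. It returns a row
-- ("allow") only when the row's SalesPersonID matches the caller, or when the
-- caller is the placeholder manager account that may see all rows.
CREATE FUNCTION Security.tvf_finsecuritypredicate(@SalesPersonID AS NVARCHAR(256))
    RETURNS TABLE
WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS tvf_finsecuritypredicate_result
    WHERE @SalesPersonID = USER_NAME()
       OR USER_NAME() = 'manager@contoso.com';   -- placeholder account
GO

-- Bind the predicate to the table. With STATE = ON, every SELECT (and UPDATE /
-- DELETE, since this is a filter predicate) against Sales.SaleDetails is
-- filtered transparently; a caller cannot bypass it with their own WHERE clause.
CREATE SECURITY POLICY SalesFinFilter
    ADD FILTER PREDICATE Security.tvf_finsecuritypredicate(SalesPersonID)
    ON Sales.SaleDetails
    WITH (STATE = ON);
GO

-- Least privilege: readers need SELECT on the table but NOT on the Security
-- schema or the predicate function, so they cannot inspect or alter the rule.
GRANT SELECT ON Sales.SaleDetails TO [Charlie@contoso.com];   -- placeholder users
GRANT SELECT ON Sales.SaleDetails TO [manager@contoso.com];
GO

-- Verification: connect as Charlie@contoso.com and run this query; only the
-- group whose SalesPersonID equals 'Charlie@contoso.com' is returned. Connecting
-- as manager@contoso.com returns one group per salesperson.
SELECT SalesPersonID, COUNT(*) AS VisibleRows
FROM Sales.SaleDetails
GROUP BY SalesPersonID;
```

Because the policy is evaluated server-side for every query, the verification step should be repeated after any change to the predicate function or to group membership, since a silently broadened predicate exposes rows without any error.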
Column-level Security (CLS)
This is a more refined security feature that controls access to specific columns, ensuring users can view only the columns they are authorized to see. In Fabric Warehouse and the SQL analytics endpoint, CLS is implemented using the GRANT T-SQL statement with an explicit column list.
GRANT SELECT ON dbo.Customers (CustomerID, FirstName, LastName, Phone, Email) TO [Charlie@contoso.com];
Object-level Security (OLS)
OLS controls access to specific data objects (datasets, tables, views), ensuring users only see data objects necessary for their role.
GRANT SELECT ON dbo.Customers TO [Charlie@contoso.com];
GRANT SELECT ON dbo.Customers TO [Security Group Name];
Shortcuts
Shortcuts in Fabric let you access data from other resources in a lakehouse without copying it. Most Fabric RBAC roles can create and use shortcuts in both the Files and Tables folders of the Lakehouse Explorer. Authentication is required to connect to the original source, with the available options depending on whether the source is another OneLake resource, ADLS Gen2, or Amazon S3.
Data governance
Data governance in Microsoft Fabric focuses on security, quality, accessibility, and compliance. It features encryption, access control, and Microsoft Entra ID for secure access. Integration with Azure Purview enables data lineage and traceability. Fabric supports data quality through validation rules and auditing for compliance. RBAC ensures proper permissions, while data stewards oversee governance, ensuring secure, high-quality, and compliant data management.


Conclusion
Microsoft Fabric emerges as a comprehensive SaaS platform designed to prioritize data security at every level. From robust authentication and authorization mechanisms to fine-grained security controls like RLS, CLS, and DDM, Fabric empowers organizations to secure sensitive data effectively. With network protection features such as private links, managed endpoints, and firewall rules, it ensures seamless and secure access to resources.
By integrating these advanced security enhancements, Microsoft Fabric not only protects your data but also provides the tools to adapt to evolving organizational needs, ensuring a reliable, secure, and scalable cloud experience.
Blog Author

Ishan Deshpande
Sr. Data Engineer
Intellify Solutions