Securing Microsoft Fabric: User Authentication & Authorization Guidelines
Have you ever wondered what the options are for defining users and permissions to access and operate in Microsoft Fabric?
Considering Conditional Access for Fabric users?
Looking to understand the best practices for defining user roles at the workspace level?
In this blog, we will talk about the authentication and authorization options in Fabric, including a use-case example.
Microsoft Fabric is a software as a service (SaaS) platform that lets users get, create, share, and visualize data.
Security is a top priority for any organization that wants to succeed in the digital age. You need to safeguard your assets from threats and follow your organization’s security policies.
One of the security design principles is to implement strong access controls that authenticate and authorize access to the system.
This blog describes recommendations for authenticating and authorizing users that are attempting to access Microsoft Fabric.
First, let's understand the main infrastructure components of Microsoft Fabric with this diagram:
In this diagram, we can see the different components in Fabric and how they relate to each other:
Tenant – A tenant is a single instance of Fabric for an organization and is aligned with a Microsoft Entra ID.
OneLake – a single, unified, logical data lake for your whole organization. A data lake processes large volumes of data from various sources. OneLake is the foundation of Microsoft Fabric for your tenant. There is one OneLake per tenant.
Capacity – A capacity is a dedicated set of resources that is available at a given time to be used. Capacity defines the ability of a resource to perform an activity or to produce output. Different items consume different amounts of capacity at a given time. Fabric offers capacity through Fabric SKUs and trials. You can have multiple capacities for one OneLake.
Workspace – A workspace is a collection of items that brings together different functionality in a single environment designed for collaboration. It acts as a container that uses capacity for the work that is executed, and it provides controls for who can access the items in it. For example, in a workspace, users create reports, notebooks, semantic models, and so on. You can have multiple workspaces on one capacity.
Now, let’s examine Entra ID authentication and authorization on top of the layers.
Authentication
A Microsoft Entra tenant provides identity and access management (IAM) capabilities to the applications and resources used by your organization. Since Fabric is deployed to a Microsoft Entra tenant, authentication and authorization are handled by Microsoft Entra.
Access token authentication:
Fabric relies on Microsoft Entra ID to authenticate users or service principals. Once authenticated, users or service principals receive access tokens from Microsoft Entra ID. Fabric uses these tokens to perform operations in the context of the user or application.
Example: When a user logs into Fabric, they are authenticated by Microsoft Entra ID and receive an access token. This token is then used to access various resources within Fabric.
Note: An identity is a directory object authenticated and authorized for access to a resource. There are identity objects for human (users) and nonhuman identities. Human identities are referred to as identities, and nonhuman identities are workload identities. Nonhuman entities include application objects, service principals, managed identities, and devices. Generally, a workload identity is for a software entity to authenticate with a system. This blog describes authentication options for users (humans); service principals (nonhuman identities) are out of scope.
Non-Access Token authentication:
Non-access token activity in Fabric lets you use external data sharing. Fabric external data sharing is a feature that allows Fabric users to share data from their tenant with users in another Fabric tenant.
Example: If you enable external data sharing, you are explicitly trusting other tenants, allowing them to access the shared data without complying with your Entra Conditional Access policy. To enforce the CA policy in all cases, it is recommended to turn off external data sharing at the tenant level unless there is a specific need to use such external data.
Secured authentication via Conditional Access (CA)
A key feature of Microsoft Entra ID is Conditional Access. Conditional Access lets customers secure the apps in their tenants with controls such as:
Multifactor authentication
Allowing only Intune enrolled devices to access specific services
Restricting user locations and IP ranges
To configure Conditional Access for users in Fabric, you need to select several Azure services in the policy: Power BI, Azure Data Explorer, Azure SQL Database, and Azure Storage.
Applying the policy to Power BI, Azure Data Explorer, Azure SQL Database, and Azure Storage blocks any access token activity in Fabric in case the CA policy check fails.
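As an added example (not code from the original post or from Microsoft), the following Python builds the Conditional Access policy described above in the Microsoft Graph conditionalAccessPolicy schema: it targets the "Fabric all" group, scopes the policy to the four services the post lists, requires MFA, and creates the policy in report-only state first so sign-in logs show what would be blocked before enforcement. The group object ID and the four application IDs are placeholders you must replace with the values from your own tenant; the policy is created with a POST to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies, which needs a token holding the Policy.ReadWrite.ConditionalAccess permission.

```python
"""Build (and optionally create) an Entra Conditional Access policy for Fabric users.

Added example; not code from the original post. All IDs below are placeholders.
"""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Placeholder object ID of the "Fabric all" Entra group (replace with your own).
FABRIC_ALL_GROUP_ID = "00000000-0000-0000-0000-000000000001"

# The post says the policy must cover these four services. The values are
# placeholders; take the real application IDs from your tenant's Enterprise
# applications blade before use.
FABRIC_CA_APPS = {
    "Power BI Service": "PLACEHOLDER-POWER-BI-APP-ID",
    "Azure Data Explorer": "PLACEHOLDER-ADX-APP-ID",
    "Azure SQL Database": "PLACEHOLDER-SQL-APP-ID",
    "Azure Storage": "PLACEHOLDER-STORAGE-APP-ID",
}


def build_fabric_ca_policy(group_id, app_ids,
                           display_name="Fabric users: require MFA", report_only=True):
    """Return a conditionalAccessPolicy body requiring MFA for members of
    group_id when they sign in to any of app_ids.

    report_only=True uses the 'enabledForReportingButNotEnforced' state, so the
    policy is evaluated and logged but not enforced until you flip it to 'enabled'.
    """
    app_ids = list(app_ids)
    if not app_ids:
        raise ValueError("policy must be scoped to at least one application")
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": app_ids},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def missing_fabric_apps(policy, required=FABRIC_CA_APPS):
    """Return the names of required services the policy does not cover.

    Leaving one out leaves a path into Fabric that the policy never evaluates,
    so an empty list is the condition to check before creating the policy.
    """
    included = set(policy["conditions"]["applications"]["includeApplications"])
    return [name for name, app_id in required.items() if app_id not in included]


def create_policy(policy, access_token, opener=urllib.request.urlopen):
    """POST the policy to Microsoft Graph and return the created object."""
    gaps = missing_fabric_apps(policy)
    if gaps:
        raise ValueError("policy does not cover: " + ", ".join(gaps))
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with opener(req) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    policy = build_fabric_ca_policy(FABRIC_ALL_GROUP_ID, FABRIC_CA_APPS.values())
    print(json.dumps(policy, indent=2))
    print("missing services:", missing_fabric_apps(policy))
```

Run it once with report-only state, review the sign-in logs for the "Fabric all" group, and only then call build_fabric_ca_policy with report_only=False. The missing_fabric_apps check is the practical safeguard: a policy that scopes Power BI alone still leaves the other three services unevaluated.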
Authorization
All Fabric permissions are stored centrally by the metadata platform. Fabric services query the metadata platform on demand in order to retrieve authorization information and to authorize and validate user requests.
In this blog, we will focus on workspace-level permissions; you can read more on item permissions here.
Authorization at the workspace level
Organizational teams can have individual workspaces where different personas collaborate and work on generating content. Access to the items in the workspace is regulated via workspace roles assigned to users by the workspace admin.
You can either assign roles to individuals or to groups.
Guidance: Data owners should recommend users who could be workspace administrators. These could be team leaders in your organization, for example. These workspace administrators should then govern access to the items in their workspace by assigning appropriate workspace roles to users and consumers of the items.
There are four workspace roles, and they apply to all items within the workspace. Users who don't have any of these roles can't access the workspace. The roles are:
Viewer – Can view all content in the workspace but can’t modify it.
Contributor – Can view and modify all content in the workspace.
Member – Can view, modify, and share all content in the workspace.
Admin – Can view, modify, share, and manage all content in the workspace, including managing permissions.
You can define workspace-level access in Fabric via:
the UI, as explained in Give users access to workspaces via UI
the API, as explained in Add Workspace Role Assignment via Fabric API
This diagram demonstrates the Authentication and Authorization options described above:
What can you do to manage access easily and efficiently?
Microsoft Entra groups are used to manage users that all need the same access and permissions to resources, such as potentially restricted apps and services. Instead of adding special permissions to individual users, you create a group that applies the special permissions to every member of that group.
When a user leaves the organization, you can easily remove the user from the group, which removes the user's access to the different workspaces.
Let's look at one example: an organization with multiple users that grants access to Fabric dev, test, and prod workspaces via Entra groups.
The first step is to define groups for Fabric users in the Microsoft 365 admin center.
Potential groups implementation:
1. Fabric all – includes all Fabric users that will get access to Fabric
2. Development + Test users:
Fabric dev+test workspace viewers – assign users per need
Fabric dev+test workspace members – assign users per need
Fabric dev+test workspace contributors – assign users per need
Fabric dev+test workspace admins – potentially assign to workspace owners + team leads
3. Production users:
Fabric prod workspace viewers – assign users per need
Fabric prod workspace members – assign users per need
Fabric prod workspace contributors – assign users per need
Fabric prod workspace admins – potentially assign to workspace owners + team leads
Here you can see sample groups from Microsoft 365 admin center:
The next steps are:
Define a Conditional Access policy for Fabric users via the group we created before, Fabric all, as explained in Conditional access – Microsoft Fabric | Microsoft Learn
Define workspace-level access in the Fabric UI as explained in Give users access to workspaces, or via the API as explained in Workspaces – Add Workspace Role Assignment
Here we can see a sample UI flow for assigning Admin rights on the workspace to the group we created before:
1. Go to Manage Access
2. Add the relevant group:
3. Assign permission to the group:
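The same assignment can be done through the API path named above. The Python below is an added example, not code from the original post or from Microsoft: it takes the group naming scheme of the example (dev+test and prod groups per role), derives the workspace role from each group name, runs a few pre-flight checks, and posts one role assignment per (workspace, group) pair to the Fabric REST API endpoint POST https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/roleAssignments with a body of the form {"principal": {"id": "<objectId>", "type": "Group"}, "role": "<role>"}. The workspace IDs and group object IDs are constructed placeholders; the mapping of "dev+test" groups to both the dev and test workspaces is an assumption drawn from the group names.

```python
"""Plan and apply Fabric workspace role assignments for Entra groups.

Added example; not code from the original post. All IDs below are placeholders.
"""
import json
import urllib.request

FABRIC_API = "https://api.fabric.microsoft.com/v1"
WORKSPACE_ROLES = ("Viewer", "Contributor", "Member", "Admin")

# Placeholder workspace IDs (replace with your own workspaces' IDs).
WORKSPACES = {
    "dev": "11111111-0000-0000-0000-000000000001",
    "test": "11111111-0000-0000-0000-000000000002",
    "prod": "11111111-0000-0000-0000-000000000003",
}

# Placeholder object IDs of the role groups from the example above.
# "Fabric all" carries no workspace role (it scopes the CA policy), so it is omitted.
ROLE_GROUPS = {
    "Fabric dev+test workspace viewers": "22222222-0000-0000-0000-0000000000a1",
    "Fabric dev+test workspace members": "22222222-0000-0000-0000-0000000000a2",
    "Fabric dev+test workspace contributors": "22222222-0000-0000-0000-0000000000a3",
    "Fabric dev+test workspace admins": "22222222-0000-0000-0000-0000000000a4",
    "Fabric prod workspace viewers": "22222222-0000-0000-0000-0000000000b1",
    "Fabric prod workspace members": "22222222-0000-0000-0000-0000000000b2",
    "Fabric prod workspace contributors": "22222222-0000-0000-0000-0000000000b3",
    "Fabric prod workspace admins": "22222222-0000-0000-0000-0000000000b4",
}


def role_from_group_name(name):
    """Map the plural suffix of a group name to a workspace role ('... admins' -> 'Admin')."""
    suffix = name.rsplit(" ", 1)[-1].lower()
    for role in WORKSPACE_ROLES:
        if suffix == role.lower() + "s":
            return role
    raise ValueError(f"cannot derive a workspace role from group name {name!r}")


def environments_for_group(name):
    """'dev+test' groups apply to the dev and test workspaces, 'prod' groups to prod only."""
    if "dev+test" in name:
        return ("dev", "test")
    if "prod" in name:
        return ("prod",)
    raise ValueError(f"group name {name!r} names no environment")


def plan_role_assignments(groups=ROLE_GROUPS, workspaces=WORKSPACES):
    """Return a list of (workspace_id, request_body) pairs, one per assignment."""
    plan = []
    for name, group_id in groups.items():
        role = role_from_group_name(name)
        for env in environments_for_group(name):
            body = {"principal": {"id": group_id, "type": "Group"}, "role": role}
            plan.append((workspaces[env], body))
    return plan


def check_plan(plan, groups=ROLE_GROUPS, prod_workspace_id=WORKSPACES["prod"]):
    """Pre-flight checks before anything is sent. Returns problem strings (empty = OK):
    only Group principals (the post recommends groups over individual users),
    only the four known roles, and no dev+test group on the prod workspace."""
    problems = []
    dev_test_ids = {gid for name, gid in groups.items() if "dev+test" in name}
    for workspace_id, body in plan:
        principal = body["principal"]
        if principal["type"] != "Group":
            problems.append(f"{principal['id']}: principal type {principal['type']} is not Group")
        if body["role"] not in WORKSPACE_ROLES:
            problems.append(f"{principal['id']}: unknown role {body['role']}")
        if workspace_id == prod_workspace_id and principal["id"] in dev_test_ids:
            problems.append(f"{principal['id']}: dev+test group assigned on prod workspace")
    return problems


def apply_plan(plan, access_token, opener=urllib.request.urlopen):
    """POST each planned assignment; returns the HTTP status per call.
    The token must belong to a workspace Admin, since admins assign workspace roles."""
    problems = check_plan(plan)
    if problems:
        raise ValueError("refusing to apply plan: " + "; ".join(problems))
    statuses = []
    for workspace_id, body in plan:
        req = urllib.request.Request(
            f"{FABRIC_API}/workspaces/{workspace_id}/roleAssignments",
            data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {access_token}",
                     "Content-Type": "application/json"},
            method="POST",
        )
        with opener(req) as resp:
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    for workspace_id, body in plan_role_assignments():
        print(workspace_id, json.dumps(body))
    print("problems:", check_plan(plan_role_assignments()))
```

Printing the plan before calling apply_plan gives a reviewable record of exactly which group gets which role on which workspace, and the check that no dev+test group lands on the prod workspace is the kind of guard that a UI assignment does not provide.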
In conclusion, implementing strong access controls to authenticate and authorize users is a crucial security design principle for any organization using Microsoft Fabric. Understanding the different components and layers of the platform can aid in the configuration of authentication and authorization options, such as Entra ID and Conditional Access policies.
Conditional Access provides an additional layer of security and requires Microsoft Entra ID P1 licenses.
Authorization at the workspace level is regulated via workspace roles, which can be assigned to users or groups.
It is recommended that data owners assign workspace administrators, who then govern access to the workspace by assigning appropriate roles to users and consumers of the items.
Additional reference: End-to-end security overview for Fabric can be found here
Assaf & Inbal.