By Leon Godwin, Cloud Evangelist
During our recent webinar, Mastering Security and Governance in Microsoft Fabric, I was joined by Microsoft’s Rana Kamel to unpack one of the biggest tensions we’re seeing amongst IT teams right now.
The session covered a lot of ground and generated a huge amount of interest, which means there were some great questions that we just didn’t get to in time. So I’ve pulled together your questions and answered them here to give a bit more clarity.
How does security actually work across OneLake, shortcuts, and SQL endpoints?
This came up in lots of different ways, but the core concern was the same:
Does data stay secure as it moves across Fabric?
The short answer is yes, but only if it’s configured properly.
- OneLake enforces security through identity. Every request is authorised against the caller's Microsoft Entra ID identity and the permissions granted on the workspace and item, which is what prevents cross-workspace or cross-tenant leakage.
- Shortcuts to other OneLake locations use the calling user's identity (pass-through), so users still need access to the underlying data, not just the shortcut. Shortcuts to external stores such as ADLS Gen2 or S3 authenticate with the credential stored in the shortcut's connection, so for those the permissions on the shortcut's workspace and item are the effective control.
- Sensitivity labels follow the data into downstream reports and exports, so the protections tied to the label, such as encryption of exported Office files and export restrictions, are maintained.
Where people get caught out is SQL analytics endpoints.
- A SQL analytics endpoint enforces OneLake security roles only when it runs in User's identity mode, where queries execute as the calling user.
- In Delegated identity mode, queries execute with the item owner's identity, so OneLake security roles are not applied at the endpoint. Access then has to be managed with SQL permissions (GRANT/DENY, T-SQL row-level security and column grants); without them, anyone with read access to the endpoint sees whatever the owner can see.
So nothing “magically bypasses” security, but misconfiguration can create gaps.
How should we approach access control at scale?
Another big theme was how to manage access when different users need different views of the same data. The key is layering your controls rather than relying on one mechanism:
- Workspace roles (Admin, Member, Contributor, Viewer) control who can enter a workspace and what they can do with its items
- Row-level and column-level security, defined as OneLake security roles or as T-SQL security policies and column grants at the SQL analytics endpoint, control which rows and columns a user can read within an item
- Microsoft Purview adds governance through classification, lineage, and policy enforcement
At scale, this becomes less about individual permissions and more about design:
- Use governed, certified datasets
- Apply consistent patterns across Lakehouses
- Centralise policies where possible
On ABAC specifically, the practical equivalent today comes from combining identity, roles, and Purview policies rather than relying on a single ABAC model.
Do security rules carry through the medallion architecture?
Security does not automatically carry through from Bronze to Silver to Gold.
- Each layer is effectively new data, created through transformation
- That means security has to be reapplied or redesigned at each stage
In practice, many organisations:
- Apply stricter controls at ingestion in Bronze
- Refine access in Silver
- Enforce business-ready security models in Gold
The key takeaway: do not assume inheritance. Design for it.
When should we move to a shared Lakehouse model?
Many organisations start with a workspace-per-tenant model for isolation, which is a safe approach but it doesn't scale forever. The recommendation is to move to a shared Lakehouse only when:
- Your pipelines are fully automated and auditable
- You can enforce row-level security reliably
- You have clear tenant partitioning in place
This is less about a fixed point in time and more about maturity.
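As an added example (not from the webinar or from Microsoft's documentation), the T-SQL below shows what "managing permissions manually" looks like at a SQL analytics endpoint running in Delegated identity mode, and how row-level security provides the tenant partitioning a shared Lakehouse needs. It assumes a Lakehouse table dbo.orders with columns order_id, tenant_id, customer_email, amount and order_date, a mapping table dbo.user_tenant (user_upn, tenant_id) that the ingestion pipeline maintains as a Delta table in the same Lakehouse, and the principal analyst@contoso.com; all of these names are hypothetical.

```sql
-- Added example for a Lakehouse SQL analytics endpoint in Delegated identity mode.
-- Assumed (hypothetical) objects: dbo.orders and the pipeline-maintained mapping
-- table dbo.user_tenant(user_upn, tenant_id). The endpoint is read-only for data,
-- so the mapping table cannot be created here; it must land as a Delta table.

-- Keep security objects in their own schema so they are easy to audit.
CREATE SCHEMA Security;
GO

-- Inline table-valued predicate: return a row when the caller (USER_NAME() is the
-- Entra UPN at the endpoint) is mapped to the tenant of the row being read.
-- SCHEMABINDING is required for a function used by a security policy.
CREATE FUNCTION Security.fn_tenant_predicate(@tenant_id VARCHAR(64))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS fn_result
    FROM dbo.user_tenant AS ut
    WHERE ut.tenant_id = @tenant_id
      AND ut.user_upn = USER_NAME();
GO

-- Bind the predicate to the shared table. Because the endpoint is read-only,
-- a FILTER predicate (applied to SELECT) is the control that matters here.
CREATE SECURITY POLICY Security.tenant_filter
    ADD FILTER PREDICATE Security.fn_tenant_predicate(tenant_id) ON dbo.orders
    WITH (STATE = ON);
GO

-- Column-level security: the analyst can read order facts but not the e-mail
-- column. The principal must already have access to the endpoint through the
-- workspace or item sharing; the grant only narrows what that access returns.
GRANT SELECT ON dbo.orders (order_id, tenant_id, amount, order_date)
    TO [analyst@contoso.com];
GO

-- Checks to run while signed in as the analyst (not as the workspace owner):
SELECT order_id, tenant_id, amount FROM dbo.orders;   -- only the analyst's tenants
SELECT customer_email FROM dbo.orders;                 -- fails: no SELECT on that column
```

Objects like these belong to one item: a Silver or Gold Lakehouse has its own endpoint and needs its own policy, which is the medallion point below in practice. Before relying on this, confirm the endpoint really is in Delegated identity mode, since in User's identity mode OneLake security roles are the control the endpoint enforces, and test the policy from a Viewer-role account rather than the owner, because elevated workspace roles carry broad read access of their own.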
How does Fabric prevent data leakage in multi-tenant environments?
Fabric provides protection at the platform level:
- Compute workloads run in containerised Spark sessions that do not share memory
- Every interaction is validated through identity to prevent cross-tenant access
That said, platform security alone is not enough. Poor data design or missing governance can still introduce risk, especially when introducing AI tools.
What should we put in place now if we want to introduce AI and Copilot later?
AI doesn’t create new security issues, it exposes the ones you already have. The best approach is to design with governance from day one:
- Implement data classification and DLP policies
- Ensure end-to-end data lineage for auditability
- Certify trusted data sources
- Control access consistently across your estate
Without this, AI tools can surface sensitive data to the wrong users.
How should we handle edge cases like BYOD or isolated systems?
Two scenarios came up repeatedly: external users on their own devices and isolated applications.
For BYOD users (contractors, volunteers):
- Follow a Zero Trust approach
- Enforce MFA and device registration
- Use Intune app protection to prevent data leakage onto local devices
For isolated systems (like HR platforms):
- Keep them deliberately separate if required
- Integrate via controlled, one-way pipelines
- Use anonymised or filtered data when connecting to OneLake
What roles do DBAs and data teams play in Fabric?
Fabric doesn’t remove responsibilities; it shifts them.
- DBAs move towards capacity planning, cost management, and performance optimisation
- Data teams can work more flexibly, using tools like notebooks for Python and R alongside Power BI
It’s a broader role, but arguably a more strategic one.
After the session, Rana shared her perspective:
Security in Microsoft Fabric has to be treated as a core design principle rather than something applied later. The general availability of OneLake security at the beginning of May marks a significant milestone, as it introduces a more consistent and unified way to enforce access across users, items, and data paths, with capabilities continuing to roll out. As organisations scale their data platforms, this becomes the foundation for maintaining governance and trust. It also has a direct impact on how AI interacts with data, ensuring that insights are generated within the right security boundaries and only surfaced to the appropriate users.
Rana Kamel, Cloud Solution Architect at Microsoft
Security in Fabric isn’t something you layer on later. It’s something you design from day one. Get that right, and everything else becomes easier, from scaling your data platform to introducing AI safely and with confidence.
Missed the webinar?
If there’s information we’ve not covered here, or you simply want to learn even more about security and governance in Microsoft Fabric, you can access the on-demand recording to watch the webinar back in full.