What's new and planned for Administration, Governance and Security in Microsoft Fabric
Important
The release plans describe functionality that may or may not have been released yet. The delivery timelines and projected functionality may change or may not ship. Refer to Microsoft policy for more information.
Microsoft Fabric is a unified SaaS platform that enables customers to build diverse projects, spanning from lakehouses to BI reports/dashboards consumed by business users. Microsoft Fabric admins require tools to govern user actions and for compliance management within their tenant. Workspace and capacity administrators need these tools to organize their content and manage costs. Integration with Purview allows visibility across the tenant and tools to manage user activity.
Microsoft Fabric empowers developers to automate user experiences, streamline business processes, and enhance efficiency through a user-friendly developer platform. You can create apps that use Microsoft Fabric as a data and analytics platform, ensuring seamless data processing and collaboration without the need for extensive infrastructure management, while benefiting from built-in governance and security features.
Today, you can automate the Fabric activities in your organization with our REST APIs and SDKs. This includes workspace content deployment between development, testing, and production stages.
To learn more about how administrators can monitor and govern Microsoft Fabric, see the documentation.
Investment areas
Tags for Fabric items
Estimated release timeline: Q3 2024
Release Type: Public preview
We are introducing the ability to apply tags on Fabric items, to enhance item discoverability and use. Tenant admins can define a list of tags, from which data owners can select and apply the relevant tags to their items. Once applied, data consumers can view, search, and filter by the applied tags across various experiences.
Enhancements for Domains in Fabric
Estimated release timeline: Q3 2024
Release Type: Public preview
Domains and subdomains enable structuring the data in the organization while enabling an optimized consumption experience per business needs. In this semester we plan to strengthen the governance controls, such as delegated settings and defining a default sensitivity label per domain, and to allow more consumption experiences, such as the ability to search by domain/subdomain, filter workspaces by domain/subdomain, and see the domain details as part of the item location.
Restrict access to content by using Microsoft Purview sensitivity labels to apply protection
Estimated release timeline: Q3 2024
Release Type: Public preview
In the Microsoft Purview Information Protection portal, security admins can create sensitivity labels and also restrict access to the Fabric items that the label will be applied to, similar to how they can restrict access to Microsoft 365 content (files, emails, meetings, etc.).
For example, you can protect content in the following ways:
- Only users within your organization can access items with "Confidential" sensitivity label in Fabric.
- Only users in the finance department can edit data items with "Financial data" sensitivity label, while other users in your organization can only read them.
Limitation: This release will support restricting access for all Fabric item types except Report, Paginated report, Scorecard, Dashboard, Dataflow, Datamart, Streaming dataset, Streaming dataflow, Mirrored items, and Warehouse. Restrict access functionality for these items will be available later this calendar year.
Note: Information Protection sensitivity labels require a Microsoft Purview license.
Microsoft Purview data loss prevention policies for Lakehouses in OneLake
Estimated release timeline: Q4 2024
Release Type: Public preview
Security admins can create policies in the Microsoft Purview Data Loss Prevention portal to detect the upload of sensitive data (such as social security numbers) to a Fabric Lakehouse. If such an upload is detected, the policies will trigger automatic audit activity, can be configured to show a custom policy tip to data owners, and can also trigger an alert for security admins. DLP policies can help automate compliance processes to meet enterprise-scale compliance and regulatory requirements in an effective way.
Note: Microsoft Purview data loss prevention policies for Fabric require a Microsoft Purview license.
External data sharing enhancements
Estimated release timeline: Q4 2024
Release Type: Public preview
We will introduce additional enhancements to the external data sharing public preview in preparation for GA.
- Public APIs
- Share multiple tables
- Sovereign cloud support
Fabric monitoring
Estimated release timeline: Q4 2024
Release Type: Public preview
Fabric workspace administrators and developers require access to detailed diagnostic logs and workload metrics to troubleshoot performance issues, capacity performance, and data downtime. As part of the Fabric Monitoring feature, we intend to provide a read-only database of workspace logs that users can query ad hoc, analyze for patterns and anomalies, or use to save drafted queries as query sets. This helps drive root-cause investigations for errors, long-running queries, refresh failures, and other issues. We will continue to enhance this feature by adding in-context monitoring and diagnostics experiences.
Usage and adoption in admin monitoring
Estimated release timeline: Q1 2025
Release Type: General availability
Fabric tenant administrators need access to detailed audit logs and summarized views, to track usage and adoption growth, support audits, and ensure compliance. Analytical views built on the audit logs can help you understand user actions. You can govern Fabric by identifying specific trends, patterns, and activities. This report currently supports Power BI items and it will expand to cover other Fabric items this semester.
Private Link support at a workspace level
Estimated release timeline: Q1 2025
Release Type: Public preview
While private links at a tenant level enable secure connectivity to Fabric, we intend to provide granular support for this feature at a workspace level. Organizations can use this feature to secure inbound traffic to specific workspaces instead of the entire tenant, which allows them to secure production workspaces while letting dev and test workspaces be accessed over the internet. This setup uses Azure Private Link and Azure Networking private endpoints to ensure data traffic travels privately via Microsoft's backbone network, instead of using public endpoints. The Private Link capability at the workspace level will start with a few workloads and extend to others in phases. Once Azure Private Link is configured and public internet access is restricted, all the supported scenarios for that Fabric workspace will be routed through private links.
Data exfiltration protection for Spark
Estimated release timeline: Q1 2025
Release Type: Public preview
Fabric administrators want to ensure that data in Fabric isn't exfiltrated to unpermitted destinations outside of Fabric, whether unintentionally or due to malicious intent. In this milestone, we will provide controls to ensure Spark in a Fabric workspace can only connect to specific data sources or endpoints outside of Fabric. In the future, we will add data exfiltration support for other Fabric experiences.
Shipped feature(s)
Fabric items - Master data
Shipped (Q3 2024)
Release Type: Public preview
Previously, we introduced endorsement for Fabric items. Certified and promoted endorsements encouraged the use of standardized and trustworthy data. Now, we’re taking it a step further with the introduction of Master Data. This new endorsement stage empowers IT and data teams to define and establish the organization’s single source of truth. By defining master data, your organization can benefit from creating a repository of all critical organizational data, making it available to users with a variety of skills to discover and build upon.
Private Link support at a tenant level
Shipped (Q2 2024)
Release Type: General availability
Organizations can enhance security by using private links, allowing users in their tenant to access Microsoft Fabric securely. This setup uses Azure Private Link and Azure Networking private endpoints to ensure data traffic travels privately via Microsoft's backbone network, instead of using public endpoints. The Private Link capability at the tenant level will expand from Power BI to other workloads in phases. Once Azure Private Link is configured and public internet access is restricted, all the supported scenarios for that Fabric tenant will be routed through private links.
Managed virtual network support for Spark
Shipped (Q2 2024)
Release Type: General availability
Spark, as we know, is a distributed processing system used for big data workloads. Hence, Spark in Fabric warrants access to data at scale, but also the ability to connect to protected data sources, as most business-critical data is secured in private networks. The Managed virtual networks feature allows Spark to seamlessly connect with protected data sources in a secure manner via Managed private endpoints in a Microsoft-managed virtual network.
Fabric as a trusted service for Azure Storage
Shipped (Q2 2024)
Release Type: General availability
You'll be able to add the Fabric workspace identity (FWI) as a trusted identity for a storage account. This allows seamless connectivity to Azure Storage accounts secured by a firewall. It also enables traffic using that Fabric workspace identity from the corresponding workspace to connect to the storage account. For instance, this feature will enable creating a shortcut to a storage account deployed behind a firewall. Once a shortcut is created, users can work with this data in all Fabric workloads.
External data sharing public preview
Shipped (Q2 2024)
Release Type: Public preview
Sharing data across organizations has become a standard part of day-to-day business for many of our customers. External data sharing, now in public preview, is built on top of OneLake shortcuts and enables seamless, in-place sharing of data across tenant boundaries. This can be used by retailers sharing data with suppliers, consumers sharing diagnostic data with manufacturers, healthcare providers sharing data to create better diagnostics, corporations sharing data with their consultants, or for any other business scenario in which data needs to be shared with users outside of the data provider's tenant.
Fabric Admin APIs
Shipped (Q1 2024)
Release Type: Public preview
Admin APIs in Microsoft Fabric offer programmatic access to administrative functions within the Fabric service. Admin APIs play an important role in automating essential admin and governance tasks, including activities such as monitoring, auditing, compliance, access controls, etc. The existing PBI-only admin APIs have encountered issues like timeouts and slow performance while lacking coverage for non-PowerBI Fabric artifacts. In response to these challenges, the next-gen Fabric admin APIs were launched as part of the Fabric GA release in November 2023. The initial set of APIs focuses on the discovery and exploration of Workspaces, non-PowerBI Fabric items, and user access details at the workspace and item levels. To further enhance functionality, in Q1 2024, we are planning to extend these discovery and exploration APIs to include PowerBI items. Moreover, the Fabric API surface will be expanded to include APIs for adding and deleting users and workspaces. It's important to note that Microsoft will continue to support PowerBI-only Admin APIs to ensure a seamless transition to the new Fabric APIs.
Managed virtual network support for Spark
Shipped (Q1 2024)
Release Type: Public preview
Spark, as we know, is a distributed processing system used for big data workloads. Hence, Spark in Fabric warrants access to data at scale, but also the ability to connect to protected data sources, as most business-critical data is secured in private networks. The Managed VNets feature allows Spark to seamlessly connect with protected data sources in a secure manner via Managed private endpoints in a Microsoft-managed virtual network.
Fabric as a trusted service for Azure Storage
Shipped (Q1 2024)
Release Type: Public preview
You'll be able to add the Fabric workspace identity (FWI) as a trusted identity for a storage account. This allows seamless connectivity to Azure Storage accounts secured by a firewall. It also enables traffic using that Fabric workspace identity from the corresponding workspace to connect to the storage account. For instance, this feature will enable creating a shortcut to a storage account deployed behind a firewall. Once a shortcut is created, users can work with this data in all Fabric workloads.
Private Link support at a tenant level
Shipped (Q1 2024)
Release Type: Public preview
Organizations can enhance security by using private links, allowing users in their tenant to access Microsoft Fabric securely. This setup uses Azure Private Link and Azure Networking private endpoints to ensure data traffic travels privately via Microsoft's backbone network, instead of using public endpoints. The Private Link capability at the tenant level will expand from Power BI to other workloads in phases. Once Azure Private Link is configured and public internet access is restricted, all the supported scenarios for that Fabric tenant will be routed through private links.
More users in the organization can edit and republish protected PBIX files in Power BI Desktop
Shipped (Q1 2024)
Release Type: Public preview
This feature allows users with a wider range of sensitivity permissions from the Microsoft Purview compliance portal to open, edit, and publish encrypted PBIX files in Power BI Desktop. Some limitations apply.
Microsoft Fabric Git integration (ADO)
Shipped (Q1 2024)
Release Type: Public preview
Git integration is offered to users connecting to Azure DevOps repositories, enabling synchronization between Microsoft Fabric workspace and the selected Git repository (for commits and updates). Additional Microsoft Fabric items will support source control - Data pipeline, Warehouse, Spark Environment and Spark Job Definition. We'll also provide public REST APIs for automating key git operations, such as connecting a workspace to a git branch, committing items, and updating items from git.
Admin API to query delegated tenant settings
Shipped (Q1 2024)
Release Type: Public preview
This API enables tenant administrators to track settings modifications made by other administrators at capacity, domain, or workspace levels. It scans and returns all the units of governance or a group of such units where the tenant admin settings have been overridden. In the initial release, we aim to include the ability to query tenant settings delegated to a capacity.
Purview hub for administrators and data owners
Shipped (Q1 2024)
Release Type: Public preview
Fabric admins and data owners can gain valuable insights about sensitive data and certified and promoted items. The hub contains these insights and provides a gateway to advanced capabilities in Microsoft Purview portals.
Workspace recovery
Shipped (Q1 2024)
Release Type: General availability
In the event of unintentional workspace deletions, this feature allows tenant admins to recover workspaces, including Fabric items. Admins can set recovery policies and recover the deleted workspaces within a specified timeframe. Deleted workspaces are soft deleted and recoverable by the tenant admins. Tenant admins will be able to configure the retention period via a setting in the Fabric admin portal. This capability is already supported for workspaces with Power BI items, and it will extend to include workspaces with Fabric items.
Purview Information Protection sensitivity labels
Shipped (Q1 2024)
Release Type: General availability
Microsoft Purview Information Protection sensitivity labels integration into Fabric introduces the familiar concept of sensitivity from Office. In Office, you can see confidential documents and emails, and you may not be authorized to export sensitive data. Similarly, in Fabric you can easily identify and control confidential content using Information Protection sensitivity labels. When the owner assigns a sensitivity label to a lakehouse or any other item, the label is inherited with the data by all the downstream items. Additionally, when exporting data from Fabric to Office files, the label and protection settings are automatically applied to the Office files.
Purview Information Protection default sensitivity labels policy
Shipped (Q1 2024)
Release Type: General availability
Compliance and security admins can configure the label policy in the Microsoft Purview compliance portal to automatically apply a sensitivity label to newly created Fabric items. This helps organizations meet compliance and regulatory requirements of having all their data in Fabric with sensitivity labels.
Require users to apply Purview Information Protection sensitivity labels
Shipped (Q1 2024)
Release Type: General availability
Compliance and security admins can configure the label policy in the Microsoft Purview compliance portal to require users to apply a sensitivity label to newly created Fabric items. This helps organizations meet compliance and regulatory requirements of having all their data in Fabric with sensitivity labels.
Disaster recovery support
Shipped (Q1 2024)
Release Type: General availability
The goal of Business Continuity and Disaster Recovery (BCDR) is to ensure uninterrupted access to data and services during data center outages or regional disasters. As we shift towards a self-service SaaS model for our cloud-scale analytics solutions, we understand the need for minimal configuration and planning for critical workloads. In our initial release, we'll provide cross-regional data availability in OneLake if there's a disaster. We also plan to enable capacity-level disaster recovery configuration, allowing you to select replication for essential workspace data while excluding dev and test workspaces.
Deployment pipelines
Shipped (Q4 2023)
Release Type: General availability
As organizations increasingly adopt Deployment pipelines, there's a growing demand to add more stages to these pipelines. This year, we'll enable customers to define and customize the number of stages for each pipeline they create. Furthermore, certain Microsoft Fabric items will become deployable as part of a pipeline deployment process: Data pipeline and Warehouse.
Microsoft Fabric Reserved Instance offerings in Azure
Shipped (Q4 2023)
Currently all the capabilities of Fabric are available for purchase within Azure with a Pay-as-you-go offering with lower purchase points. You can pause/resume and scale up/down on demand. Soon you can purchase a 1-year reservation for Fabric with large discounts for that commitment.