How to: Secure data Microsoft Fabric mirrored databases from Azure SQL Database (Preview)

This guide helps you establish data security in your mirrored Azure SQL Database in Microsoft Fabric.

Security requirements

1. The System Assigned Managed Identity (SAMI) of your Azure SQL logical server needs to be enabled. After enabling the SAMI, if the SAMI is disabled or removed, the mirroring of Azure SQL Database to Fabric OneLake will fail.

   To configure, go to your logical SQL Server in the Azure portal. Under Security the resource menu, select Identity. Under System assigned managed identity, select Status to On.

2. Fabric needs to connect to the Azure SQL database. For this purpose, create a dedicated database user with limited permissions, to follow the principle of least privilege. Create either a login with a strong password and connected user, or a contained database user with a strong password. For a tutorial, see Tutorial: Configure Microsoft Fabric mirrored databases from Azure SQL Database (Preview).

Important

Any granular security established in the source database must be re-configured in the mirrored database in Microsoft Fabric. For more information, see SQL granular permissions in Microsoft Fabric.

Data protection features

You can secure column filters and predicate-based row filters on tables to roles and users in Microsoft Fabric:

• Row-level security in Fabric data warehousing
• Column-level security in Fabric data warehousing

You can also mask sensitive data from non-admins using dynamic data masking:

• Dynamic data masking in Fabric data warehousing

Related content

• What is Mirroring in Fabric?
• SQL granular permissions in Microsoft Fabric