This security baseline applies guidance from the Microsoft cloud security benchmark version 1.0 to Microsoft Fabric. The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Microsoft cloud security benchmark and the related guidance applicable to Microsoft Fabric.
When a feature has relevant Azure Policy Definitions, they are listed in this baseline to help you measure compliance with the Microsoft cloud security benchmark controls and recommendations. Some recommendations may require a paid Microsoft Defender plan to enable certain security scenarios.
Network Security
For more information, see Microsoft cloud security benchmark - Network Security.
NS-1: Establish network segmentation boundaries
Guidance: Create and use managed private endpoints for notebooks, lakehouses, and Spark job definitions to securely connect to data sources behind private endpoints.
Responsibility: Shared
NS-2: Secure cloud native services with network controls
Guidance: Microsoft Fabric supports connecting your Fabric tenant to a private link endpoint and disabling public internet access.
NOTE: Microsoft Fabric is a SaaS service that relies on Microsoft Entra ID as its authentication provider. Inbound network traffic control for a SaaS service can be attained by using Microsoft Entra ID Conditional Access policies.
Responsibility: Shared
NS-3: Deploy firewall at the edge of enterprise network
Guidance: Microsoft Fabric is a SaaS offering hosted on Azure infrastructure, and Microsoft has built in some automatic protections for well-known common attack vectors.
Responsibility: Microsoft
NS-4: Deploy intrusion detection/intrusion prevention systems (IDS/IPS)
Guidance: Microsoft Fabric doesn’t have explicit built-in network intrusion detection and intrusion prevention system (IDS/IPS) features. Microsoft Fabric is an Azure Core service built on Azure foundational services that have some automatic protections built in for well-known common attack vectors, as well as customer-configurable options. Microsoft Fabric provides access to activity and audit logs that customers can use for activity monitoring.
Responsibility: Shared
NS-5: Deploy DDOS protection
Guidance: Microsoft Fabric has built-in DDoS protection for common attack scenarios. These are managed and controlled by Microsoft.
Responsibility: Microsoft
NS-6: Deploy web application firewall
Guidance: Microsoft Fabric has built-in WAF managed and controlled by Microsoft.
Responsibility: Microsoft
NS-7: Simplify network security configuration [N/A]
Guidance: N/A. Microsoft Fabric does not expose underlying configurations; these settings are maintained by Microsoft.
NS-8: Detect and disable insecure services and protocols [N/A]
Guidance: N/A. Microsoft Fabric does not expose underlying configurations; these settings are maintained by Microsoft.
NS-9: Connect on-premises or cloud network privately
Guidance: Microsoft Fabric provides support for virtual network and on-premises Data Gateways.
Responsibility: Customer
NS-10: Ensure Domain Name System (DNS) security [N/A]
Guidance: N/A. Microsoft Fabric does not expose its underlying DNS configurations; these settings are maintained by Microsoft.
Identity Management
For more information, see Microsoft cloud security benchmark - Identity management.
IM-1: Use centralized identity and authentication system
Guidance: Microsoft Fabric is integrated with Microsoft Entra ID, which is Azure's default identity and access management service. You should standardize on Microsoft Entra ID to govern your organization’s identity and access management.
Securing Microsoft Entra ID should be a high priority in your organization’s cloud security practice. Microsoft Entra ID provides an identity secure score to help you assess identity security posture relative to Microsoft’s best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.
Note: Microsoft Entra ID supports external identities that allow users without a Microsoft account to sign in to their applications and resources with their external identity. For Microsoft Fabric guest user scenarios, refer to the B2B page below.
Responsibility: Customer
IM-2: Protect identity and authentication systems
Guidance: Secure your identity and authentication system as a high priority in your organization's cloud security practice. Use Microsoft Entra ID security baseline and the Microsoft Entra ID Identity Secure Score to evaluate your Microsoft Entra ID identity security posture and remediate security and configuration gaps.
Responsibility: Customer
IM-3: Manage application identities securely and automatically
Guidance: Use managed identities instead of human accounts for accessing resources. They reduce credential exposure and support automated credential rotation for better security. Microsoft Fabric, Power BI, and Power BI Embedded support the use of workspace identities and service principals. Power BI Embedded supports service principal profiles.
Automate Power BI Premium workspace and semantic model tasks with service principals
Use service principal profiles to manage customer data in multitenant apps Power BI
Responsibility: Customer
IM-4: Authenticate server and services
Guidance: Authenticate remote servers using TLS to ensure trusted connections. Clients verify server certificates from trusted authorities. Customers should ensure that their data ingestion processes are adequately secured. Microsoft Fabric enforces TLS 1.2+ on all connections.
Responsibility: Customer
IM-5: Use single sign-on (SSO) for application access
Guidance: Use single sign-on (SSO) to simplify the user experience for authenticating to resources including applications and data across cloud services and on-premises environments.
Microsoft Fabric uses Microsoft Entra ID to provide identity and access management to Azure resources, cloud applications, and on-premises applications. This includes enterprise identities such as employees, as well as external identities such as partners, vendors, and suppliers. This enables single sign-on (SSO) to manage and secure access to your organization’s data and resources on-premises and in the cloud.
Responsibility: Customer
IM-6: Use strong authentication controls
Guidance: Enforce strong authentication controls with centralized identity and authentication management system for all access to resources.
Introduction to passwordless authentication options for Azure Active Directory
Eliminate bad passwords using Microsoft Entra ID Password Protection
Microsoft Fabric relies on Microsoft Entra ID to authenticate users (or service principals). When authenticated, users receive access tokens from Microsoft Entra ID.
Responsibility: Customer
IM-7: Restrict resource access based on conditions
Guidance: Explicitly validate trusted signals to allow or deny user access to resources, as part of a zero-trust access model. Microsoft Entra ID conditional access ensures that tenants are secure by enforcing multifactor authentication, allowing only Intune enrolled devices to access specific services, and restricting user locations and IP ranges.
Responsibility: Customer
IM-8: Restrict the exposure of credentials and secrets
Guidance: A Fabric workspace identity is a credential-free managed service principal that provides authentication for Fabric items by connecting them to Microsoft Entra-supported resources.
For Microsoft Fabric items it is recommended to implement Credential Scanner to identify credentials within your code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.
For GitHub, you can use native secret scanning features to identify credentials or other forms of secrets within the code.
Responsibility: Customer
IM-9: Secure user access to existing applications
Guidance: Microsoft Fabric supports connecting to on-premises data sources via the On-premises data gateway, securely transferring data from your on-premises environment to Fabric items like Dataflow Gen2 and semantic models.
Responsibility: Customer
Privileged access
For more information, see Microsoft cloud security benchmark - Privileged Access | Microsoft Learn
PA-1: Separate and limit highly privileged/administrative users
Guidance: Ensure you identify all Microsoft Fabric high business impact accounts such as Fabric or Global Administrators. Limit the number of privileged/administrative accounts in your Microsoft Fabric control plane, management plane, and data/workload plane. You must secure all roles with direct or indirect administrative access. Consider using Privileged Identity Management (PIM) and service principals with task-specific permissions (e.g., SPN read-only access to Admin APIs). Exercise caution and care when delegating settings to capacity and workspace admins.
Responsibility: Customer
PA-2: Avoid standing access for user accounts and permissions [N/A]
Guidance: N/A
PA-3: Manage lifecycle of identities and entitlements
Guidance: Use an automated process or other suitable technical control to monitor and manage access permissions to the tenant and its items.
Responsibility: Customer
PA-4: Review and reconcile user access regularly
Guidance: As a Microsoft Fabric service admin, you can analyze usage for all Fabric resources at the tenant level by using custom reports based on the Activity or Microsoft 365 Audit logs. You can download the activities by using a REST API or PowerShell cmdlet. You can also filter the activity data by date range, user, and activity type.
You must meet these requirements to access the Activity log:
You must either be a Global admin or a Fabric service tenant admin.
You have installed the Power BI Management cmdlets locally or use the Power BI Management cmdlets in Azure Cloud Shell.
Once these requirements are met you can follow the guidance below to track user activity within Fabric:
Perform regular user access reviews to ensure that permissions are appropriately set based on user and business function.
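The activity log download described above, as an added example (not Microsoft's own script): it walks the activity log one UTC day at a time with the Power BI Management cmdlets, archives each day's raw JSON, and writes a per-user summary for an access review. The output folder, file names and parameter defaults are assumptions made for illustration.

```powershell
# Added example, not Microsoft's own script. Prerequisites as listed above:
# a Global admin or Fabric admin account and the Power BI Management cmdlets
# (Install-Module MicrosoftPowerBIMgmt).
param(
    [int]$DaysBack = 30,                                   # how many days to walk back
    [string]$OutDir = (Join-Path $PWD 'fabric-activity'),  # hypothetical archive folder
    [string]$User,                                         # optional filter: user principal name
    [string]$ActivityType                                  # optional filter, e.g. ViewReport
)

Connect-PowerBIServiceAccount | Out-Null
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$today = [DateTime]::UtcNow.Date
$allEvents = foreach ($offset in ($DaysBack - 1)..0) {
    $day = $today.AddDays(-$offset).ToString('yyyy-MM-dd')

    # The cmdlet accepts only a start and end that fall on the same UTC day,
    # so the window is walked one day at a time.
    $query = @{
        StartDateTime = "${day}T00:00:00"
        EndDateTime   = "${day}T23:59:59"
        ResultType    = 'JsonString'
    }
    if ($User)         { $query.User = $User }
    if ($ActivityType) { $query.ActivityType = $ActivityType }

    try {
        $json = Get-PowerBIActivityEvent @query -ErrorAction Stop
    }
    catch {
        Write-Warning "No activity data retrieved for ${day}: $($_.Exception.Message)"
        continue
    }
    if (-not $json) { continue }

    # Keep the raw export so the record outlives the service-side retention.
    Set-Content -Path (Join-Path $OutDir "$day.json") -Value $json -Encoding UTF8

    # Parentheses force array enumeration on Windows PowerShell 5.1 as well as 7+.
    ($json | ConvertFrom-Json) | ForEach-Object { $_ }
}

# Per-user summary for an access review: who was active, how much, and when last.
# UserId, Activity and CreationTime are properties of the returned events.
$summary = $allEvents | Group-Object UserId | ForEach-Object {
    [pscustomobject]@{
        UserId       = $_.Name
        Events       = $_.Count
        LastActivity = $_.Group.CreationTime | Sort-Object | Select-Object -Last 1
        Activities   = ($_.Group.Activity | Sort-Object -Unique) -join ', '
    }
}
$summary | Sort-Object LastActivity |
    Export-Csv -Path (Join-Path $OutDir 'user-activity-summary.csv') -NoTypeInformation
```

Accounts that hold permissions but do not appear in the summary had no recorded activity in the window, which makes them candidates for the access review.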
Responsibility: Customer
PA-5: Set up emergency access [N/A]
Guidance: N/A
PA-6: Use privileged access workstations
Guidance: Secured, isolated workstations are critically important for the security of sensitive roles like administrators, developers, and critical service operators. Use highly secure user workstations and/or Azure Bastion for administrative tasks related to managing Microsoft Fabric. Use Microsoft Entra ID, Microsoft Defender Advanced Threat Protection (ATP), and/or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. The secured workstations can be centrally managed to enforce secured configuration including strong authentication, software and hardware baselines, restricted logical and network access.
Use conditional access policies to ensure that highly privileged logins come only from compliant devices on allowed IP ranges.
Responsibility: Customer
PA-7: Follow just enough administration (least privilege) principle
Guidance: Follow the just enough administration (least privilege) principle to manage permissions at fine-grained level. Use features such as role-based access control (RBAC) to manage resource access through role assignments. See permission model in PA-3.
Responsibility: Customer
PA-8: Determine access process for cloud provider support
Guidance: Establish an approval process and access path for requesting and approving vendor support requests and temporary access to your data through a secure channel. In support scenarios where Microsoft needs to access your data, use Customer Lockbox to review and either approve or reject each data access request made by Microsoft.
Responsibility: Customer
Data Protection
For more information, see Microsoft cloud security benchmark - Data protection | Microsoft Learn
DP-1: Discover, classify, and label sensitive data
Guidance: Use sensitivity labels from Microsoft Purview Information Protection to classify and label your reports, dashboards, datasets, dataflows, and other items in the Microsoft Fabric service. Labels guard your sensitive content against unauthorized data access and leakage, including when content is exported from Microsoft Fabric to file formats that support labels, such as Excel, PowerPoint, and PDF files.
Responsibility: Customer
DP-2: Monitor anomalies and threats targeting sensitive data
Guidance: Use Microsoft Purview Data Loss Prevention Policies to detect upload of sensitive data and trigger automatic risk remediation issues.
Track user activities in Power BI - Power BI | Microsoft Learn
Responsibility: Customer
DP-3: Encrypt sensitive data in transit
Guidance: For HTTP traffic, ensure that any clients and data sources connecting to your Microsoft Fabric resources can negotiate TLS v1.2 or greater.
Responsibility: Customer
DP-4: Enable data at rest encryption by default
Guidance: Microsoft Fabric encrypts all data at rest and in transit. By default, Microsoft Fabric uses Microsoft-managed keys to encrypt your data.
Responsibility: Microsoft
DP-5: Use customer-managed key option in data at rest encryption when required
Guidance: If required for regulatory compliance, define the use case and service scope where customer-managed key option is needed. Enable and implement data at rest encryption using customer-managed keys in Microsoft Fabric service. Organizations can choose to use their own keys for encryption of data at rest for imported semantic models hosted in workspaces in Premium capacities.
Responsibility: Customer
DP-6: Use a secure key management process
Guidance: Use a secure key vault service for key generation, distribution, and storage. Rotate and revoke your keys based on the defined schedule as required by applicable standards and when there is a key retirement or compromise.
NOTE: Power BI BYOK supports HSM key import into AKV Premium.
Responsibility: Customer
DP-7: Use a secure certificate management process [N/A]
Guidance: N/A
DP-8: Ensure security of key and certificate repository [N/A]
Guidance: N/A
Asset Management
For more information, see Microsoft cloud security benchmark - Asset Management | Microsoft Learn
AM-1: Track asset inventory and their risks
Guidance: As a SaaS service, the physical inventory of hardware and devices is monitored by Microsoft. For monitoring of Fabric resources, use the Fabric Scanner API to set up metadata scanning of your organization’s Fabric items.
Responsibility: Shared
AM-2: Use only approved services
Guidance: Use Azure Policies to control who can provision Fabric capacities. Ensure that only approved Microsoft Fabric workloads can be used on the tenant by auditing and restricting which workloads users can create and access in the tenant. Use a combination of tenant, capacity, or workspace admin delegated controls to provide this level of control.
Responsibility: Customer
AM-3: Ensure security of asset lifecycle management
Guidance: Establish or update security policies/process that address asset lifecycle management processes for potentially high impact modifications. These modifications include changes to access, data sensitivity level, network configuration, and administrative privilege assignment to Microsoft Fabric tenant, capacities, and workspaces.
Identify and remove Microsoft Fabric resources when they are no longer needed.
Responsibility: Customer
AM-4: Limit access to asset management
Guidance: Use the principle of least privilege when assigning user permissions to tenants, workspaces, and artifacts. Ensure that the number of users that have highly privileged roles is limited. Limit users' access to Microsoft Fabric management features, to avoid accidental or malicious modification of the items in your Microsoft Fabric tenant.
What is Microsoft Fabric administration? - Microsoft Fabric | Microsoft Learn
Workspace admin settings - Microsoft Fabric | Microsoft Learn
Manage your Fabric capacity - Microsoft Fabric | Microsoft Learn
Roles in workspaces in Microsoft Fabric - Microsoft Fabric | Microsoft Learn
Responsibility: Customer
AM-5: Use only approved applications in virtual machine [N/A]
Guidance: N/A
Logging and Threat Detection
For more information, see Microsoft cloud security benchmark - Logging and threat detection | Microsoft Learn
LT-1: Enable threat detection capabilities
Guidance: To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies. Configure your alert filtering and analytics rules to extract high-quality alerts from log data, agents, or other data sources to reduce false positives. Activity and Microsoft 365 logging on the Microsoft Fabric tenant are enabled by default.
Microsoft Purview Compliance Manager alerts and alert policies
Considerations for DSPM for AI & data security and compliance protections for Copilot
Responsibility: Customer
LT-2: Enable threat detection for Azure identity and access management
Guidance: Forward any logs from Microsoft Fabric to your SIEM, which can be used to set up custom threat detections. Additionally, use Microsoft Defender for Cloud Apps controls in Power BI to enable anomaly detection by following the guide Using Microsoft Defender for Cloud Apps controls in Power BI.
Responsibility: Customer
LT-3: Enable logging for security investigation
Guidance: Activity and Audit logs in Microsoft Fabric are enabled by default. There are additional logging and monitoring options available and configurable at workspace level for high value assets.
Responsibility: Customer
LT-4: Enable network logging for security investigation
Guidance: Microsoft Fabric is a fully managed SaaS offering, and the underlying network configuration and logging are Microsoft’s responsibility. For customers using Private Links, some configurable logging and monitoring is available.
Responsibility: Shared
LT-5: Centralize security log management and analysis
Guidance: Microsoft Fabric centralizes logs in two places: the Power BI activity log and the unified audit log. These logs both contain a complete copy of the Microsoft Fabric auditing data, but there are several key differences, as summarized below.
Unified Audit Log:
Includes events from SharePoint Online, Exchange Online, Dynamics 365, and other services in addition to the Power BI and Microsoft Fabric auditing events.
Only users with View-Only Audit Logs or Audit Logs permissions have access, such as global admins and auditors.
Global admins and auditors can search the unified audit log by using the Microsoft Defender XDR portal and the Microsoft Purview portal.
Global admins and auditors can download audit log entries by using Microsoft 365 Management APIs and cmdlets.
Keeps audit data for 180 days.
Retains audit data, even if the tenant is moved to a different Azure region.
Power BI Activity Log:
Includes only the Microsoft Fabric and Power BI auditing events.
Global admins and Microsoft Fabric service admins have access.
Global admins and Microsoft Fabric service admins can download activity log entries by using a Power BI REST API and management cmdlet.
Keeps activity data for 30 days.
Doesn't retain activity data when the tenant is moved to a different Azure region.
Responsibility: Customer
LT-6: Configure log storage retention
Guidance: Configure your storage retention policies for your Audit logs according to your compliance, regulation, and business requirements.
Responsibility: Customer
LT-7: Use approved time synchronization sources
Guidance: Microsoft Fabric does not support configuring your own time synchronization sources. The Microsoft Fabric service relies on Microsoft time synchronization sources, which are not exposed to customers for configuration.
Responsibility: Microsoft
Incident response
For more information, see Microsoft cloud security benchmark - Incident Response | Microsoft Learn
IR-1: Preparation - update incident response plan and handling process
Guidance: Update your organization's incident response process to include the handling of incidents in Microsoft Fabric. Based on the Microsoft Fabric workloads used and your applications that rely on Microsoft Fabric, customize the incident response plan and playbook to ensure they can be used to respond to the incident in the cloud environment.
Responsibility: Customer
IR-2: Preparation - setup incident notification
Guidance: Set up security incident contact information in Microsoft Defender for Cloud. This contact information is used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alerts and notification in different Azure services based on your incident response needs.
Responsibility: Customer
IR-3: Detection and analysis - create incidents based on high-quality alerts
Guidance: Microsoft Defender for Cloud provides high-quality alerts across many Azure assets. You can use the Microsoft Defender for Cloud data connector to stream the alerts to Microsoft Sentinel. Microsoft Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation.
Export your Microsoft Defender for Cloud alerts and recommendations using the export feature to help identify risks to Microsoft Fabric and other Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion.
Responsibility: Customer
IR-4: Detection and analysis - investigate an incident
Guidance: Understand how to access and use the Microsoft Fabric activity and audit logs, which are enabled by default. Enable optional logging for high value assets (see LT-3). Consider exporting your logs to Microsoft Sentinel. Leverage logs provided by services that Microsoft Fabric integrates with, such as Microsoft Entra ID. NOTE: User sign-ins to Power BI or Fabric are not tracked in the activity logs; audit logs do capture service sign-ins. The record type differs (e.g., use PowerBIAudit for Power BI and Microsoft Fabric events and AzureActiveDirectoryStsLogon to track service logins).
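One way to combine the two record types named in the note during an investigation, as an added example (not Microsoft's own script): it searches the unified audit log for one user's PowerBIAudit and AzureActiveDirectoryStsLogon records and merges them into a single timeline. It assumes the ExchangeOnlineManagement module; the helper name Get-UalRecord and the output file name are hypothetical.

```powershell
# Added example, not Microsoft's own script. Assumes the ExchangeOnlineManagement
# module and an account with permission to search the unified audit log.
param(
    [Parameter(Mandatory)][string]$UserId,     # user principal name under investigation
    [Parameter(Mandatory)][datetime]$Start,    # start of the investigation window
    [Parameter(Mandatory)][datetime]$End,      # end of the investigation window
    [string]$OutFile = 'fabric-timeline.csv'   # hypothetical output path
)

Connect-ExchangeOnline -ShowBanner:$false

# Hypothetical helper: pages through one record type for the user and window.
function Get-UalRecord {
    param([string]$RecordType)
    $session = [guid]::NewGuid().ToString()
    do {
        # The same SessionId with ReturnLargeSet returns the next page on each call.
        $page = @(Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $UserId `
                -RecordType $RecordType -SessionId $session `
                -SessionCommand ReturnLargeSet -ResultSize 5000)
        $page
    } while ($page.Count -gt 0)
}

# Fabric / Power BI events and service sign-ins live under different record types,
# so both are queried and then merged.
$timeline = foreach ($type in 'PowerBIAudit', 'AzureActiveDirectoryStsLogon') {
    foreach ($record in Get-UalRecord -RecordType $type) {
        # AuditData carries the full event as a JSON string.
        $data = $record.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            CreationDate = $record.CreationDate
            RecordType   = $type
            Operation    = $data.Operation
            ClientIP     = $data.ClientIP
            Item         = $data.ItemName        # empty for sign-in records
            Workspace    = $data.WorkSpaceName   # empty for sign-in records
        }
    }
}

# Large-set results come back unsorted, so order them before review.
$timeline | Sort-Object CreationDate |
    Export-Csv -Path $OutFile -NoTypeInformation
```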
Responsibility: Customer
IR-5: Detection and analysis - prioritize incidents
Guidance: Microsoft Defender for Cloud assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Microsoft Defender for Cloud is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.
Similarly, Microsoft Sentinel creates alerts and incidents with an assigned severity and other details based on analytics rules. Use analytic rule templates and customize the rules according to your organization's needs to support incident prioritization. Use automation rules in Microsoft Sentinel to manage and orchestrate threat response in order to maximize your security operations team's efficiency and effectiveness, including tagging incidents to classify them.
Responsibility: Customer
IR-6: Containment, eradication, and recovery - automate the incident handling
Guidance: Use workflow automation features in Microsoft Defender for Cloud and Microsoft Sentinel to automatically trigger actions or run a playbook to respond to incoming security alerts. Playbooks take actions, such as sending notifications, disabling accounts, and isolating problematic networks.
Responsibility: Customer
IR-7: Post-incident activity - conduct lessons learned and retain evidence
Guidance: Use the outcome from the lessons learned activity to update your incident response plan, playbook (such as a Microsoft Sentinel playbook) and reincorporate findings into your environments (such as logging and threat detection to address any gaps in logging) to improve your future capability in detecting, responding, and handling of incidents in Microsoft Fabric.
Keep the evidence collected during the "Detection and analysis - investigate an incident" step, such as logs, in storage such as an Azure Storage account for immutable retention.
Responsibility: Customer
Posture and Vulnerability Management
For more information, see Microsoft cloud security benchmark - Posture and Vulnerability Management | Microsoft Learn
PV-1: Define and establish secure configurations
Guidance: Use the Microsoft cloud security benchmark baseline for Microsoft Fabric to define your configuration baseline for each workload. Refer to the Microsoft Fabric security documentation to understand security controls and configurations that may be needed across Microsoft Fabric resources.
Responsibility: Customer
PV-2: Audit and enforce secure configurations
Guidance: Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Microsoft Fabric Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources.
Use Azure Policy rules, e.g., [deny], to enforce secure configuration across Azure resources.
For resource configuration audit and enforcement not supported by Azure Policy, you may need to write custom scripts or use third-party tooling to implement the configuration audit and enforcement. Monitor your Microsoft Fabric instance using the Admin REST APIs.
Responsibility: Customer
PV-3: Define and establish secure configurations for compute resources
Guidance: Ensure that only authorized personnel can provision, manage, and access Microsoft Fabric compute resources such as Spark jobs. Otherwise, Microsoft Fabric is a fully managed SaaS offering; the service's underlying compute resources are secured and managed by Microsoft.
Responsibility: Shared
PV-4: Audit and enforce secure configurations for compute resources
Guidance: Microsoft Fabric is a fully managed SaaS offering; the service's underlying compute resources are secured and managed by Microsoft.
Responsibility: Microsoft
PV-5: Perform vulnerability assessments
Guidance: Microsoft security teams, third-party vendors, and engineering teams conduct regular, rigorous vulnerability testing and assessment of Microsoft Fabric products and services per the requirements of attained certification standards and SDL practices. Customers may choose to perform their own vulnerability assessments for Microsoft Fabric resources at all tiers on a fixed schedule or on demand.
Responsibility: Microsoft
PV-6: Rapidly and automatically remediate vulnerabilities
Guidance: Microsoft Fabric is a fully managed SaaS offering; the service's underlying compute resources are scanned and managed by Microsoft.
Responsibility: Microsoft
PV-7: Conduct regular red team operations
Guidance: As required, conduct penetration testing or red team activities on your implementation and use of Microsoft Fabric resources, and ensure remediation of all critical security findings. As a fully managed SaaS offering, Microsoft Fabric performs regular penetration testing; however, customer implementations are the responsibility of the customer to secure.
Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.
Responsibility: Shared
Endpoint security
For more information, see Microsoft cloud security benchmark - Endpoint security | Microsoft Learn
Guidance: Microsoft Fabric does not deploy any customer-facing compute resources which would require customers to configure Endpoint Detection and Response (EDR) protection. The underlying infrastructure for Microsoft Fabric is handled by Microsoft, which includes anti-malware and EDR handling.
For more information, see the Azure Security Benchmark: Network Security
Responsibility: Microsoft
Backup and recovery
For more information, see Microsoft cloud security benchmark - Backup and recovery | Microsoft Learn
BR-1: Ensure regular automated backups
Guidance: Power BI is a fully managed service that has built-in BCDR managed by Microsoft. There are additional backup options available for high value Power BI assets. Broader Microsoft Fabric backup options are available as well: Reliability in Microsoft Fabric | Microsoft Learn.
Fabric provides experience-specific guidance for backup and disaster recovery of data and processes stored inside and outside of OneLake.
When data is stored in OneLake: Fabric offers cross-region replication for data stored in OneLake. Customers can opt in or out of this feature based on their geo-redundancy requirements. In a regional disaster scenario, Fabric guarantees data access, with certain limitations. While the creation or modification of new items is restricted after failover, the primary focus remains on ensuring that existing data in OneLake remains accessible and intact. Fabric provides a structured set of instructions to guide customers through the recovery process for data.
When data is stored outside of OneLake: customers must copy critical data and processes stored outside of OneLake to another region in a way that aligns to their disaster recovery plan.
Power BI includes disaster recovery by default; no activation is needed. Power BI uses Azure storage geo-redundant replication and Azure SQL geo-redundant replication to ensure backup instances exist in other regions for greater availability and reduced risk. During disruptions, Power BI items (semantic models, reports, dashboards) stay accessible in read-only mode, supporting ongoing analysis and decision-making.
BR-2: Protect backup and recovery data
Guidance: Power BI is a fully managed service that has built-in BCDR managed by Microsoft. Fabric provides a structured set of instructions to guide customers through the recovery process for data.
Responsibility: Shared
BR-3: Monitor backups
Guidance: Power BI is a fully managed service that has built-in BCDR managed by Microsoft. Power BI and Microsoft Fabric item backups configured by the customer should be managed and monitored by the customer.
Responsibility: Shared
BR-4: Regularly test backup
Guidance: Power BI is a fully managed service that has built-in BCDR managed by Microsoft. The Microsoft engineering team performs regular BCDR tests; customers will not be able to simulate a BCDR event and test Microsoft-owned backups of their tenant data. Customer-created and customer-owned backups, such as semantic model backups created by the customer and Microsoft Fabric item backups, are the customer's responsibility.
Responsibility: Shared