Overview of the Admin monitoring workspace

The admin monitoring workspace is an out-of-the-box solution that installs automatically when a Fabric admin accesses it. You can share the entire workspace or individual reports/semantic models with any user or group. Use the reports for insights on user activity, content sharing, capacity performance, and more in your Fabric tenant. Connect to the semantic models to create advanced reporting solutions tailored to your organization's needs (see documentation for more details).

Since the launch of the Admin monitoring workspace, we've made incremental improvements:

• Modernized Admin Monitoring Report Design: A more intuitive and user-friendly interface for easier monitoring and management.
• Additional Reporting Fields: Metadata attributes like DLP scan time/status, Org sharing links, and deleted status for deeper insights and comprehensive reporting.
• Direct Access URLs: Item and workspace URLs for taking direct actions on flagged items/workspaces.
• Reporting Enhancements: Improvements to the Adoption report and Inventory page for better functionality and usability.
• Data Model Optimizations: Performance improvements through optimizations to the data model, including the Fabric unified model.

The Content Sharing report

We are pleased to announce our latest addition, the Content Sharing report, which aims to provide administrators and security and compliance teams with a comprehensive view of item access within the Fabric tenant (see documentation for more details).

The report has several pages:

• Inventory Overview - Provides a high-level overview of Fabric items across your organization
• Analysis - Analyze inventory across different dimensions through a decomposition tree visualization
• Workspace - Shows detailed inventory information for one or multiple workspaces
• Details - Lists all Fabric items in a tabular view

How you can use this report

Starting with the Overview page, the report looks to address some of these broad topics:  

• Which workspaces in my tenant have the most items?
• Which Fabric item types are most used in my organization?
• How are my items distributed by endorsement and sensitivity label?
• Is my organization effectively using domains to organize its Fabric inventory?

Next, we will look at the different metrics available in the report and conclude with some common scenarios.

Metrics available in the report

The report focuses on several key aspects of inventory management:

• Total Access Counts: The report provides detailed information on the number of users and group members that have access to specific items. Total access counts also include access granted via sharing links.
• Sensitivity and Endorsement Labels: The report includes visuals to show items with (or without) sensitivity and endorsement labels, helping users to identify and manage sensitive data or improve data governance practices.
• Deleted Items: Users can track items that have been deleted and who last modified an item, for better item lifecycle management in their tenant.
• Workspace URL and Item URL: On the Details page, users can navigate directly to the workspace/item without leaving the browser. 

Note, you need access to the underlying workspace/item for the URL link to work.

Regarding Item URL, at the moment these URLs are only available for legacy Power BI (Reports/Semantic Models/Dataflows) along with these data items (Datawarehouse/Datamart/Lakehouse).

Content_Sharing_Report_Preview

Scenarios

The Content Sharing report is useful in various scenarios:

• Inventory distribution: Users can leverage the metadata in the Overview page to get a summary view of their inventory by domain, capacity, workspace, and item sensitivity/endorsement and item type. There are additional slicers and filters to further describe their items such as “Last modified by” (the user which last made changes to an item), “DLP policy violation” (for data loss prevention), and more.  From the Overview page, users can navigate to the Analysis/Workspace/Details pages directly or by drilling through for a more specific analysis.

Content_Sharing_Report_Preview

• Aggregated vs Workspace-specific views:   Using the filters and slicers on any page, users can filter the data for the workspaces or capacities that they frequently use or manage. The Analysis and Workspace pages also function as drill through targets, so users can drill through on a specific data point to continue their analysis.

In this example, we filtered for all items which are shared with the whole organization, have a sensitivity label of Confidential, and with a DLP policy violation. We found 524 such items in workspace “Kate”, with 396 such items belonging to user “Admin1” , and the top item types are Synapse Notebooks.

Content_Sharing_Report_Preview

• Correlate workspace inventory by various metadata attributes: Users can navigate to the Workspace page to see unique inventory scenarios such as widely shared items, items by type, sharing links, deleted items, and more.
• Sharing Risks Detection: The Overview page can help flag areas of potential over-sharing by looking at the most widely shared items across the tenant, combined with criteria such as sensitivity labelling.

Example: Identify sharing risks for sensitive items:

1. Start by going to the Analysis page of the Content Sharing report.

Change Analyze by to “access counts” (the total number of individual users with access to an item).

Look for Analyze by at the bottom left side of the page located in the Filters section

2. Group by Sensitivity label. In this example we focus on label “Confidential” which may or may not exactly match for your particular organization.

3. Group by Item type. Here, we focus on “Report” (Power BI Reports).

4. Group by Item Id. 

In this example we look at the number one top ranked “Confidential”-labeled Report which is accessible by the highest number of users.

Note that the high access count comes from sharing with a wide security group.

For example, if the data is considered sensitive and a report is shared with the entire organization via a security group, then this can pose some risks for some organizations. 

5. Right-click on the item to drill-down to the Details page.

Content_Sharing_Report_Preview

Mitigating Steps

6. Once in the Details page, click the Workspace URL or the Item URL to go to the service. Review the groups with access to the item and remove any groups that should not have access.

Note: You will need Admin/Member/Contributor role to the workspace to be able to navigate to the item using the Urls.

Next Steps

To maximize the benefits of the Content Sharing report, users should:

• Utilize sensitivity and endorsement labels: Apply these labels to better manage sensitive data items and to correlate sensitivity with items which are widely shared. They will start to show up on the Content Sharing report.
• Alerts/report subscriptions: Users can set up alerts and report subscriptions in the Content Sharing report. They can notify the relevant stakeholders when items with particular criteria (ie. a sensitivity label of confidential) are shared to a large audience for example.
• Use the Analysis Page or Connect to the semantic model: Users can get richer views through the Analysis page or by connecting to the data model to extend the data with additional attributes such as licensing or departments.
• How to access the report?

You can access the report from the Admin monitoring workspace. To access the workspace, you must be a Fabric administrator.

You can also have an admin share the report or semantic model directly with you.

With build permissions to the semantic model, users can design a custom report that relies on the same underlying data.

The Content Sharing report is a valuable tool for organizations looking to enhance their inventory management and data security practices. By leveraging its features and functionalities, users can gain deeper insights into their content and make informed decisions to improve overall data governance.