As organizations continue to scale analytics and AI initiatives, protecting sensitive data has never been more critical. With Microsoft Fabric, we are building data security directly into the analytics platform—so protection is consistent, automated, and enforced wherever data lives and travels.
Today, we’re sharing several new data protection capabilities in Microsoft Fabric, powered by deep integration with Microsoft Purview. Together, these updates help organizations reduce data oversharing risk, improve visibility into sensitive data usage, and respond faster to potential data theft scenarios, without compromising productivity.
Expanded DLP Restrict Access for Structured Data in OneLake (Preview)
We’ve expanded DLP restrict access capabilities to cover all structured data in OneLake*, giving organizations broader, automatic protection for sensitive information once it is detected, more holistically across their OneLake data.
With this release, restrict access will also apply to SQL databases, KQL databases and Warehouses (on top of Lakehouses and semantic models that were already supported).
As a result, security and compliance teams can reduce the risk of accidental or intentional data exposure while still enabling broad data access for analytics and AI scenarios. These controls are policy-driven, consistent, and enforced automatically helping security teams scale protection without relying on manual processes.
* Support for c is coming soon.
Sensitivity Labels Available Through Public APIs (Generally Available)
To support automation and extensibility, sensitivity labels are now accessible through public APIs. This enables customers and partners to programmatically discover, apply, and manage classification across Fabric assets.
This enhancement includes the following API operations:
- List Items – The response now includes the Sensitivity Label ID for each item.
- Get Item – The response includes the item’s Sensitivity Label ID.
- Create Item – Include a label ID to create an item with a sensitivity label.
- Update Item – The response includes the Sensitivity Label ID.
(Note: labels can be retrieved programmatically but update labels via this API is not supported)
These capabilities align with the existing label management APIs available today:
- Bulk Set Labels allow admins apply sensitivity labels to items.
- Bulk Remove Labels allow admins remove sensitivity labels from items.
Now, users can programmatically access sensitivity label metadata without additional queries, streamlining compliance and improving automation.
Insider Risk Management Support for Lakehouse Indicators (Generally Available)
We’re also extending Microsoft Purview Insider Risk Management to support Lakehouse indicators in Fabric. This allows security teams to detect, investigate, and respond to potentially risky user activities involving sensitive data stored in Fabric Lakehouses.
By ingesting Fabric audit signals into Purview Insider Risk Management, organizations can apply the same insider risk detection and investigation capabilities they already use across Microsoft 365 and other data sources, including Fabric analytics workloads—bringing the real power of a centralized management across your entire data estate.
Figure: Lakehouse indicators used within the IRM tool
New Quick Data Theft Policy in IRM for Fabric (Generally Available)
To simplify and accelerate risk response, we’ve introduced a new quick policy creation of the Data Theft rule for Fabric. This streamlined experience makes it easier to set up protection against data exfiltration scenarios, helping security teams act faster when sensitive Fabric data is at risk.
With fewer steps and clearer guidance, organizations can move more quickly from detection to remediation, reducing exposure while maintaining productivity.
IRM Pay-as-you-go Usage Report (Generally Available)
The Microsoft Purview Insider Risk Management pay-as-you-go feature usage report is designed to provide transparency to the customers, enabling more accurate budget planning and policy tuning. IRM admins can check the distribution of PAYG processing units that were billed across workloads (Fabric), sub workloads (Power BI, Lakehouse), and indicators (downloading power BI reports, etc.) to fine-tune their policies and plan PAYG budgets accordingly.
Purview Data Security Posture Management (DSPM) for AI for Fabric Copilots and data agents (Preview)
As organizations adopt AI, implementing controls becomes crucial to discover risks and prevent data oversharing when using AI. With DSPM for AI for Fabric, organizations can monitor Copilots and data agents interactions in Fabric.
Users can now:
- Surface data security risks by detecting sensitive information in AI prompts and responses, with actionable recommendations available directly in the DSPM dashboard.
- Detect and investigate risky AI behavior using Insider Risk Management, helping security teams identify scenarios where users may have unintentionally shared sensitive data or bypassed established security practices.
- Apply governance and oversight to AI interactions through Purview Audit, eDiscovery, retention policies, and detection of non‑compliant usage, enabling consistent controls across AI-powered experiences.
Bringing it all together
Taken together, these updates reinforce a core principle of Microsoft’s approach to data security:
protection is built in, consistent, and end-to-end.
From sensitivity labeling and automated access restrictions in OneLake to advanced insider risk detection and fast remediation, Microsoft Fabric and Purview work together to help secure data across analytics, AI, and collaboration.
As data estates continue to grow and complexity, we remain committed to delivering security capabilities that scale with your business—without slowing innovation.