🔒 Introduction
As organizations scale their use of Microsoft Fabric, leaders, administrators, and data owners need a simple, secure, and transparent way to request, grant, and manage access to workspaces. Strong governance is essential not only to protect sensitive data but also to ensure every access decision is auditable, policy-aligned, and compliant with enterprise and regulatory standards.
This document presents a standardized access management framework built on Microsoft Entra ID Access Packages, Security Groups, and Catalogs. The approach enables structured access requests and time-bound entitlements, aligned with Zero Trust and least-privilege principles. By automating the access lifecycle, the model reduces operational overhead and provides leadership with clear visibility over access to Microsoft Fabric resources across the enterprise.
🚨 Problem Statement
Manual access provisioning for Microsoft Fabric workspaces leads to slow, inconsistent, and error-prone processes that weaken governance. Without standardized, policy-driven workflows, organizations lack a reliable audit trail, making it difficult to understand who has access and why.
Enforcing time-bounded access becomes challenging, as manual methods do not support automatic expiration or periodic reviews. Over time, outdated entitlements accumulate and increase insider risk.
These gaps create security and compliance risks, especially in environments involving enterprise data that is sensitive, highly confidential, and privacy-regulated.
💡 Solution Implemented in the Enterprise Data Lake
To address these governance gaps, the solution implements a policy-driven, automated access model for Microsoft Fabric workspaces built on Microsoft Entra ID. It combines standardized workflows, least privilege enforcement, and full auditability to meet enterprise security and compliance expectations at scale.
The model automates end-to-end access lifecycle management through:
- Security Groups (SGs) as permission boundaries
  Define clean, role-based access layers that prevent permission sprawl and enforce consistent entitlement patterns across all Fabric workspaces.
- Catalogs in Entitlement Management to organize resources
  Organize Fabric resources into governed collections, enabling structured discovery and policy-aligned access management.
- Access Packages to bundle permissions and policies
  Provide a single, controlled entry point for users to request access, with embedded rules, expirations, and review schedules aligned to Zero Trust principles.
- Approval flows for governance
  Ensure every access grant passes through auditable, role-appropriate approval steps, creating a complete approval history and reducing the inconsistencies that come with manual handling.
- Microsoft Graph API for reporting and auditing
  Centralize visibility into who has access, why they have it, how long access is valid, and when it must be reviewed, strengthening enterprise data privacy readiness and compliance posture.
This model is applicable wherever Microsoft Fabric supports Azure AD SG–based access, enabling users added to a security group to access the relevant workspaces and associated artifacts - such as lakehouses, semantic models, files, tables, data agents, and shortcuts - where group-based permissions can be enforced.

🛠️ Setup Guide
Microsoft Entra Entitlement Management brings together catalogs and access packages to provide a governed, policy-driven access model. The following setup guide explains how these components are configured and linked with Azure AD Security Groups to enable controlled access to Microsoft Fabric.
1. Create SG
- Create or use an SG with strict naming conventions and clearly documented ownership.
- Assign SGs to relevant resources (for example, Fabric workspace roles such as Viewer, Contributor, or Admin).
2. Create Catalog and Add SG as Resource
- In Microsoft Entra Admin Center, navigate to Identity Governance > Catalogs.
- Create a new catalog with an appropriate name, description, and status.

- Add the SG as a resource to the catalog.
  - This is recommended when the SG is reused across multiple access packages or requires centralized management.
  - If the SG is required for a single access package only, it can be added directly during access package creation.

3. Create Access Package
- Select the appropriate catalog.
- Create a new access package with a clear name and description.
- Add resource roles by selecting Groups and Teams, choosing the relevant SG, and assigning the Member role.
- Configure request policies:
  - Define who can request access (users, service principals, or guests).
  - Configure the approval flow (single or multi-stage, such as manager or admin).
  - Require justification, if applicable.

- Optionally, add custom questions under Requestor Information.
- Define lifecycle settings:
  - Set assignment expiry carefully to avoid permanent access.
  - Allow users to request a specific access duration.
  - Enable access reviews, if required.

4. Add or Edit Policies
- Access packages can include multiple policies for different requestor types, such as users or service principals.
- Review and adjust policies as needed to support specific use cases.
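The setup steps above end in an assignment policy, and that policy is where the lifecycle rules (bounded expiry, approval, justification) are actually enforced. As an added example, not code from the original article, the block below builds the JSON body for such a policy and checks any policy body for the settings that weaken those rules. Field names are assumed to follow the Microsoft Graph v1.0 `accessPackageAssignmentPolicy` schema, the access package id is a placeholder, and nothing here contacts Graph.

```python
import re

# Added example (not from the original article): build the JSON body for an
# Entitlement Management assignment policy that applies the guide's lifecycle
# rules, and check any policy body for settings that weaken them. Field names
# are assumed to follow the Graph v1.0 accessPackageAssignmentPolicy schema;
# the package id is a placeholder. Nothing here contacts Graph.
POLICIES_URL = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies"

def build_policy(access_package_id: str, max_days: int = 90) -> dict:
    """Body for POST POLICIES_URL: member users, bounded expiry, one manager approval stage."""
    return {
        "displayName": "Fabric workspace - member users",
        "description": "Time-bound, manager-approved membership of the workspace SG",
        "accessPackage": {"id": access_package_id},
        "allowedTargetScope": "allMemberUsers",
        # never 'noExpiration': every assignment must lapse without manual revocation
        "expiration": {"type": "afterDuration", "duration": f"P{max_days}D"},
        "requestorSettings": {
            "enableTargetsToSelfAddAccess": True,
            "allowCustomAssignmentSchedule": True,  # requestor may ask for a shorter period
        },
        "requestApprovalSettings": {
            "isApprovalRequiredForAdd": True,
            "isApprovalRequiredForUpdate": True,  # extensions are re-approved, not auto-granted
            "stages": [{
                "durationBeforeAutomaticDenial": "P14D",
                "isApproverJustificationRequired": True,
                "primaryApprovers": [{"@odata.type": "#microsoft.graph.requestorManager", "managerLevel": 1}],
            }],
        },
    }

def policy_findings(policy: dict, max_days: int = 90) -> list:
    """Governance checks on a policy body; an empty list means it passes."""
    findings = []
    exp = policy.get("expiration") or {}
    if exp.get("type") not in ("afterDuration", "afterDateTime"):
        findings.append("expiry must be afterDuration or afterDateTime, never noExpiration")
    elif exp.get("type") == "afterDuration":
        m = re.fullmatch(r"P(\d+)D", exp.get("duration") or "")
        if not m or int(m.group(1)) > max_days:
            findings.append(f"duration {exp.get('duration')!r} must be a day count of at most {max_days}")
    approval = policy.get("requestApprovalSettings") or {}
    if not approval.get("isApprovalRequiredForAdd") or not approval.get("stages"):
        findings.append("new assignments must pass at least one approval stage")
    if not approval.get("isApprovalRequiredForUpdate"):
        findings.append("assignment updates (extensions) must also require approval")
    return findings
```

Run `policy_findings` over policy bodies exported from Graph to catch packages whose expiry or approval settings drifted from the standard; verify the field names against the Graph reference for your tenant's API version before posting.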
🔑 Access Onboarding
Users can raise access requests for themselves or for a service principal (SPN) through the MyAccess portal.
- Search for the relevant Access Package under My Access and submit a request.

- Select self or service principal, provide the required information, and submit the request.

- Select a specific access period, if required.

- Assignment Managers or Catalog Owners can also add users or managed identities through the Assignments tab in the Access Package.
- Previously raised requests can be extended before expiration.

- All access requests and their status are visible in the Request history page.

✅ Access Approval
Once a user submits an access request, the relevant approvers review and either approve or reject the request based on defined policies.
- Approvers receive email and portal notifications with the request details.

- Approver review includes:
  - Requestor identity, access package, justification, duration, and policy
  - Risk and compliance signals, if enabled
- Approvers can approve (access is granted and logged) or deny (the requestor is notified and the reason is recorded).

- Multi-stage approvals can be configured, such as manager approval followed by administrator approval.
🔓 Access Removal
Access can be removed automatically or manually before expiration, depending on governance and operational requirements.
- Automatic removal: Access is revoked when the assignment reaches its expiry date or when a user is denied during an access review. The system removes the user’s membership from the Microsoft Entra ID SG, and the user receives an email notification.
- Manual removal (before expiration): When immediate removal is required, the Catalog Owner or Assignment Manager can revoke access via Access Package > Assignments > Select User > Remove. Membership is removed instantly from the Microsoft Entra ID SG, and the user receives an email notification confirming access removal.

📊 Access Monitoring & Governance
All actions, including access requests, approvals, assignments, and expirations, are logged within the Access Package. These records can be extracted directly from Entitlement Management for governance and audit purposes.

- Microsoft Graph API can be leveraged to retrieve reports on:
  - Access package assignments
  - Security Group (SG) memberships
  - Approval history
- The same APIs can be used for consolidated, catalog-level reporting across multiple access packages.
- Integrate extracted data with Power BI or other analytics tools to build custom governance dashboards. Below is the reference dashboard.
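The assignment report is the one that surfaces access drift: entitlements with no end date, entitlements past their end date that should already have been revoked, and entitlements about to lapse. As an added example, not code from the original article, the block below pages through delivered assignments with Microsoft Graph and buckets them that way. The response shape is assumed to follow the Graph v1.0 `accessPackageAssignment` resource (`state`, `schedule.expiration.endDateTime`, `target`, `accessPackage`), and the sample page at the end is constructed so the report runs offline.

```python
import json, re, urllib.parse, urllib.request
from datetime import datetime, timedelta

# Added example (not from the original article): page through delivered access
# package assignments and flag those needing a governance action. The response
# shape is assumed to follow the Graph v1.0 accessPackageAssignment resource.
ASSIGNMENTS_URL = (
    "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignments?"
    + urllib.parse.urlencode({"$filter": "state eq 'delivered'", "$expand": "target,accessPackage"},
                             quote_via=urllib.parse.quote))

def fetch_all(url: str, token: str) -> list:
    """Collect every page by following @odata.nextLink (needs a Graph bearer token)."""
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

def parse_graph_time(value: str) -> datetime:
    # Graph timestamps are ISO 8601 UTC with up to 7 fractional digits; drop the fraction
    return datetime.strptime(re.sub(r"\.\d+", "", value), "%Y-%m-%dT%H:%M:%S%z")

def expiry_report(assignments: list, now_iso: str, horizon_days: int = 14) -> dict:
    """Bucket delivered assignments: no end date, past end date, ending within the horizon."""
    now = parse_graph_time(now_iso)
    horizon = now + timedelta(days=horizon_days)
    report = {"no_expiry": [], "overdue": [], "expiring_soon": []}
    for a in assignments:
        who = (a.get("target") or {}).get("displayName", "?")
        pkg = (a.get("accessPackage") or {}).get("displayName", "?")
        end = ((a.get("schedule") or {}).get("expiration") or {}).get("endDateTime")
        label = f"{who} -> {pkg}"
        if not end:                          # permanent entitlement: the drift the guide warns about
            report["no_expiry"].append(label)
        elif parse_graph_time(end) <= now:   # should already be revoked; confirm the SG membership is gone
            report["overdue"].append(label)
        elif parse_graph_time(end) <= horizon:
            report["expiring_soon"].append(label)
    return report

# Constructed sample shaped like one Graph 'value' page (no network call is made).
SAMPLE = [
    {"target": {"displayName": "Alice"}, "accessPackage": {"displayName": "Fabric-Finance-Viewer"},
     "schedule": {"expiration": {"endDateTime": "2025-06-10T00:00:00Z"}}},
    {"target": {"displayName": "Bob"}, "accessPackage": {"displayName": "Fabric-Finance-Contributor"},
     "schedule": {"expiration": {"endDateTime": "2025-05-20T12:30:00.1234567Z"}}},
    {"target": {"displayName": "svc-etl"}, "accessPackage": {"displayName": "Fabric-Finance-Admin"},
     "schedule": {"expiration": {"endDateTime": None}}},
]
```

Against live data, `expiry_report(fetch_all(ASSIGNMENTS_URL, token), now_iso)` produces the three lists; the `overdue` bucket is the one to reconcile against actual SG membership, since a delivered assignment past its end date means automatic removal did not complete.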

📈 Impact
Implementing this automated access model delivers clear, enterprise-grade benefits across security, compliance, and operations:
- Significantly faster and error-free access provisioning through standardized, policy-driven workflows.
- Time-bounded, auditable permissions that enforce least privilege and reduce long-standing entitlements.
- Elimination of manual revocation, removing one of the largest contributors to access drift.
- Automated approval and review cycles, ensuring continuous validation of who has access and why.
- Complete access history and reporting via Microsoft Graph for audit, SOX, and compliance needs.
- Reduced insider risk exposure through consistent expiration, privilege reviews, and Zero Trust guardrails.
- Improved operational efficiency for Admins, Audit and Security teams, Data Owners, and Fabric workspace owners.
⚠️ Considerations
- Access packages work exclusively with cloud-managed Azure AD SGs; directory-synced (on-premises) groups are not supported.
- SGs are managed independently; nested groups (group-within-group assignments) are not supported.
⭐ Best Practices
To sustain long-term consistency, security, and compliance across Microsoft Fabric environments:
- Adopt strict naming standards for SGs, catalogs, and datasets, including environment, team prefix, and purpose.
- Keep catalogs minimal and focused, grouping only logically related resources to reduce governance overhead.
- Use separate Access Package policies for different user personas, such as Contributors, Readers, Analysts, and Admins.
- Periodically review SG and access package memberships to remove stale or unused entitlements.
- Enforce multi-stage approvals for highly confidential or privacy-sensitive workspaces.
- Leverage Microsoft Graph API reporting for continuous monitoring of access trends and audit preparation.
- Clearly document ownership for each workspace category to ensure accountability and review responsibility.
👥 Contributors