pankaja_ms

Microsoft Fabric CAF Configuration Guide - Part 1

    Created By: Pankaj Agarwal

    Technical Reviewers : Joao De Souza, Elizabeth Antoine

     

    The guidance in this document is not an official recommendation from Microsoft Fabric Engineering. This document was authored to consolidate the various pieces of guidance needed for a successful Fabric configuration, aligned with the best practices published across the Fabric documentation.

     

    Content referenced in this document may rely on pre-release features. These features may behave and work differently if/when they become generally available than described in this document. As per Microsoft guidance, pre-release functionality should be used for evaluation and feedback purposes only.

     

    Introduction to Cloud Adoption Framework

     

    Microsoft has published extensive guidance through the Cloud Adoption Framework (CAF) that helps customers and partners qualify, assess, architect and deploy Azure-native solutions, whether migrating from on-premises or from other cloud platforms. This blog series uses the following 8 design areas from CAF's Landing Zone design to guide users in configuring Microsoft Fabric.

    1. Billing and Tenant configuration
    2. Identity and Access Management
    3. Resource Organization
    4. Network Topology and connectivity
    5. Security
    6. Management
    7. Governance
    8. Platform Automation and DevOps

    Introduction to Microsoft Fabric

    Microsoft Fabric is an enterprise-ready, end-to-end analytics platform that offers data integration, data ingestion and storage, data transformation, data science and engineering, data visualization and much more. Because of the breadth and complexity of the service, configuration can be performed at the following 5 layers.

    1. Fabric Tenant 
    2. Fabric Capacity
    3. Domains and Sub domains
    4. Workspaces 
    5. Individual items such as Lakehouse, Eventhouse, Pipeline etc.

    While a complex Fabric solution could use features across all levels to achieve the most optimal design, this document focuses on the most essential aspects of this configuration. Anyone reviewing this document should familiarize themselves with the features available at every level to ensure that the final solution uses them optimally.

     

    Design Area - Billing and Tenant Configuration

    Microsoft Fabric is available for purchase in different ways. Each deployment of Fabric requires customers to first procure a capacity and attach this capacity to their Fabric tenant. Fabric Capacity is sold in different SKUs. For more information on the various SKU types, refer to this topic in the Fabric documentation: https://learn.microsoft.com/en-us/fabric/enterprise/buy-subscription

     

    Capacity SKUs and Pricing

    Capacity Estimation: Fabric capacity can be estimated using the guidance provided in the following topic https://learn.microsoft.com/en-us/fabric/enterprise/plan-capacity . Microsoft has also published a SKU calculator that helps estimate the capacity SKU most suitable for a given scenario. This calculator can be accessed at http://aka.ms/fabricskuestimator

     

    Fabric Capacity offers some important settings that are propagated down to all Workspaces. Refer to the following topic to review these settings and pick the ones best suited for the deployment:

    https://learn.microsoft.com/en-us/fabric/admin/capacity-settings?tabs=power-bi-premium#capacity-sett... 

     

    A single capacity can then be used to configure one or more workspaces. Because compute capacity is decoupled from usage through workspaces, multiple deployment patterns are possible. Review this topic to understand the various deployment patterns https://learn.microsoft.com/en-us/azure/architecture/analytics/architecture/fabric-deployment-patter... 

     

    Fabric Tenant Level Settings

    At the time of deployment of a new Fabric Tenant, Tenant level settings can be configured using guidance provided here https://learn.microsoft.com/en-us/fabric/admin/about-tenant-settings 

     

    It's recommended that new tenant admins pay close attention to the following tenant settings. This list is partial, and it's recommended that the full list of settings be reviewed prior to tenant deployment. Tenant Admins can enable or disable specific tenant-level settings either for the entire organization or only for specific users that are part of a security group. More information on this can be found in this topic https://learn.microsoft.com/en-us/fabric/admin/about-tenant-settings#how-to-use-the-tenant-settings

     

    Category           | Setting                                 | Description
    Export and Sharing | Guest Users can access Microsoft Fabric | Guest users who've been added to your Microsoft Entra directory can access Microsoft Fabric and any Fabric items they have permissions to
    Capacity Settings  | Region                                  | Selecting a region other than the default enables storage close to the user

     

    The full list of all tenant-level settings can be found in the following topic https://learn.microsoft.com/en-us/fabric/admin/tenant-settings-index 
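    As an added example (not code from the original post or from the Fabric documentation), the following Python script performs the kind of tenant-setting review described above: it flags sensitive settings, such as guest user access, that are enabled for the entire organization rather than restricted to a security group. It assumes the JSON shape of the Fabric admin REST API tenant settings listing (settingName, enabled and enabledSecurityGroups fields) and uses a constructed sample response embedded inline instead of a live call; the setting names and group ids in the sample are placeholders.

```python
import json

# Constructed sample of a tenant settings listing. The field names follow the
# shape of the Fabric admin REST API tenant settings response (an assumption
# made for this example); setting names and group ids are made-up sample values.
SAMPLE_RESPONSE = json.dumps({"tenantSettings": [
    {"settingName": "GuestUserAccess",
     "title": "Guest users can access Microsoft Fabric",
     "enabled": True, "canSpecifySecurityGroups": True,
     "enabledSecurityGroups": []},
    {"settingName": "ExternalSharing",
     "title": "Users can share content with external users",
     "enabled": True, "canSpecifySecurityGroups": True,
     "enabledSecurityGroups": [{"graphId": "11111111-1111-1111-1111-111111111111",
                                "name": "sg-fabric-external-sharing"}]},
    {"settingName": "ExportToFile", "title": "Export to file",
     "enabled": False, "canSpecifySecurityGroups": True,
     "enabledSecurityGroups": []},
]})

# Placeholder names for settings a tenant admin would not want enabled for the
# entire organization; map them to the setting names in your own tenant.
REVIEW_IF_ORG_WIDE = {"GuestUserAccess", "ExternalSharing"}


def scope_of(setting):
    """Describe who an enabled setting applies to."""
    groups = setting.get("enabledSecurityGroups") or []
    if not groups:
        return "entire organization"
    return "groups: " + ", ".join(g["name"] for g in groups)


def audit_tenant_settings(raw_json, review_set=REVIEW_IF_ORG_WIDE):
    """Return (settingName, scope, reason) for every enabled setting in
    review_set that is not limited to at least one security group."""
    findings = []
    for setting in json.loads(raw_json)["tenantSettings"]:
        if not setting.get("enabled") or setting["settingName"] not in review_set:
            continue
        if not setting.get("enabledSecurityGroups"):
            findings.append((setting["settingName"], scope_of(setting),
                             "enabled org-wide; restrict to a security group or disable"))
    return findings


if __name__ == "__main__":
    for name, scope, reason in audit_tenant_settings(SAMPLE_RESPONSE):
        print(f"{name}: {scope} -> {reason}")
```

    Running it on the sample reports only GuestUserAccess, because ExternalSharing is already limited to a security group and ExportToFile is disabled.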

     

    Fabric Tenant Branding Customization

    Microsoft Fabric offers customization of the portal to match organization’s branding guidelines. More information on this can be found at https://learn.microsoft.com/en-us/fabric/admin/service-admin-custom-branding 

     

    Fabric Entra ID Configuration

    Microsoft Fabric is deeply integrated with and relies upon Entra ID for Identity and Access Management. As a first step in deploying Fabric, an underlying Entra ID tenant is required. If one does not exist, this must be addressed before Fabric can be deployed. At the time a new Fabric tenant is created, a user or a group should be a member of the Fabric Administrator role (or the Power BI administrator role) as described in this article https://learn.microsoft.com/en-us/fabric/admin/roles . This step may require collaboration with the security team, as it requires access to the M365 admin portal. 

     

    As the Fabric tenant evolves, Fabric Administrator can add additional Entra ID users and groups to the tenant for access. 

     

    Fabric Domains and Sub-domains

    Fabric offers the concept of Domains to logically group all data in an organization. Domains can be visualized as a governance boundary between the Tenant and Workspaces. If an organization implements this grouping strategy based on Business Units, the resulting design represents a Data Mesh that allows individual business units to manage their data according to their own regulations, restrictions and needs. 

     

    A sub-domain allows a 2-tiered structure to represent more complex data custodian scenarios in a hierarchical manner. 

    There are three RBAC roles available to manage the Domain/sub domain aspect. These are described in the Identity and Access Management section of this blog series.

     

    When using Domains and/or subdomains, some of the Tenant level settings described above can be delegated to Domain level. Refer to this part of Fabric documentation for more information. 

     

    Design Area - Identity and Access Management

    Microsoft Fabric relies on Entra ID for all authentication operations. Depending on the customer's Entra ID configuration, they may have access to Entra Conditional Access, which provides a stronger security configuration when used. A detailed walk-through of the Entra ID and Fabric authentication process is described here https://learn.microsoft.com/en-us/fabric/security/security-scenario#connect-to-fabric-inbound-protec... 

     

    Workspace Identity

    Microsoft Fabric offers a multi-tiered permission model that allows fine-grained control of who has access to what within the Fabric environment. Review the details of this permission model here https://learn.microsoft.com/en-us/fabric/security/permission-model . A user must pass each of the following gates to gain access to specific items within a Fabric tenant. 

    1. Entra Authentication – configured at the Entra tenant level 
    2. Fabric Access – configured at the Fabric tenant and workspace level  
    3. Data Access – configured at the data tier, e.g. a Fabric Lakehouse. 

    Fabric Domain RBAC Configuration

    Fabric Domains support the following built-in RBAC roles. If you decide to implement Fabric with Domain(s), ensure that these RBAC roles are configured accordingly for each Domain being defined. 

     

    Role Name          | Description
    Domain Admin       | Can modify the domain description, modify Domain contributors, and associate Workspaces with their own domain only
    Domain Contributor | Assigned as Workspace admins by the Domain admin. Entra ID users in this role can perform Workspace configuration as defined by the Workspace Admin built-in role.

     

    Fabric Capacity and Workspace RBAC Configuration

    Fabric Capacity and Workspace come with multiple pre-built roles that users can be added to depending on the level of access they require. Thereafter, users can be individually added to or removed from the items created in each Workspace. 

     

    Each Entra ID user can be part of one or more built-in roles at Workspace level. Built-in roles include the following 

    Role        | Description
    Admin       | Can view, modify, share, and manage all content in the workspace, including managing permissions
    Member      | Can view, modify, and share all content in the workspace
    Contributor | Can view and modify all content in the workspace
    Viewer      | Can view all content in the workspace, but can't modify it

     

    A Fabric Workspace can be associated with a Workspace Identity, an automatically managed service principal that can securely read from or write to a firewall-enabled Azure Data Lake Storage Gen2 account through trusted workspace access for OneLake shortcuts. Refer to the Fabric documentation on trusted workspace access for more information. Workspace identities are created in the Workspace settings and are automatically assigned the Workspace Contributor role. 

     

    Access Management for OneLake

    In a recent post, Microsoft announced limited availability of significant improvements to data management in OneLake. This includes comprehensive row- and column-level security that is stored directly within OneLake, enabling a centralized data access configuration for all engines within Fabric. More information can be found here https://blog.fabric.microsoft.com/en-us/blog/the-next-evolution-of-onelake-security-enters-early-pre... 

     

    Fabric OneLake offers both built-in roles and the capability to create custom roles for scenarios where the built-in roles are not sufficient. Refer to this topic for the steps to configure custom roles: https://learn.microsoft.com/en-us/fabric/onelake/security/get-started-data-access-roles 

     

    OneLake Item Permissions

    Review the guidance provided in the Fabric documentation on how to secure the following items stored within OneLake https://learn.microsoft.com/en-us/fabric/security/permission-model#item-permissions 

    • Semantic model 
    • Data warehouse 
    • Data Factory 
    • Lakehouse 
    • Data science 
    • Real-Time Intelligence 

    One of the key features in Fabric is the capability for individual users to share valuable data assets with others in their organization. As these scenarios come up, use the following built-in roles for shareable items. 

    Role Name | Description
    Read      | Can view item metadata
    ReadData  | Can view data using the SQL endpoint
    ReadAll   | Can view data in OneLake

     

    TO BE CONTINUED IN A FUTURE POST...