
pankaja_ms

Microsoft Fabric CAF Configuration Guide - Part 2

In this post, we will continue to build on the background and first two configuration categories associated with Cloud Adoption Framework's Landing Zone pillars as applicable to Microsoft Fabric.

 

Design Area - Resource Organization

Microsoft Fabric offers multiple features that enable an organization to simplify and streamline analytics solutions and processes. The base of these features is OneLake, an enterprise-grade, limitless, secure and performant data lake.

Workspace Organization

Permissions to create new workspaces, and the resources a specific workspace can use, are controlled at the tenant configuration level. Each Fabric workspace is a resource organization boundary. This allows different parts of the same organization to create analytics assets in a private environment and publish them to their colleagues when the asset is ready. Workspaces can be monitored at the workspace level, but also at the tenant level, primarily to ensure that a workspace's consumption of compute and storage stays within expectations.

Data Storage Choices

Microsoft Fabric offers native functionality to store data in multiple ways.

  1. Lakehouse
  2. Data Warehouse
  3. Eventhouse
  4. Fabric SQL Database
  5. PowerBI datamart

In addition to native storage, Fabric also offers features to access data outside of Fabric, without data movement, using Shortcuts. Refer to the following decision guide to review the data storage options and determine the best strategy to organize your resources based on the features and functionality offered by each one.

https://learn.microsoft.com/en-us/fabric/fundamentals/decision-guide-data-store

Refer to the following topic for more information on OneLake Shortcuts.

https://learn.microsoft.com/en-us/fabric/onelake/onelake-shortcuts

Naming Convention

Each workspace and its underlying objects should always be given a unique name. While each customer's requirements and expectations may differ, a combination of group, project, environment and user can provide both uniqueness and readability. Each type of Microsoft Fabric asset can be identified using a two-letter identifier. The following table provides some examples of how to organize resources in order to ensure both uniqueness and meaningfulness. This table is by no means a complete list of all nameable objects within Fabric, nor final guidance on how to name them. Rather, it is a framework that can be applied to any given implementation.

 

Asset Type        | Identifier | Naming Convention            | Example
------------------|------------|------------------------------|-------------------------------
Workspace         | ws         | ws_<group>_<usage>           | ws_finance_dev
Lakehouse         | lh         | lh_<project>_<usage>         | lh_finance_bronze_dev
Data Warehouse    | dw         | dw_<project>_<usage>         | dw_hr_silver_preprod
Eventhouse        | ev         | ev_<project>_<usage>         | ev_it_iotingest_prod
Notebook          | nb         | nb_<project>_<functionality> | nb_cleandata_sapingestion
Pipeline          | pl         | pl_<project>_<functionality> | pl_ingestfromsap_prod
Dataflow          | df         | df_<project>_<functionality> | df_dataintegration_saptodw
Semantic Model    | sm         | sm_<project>_<usage>         | sm_internalreport_finance
PowerBI Dashboard | pd         | pd_<project>_<usage>         | pd_analyticsreporting_dataset1
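A naming convention is only useful if it is enforced, so the following added example (written for this post, not code from the post or from Microsoft Fabric) turns the table above into a small checker: it builds names in the <prefix>_<project>_<usage|functionality> shape, validates names against the two-letter identifiers, and flags duplicates across an inventory. The lowercase-only segment rule, the function names, and the idea of treating a trailing dev/preprod/prod token as the environment are assumptions of this example, taken from the table's examples rather than from any Fabric rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Two-letter identifiers from the naming table above, mapped to the asset type
# and to the kind of suffix (usage or functionality) the table prescribes.
ASSET_TYPES = {
    "ws": ("Workspace", "usage"),
    "lh": ("Lakehouse", "usage"),
    "dw": ("Data Warehouse", "usage"),
    "ev": ("Eventhouse", "usage"),
    "nb": ("Notebook", "functionality"),
    "pl": ("Pipeline", "functionality"),
    "df": ("Dataflow", "functionality"),
    "sm": ("Semantic Model", "usage"),
    "pd": ("PowerBI Dashboard", "usage"),
}

# Environment tokens seen in the table's examples. Treating a trailing token from
# this set as "the environment" is an assumption of this example, not a Fabric rule.
ENVIRONMENTS = {"dev", "preprod", "prod"}

# One name segment: lowercase letters and digits only (assumed rule), so names
# stay readable and comparable regardless of which team created the asset.
SEGMENT = re.compile(r"^[a-z0-9]+$")


@dataclass(frozen=True)
class ParsedName:
    name: str
    asset_type: str
    prefix: str
    project: str          # <group> for workspaces, <project> for everything else
    suffix: str           # <usage> or <functionality>, possibly several segments
    environment: Optional[str]


def validate_name(name: str) -> List[str]:
    """Return a list of rule violations; an empty list means the name conforms."""
    problems = []
    parts = name.split("_")
    if len(parts) < 3:
        problems.append("expected at least <prefix>_<project>_<usage|functionality>")
        return problems
    prefix = parts[0]
    if prefix not in ASSET_TYPES:
        problems.append(f"unknown asset identifier '{prefix}'")
    for segment in parts:
        # An empty segment (double underscore) also fails here, since + needs one char.
        if not SEGMENT.match(segment):
            problems.append(f"segment '{segment}' must be lowercase letters or digits")
    return problems


def build_name(prefix: str, project: str, suffix: str) -> str:
    """Assemble a name in the table's <prefix>_<project>_<suffix> shape and check it."""
    name = f"{prefix}_{project}_{suffix}"
    problems = validate_name(name)
    if problems:
        raise ValueError("; ".join(problems))
    return name


def parse_name(name: str) -> ParsedName:
    """Split a conforming name into its parts; raises ValueError otherwise."""
    problems = validate_name(name)
    if problems:
        raise ValueError("; ".join(problems))
    parts = name.split("_")
    prefix, project, suffix_parts = parts[0], parts[1], parts[2:]
    environment = suffix_parts[-1] if suffix_parts[-1] in ENVIRONMENTS else None
    return ParsedName(
        name=name,
        asset_type=ASSET_TYPES[prefix][0],
        prefix=prefix,
        project=project,
        suffix="_".join(suffix_parts),
        environment=environment,
    )


def find_duplicates(names: List[str]) -> List[str]:
    """Names that occur more than once, violating the uniqueness requirement."""
    seen, dupes = set(), []
    for n in names:
        if n in seen and n not in dupes:
            dupes.append(n)
        seen.add(n)
    return sorted(dupes)


if __name__ == "__main__":
    # Constructed inventory: the table's own examples plus a non-conforming name
    # and one duplicate, to show what the checker reports.
    inventory = [
        "ws_finance_dev", "lh_finance_bronze_dev", "dw_hr_silver_preprod",
        "nb_cleandata_sapingestion", "Finance Lakehouse", "lh_finance_bronze_dev",
    ]
    for n in inventory:
        problems = validate_name(n)
        print(n, "->", problems or parse_name(n))
    print("duplicates:", find_duplicates(inventory))
```

Running the checker over an exported list of workspace items (for example, the item names returned by the Fabric admin APIs) makes deviations from the convention visible before they spread, which is the point of agreeing on a convention up front.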

 

Design Area - Network Topology and Connectivity

Microsoft Fabric supports integration with virtual networks through private endpoints and managed virtual networks. Reducing the exposed surface area by configuring the Fabric tenant and/or workspaces with Private Link is highly recommended.

Protection for Inbound Traffic

Use the Microsoft Private Link configuration for the Fabric tenant to protect inbound traffic. With Private Link in place, only traffic arriving over the virtual network on which the Private Link is configured can reach Fabric. This configuration choice brings multiple considerations and limitations. Review them here: https://learn.microsoft.com/en-us/fabric/security/security-private-links-overview#other-consideratio...

Protection for Outbound Traffic

Use a Microsoft managed virtual network at the Fabric workspace level to protect outbound traffic. A managed VNet is deployed the first time a Spark job is initiated, if a Fabric admin has configured the Fabric tenant to be attached to a Private Link or if the workspace is configured with a managed private endpoint.

Managed private endpoints come with limitations and considerations that should be reviewed before a design is finalized. Refer to this topic for more information: https://learn.microsoft.com/en-us/fabric/security/security-managed-private-endpoints-overview#limita...

Trusted Workspace Access

In scenarios where a specific Fabric workspace is configured with a Workspace Identity (refer to this page for more information: https://learn.microsoft.com/en-us/fabric/security/workspace-identity ), access to firewall-enabled ADLS Gen2 storage can be simplified through Trusted Workspace Access. Refer to this topic for more information: https://learn.microsoft.com/en-us/fabric/security/security-trusted-workspace-access

 

Design Area - Security

Data Encryption at rest

Microsoft Fabric always encrypts all data stored in OneLake using platform-managed keys. For scenarios where customers require their own keys to be used, consider using an alternative storage service such as Azure Data Lake Storage Gen2. ADLS Gen2 is integrated with the Azure Key Vault service to enable such a configuration. Refer to this topic for more information: https://learn.microsoft.com/en-us/fabric/security/security-scenario#customer-managed-key-cmk-encrypt...

Data in Transit

Data travelling to and from Microsoft Fabric over the Microsoft network is encrypted with at least TLS 1.2. No additional configuration is needed to benefit from this level of encryption.

Data Residency

At the time a new Fabric tenant is created, it is assigned a home location. This home location determines which Azure region(s) the data will be stored in. This tenant-level default can be overridden by selecting a location for a workspace at the time of its creation.

Refer to this topic, which describes the Multi-Geo configuration in more detail: https://learn.microsoft.com/en-us/fabric/admin/service-admin-premium-multi-geo?tabs=power-bi-premium

Customer Lockbox for Fabric

Microsoft Azure offers the capability to lock out all support personnel from Microsoft Fabric by enabling the Customer Lockbox feature. Refer to this page for more details on how this feature works: https://learn.microsoft.com/en-us/fabric/security/security-lockbox

 

Design Area - Management

Microsoft Fabric is a SaaS product that is built to scale, to be secure, and to provide out-of-the-box resilience. That said, the following areas should be on the radar when considering any Fabric deployment.

Resiliency

Microsoft Fabric partially supports Azure Availability Zones for specific experiences. This support requires the Fabric tenant to be deployed in one of the regions that support Availability Zones. Review the full list of prerequisites and the regions that support specific Fabric experiences with Availability Zones at this page.

Disaster Recovery

Disaster Recovery refers to scenarios where a service fails due to one or more underlying failures (e.g. networking, hardware, power). During such events, solution design and DR planning done ahead of time become paramount to the experience that users have.

Microsoft Fabric offers the following features that will enable reasonable recovery from such events.

Capacity Disaster Recovery setting. This setting is enabled or disabled at the time a new Fabric capacity is configured. Refer to this document for more information related to this setting: https://learn.microsoft.com/en-us/azure/reliability/reliability-fabric#disaster-recovery-capacity-se... Changing this setting once the capacity is deployed can take up to 30 days for background synchronization activities to complete, so that a DR failover is successful should it be needed. Switching on the Capacity Disaster Recovery setting also enables OneLake cross-region replication along with other artifacts.

Monitoring

Monitoring a Microsoft Fabric environment involves several critical aspects to ensure its optimal performance and security. Proper monitoring enables the identification of potential issues before they escalate and helps maintain the overall health of the system.

Type of Monitoring         | Where to Monitor
---------------------------|-----------------------------------------------------------------------------------------------------------
Capacity Usage             | Admin Monitoring Workspace
Performance                | Monitor Hub
Security                   | Audit logs within Fabric Admin Portal. The full list of audit operations found in these logs is documented here.
Feature Usage and Adoption | Admin Monitoring Workspace. Refer to this page for more information.

One aspect of monitoring Fabric is to understand and plan for throttling events. Throttling happens when a client consumes more capacity than they have procured. This event is managed in a predictable manner, and it is important for Fabric admins to understand how Microsoft manages and applies throttling. Refer to this topic for more information: https://learn.microsoft.com/en-us/fabric/enterprise/throttling

Alerting

Microsoft Fabric allows users to configure alerting at the tenant and capacity levels. At the capacity level, there are multiple notification categories that can be configured.

Refer to this topic for full details of these settings.

The tenant-level setting "Receive email notifications for service outages or incidents" can be enabled to receive such notifications.


The next post will conclude this series with a description of the configuration options for the remaining two pillars of CAF. You can find the first post in the series at the link below.

https://community.fabric.microsoft.com/t5/Fabric-platform-Community-Blog/Microsoft-Fabric-CAF-Config...