One notebook. 13 tools. Zero guesswork.
A comprehensive diagnostic, remediation, and security auditing toolkit for Microsoft Fabric semantic models — delivered as a single self-contained Fabric notebook with an interactive ipywidgets console. Scans any Import / Direct Lake / DirectQuery model, produces a full HTML dashboard with scores and findings, and auto-applies fixes via TOM writes.
Three features in this notebook solve problems that no existing Fabric or Power BI tool addresses end-to-end:
🔒 Security X-Ray — Effective Access Map
Enterprise Power BI security is managed through Azure AD groups, not individual users. An AD group assigned to an RLS role might contain 200 users, nested sub-groups, and service principals. Until now there was no tool, no REST API, no sempy function that answered:
"Given all the RLS filters, OLS restrictions, AD group memberships, and workspace roles — what does each real human actually see?"
Security X-Ray combines TOM + DAX INFO.ROLES() + Microsoft Graph /transitiveMembers + Fabric REST roleAssignments into a single Effective Access Map that flags the critical blind spot: users who bypass RLS via workspace Admin/Member/Contributor privileges — a silent risk the standard Power BI UI never surfaces.
🤖 AI Generation — Schema-Aware Descriptions at Scale
Writing meaningful descriptions, synonyms, and AI instructions across hundreds of tables, columns, and measures is impractical by hand. Generic AI prompts miss business context and produce bland, interchangeable text that weakens Copilot quality. Bringing rich schema context into AI generation from inside a Fabric notebook hasn't been possible — until now.
"How do I make every measure, column, and table in my model Copilot-ready with descriptions, synonyms, and AI instructions that actually reflect my business — without writing them all by hand?"
AI Generation combines Azure OpenAI via Fabric Copilot auth (no API key, no endpoint config — just synapse.ml.fabric.credentials.get_openai_httpx_sync_client()) with full schema context injection: relationships, data types, DAX expressions, and user-supplied business domain. Every generated description is grounded in the actual model, not hallucinated. Reviewable plan before any TOM write, with graceful fallback to rule-based templates when AI is unavailable.
🔄 Model Diff — Cross-Workspace Drift Detection
Semantic models live across multiple workspaces — dev, test, UAT, prod, client A, client B. There is no built-in Fabric tool that compares two models to answer "what changed?" Drift happens silently: someone adds a measure in dev, tweaks a DAX formula in prod, removes a column during a refactor — and these changes go unnoticed until a report breaks.
"What changed between my dev model and my prod model? Which tables, columns, or measures were added, removed, or modified — and are any DAX expressions different?"
Model Diff uses sempy TOM reads across two workspaces + tabular schema comparison + DAX expression normalization to produce a structured drift report covering tables, columns, measures, relationships, and DAX changes. Essential for DataOps / release workflows and multi-tenant engagements where models live in many places.
🎯 13 Tools In One Scan
- Copilot Readiness — descriptions, synonyms, hidden keys, format strings, AI Prep
- Lineage — measure → source, blast radius, unused columns, dead code
- Test Framework — every DAX measure evaluated, relationships validated
- Model Diff — compare across workspaces (dev vs prod drift)
- Report Visuals — broken refs, unused measures (model-filtered)
- Security Audit — role compliance, RLS/OLS coverage
- Security X-Ray — effective access + workspace bypass detection
- Data Quality — referential integrity, null-rate (batched DAX UNION, 10× faster)
- DAX Dependencies — fan-in/fan-out, circular references
- sempy_labs integrations — BPA, Vertipaq, Direct Lake, Capacity (opt-in)
⚙️ Auto-Fix 9 Categories Via TOM
Preview all generated fixes in a reviewable plan, then apply selected ones: AI/template descriptions, synonyms (Culture ObjectTranslation), hidden keys, format strings, summarize-by, model CustomInstructions, AI instructions, schema reduction (isAvailableInMDX + LinguisticMetadata Entity Visibility), role descriptions.
🏗️ Technical Highlights
- Chunked HTML rendering — overcomes Fabric's ~100 KB displayHTML limit
- SPN Graph token via MSAL — 0.3s vs 60s+ notebookutils.credentials hang
- Azure OpenAI via Fabric auth — no API key needed
- AAD group expansion — recursive /transitiveMembers with pagination
- Scan log capture — contextlib.redirect_stdout keeps the config form visible
- Demo Mode — sequential pseudonyms for safe public screenshots
🚀 Quick Start
Cell 1 (install) → Cell 2 (engine) → Cell 3 (console + Run Scan) → Cell 4 (scan log) → Cell 5 (dashboard) → Cell 6 (apply fixes).
Graceful degradation: works without SPN (skips Graph expansion), without Copilot (falls back to template descriptions), without Directory.Read.All (shows object GUIDs), and read-only mode if no write access.
📦 Complete Repo
GitHub — full repo, 37 screenshots, sample HTML dashboard, MIT license
Author: Natarajan Manivasagan
LinkedIn · Fabric Community Profile
https%3A%2F%2Fgithub.com%2FNatarajanManivasagan%2FFabric-Semantic-Link-Developer-Experience-Challenge-2026-Apr%2Fblob%2Fmain%2F2026_SemanticLink_NatarajanManivasagan_ModelHealthAndSecuritySuite.ipynb
