Microsoft Fabric Updates Blog

The next evolution of OneLake security (Preview)

OneLake security features have always worked together with the robust security features inside each of Fabric’s analytical engines to provide comprehensive end-to-end security. We are thrilled to announce the next evolution of this security model: OneLake security. These new capabilities build on the existing model by allowing granular security definitions, like row and column level security, to be defined directly in OneLake alongside your data. With the granular security now stored in OneLake, Fabric engines like Spark, SQL Endpoint and Power BI in Direct Lake mode will automatically follow the same security rules rather than requiring additional rules in each individual engine.

This evolution of OneLake security is still in development. Over the next few months, we will be expanding OneLake security’s integration across the platform, adding even more robust capabilities, and boosting performance. Customers wishing to get an early look at these capabilities and provide feedback before the broad public preview can sign up for the early access preview. Once we’ve enabled your workspaces, these new features will show up as new capabilities within OneLake data access roles.

OneLake security – early access signup form

OneLake security features

OneLake security provides the following capabilities:

  • Create roles in OneLake to grant access to data.
  • Define the tables and/or folders each role can access.
  • Restrict tables further using row or column level security.
  • Easily manage assignment of your roles with a new user interface.

Fabric workload support for OneLake security

As part of OneLake security, Fabric workloads now support enforcing OneLake security. Newly created items will default to using OneLake security for access enforcement, and existing items can be left in the current delegated mode or migrated to use OneLake security. The sections below give a quick overview of how OneLake security works in each engine.

Spark

Spark notebooks in Fabric now support OneLake security enforcement, including row and column level security. Any OneLake security roles set on data are automatically enforced when querying through a notebook.

SQL Analytics Endpoint

SQL Analytics Endpoints now support ‘user identity’ mode, allowing them to directly enforce OneLake security. Newly created endpoints will start in user’s identity mode, while existing endpoints maintain their delegated mode behavior. However, all endpoints can be easily switched to running in user’s identity mode for enforcing OneLake security. To simplify security management, SQL engine security is not permitted on tables when running in user’s identity mode. This ensures that OneLake security is the source of truth for all access through SQL endpoints.

Semantic models

Semantic models using Direct Lake on OneLake storage mode now fully support OneLake security! When accessing data through a Direct Lake semantic model, OneLake security is seamlessly enforced to ensure users only see the data they are allowed to when building reports or editing the semantic model. Getting started is now even easier, with Direct Lake semantic model creation and editing available in Power BI Desktop. Learn more on the Power BI March 2025 Updates blog.

OneLake security new UI

To enable the new features of OneLake security, we are launching a new user interface. The new UI simplifies many of the role management components, while adding new features like row and column level security.

  • New role creation is consolidated to a single step for both granting access and assigning members.
  • New views for understanding what data were assigned by a role and viewing and editing the role membership.
  • All new experiences for row and column level security:
    • Easily secure your tables by writing T-SQL to limit access to certain rows.
    • Remove column access using column level security.

Sign up for OneLake security

If you are interested in trying out OneLake security on your workspaces, you can sign up using the OneLake security – early access form. As part of the early access program, you can simply provide us with a list of workspaces you want OneLake security enabled on, and we will enable them in the coming weeks. We’d love to hear what you think of this new experience, and you can opt out at any time.

Next steps:

Learn more about OneLake security in the documentation: OneLake, the OneDrive for data.
