Microsoft Fabric Updates Blog

Introducing Workspace Outbound Access Protection for Spark  

In today’s hyper-connected digital landscape, safeguarding sensitive data is more critical than ever. Microsoft Fabric already offers a robust suite of network security features for inbound and outbound connectivity, such as Private Links, Trusted Workspace Access, and Managed Private Endpoints, which are now generally available.

As organizations increasingly depend on Microsoft Fabric to manage their sensitive data, the demand for exfiltration protection has become equally important.

We’ve heard your feedback, and we’re thrilled to announce the Public Preview of Workspace Outbound Access Protection (OAP) for Spark, which will help you achieve data exfiltration protection in combination with other network security features!

With OAP, organizations can govern outbound connections from Fabric workspaces to external destinations and other Fabric workspaces within the same tenant. This means greater control, tighter security, and a significant step forward in preventing data exfiltration.

In this release, we are introducing OAP for Spark, which runs unmanaged code and hence has a higher risk of data exfiltration. We plan to expand to other Fabric experiences in future releases.

What is Workspace Outbound Access Protection (OAP)?

Workspace Outbound Access Protection (OAP) is designed to help restrict outbound connectivity from a Fabric workspace to help prevent data exfiltration. With OAP, Workspace Admins are in the driver’s seat, deciding exactly which destinations their workspaces can connect to.

Key Benefits

  • Enhanced Outbound Security:

By leveraging managed private endpoints, organizations can ensure that artifacts in the protected workspace can connect only to the limited set of destinations for which private endpoints have been set up. All other outbound connections, to the public internet and to other destinations, are blocked from the workspace.

  • Granular Control:

Control outbound access per workspace instead of at the tenant level. This allows you to apply differentiated controls across business units, environments (dev/test/prod), data domains, or projects.

  • Data Exfiltration Prevention:

Workspace OAP, when combined with inbound protection, can help customers prevent data from being exfiltrated outside the workspace boundary.

  • Better Compliance:

Meet stringent compliance and regulatory requirements by ensuring your sensitive data never leaves the workspace boundary if it’s not allowed by Workspace Admins.

What to expect with Outbound Access Protection (OAP) for Spark?

OAP ensures that external connections made from a Spark notebook are secured and allowed by the Workspace Admins, thereby reducing the risk of exfiltration.

In the above workflow diagram, to allow connections to external data sources or to another workspace, the Workspace Admins first have to enable OAP (#1) and then set up Managed Private Endpoints (MPE) from the Data Engineering workspace to these destinations. Once allowed, Spark notebooks can connect (#2) only to these destinations. No other external connection from the workspace is allowed.

Once OAP is enabled on the workspace, only the creation of Data Engineering artifacts (Spark Notebooks, Spark Job Definitions and Lakehouses) is allowed in the workspace. Creation of other, unsupported items will be blocked. This is to ensure that all artifacts in the workspace respect the outbound rules. As more experiences support OAP, users will be able to create these artifacts in OAP-enabled workspaces.

In the meantime, unsupported artifacts can be created in an unrestricted workspace and connect to an OAP-enabled workspace (#3 above). To further protect the workspace from unauthorized inbound connections, Workspace Admins can enable inbound protection using workspace-level private links. This will ensure that only the allowed inbound connections are made to the protected workspace.

For the detailed setup of Workspace OAP, its limitations and supported artifacts, please refer to the Workspace Outbound Access Protection overview.

What’s next?

We are constantly evolving our security story for Fabric and aim to add more Fabric experiences to expand the scope of OAP. We also recently released Fabric Workspace Level Private Link in Public Preview.

Your feedback is essential! Let us know how we can make Fabric even more secure and flexible for your workloads by adding your comment to this blog.
