Microsoft Fabric Updates Blog

The next evolution of OneLake security (Preview)

OneLake security features have always worked together with the robust security features inside each of Fabric’s analytical engines to provide comprehensive end-to-end security. We are thrilled to announce the next evolution of this security model: OneLake security. These new capabilities build on the existing model by allowing granular security definitions, like row and column level security, to be defined directly in OneLake alongside your data. With the granular security now stored in OneLake, Fabric engines like Spark, SQL Endpoint and Power BI in Direct Lake mode will automatically follow the same security rules rather than requiring additional rules in each individual engine.

This evolution of OneLake security is still in development. Over the next few months, we will be expanding OneLake security’s integration across the platform, adding even more robust capabilities, and boosting performance. Customers wishing to get an early look at these capabilities and provide feedback before the broad public preview can sign up for the early access preview. Once we’ve enabled your workspaces, these new features will show up as new capabilities within OneLake data access roles.

OneLake security – early access signup form

OneLake security features

OneLake security provides the following capabilities:

  • Create roles in OneLake to grant access to data.
  • Define the tables and/or folders each role can access.
  • Restrict tables further using row or column level security.
  • Easily manage assignment of your roles with a new user interface.

Fabric workload support for OneLake security

As part of OneLake security, Fabric workloads now support enforcing OneLake security. Newly created items will default to using OneLake security for access enforcement, and existing items can be left in the current delegated mode or migrated to use OneLake security. The sections below give a quick overview of how OneLake security works in each engine.

Spark

Spark notebooks in Fabric now support OneLake security enforcement, including row and column level security. Any OneLake security roles set on data are automatically enforced when querying through a notebook.

SQL Analytics Endpoint

SQL Analytics Endpoints now support ‘user identity’ mode, allowing them to directly enforce OneLake security. Newly created endpoints will start in user’s identity mode, while existing endpoints maintain their delegated mode behavior. However, all endpoints can be easily switched to running in user’s identity mode for enforcing OneLake security. To simplify security management, SQL engine security is not permitted on tables when running in user’s identity mode. This ensures that OneLake security is the source of truth for all access through SQL endpoints.

Semantic models

Semantic models using Direct Lake on OneLake storage mode now fully support OneLake security! When accessing data through a Direct Lake semantic model, OneLake security is seamlessly enforced to ensure users only see the data they are allowed to when building reports or editing the semantic model. Getting started is now even easier, with Direct Lake semantic model creation and editing available in Power BI Desktop. Learn more on the Power BI March 2025 Updates blog.

OneLake security new UI

To enable the new features of OneLake security, we are launching a new user interface. The new UI simplifies many of the role management components, while adding new features like row and column level security.

  • New role creation is consolidated to a single step for both granting access and assigning members.
  • New views for understanding what data were assigned by a role and viewing and editing the role membership.
  • All new experiences for row and column level security:
    • Easily secure your tables by writing T-SQL to limit access to certain rows.
    • Remove column access using column level security.

Sign up for OneLake security

If you are interested in trying out OneLake security on your workspaces, you can sign up using the OneLake security – early access form. As part of the early access program, you can simply provide us with a list of workspaces you want OneLake security enabled on, and we will enable them in the coming weeks. We’d love to hear what you think of this new experience, and you can opt out at any time.

Next steps:

Learn more about OneLake security in the documentation: OneLake, the OneDrive for data.
