Microsoft Fabric Updates Blog

The next evolution of OneLake security (Preview)

OneLake security features have always worked together with the robust security features inside each of Fabric’s analytical engines to provide comprehensive end-to-end security. We are thrilled to announce the next evolution of this security model: OneLake security. These new capabilities build on the existing model by allowing granular security definitions, like row and column level security, to be defined directly in OneLake alongside your data. With the granular security now stored in OneLake, Fabric engines like Spark, SQL Endpoint and Power BI in Direct Lake mode will automatically follow the same security rules rather than requiring additional rules in each individual engine.

This evolution of OneLake security is still in development. Over the next few months, we will be expanding OneLake security’s integration across the platform, adding even more robust capabilities, and boosting performance. Customers wishing to get an early look at these capabilities and provide feedback before the broad public preview can sign up for the early access preview. Once we’ve enabled your workspaces, these new features will show up as new capabilities within OneLake data access roles.

OneLake security – early access signup form

OneLake security features

OneLake security provides the following capabilities:

  • Create roles in OneLake to grant access to data.
  • Define the tables and/or folders each role can access.
  • Restrict tables further using row or column level security.
  • Easily manage assignment of your roles with a new user interface.

Fabric workload support for OneLake security

As part of OneLake security, Fabric workloads now support enforcing OneLake security. Newly created items will default to using OneLake security for access enforcement, and existing items can be left in the current delegated mode or migrated to use OneLake security. The sections below give a quick overview of how OneLake security works in each engine.

Spark

Spark notebooks in Fabric now support OneLake security enforcement, including row and column level security. Any OneLake security roles set on data are automatically enforced when querying through a notebook.

SQL Analytics Endpoint

SQL Analytics Endpoints now support ‘user identity’ mode, allowing them to directly enforce OneLake security. Newly created endpoints will start in user’s identity mode, while existing endpoints maintain their delegated mode behavior. However, all endpoints can be easily switched to running in user’s identity mode for enforcing OneLake security. To simplify security management, SQL engine security is not permitted on tables when running in user’s identity mode. This ensures that OneLake security is the source of truth for all access through SQL endpoints.

Semantic models

Semantic models using Direct Lake on OneLake storage mode now fully support OneLake security! When accessing data through a Direct Lake semantic model, OneLake security is seamlessly enforced to ensure users only see the data they are allowed to see when building reports or editing the semantic model. Getting started is now even easier, with Direct Lake semantic model creation and editing available in Power BI Desktop. Learn more on the Power BI March 2025 Updates blog.

OneLake security new UI

To enable the new features of OneLake security, we are launching a new user interface. The new UI simplifies many of the role management components, while adding new features like row and column level security.

  • New role creation is consolidated to a single step for both granting access and assigning members.
  • New views for understanding what data were assigned by a role and viewing and editing the role membership.
  • All new experiences for row and column level security:
    • Easily secure your tables by writing T-SQL to limit access to certain rows.
    • Remove column access using column level security.

Sign up for OneLake security

If you are interested in trying out OneLake security on your workspaces, you can sign up using the OneLake security – early access form. As part of the early access program, you can simply provide us with a list of workspaces you want OneLake security enabled on, and we will enable them in the coming weeks. We’d love to hear what you think of this new experience, and you can opt out at any time.

Next steps:

Learn more about OneLake security in the documentation: OneLake, the OneDrive for data.
