Microsoft Fabric Updates Blog

Connect to your most sensitive data with end-to-end network security in Fabric

The path to building a data-rich culture requires making all of your data, even sensitive data, available for analysis. But with all of this data flowing into your data platform, you need to be certain that your data is secure at every step of the data journey. Since the launch of Microsoft Fabric, we’ve released a huge set of flexible security tools, from always-on security and encryption to fine-grained security and isolation for your most sensitive data.

We are thrilled to announce another huge leap forward in Fabric’s network security offerings:

  1. The preview of Azure Private Link support for workspaces to help you secure inbound traffic to specific workspaces in Fabric.
  2. The preview of outbound access protection for Spark (previously called data exfiltration protection) which provides controls to ensure Spark in a Fabric workspace can only connect to specific data sources or endpoints outside of Fabric.
  3. The preview of Fabric encryption with customer managed keys so you can use your own encryption key to protect your data stored in Fabric.

In this post, we’ll review the entire set of capabilities in Fabric that you can use to secure your most sensitive data and remain compliant, including the latest announcements. You can also join us on May 28 for the Ask the Experts – Securing your data in Microsoft Fabric webinar where experts from across Fabric security will join to answer all your questions live. Or you can join us on June 16th for the “Connect Securely to Your Most Sensitive Data in Fabric” webinar with Rick Xu which will go in-depth and demo these new network security capabilities.

Secure by default in Fabric

Microsoft Fabric’s software-as-a-service (SaaS) architecture and industry-leading security tools can help you simplify and accelerate security configuration while ensuring your data is protected at every step of its journey. Fabric comes with always-on, default security and a wide set of advanced tools so you can more easily manage the security needed for every scenario. Data users and security admins get specific tools designed for them so everyone can help ensure only the right people have access to the right data. All of this functionality comes in a cloud-based, pre-integrated and optimized SaaS environment—removing much of the cost and responsibility for maintaining your security.

Fabric’s SaaS security model

When we designed Microsoft Fabric, we wanted to simplify the data product experience by building a true SaaS platform, which means everything comes pre-integrated and pre-optimized so your data teams can work faster, together. This SaaS architecture simplifies how you secure your data while enabling broad access to grow a data culture. For example, like other SaaS services, Fabric uses Microsoft Entra ID to authenticate connection requests to Fabric, allowing only authorized users to safely connect to Fabric from wherever they are working. You can even define and enforce conditional access policies based on your users’ identity, device context, location, network, and application sensitivity.

However, many organizations have strict compliance requirements or heightened security needs that necessitate isolating connections on private virtual networks. To support these scenarios, Fabric provides end-to-end inbound and outbound protection through capabilities like Azure Private Links, Managed Private Endpoints, Data Gateways and Trusted Workspace Access. Let’s take a look at the latest isolation capabilities we are bringing over the next month to the Fabric platform that enable you to connect to even the most sensitive data.

Azure Private Link support for Fabric workspaces

Azure Private Links can provide secure access to your sensitive data by providing network isolation and applying required controls on your inbound network traffic. Currently, we support Azure Private Links at the tenant level, but coming soon, we are expanding support to the workspace level in Fabric. With this feature enabled, you can ensure data traffic travels over a private network instead of the public internet.

A screenshot of Azure private link support for Fabric workspaces. The screenshot covers the architecture of how two workspaces, one with Azure link and one using Entra, protect your data.

This granular support will give you the ability to secure inbound traffic to specific workspaces instead of the entire tenant, which is critical to support the typical scenarios most organizations face. For example, you can isolate access to production workspaces but allow workspaces dedicated to development and testing to be accessed over the internet. This capability will be available in preview in early summer.

Outbound access protection for Spark

With both the cost and rate of security breach incidents growing every year, guarding against malicious or accidental exfiltration of sensitive data to unapproved locations is top of mind for any security team. That’s why we are announcing the preview of outbound access protection in Fabric. Outbound access protection, previously called Data Exfiltration Protection in Azure Synapse Analytics, can help you prevent exfiltration of data to unapproved locations outside of the organization. You can simply turn outbound access protection on in your Fabric settings, and Spark in a Fabric workspace will be blocked from exfiltrating data from managed virtual networks to unapproved destinations outside of your organization’s Fabric tenant.

A screenshot of a slide that provides descriptions and an architecture for outbound access policies. The architecture shows how OAP protects your data and the words say "Workspace level control to restrict outbound access to public network. Restrict outbound connections to permitted destinations only. Use in conjunction with other security features to achieve robust data exfiltration protection."

Outbound access protection will be available in preview in early summer. We are also working to extend this feature to dataflows, data pipelines, and copy jobs in Fabric Data Factory in the near future.

Customer managed keys in Fabric

We are also giving you greater control over your data encryption keys with the preview of customer managed keys (CMK) in Fabric. Customer-managed keys are used to protect and control access to the key that encrypts your data. With CMK, users will be able to manage their own encryption keys, ensuring that their data is protected in accordance with their specific security policies and regulatory requirements.

A slide showing an architecture of customer managed keys with some descriptions. The words include "All data at rest is encrypted by default by Fabric. Customer managed keys (CMK) helps you meet additional compliance requirements by adding a second layer of encryption with keys you manage. CMK for Azure enables organizations to use their own encryption keys to encrypt data in Fabric."

Customer managed keys in Fabric are now available for preview in select regions. To learn more, refer to Encrypt data at rest in your Fabric workspaces using customer-managed keys.

End-to-end security in Fabric

These new features add tremendous value to our existing security story in Fabric. Over the past three years, we’ve made tremendous progress supporting all of your security needs across three areas:

  1. Flexible, secure connections: simplify network security with a SaaS platform that has built-in and advanced tools to protect your Fabric tenant and enable connection to even the most sensitive data.
  2. Easy-to-manage data access: take full control of your data and ensure only the right people have access to the right data with easy-to-use tools for both admins and users alike.
  3. Compliance control at scale: maintain compliance with even the strictest data residency and industry standard requirements across the globe.

Flexible, secure connections

With Fabric’s end-to-end network security, you can flexibly manage security with a range of security tools from always-on security to fine-grained security for your most sensitive data. You can minimize the complexity of inbound security with interactions encrypted by default and authenticated using Microsoft Entra ID, the same security used by Microsoft 365. And, you can ensure your data is protected at every layer using end-to-end isolation capabilities on Microsoft’s private network to restrict incoming and outgoing traffic.

Check out the inbound and outbound security capabilities currently available in Fabric:

  • Conditional access policies: implement conditional access policies through Microsoft Entra which restrict access based on user, group, network location, application, device, and risk detection.
  • Private links: use private links to provide secure access for data traffic in Fabric including specific workspaces. Azure Private Link and Azure Networking private endpoints send traffic privately using Microsoft’s backbone network instead of using the public internet.
  • Service tags: minimize the complexity of updating network security rules using Azure service tags to group and manage IP addresses for a service.
  • On-premises and V-Net data gateway support: connect to data in your on-prem and private networks using a Fabric on-premises data gateway (OPDG) or the virtual network data gateway. You can use Fabric Data Factory with both data gateways, and you can even create OneLake shortcuts using the on-prem data gateway.
  • Managed private endpoints: secure and private access to data sources from certain Fabric workloads.
  • Trusted workspace access: Access firewall-enabled Azure Data Lake Storage (ADLS) Gen2 accounts in a secure manner from Fabric.

Easy-to-manage data access

Managing granular data security across thousands of users, multiple applications, and different data engines is incredibly complex and often results in either excessive restrictions or accidental data exposures. In Fabric, you can establish effective federated data security with robust, tenant-wide controls for admins and easy-to-use, granular tools for end users. You can define security and manage roles at every layer of Fabric and enforce them uniformly across all Fabric engines so users only access the data they need. And you can use the built-in Purview integration to automatically classify sensitive data in Fabric, enforce restrictions, and protect data even when it’s exported.

Check out the data access capabilities currently available in Fabric:

  • OneLake security: Define access permissions once, and Fabric will enforce it consistently across all engines. Data owners can create security roles, refine permissions, and control access at the row and column levels to securely share data. This security propagates automatically, so whether you query the data in SQL or visualize it in a Power BI report, you can only see what has been authorized.
  • Workspace security: Easily manage security in the workspace and data associated to a workspace by assigning users to workspace roles.
  • Item security: Assign permissions directly to Fabric items, like warehouses and lakehouses to grant access to an individual Fabric item without granting access to the entire workspace.
  • Data encryption: Encrypt your data and metadata at-rest with Microsoft-managed keys and in-transit with at least TLS 1.2 and TLS 1.3 when possible.
  • Customer Lockbox: Use customer lockbox in Fabric to control how Microsoft engineers access your data.
  • Dynamic data masking in Fabric Data Warehouse: Prevent unauthorized viewing of sensitive data by specifying how much sensitive data to reveal, with minimal effect on the application layer.
  • Granular permissions in Fabric Data Warehouse: Use standard SQL constructs for more granular control when the default permissions provided by assignment to workspace roles or granted through item permissions are insufficient.
  • Purview sensitivity labels: Manually label Fabric items with your organization’s sensitivity labels, the same labels used in Microsoft 365 apps.
  • Purview information protection: Define Purview Information Protection policies in Microsoft Fabric to automatically enforce access permissions to sensitive information in Fabric.
  • Purview Data Loss Prevention: Automatically identify the upload of sensitive information to Fabric and trigger automatic risk remediation actions.
  • Purview Data Security Posture Management: Discover data risks with Copilot in Fabric such as sensitive data in user prompts and responses and immediately take action.

Compliance control at scale

Fabric is committed to meeting industry compliance standards so you can meet all of your regulatory requirements including FedRAMP, SOX, GDPR, EUDB, HIPAA, ISO certifications and more. With Fabric, you also get granular control over where your data and workspaces reside with over 54 data centers worldwide and the ability to keep data in different regions while in the same data lake. Finally, you can seamlessly support security, forensic, and internal investigations with automatically logged user activities from Microsoft Fabric in Microsoft Purview Audit and APIs.

Check out the compliance capabilities currently available in Fabric:

  • Certificates and standards: Maintain compliance with industry standards including HIPAA, SOC 1 & 2, SOX, HITRUST, FedRAMP Certification on Azure commercial, PCI DSS, ISO standards (27001, 27701, 27017, 27018), DICOM, FHIR, and more.
  • Multi-geo support: Store data in 54 data centers around the world and even place different workspaces in separate regions while still being part of the same data lake.
  • Microsoft Purview Audit: Preserve audit logs to meet regulatory requirements, support forensic investigations, and gain high-bandwidth access to data.
  • Microsoft Purview Insider Risk Management: Ingest audit logs from Fabric in addition to millions of other signals to identify potential malicious or inadvertent insider risk.
  • Resilience: Confidently design mission-critical systems on Fabric with a resilient foundation built on world-class infrastructure and built-in BCDR resilience tools.

Join our upcoming webinar to learn more!

Interested in learning more about network security in Fabric? Join us on June 16th for the “Connect Securely to Your Most Sensitive Data in Fabric” webinar with Rick Xu. This webinar will cover how Fabric is simplifying network security and show you how to use the latest network security capabilities in Fabric such as Microsoft Entra ID, Azure Private Links, Outbound Access Protection, Managed VNets, Trusted Workspace Access, Customer Managed Keys, and more!

You can also join us on May 28 for the “Ask the Experts – Securing your data in Microsoft Fabric” webinar where experts from across Fabric security will join to answer all your network security and other security-related questions live.

And finally, we’ve created an end-to-end Fabric security whitepaper, covering details on how Microsoft secures your data by default as a SaaS service, and how you can secure, manage, and govern your data when using Fabric.
