Gain even more trust and compliance with OneLake diagnostics immutability (Generally Available)
In October 2025, we introduced OneLake diagnostics—a powerful capability that helps teams “answer who accessed what, when, and how” across your Fabric Lakehouse environment. OneLake diagnostics streams JSON-based activity logs into a Lakehouse you choose, enabling rich analysis, governance, and compliance workflows. A powerful capability that helps teams “answer who accessed what, when, and how” across your Fabric Lakehouse environment. OneLake diagnostics streams JSON-based activity logs into a Lakehouse you choose, enabling rich analysis, governance, and compliance workflows.
We are strengthening that foundation with the introduction of immutable diagnostic logs—a new capability that ensures diagnostic events cannot be altered or deleted for a defined retention period, giving you tamper-proof data for the entire lifecycle of your logs.
What’s new?
Immutable diagnostic logs allow you to enforce a Write-Once-Read-Many (WORM) protections state on all diagnostic event files stored in the workspace you configure. Once immutability is enabled:
- Logs are locked and cannot be tampered with or removed during the specified retention period.
- Protection is built directly on Azure Blob Storage immutable storage, the same industry-compliant foundation used for financial auditing, legal holds, and regulated retention scenarios. the same industry-compliant foundation used for financial auditing, legal holds, and regulated retention scenarios.
- All diagnostic events stored in the workspace inherit the same policy, ensuring consistent governance and predictable protection.
Why immutability matters for your organization
Immutable diagnostics help organizations:
- Meet regulatory and compliance requirements, including mandates for tamper-proof logs.
- Improve data governance and risk posture by guaranteeing the integrity of operational and security event records.
- Support forensic investigations with verifiable, unaltered logs.
- Build trust that their diagnostic data is complete, accurate, and cannot be manipulated.
Getting started
To configure immutable diagnostics:
- Enable OneLake diagnostics (if not already enabled) by selecting a Lakehouse within any workspace in the same capacity to receive diagnostic events.
- Open the workspace settings for the workspace that contains the Lakehouse you just selected.
- Specify your desired immutability period in the OneLake diagnostics section.
- Press Apply to enforce the retention policy.
Note: Once an immutability period is applied, the files cannot be modified or deleted until retention has expired. The policy cannot be shortened or reversed. Apply with care.
Best practices for secure, compliant deployments
To get the most from immutability, and to align with OneLake diagnostics best practice recommendations, focus on these core patterns:
1. Use a dedicated workspace for diagnostic logs
Immutability applies to all diagnostic event files stored in the workspace. Using a dedicated workspace for your diagnostic Lakehouse isolates permissions, keeps governance clean, and prevents operational workloads from interfering with audit data.
2. Restrict workspace admin roles
Limit workspace admins to a small, trusted group responsible for configuring immutability and managing workspace level settings. This prevents any single team from generating diagnostic activity and controlling the environment that stores the logs—a key separation of duties requirement.
3. Protect against deletion of the workspace or Lakehouse
Immutability prevents file deletion, but it does not prevent someone with the right permissions from deleting the workspace or the Lakehouse itself. Keeping the admin list small reduces the risk of accidental or intentional removal. If deletion does occur, recovery is only possible for a limited period based on your tenant’s retention settings.
4. Align immutability retention with organizational policies
Choose an immutability period that fits your audit, compliance, legal, and investigation requirements. Since immutability cannot be shortened or reversed once applied, ensure the retention window reflects your true obligations.
Cost implications
Immutability does not introduce additional charges, but it does affect how long diagnostic data remains in storage. Because files cannot be modified or deleted during the immutability period, storage cost grows as new diagnostic events are written. As a result, overall cost increases in line with the volume of diagnostic files retained.
Final thoughts
OneLake diagnostics already provides flexible, powerful insight into what’s happening across your Fabric environment. With the addition of immutable diagnostic logs, organizations now have a powerful way to ensure those insights remain trustworthy, secure, and fully compliant.
If your team needs tamper-proof records, or operates under strict regulatory requirements, immutability gives you a new level of confidence in your operational visibility.
