Governance on autopilot: The power of default domain labels in Fabric (Generally Available)
Let’s be real: expecting every data creator in your organization to manually apply the correct sensitivity label to every new Lakehouse or Warehouse is a bit like expecting everyone to use their turn signal in a parking lot—it’s the right thing to do, but people get busy, and things get missed.
Realistically, relying on every data creator in your organization to consistently assign the appropriate sensitivity label to each new Lakehouse or Warehouse is like hoping everyone always signals when driving through a parking lot—it’s best practice, but with busy schedules, some steps are inevitably overlooked.
In a sprawling data estate like Microsoft Fabric, manual governance is hard to scale. That’s why default domain labels are a total game changer for data owners.
Why default domain labels are a strategic win
Setting a sensitivity label at the Domain level ensures that any new item created within that boundary is born protected. Here is why this matters:
- Security by default: No more “oops, I forgot to label that sensitive Notebook.” As soon as an item is created in a domain (e.g., “Finance”), it inherits the domain’s default label (e.g., “Confidential”). Your security posture stays airtight without a single extra click from your users. And of course, data stays labeled even upon export from Fabric.
- Delegated authority: Not every department has the same risk profile. Default domain labels allow the Finance Domain to be “Highly Confidential” by default, while the Marketing Domain might be “Public.” It empowers domain admins to set the rules that make sense for their specific business unit.
- Frictionless compliance: Your data engineers and scientists want to build, not fill out security forms. By automating the classification at the domain level, you remove the administrative “tax” on innovation while keeping the compliance team happy.
- Scalability: As your Fabric tenant grows from 10 workspaces to 1,000, your governance remains consistent. You aren’t chasing individual items; you are managing the “container,” which is much more sustainable.
The bottom line
Default domain labels transform governance from a manual chore into an invisible infrastructure. It ensures that your most sensitive data is categorized correctly from second one, reducing the risk of data leaks and ensuring a consistent security language across your entire organization.
How-To: Setting a default sensitivity label for your Fabric domain
As a Domain Admin, you have the power to ensure every piece of data created within your business unit starts with a baseline level of protection. Follow these steps to automate your governance.
Prerequisites
- You must have Domain Admin or Fabric Admin permissions on the relevant domain.
- Sensitivity labels must already be defined and published in the Microsoft Purview compliance portal.
Step-by-step instructions
- Open the Admin Portal: In Microsoft Fabric, select the Settings (gear icon) in the top right corner and select Admin portal.
- Navigate to Domains: On the left-hand sidebar, select the Domains tab.
- Select your domain: Find the specific domain you want to configure (e.g., “Sales” or “Engineering”)
- Select Domain settings and go to the Delegated Settings tab.
- Configure sensitivity labels: In the Information protection tab, choose the appropriate sensitivity label from your organization’s list (e.g., Internal or Confidential).
- Save your changes: Select Apply. From this moment forward, any new Fabric item (Lakehouse, Report, Warehouse, etc.) created in any workspace associated with this domain will automatically receive this label.
Setting up default label for a domain
Pro-tips for admins
- Existing items: Note that setting a default label only affects newly created items. It will not retroactively change labels on items that already exist in the domain.
- User flexibility: Users can still manually change the label to a more restrictive one (e.g., upgrading an item from “Internal” to “Highly Confidential”) if the data requires it, but the default ensures they never start at “None.”
- Check your workspace association: Ensure that your workspaces are correctly assigned to the domain, or the default label won’t know where to apply!
Ready to automate your protection? Head over to the Domain settings in your Fabric Admin portal and set your first default label today. Learn more in the Domain-level default sensitivity labels in Microsoft Fabric documentation.
As always, we’d love to hear feedback on any data protection capabilities in Fabric. Contact us through this form.
