Microsoft Fabric Governance Interview Questions
Microsoft Fabric Governance Interview Questions – Master Administration, Security, Purview Integration, and Capacity Management for Senior Architects.
What are the top Fabric Governance interview questions?
The most common Microsoft Fabric Governance interview questions focus on the security hierarchy (Tenant vs. Domain vs. Workspace), the implementation of OneLake Data Access Roles, and strategies for managing F-SKU Capacity using the Metrics App. Candidates are also tested on integrating Microsoft Purview for lineage, sensitivity labeling, and auditing.
If you are a Platform Admin or Security Architect, preparing for Microsoft Fabric Governance interview questions is vital for your career. Fabric introduces a federated governance model that decentralizes control via Domains while maintaining central oversight. Therefore, you must demonstrate how to secure data at rest and in transit, manage compute costs through smoothing, and ensure compliance across the entire data estate.
This comprehensive guide provides 40 deep-dive questions organized into 6 modules. We have integrated insights from our Fabric Governance Tutorial to help you master enterprise administration.
Module A: Core Governance Model
Understanding the hierarchy is the foundation. These Microsoft Fabric Governance interview questions cover Domains and Workspace design.
Domains & Hierarchy
Beginner Q1: What is the Fabric Governance Hierarchy?
Fabric follows a strict hierarchy for governance: Tenant (Top level, tied to Entra ID) > Domain (Logical grouping for business units) > Workspace (Security and billing boundary) > Item (Artifacts like Lakehouses, Reports). Understanding this cascading structure is essential for applying policies correctly.
Intermediate Q2: Why use Domains?
Domains enable Federated Governance (Data Mesh). Instead of IT managing 1,000 workspaces, you can group them into Domains (e.g., Finance, HR) and delegate “Domain Admin” rights to business users. As a result, departments can manage their own workspace creation and policies while still adhering to central tenant settings.
Advanced Q3: Tenant vs. Capacity Settings?
Tenant Settings apply globally (e.g., “Allow creating Fabric items”). Capacity Settings apply to the compute infrastructure (e.g., F64). Crucially, some tenant settings can be overridden at the Domain or Capacity level (delegation), allowing for granular control over features like Copilot or Export.
Workspace Strategy
Intermediate Q4: Best practices for Workspace design?
Avoid creating workspaces per user. Instead, align workspaces with Projects or Lifecycle Stages (e.g., “Sales_Dev”, “Sales_Prod”). Furthermore, separate data workspaces (Lakehouses) from reporting workspaces (Power BI Apps) to implement a “Golden Dataset” architecture with stricter security on the data layer.
Advanced Q5: What is “Workspace Identity”?
Workspace Identity is a Managed Identity feature. It allows the workspace itself to authenticate against trusted Azure services (like ADLS Gen2 or Key Vault) without relying on a specific user’s credentials. Therefore, pipelines keep running reliably even if the creator leaves the organization.
Intermediate Q6: Personal Workspaces (My Workspace)?
“My Workspace” is a sandbox for every user. However, it cannot be assigned to a Fabric Capacity (unless it’s a Trial) and lacks collaborative features. Therefore, in an enterprise governance strategy, you should strictly discourage using My Workspace for any production content.
Module B: Fabric Security Layers
Security is the #1 concern for Admins. These questions cover RBAC, OneLake security, and sharing models.
Access Control (RBAC)
Intermediate Q7: Explain the 4 Workspace Roles.
Fabric has four roles: Admin (Full control, including deleting workspace), Member (Can create/edit items and share), Contributor (Can create/edit items but cannot share), and Viewer (Read-only access to reports). Warning: Viewers may still query underlying data via SQL Endpoints if workspace settings allow.
Advanced Q8: Item-Level Sharing vs. Roles?
Workspace Roles apply to all items in a workspace. In contrast, Item-Level Sharing allows you to grant a user access to a single report or Lakehouse without adding them to the workspace. This adheres to the Principle of Least Privilege.
Advanced Q9: The “Viewer” role security trap?
A common misconception is that “Viewer” only sees reports. However, if the workspace setting “Users can view artifacts” is enabled, Viewers can also connect to the SQL Endpoint of a Lakehouse and query tables. To prevent this, you must secure the SQL Endpoint explicitly using SQL DENY commands or OneLake roles.
OneLake Security
Advanced Q10: What are OneLake Data Access Roles?
This is a feature enabling Folder-Level Security. You can define roles (e.g., “Finance_Read”) within a Lakehouse and assign permissions to specific folders in OneLake. Both Spark and T-SQL engines honor these permissions, providing granular control previously only available in ADLS Gen2 ACLs.
Intermediate Q11: RLS in Warehouse vs. Lakehouse?
Warehouse: Uses standard T-SQL Row-Level Security (RLS) policies.
Lakehouse: Can define RLS in the SQL Endpoint, but Spark access bypasses SQL RLS.
Therefore, for universal RLS, you must implement it at the OneLake Data Access Role level or within the consuming Semantic Model.
Advanced Q12: How does Shortcut security work?
Shortcuts typically use “Delegated Authorization.” The user reading the shortcut uses the identity of the shortcut creator (or a bound credential) to access the source. However, for ADLS Gen2 shortcuts specifically, you can configure “Passthrough” identity to ensure the end-user’s own ACLs are checked at the source.
Module C: Purview & Compliance
Compliance is mandatory. These Microsoft Fabric Governance interview questions cover sensitivity and auditing.
Information Protection
Beginner Q13: Sensitivity Labels in Fabric?
Fabric integrates with Microsoft Purview Information Protection (MIP). You can apply labels (e.g., “Highly Confidential”) to items. Importantly, these labels travel with the data. If a user exports data from a labeled Lakehouse to Excel, the Excel file is automatically encrypted and labeled.
Intermediate Q14: Default Label Policies?
Admins can configure a Default Label policy. This ensures that any new item created in Fabric automatically receives a baseline label (e.g., “General”). Furthermore, you can enforce “Mandatory Labeling,” preventing users from saving content without selecting a classification.
Advanced Q15: Inheritance of Labels?
Fabric supports downstream inheritance. If you label a Lakehouse as “Confidential,” any Semantic Model or Report created from that Lakehouse will automatically inherit the “Confidential” label. This ensures protection persists across the lineage.
Auditing
Intermediate Q16: How to access Audit Logs?
Fabric Audit Logs are unified with Microsoft 365. You can access them via the Purview Compliance Portal. Alternatively, you can use the “Admin Monitoring” workspace in Fabric, which provides pre-built Power BI reports over the audit logs for easier consumption.
Advanced Q17: What actions are logged?
Almost all interactions are logged: Viewing reports, running Spark jobs, executing SQL queries, exporting data, and modifying permissions. Crucially, for OneLake, data access events (reading a file) are also logged, providing a complete audit trail for compliance.
Intermediate Q18: Monitoring “Export to Excel”?
One of the biggest risks is data exfiltration via Export. The Audit Logs capture the “ExportReport” event. Therefore, you can set up alerts in Purview to notify security teams if a user exports massive amounts of data or exports from a “Highly Confidential” report.
Module D: Capacity Administration
Managing the F-SKU is a core admin task. These questions cover compute management and cost control.
Capacity Management
Beginner Q19: What is an F-SKU?
F-SKUs (Fabric Capacity) are the unified compute units for all Fabric workloads (Spark, SQL, Power BI). They range from F2 to F2048. Unlike Power BI Premium (P-SKU), F-SKUs enable Pay-as-you-go billing (via Azure) and can be paused/resumed to save costs.
Intermediate Q20: Explain “Smoothing” regarding Throttling.
Fabric does not throttle immediately when usage spikes. Instead, it uses Smoothing. Interactive usage (like reports) is smoothed over 5 minutes. Background usage (ETL) is smoothed over 24 hours. Therefore, you can burst CPU usage temporarily without penalty, as long as the average usage stays within limits.
Advanced Q21: Bursting vs. Smoothing?
Bursting allows a job to use more CUs than purchased (borrowing from the future). Smoothing averages that usage over time. However, if you sustain bursting for too long, you accumulate a “debt” of CUs. Eventually, Fabric will initiate “Interactive Delay” (throttling) until the debt is paid off by idle time.
Monitoring
Intermediate Q22: What is the Capacity Metrics App?
This is the essential monitoring tool for Admins. It shows CU consumption by Item, Workspace, and Operation. Specifically, it helps identify “Noisy Neighbors” (e.g., a poorly written Spark job consuming 80% of capacity) so you can optimize or move them.
Advanced Q23: Handling “Throttling” events?
When the Capacity Metrics App shows throttling (red bars), you have two options:
1) Optimize: Tune the heavy queries/jobs.
2) Scale: Temporarily scale up the F-SKU in Azure Portal to clear the backlog, then scale down.
Or, enable Autoscale to handle spikes automatically.
Intermediate Q24: Pausing Capacity?
F-SKUs can be paused. When paused, you pay nothing for compute, but you cannot access any data or reports. However, storage costs (OneLake) continue. This is ideal for Dev/Test environments that are only needed during business hours.
Module E: Lineage & Discovery
Understanding data flow is key for governance. These Microsoft Fabric Governance interview questions cover impact analysis.
Intermediate Q25: What is Impact Analysis?
Impact Analysis allows you to see what downstream items will be affected if you change a dataset. In Lineage View, if you select a Lakehouse, you can see all Semantic Models and Reports that depend on it. Consequently, this prevents breaking production dashboards during updates.
Advanced Q26: Metadata Scanning (Scanner API)?
The Admin APIs (Scanner API) allow you to programmatically extract metadata from the entire tenant (workspaces, items, users, access rights). This is used by governance tools to build custom catalogs or audit compliance (e.g., “Find all reports shared with external users”).
Intermediate Q27: Endorsement: Certified vs Promoted?
Promoted: Any content owner can promote their items to say “this is ready for use.”
Certified: A restricted status (controlled by settings) used by Central IT/Governance to indicate “Golden Data” that has passed strict quality checks. As a result, Certified items rank higher in the OneLake Data Hub.
Advanced Q28: Cross-Tenant Lineage?
Lineage typically breaks at the tenant boundary. However, if you use “External Data Sharing” (in-place sharing) from another Fabric tenant, Fabric can show the external data source in the lineage view, though detailed upstream lineage in the other tenant is usually hidden for security.
Intermediate Q29: Domains & Sub-Domains?
Fabric supports Sub-Domains (nested domains) to mirror complex org structures (e.g., Finance -> Tax). You can assign Domain Admins at each level. This improves discoverability in the Data Hub, allowing users to filter by “Finance” content easily.
Intermediate Q30: The “Admin Monitoring” Workspace?
Fabric automatically creates an “Admin Monitoring” workspace for tenant admins. It contains pre-built reports on Feature Usage and Adoption. Thus, it eliminates the need to manually export audit logs and build custom Power BI reports for basic usage tracking.
Module F: Real-World Security Scenarios
Architectural decisions for secure environments.
Network Security
Advanced Q31: Private Endpoints in Fabric?
Fabric supports Private Links to secure access to the Fabric portal and OneLake from your Azure VNet. When enabled, traffic does not traverse the public internet. Crucially, this requires careful DNS configuration and blocks public internet access to the tenant.
Advanced Q32: Trusted Workspace Access?
This feature allows Fabric Pipelines (in specific workspaces) to access firewall-protected Azure resources (like ADLS Gen2) without needing a VNet Gateway. It uses the Workspace Identity as a trusted Microsoft service credential.
Intermediate Q33: Conditional Access Policies?
Fabric integrates with Entra ID Conditional Access. You can enforce policies like “Require MFA” or “Block access from outside specific countries” for Fabric users. This adds a layer of identity security on top of Fabric’s internal permissions.
Cross-Tenant & B2B
Advanced Q34: Sharing data across tenants?
Fabric supports “External Data Sharing” (in-place sharing). You can share a Lakehouse or KQL Database with a user in another tenant. They see the data in their own Fabric OneLake without copying it. Consequently, this is a game-changer for B2B data products.
Intermediate Q35: Managing Guest Users?
Guest users (B2B) can be invited to a workspace. You can control their permissions via Tenant Settings (e.g., “Allow guest users to edit content”). Best Practice: Use Entra ID Groups to manage guest access rather than inviting individuals.
Advanced Q36: Customer Managed Keys (CMK)?
For highly regulated industries, Fabric supports CMK. This allows you to bring your own encryption key (stored in Key Vault) to encrypt data at rest in OneLake. Therefore, if you revoke the key, the data becomes instantly unreadable to everyone, including Microsoft.
Disaster Recovery
Advanced Q37: Fabric BCDR (Disaster Recovery)?
Fabric provides built-in Business Continuity and Disaster Recovery. OneLake data is replicated (ZRS/GRS depending on region). In a regional outage, Microsoft manages the resiliency of the OneLake storage and Fabric control plane. However, customers are responsible for designing their own recovery strategy for code artifacts (via Git) and data pipelines.
Intermediate Q38: Recovering deleted workspaces?
If a workspace is deleted, it enters a “Soft Delete” state. A Fabric Administrator can restore the workspace (and all its items) within the retention period (typically 30 days) from the Admin Portal. After that, it is permanently lost.
Intermediate Q39: Git for Governance?
Using Git integration is a governance best practice. It provides version history, rollback capabilities, and “Code Reviews” (via Pull Requests) before changes are merged to production. This prevents unauthorized or accidental changes to critical governance policies defined in code.
Advanced Q40: Delegated Admin Rights?
To avoid bottlenecks, do not be the only Fabric Admin. Delegate “Capacity Admin” rights to IT leads and “Domain Admin” rights to business unit leads. Thus, you ensure that routine tasks (managing workspace access, monitoring capacity) are handled locally.