← Back to Interview Hub

Microsoft Fabric Governance Interview Questions (2026 Guide)

40 questions across the governance hierarchy, security layers, Purview compliance, capacity administration, lineage, and real-world scenarios. Verified June 2026 — includes OneLake Security GA, the Purview Hub retirement, and new DLP, Insider Risk Management, and DSPM for AI capabilities.

The governance stack — and the layer that now cuts across all of it
TenantEntra ID-bound root
DomainFederated business-unit grouping
WorkspaceSecurity + billing boundary
ItemLakehouse, Warehouse, Report
OneLake Security — GA, FabCon 2026

Row-level, column-level, folder-level, masking, predicate RLS. One model, follows the data across Spark, T-SQL, and Power BI — regardless of which layer above enforces access.

AI Snapshot

Senior governance interviews test whether you know the 2026 consolidation: OneLake Security reaching GA (unifying what used to be separate per-engine security configs), the Purview Hub’s retirement in favor of the OneLake catalog’s Govern tab, and three new Purview capabilities reaching GA — Data Loss Prevention, Insider Risk Management, and (arriving) Data Security Posture Management for AI. Candidates still describing “OneLake Data Access Roles” as the current state of the art are a full generation behind.

Verified: June 2026 40 questions · 6 modules By A.J., UIG Data Lab Fabric Governance docs
Module A · Q1–Q7

The Microsoft Fabric Governance Hierarchy

Tenant, Domain, Workspace, Item — the cascading structure every governance decision sits on top of, plus the new Database Hub for multi-database estates.

Domains & Hierarchy
Q1
Foundation
What is the Microsoft Fabric Governance hierarchy from Tenant to Item?
Quick Answer

Tenant (top level, bound to Entra ID) → Domain (logical business-unit grouping) → Workspace (security and billing boundary) → Item (Lakehouse, Warehouse, Report, etc.). Every governance policy — tenant settings, capacity limits, sensitivity labels — cascades through this structure.

The hierarchy also determines where OneLake Security’s unified access rules attach: a role can be scoped at the Item level (a specific table’s folder) while still inheriting broader Workspace and Domain policies above it. Understanding which layer “wins” when settings conflict is a common follow-up.

What the interviewer is testing

Whether you can draw this hierarchy without hesitation and immediately connect it to where policy enforcement actually happens, not just recite the four names.

Q2
Intermediate
Why use Domains in Microsoft Fabric Governance rather than flat workspaces?
Quick Answer

Domains enable federated governance (Data Mesh) — group workspaces by business unit (Finance, HR) and delegate Domain Admin rights to business owners instead of centralizing every workspace decision in IT. Departments manage their own workspace creation and policy while still adhering to tenant-wide baseline settings.

Without Domains, a 500-workspace tenant forces IT to be the bottleneck for every access request. With Domains, the Finance Domain Admin handles Finance workspace requests directly, and IT retains oversight only at the tenant policy level — a scale requirement for any organization beyond a few dozen workspaces.

What the interviewer is testing

Whether you can name the scale problem Domains solve (central IT bottleneck) rather than describing them as just an organizational nicety.

Q3
Advanced
Tenant settings vs. Capacity settings — where does delegation apply?
Quick Answer

Tenant Settings apply globally (e.g., “Allow creating Fabric items”). Capacity Settings apply to specific compute infrastructure (e.g., an F64’s Spark configuration). Some tenant settings can be delegated for override at the Domain or Capacity level, enabling granular control over features like Copilot or export permissions per business unit.

What the interviewer is testing

Whether you know delegation is selective — not every tenant setting can be overridden downstream, and knowing which ones can is what separates surface knowledge from admin experience.

Workspace Strategy
Q4
Intermediate
Best practices for Microsoft Fabric Governance workspace design.
Quick Answer

Avoid one workspace per user. Align workspaces with projects or lifecycle stages (Sales_Dev, Sales_Prod). Separate data workspaces (Lakehouses) from reporting workspaces (Power BI Apps) to enforce a “Golden Dataset” architecture with stricter security on the data layer than on the consumption layer.

What the interviewer is testing

Whether you can name the specific anti-pattern (per-user workspaces) that causes governance sprawl, and the specific mitigation (data/reporting separation).

Q5
Advanced
What is Workspace Identity and why does it matter for pipeline resilience?
Quick Answer

Workspace Identity is a managed identity feature letting the workspace itself authenticate against trusted Azure services (ADLS Gen2, Key Vault) without depending on a specific user’s credentials. Pipelines keep running reliably even if the original creator’s account is disabled or leaves the organization.

What the interviewer is testing

Whether you connect Workspace Identity to the operational risk it mitigates — pipeline failure on employee offboarding — rather than describing it as a generic authentication feature.

Q6
Intermediate
Should Personal Workspaces (“My Workspace”) ever hold production content?
Quick Answer

No. “My Workspace” is a personal sandbox that cannot be assigned to a Fabric Capacity (except in Trial) and lacks collaborative and governance features. Enterprise Microsoft Fabric Governance strategy should explicitly prohibit production content in personal workspaces via tenant policy.

What the interviewer is testing

A confident, unqualified “no” — hedging on this question signals uncertainty about a governance fundamental.

Q7
Architect2026
What is the Database Hub and how does it extend governance beyond Fabric-native items?
Quick Answer

Database Hub (announced FabCon 2026) is a unified surface for managing Azure SQL, Cosmos DB, PostgreSQL, and on-premises databases via Arc — all from within Fabric, with AI-assisted management surfacing what changed, why it matters, and recommended next steps. It extends governance visibility beyond Fabric-native items into the broader database estate.

This matters for organizations where data governance conversations previously stopped at the Fabric workspace boundary — databases outside Fabric were invisible to Fabric admins. Database Hub closes that gap for the specific database types it supports, giving a single governance surface for hybrid database + analytics estates.

What the interviewer is testing

Whether you know Database Hub exists as a 2026 addition and can explain the specific problem it solves — visibility into non-Fabric databases from the Fabric admin experience.

Module B · Q8–Q14

Security Layers in Microsoft Fabric Governance

RBAC, item-level sharing, the Viewer role trap, and the single biggest 2026 update — OneLake Security reaching general availability.

Access Control (RBAC)
Q8
Intermediate
Explain the four Workspace roles and where the security risk hides.
Quick Answer

Admin (full control including deletion), Member (create/edit/share), Contributor (create/edit, no sharing), Viewer (read-only report access). The risk: Viewers may still query underlying data via SQL Endpoints if workspace settings allow it — “read-only” doesn’t always mean what it sounds like.

What the interviewer is testing

Whether you volunteer the Viewer SQL Endpoint risk unprompted — this is the detail that separates candidates who’ve configured production security from those reciting role definitions.

Q9
Advanced
Item-level sharing vs. Workspace roles — the least-privilege argument.
Quick Answer

Workspace roles grant access to every item in the workspace. Item-level sharing grants access to a single report or Lakehouse without adding the user to the workspace at all — the correct choice when someone needs one specific artifact and nothing else, adhering to least-privilege.

What the interviewer is testing

Whether you default to item-level sharing for external or narrow-scope access requests rather than reflexively adding users as workspace Members.

Q10
Advanced
The “Viewer” role security trap — how do you actually close it?
Quick Answer

If “Users can view artifacts” is enabled at the workspace level, Viewers can connect directly to a Lakehouse’s SQL Endpoint and query tables — well beyond viewing a report. Close this gap with SQL DENY commands or, as of 2026, OneLake Security roles that enforce access consistently regardless of entry point.

What the interviewer is testing

Whether your fix references OneLake Security as the current best-practice closure — SQL DENY alone is the 2023-era answer; OneLake Security is the 2026 answer.

OneLake Security — GA 2026
Q11
ArchitectGA 2026
What is OneLake Security and how is it different from the older OneLake Data Access Roles?
Quick Answer

OneLake Security reached GA at FabCon Atlanta 2026 — a unified RBAC model with row-level, column-level, and folder-level controls, including column masking and predicate row-level security, all enforced through a single model that follows the data across Spark, T-SQL, and Power BI. It supersedes the narrower, folder-only OneLake Data Access Roles.

CapabilityOneLake Data Access Roles (prior)OneLake Security (GA 2026)
GranularityFolder-level onlyRow, column, and folder-level
Column maskingNot supportedSupported
Predicate RLSNot supportedSupported
Cross-engine consistencyHonored by Spark and T-SQLFollows data across Spark, T-SQL, and Power BI uniformly
Ownership modelPer-Lakehouse role definitionDistributed ownership by workspace, consistent lake-level control
What the interviewer is testing

Whether you know this is a GA capability, not a preview feature, and can name the specific new capabilities (masking, predicate RLS) that didn’t exist in the folder-only predecessor. This is the single highest-signal question in the entire interview.

Q12
Intermediate
RLS in Warehouse vs. Lakehouse — does OneLake Security close the Spark bypass gap?
Quick Answer

Warehouse RLS via T-SQL policies only protects SQL-routed queries — Spark reading the underlying Delta files directly has historically bypassed it. OneLake Security closes this gap by enforcing row and column rules at the OneLake layer itself, so the same restriction applies regardless of whether Spark, T-SQL, or Power BI reads the data.

The architectural fix, precisely stated

Before OneLake Security: SQL-layer RLS = application-layer security, bypassable by any engine with direct OneLake permissions. After OneLake Security GA: security enforced at the storage layer itself = protected regardless of access path. This is the exact distinction to draw in an architect-level answer.

What the interviewer is testing

Whether you can precisely state that OneLake Security moves enforcement from the application layer to the storage layer — the architectural reason it closes the historic Spark bypass gap.

Q13
Advanced
How does Shortcut security work — delegated vs. passthrough identity?
Quick Answer

Shortcuts typically use delegated authorization — the reading user’s access is evaluated using the shortcut creator’s identity or a bound credential. For ADLS Gen2 shortcuts specifically, you can configure passthrough identity so the end-user’s own ACLs are checked at the source instead.

What the interviewer is testing

Whether you know passthrough identity as an explicit configuration option for ADLS Gen2 shortcuts, not the universal default across all shortcut types.

Q14
Architect
Column masking and predicate RLS via OneLake Security — walk through a concrete implementation.
Quick Answer

Define a OneLake Security role scoped to a table or folder, attach a column mask (e.g., partial redaction on a phone number column) and a predicate condition (e.g., row visible only where Region = user's assigned region). The role, once defined, enforces identically whether the table is queried via Spark, the SQL Endpoint, or Power BI Direct Lake.

The practical benefit over the old per-engine approach: previously, achieving equivalent protection meant configuring T-SQL Dynamic Data Masking separately, Spark-side filtering separately, and Power BI RLS separately — three configurations to keep in sync, with drift risk every time one was updated without the others. OneLake Security collapses this into one definition.

What the interviewer is testing

Whether you can name the specific operational pain (three-way config drift) that unified OneLake Security eliminates — this is the practitioner-level answer versus a textbook feature description.

Module C · Q15–Q22

Purview Integration in Microsoft Fabric Governance

Sensitivity labels, the Purview Hub retirement, and three major GA announcements from FabCon 2026 — Data Loss Prevention, Insider Risk Management, and DSPM for AI.

Information Protection
Q15
Foundation
How do Sensitivity Labels work in Microsoft Fabric Governance?
Quick Answer

Fabric integrates with Microsoft Purview Information Protection (MIP). Apply labels (e.g., “Highly Confidential”) to items, and they travel with the data — export a labeled Lakehouse’s data to Excel and the resulting file is automatically encrypted and labeled to match.

What the interviewer is testing

Whether you can give the concrete downstream example (Excel export inheriting encryption) rather than an abstract “labels apply protection” answer.

Q16
IntermediateLate 2025
What changed in the sensitivity label schema in late 2025?
Quick Answer

Microsoft replaced parent labels with label groups, offering more flexible organization of label hierarchies. Tenants created after October 2025 use the new schema automatically; older tenants may still be on the legacy parent-label structure and should verify before assuming label group functionality is available.

What the interviewer is testing

Whether you know the specific cutover date (October 2025) and would check the tenant’s creation date before assuming new-schema behavior — a precision signal.

Q17
AdvancedMarch 2026
How can sensitivity labels now be managed programmatically?
Quick Answer

As of March 2026, sensitivity labels are accessible via public APIs. List Items and Get Item API responses now include the Sensitivity Label ID, and the Create Item API accepts a label ID so new items are created pre-labeled. This enables infrastructure-as-code governance pipelines and partner tooling to manage labeling at scale without manual per-item intervention.

Why this matters for automation

Before this API surface existed, labeling at scale meant either manual application per item or brittle UI automation. Now a provisioning pipeline that creates a new Lakehouse can specify the required sensitivity label in the same API call — labeling becomes part of the deployment definition, not a follow-up manual step that’s easy to forget.

What the interviewer is testing

Whether you know this API surface exists and can immediately connect it to infrastructure-as-code governance patterns — a forward-looking answer that signals platform engineering maturity.

Auditing & the Govern Tab
Q18
IntermediateJan 2026
Where do you now find security and governance insights, since the Purview Hub retired?
Quick Answer

Security insights previously in the Microsoft Purview Hub have moved to the Govern tab of the OneLake catalog, consolidated into an enhanced Admin Report. The Purview Hub report was fully removed by the end of January 2026 — any documentation or muscle memory pointing to “Purview Hub” for Fabric governance reporting is now stale.

The Govern tab organizes insights into three areas: Manage your data estate (inventory, capacities, domains), Protect, secure & comply (sensitivity label coverage, DLP policy status), and recommended remediation actions with direct links to fix identified gaps — a more action-oriented experience than the old static Purview Hub reports.

What the interviewer is testing

Whether you know the exact new location (Govern tab, OneLake catalog) and the retirement timeline (Purview Hub removed end of January 2026) — candidates still directing people to “the Purview Hub” are giving deprecated guidance.

Q19
Intermediate
What actions are captured in Fabric’s audit trail?
Quick Answer

Nearly every interaction: viewing reports, running Spark jobs, executing SQL queries, exporting data, and modifying permissions. For OneLake specifically, data access events (reading a file) are also logged, giving a complete trail for compliance investigations, accessible via the Microsoft Purview audit log.

What the interviewer is testing

Whether you specifically mention OneLake data access events (file reads) as a logged category — a detail many candidates omit, focusing only on report/query-level auditing.

Purview Data Security — GA 2026
Q20
ArchitectGA 2025-2026
What is Purview Data Loss Prevention (DLP) for Fabric, and what’s currently in scope?
Quick Answer

Purview DLP policies on structured data in OneLake reached GA (announced FabCon Vienna, September 2025), covering lakehouses, warehouses, and KQL/SQL databases. Policies detect uploads of sensitive data (credit card numbers, SSNs) into OneLake and can trigger policy tips for users or enforce access restrictions on classified assets.

DLP Restrict Access scopeStatus (June 2026)
Fabric WarehouseGA (policy tip triggering GA as of FabCon Atlanta, March 2026)
KQL Database / SQL DatabasePreview
Lakehouses / Semantic ModelsExpected GA June 2026
What the interviewer is testing

Whether you know the specific rollout status per asset type — DLP restrict access is not uniformly GA across every Fabric item type as of this date, and knowing the gaps (KQL/SQL DB still Preview) shows real currency.

Q21
AdvancedGA
What is Purview Insider Risk Management for Fabric, and how does it improve on manual export monitoring?
Quick Answer

Purview Insider Risk Management (IRM) is GA for Fabric, extending built-in risk indicators to Power BI user activities — viewing, downloading, exporting, and managing sensitivity labels. These indicators feed directly into data theft and data leak policies, correlating signals across activities to surface potential insider threats like unauthorized data sharing.

This is a significant upgrade from manually watching for “ExportReport” events in raw audit logs (the pre-2025 approach). IRM correlates patterns automatically — a user who exports unusually large volumes, downloads from multiple Highly Confidential reports in a short window, and recently changed roles gets flagged as a composite risk signal rather than requiring an analyst to manually cross-reference separate log entries.

What the interviewer is testing

Whether you know IRM is now GA and can articulate the correlation advantage over manual audit log review — the difference between “logging exists” and “risk is actively surfaced.”

Q22
ArchitectPreview → GA ~May 2026
What is DSPM for AI and why does it matter specifically for Fabric’s agentic features?
Quick Answer

Data Security Posture Management (DSPM) for AI began public preview in December 2025, with GA expected around May 2026. It flags sensitive data appearing in AI agent prompts and responses — a governance layer specifically for AI interactions, distinct from traditional data-at-rest protections. It also ingests third-party signals from partners like Varonis, BigID, Cyera, and OneTrust for multi-cloud visibility.

As Fabric Data Agents and other agentic features (covered in the Data Engineering and Architecture modules of this series) become more prevalent, the risk surface shifts: sensitive data doesn’t just sit in a table anymore, it can flow through a natural-language prompt or an agent’s generated response. DSPM for AI is the governance answer to that shift — monitoring the AI interaction layer itself, not just the underlying storage.

What the interviewer is testing

Whether you connect DSPM for AI to the broader agentic AI trend across Fabric — showing you understand governance must evolve alongside new AI-native surfaces, not just extend existing data-at-rest controls.

Module D · Q23–Q28

Capacity Administration for Microsoft Fabric Governance

Smoothing, bursting, the Capacity Metrics App, and the 2025 change that removed F64 as the Copilot access gate.

Q23
Foundation
What is an F-SKU and how does it differ from Power BI Premium P-SKUs?
Quick Answer

F-SKUs are the unified compute units for all Fabric workloads — Spark, SQL, Power BI — ranging from F2 to F2048. Unlike P-SKUs, F-SKUs support pay-as-you-go billing via Azure and can be paused and resumed to control cost.

What the interviewer is testing

Whether you know the pause/resume capability as a specific F-SKU advantage over the P-SKU model, not just a naming difference.

Q24
Intermediate
Explain Smoothing and how it prevents immediate throttling.
Quick Answer

Fabric doesn’t throttle immediately on a usage spike. Interactive usage (reports) smooths over 5 minutes; background usage (ETL) smooths over 24 hours. This lets you burst temporarily without penalty, as long as average usage stays within capacity limits over the smoothing window.

What the interviewer is testing

Whether you know the two different smoothing windows (5 minutes vs. 24 hours) precisely — conflating them is a common and telling mistake.

Q25
Advanced
Bursting vs. Smoothing — what happens when bursting debt accumulates?
Quick Answer

Bursting lets a job use more CUs than purchased, borrowing against future idle capacity. Smoothing averages that usage over time. Sustained bursting accumulates a CU “debt” — eventually Fabric applies Interactive Delay (throttling) until idle time repays the debt.

What the interviewer is testing

Whether you can explain bursting debt as a genuine constraint, not an unlimited free resource — a common misconception among candidates who’ve only read the marketing description of bursting.

Q26
Intermediate
What does the Capacity Metrics App show and how do you spot a “noisy neighbor”?
Quick Answer

The Capacity Metrics App shows CU consumption by item, workspace, and operation. A “noisy neighbor” — a poorly written Spark job or query consuming a disproportionate share of capacity — is identified by comparing per-item consumption against total capacity, then either optimizing or moving the offending workload.

What the interviewer is testing

Whether you offer both remediation paths (optimize in place vs. move to isolated capacity) rather than just one.

Q27
Intermediate
Pausing a capacity — what stops and what keeps running?
Quick Answer

Pausing an F-SKU stops compute billing entirely, but data and reports become inaccessible. OneLake storage costs continue regardless of pause state. Ideal for Dev/Test capacities only needed during business hours.

What the interviewer is testing

Whether you clarify that storage costs persist through a pause — candidates who imply pausing eliminates all cost are giving an incomplete answer.

Q28
Intermediate2025
Does Fabric Copilot still require an F64 capacity?
Quick Answer

No. As of 2025, Fabric Copilot and AI capabilities became accessible to all paid SKUs, not just F64 and above. Tenant admins must still explicitly enable the relevant AI settings, but F64 is no longer the access gate it originally was.

Why this matters for governance sizing conversations

Earlier Fabric guidance (including in some older interview prep material) states F64 as a Copilot prerequisite. That’s outdated as of 2025 — governance and capacity sizing conversations should no longer treat F64 as mandatory purely for Copilot access. Smaller organizations on lower SKUs can now enable Copilot without an F64 upgrade.

What the interviewer is testing

Whether you catch and correct this specific outdated assumption — a candidate who states “F64 is required for Copilot” without qualification is repeating stale 2024 guidance.

Module E · Q29–Q34

Lineage & Discovery in Microsoft Fabric Governance

Impact analysis, the Scanner API, endorsement, and how the OneLake catalog’s Govern tab consolidated what used to be scattered across the Purview Hub and Admin Monitoring workspace.

Q29
Intermediate
What is Impact Analysis and when do you run it?
Quick Answer

Impact Analysis shows every downstream item affected by a proposed change. In Lineage View, selecting a Lakehouse reveals all Semantic Models and Reports depending on it — run this before any schema change to avoid breaking production dashboards.

What the interviewer is testing

Whether you volunteer “before any schema change” as standard practice, not just describe the feature mechanically.

Q30
Advanced
What is the Scanner API and how does it relate to the OneLake catalog?
Quick Answer

The Admin APIs (Scanner API) programmatically extract tenant-wide metadata — workspaces, items, users, access rights — used to build custom catalogs or audit compliance questions like “find all reports shared with external users.” The Scanner API remains the programmatic layer beneath the OneLake catalog’s UI-level Govern tab reporting.

What the interviewer is testing

Whether you distinguish the Scanner API (programmatic, custom tooling) from the Govern tab (UI-level, built-in reporting) as two complementary but distinct surfaces.

Q31
Intermediate
Certified vs. Promoted endorsement — what’s the governance distinction?
Quick Answer

Promoted: any content owner can self-promote an item as “ready for use.” Certified: a restricted status controlled by governance settings, used by central IT to designate “Golden Data” that has passed formal quality checks. Certified items rank higher in the OneLake Data Hub / catalog.

What the interviewer is testing

Whether you know Certified requires restricted permission (not self-service like Promoted) — this distinction is often blurred by candidates.

Q32
Advanced
Does lineage cross tenant boundaries with External Data Sharing?
Quick Answer

Lineage typically breaks at the tenant boundary. With External Data Sharing (in-place sharing) from another Fabric tenant, the external data source appears in the lineage view, but detailed upstream lineage inside the other tenant is usually hidden for security reasons.

What the interviewer is testing

Whether you know lineage visibility is partial (source visible, upstream detail hidden) rather than either fully broken or fully transparent across tenants.

Q33
Intermediate
Domains and Sub-Domains — how do they improve data discoverability?
Quick Answer

Sub-Domains (nested domains) mirror complex org structures — e.g., Finance → Tax — with Domain Admins assignable at each level. This improves discoverability in the OneLake catalog, letting users filter by “Finance” or drill into “Finance → Tax” specifically.

What the interviewer is testing

Whether you can give the concrete nesting example (Finance → Tax) rather than describing Sub-Domains only abstractly.

Q34
Intermediate2026
Where did the “Admin Monitoring” workspace reporting go?
Quick Answer

The Admin Monitoring workspace still exists and provides feature usage and adoption reports, but the security and compliance-specific insights that used to require cross-referencing the Purview Hub are now consolidated into the OneLake catalog’s Govern tab alongside it — reducing the number of places an admin needs to check for a complete governance picture.

What the interviewer is testing

Whether you know Admin Monitoring workspace and the Govern tab are complementary (not one replacing the other) — usage/adoption reporting stays in Admin Monitoring, security/compliance reporting moved to Govern.

Module F · Q35–Q40

Real-World Microsoft Fabric Governance interview questions

Network security, cross-tenant sharing, CMK, disaster recovery, and delegated administration — architectural decisions for regulated and enterprise-scale environments.

Q35
Advanced
Private Endpoints and Trusted Workspace Access — how do they differ?
Quick Answer

Private Endpoints secure access to the Fabric portal and OneLake from your Azure VNet, keeping traffic off the public internet but requiring careful DNS configuration and blocking public access entirely. Trusted Workspace Access instead lets Fabric Pipelines in specific workspaces reach firewall-protected Azure resources (like ADLS Gen2) using Workspace Identity as a trusted Microsoft service credential, without needing a VNet Gateway at all.

What the interviewer is testing

Whether you know Trusted Workspace Access as a lighter-weight alternative to Private Endpoints for pipeline-to-resource connectivity specifically, not a replacement for the broader network security model.

Q36
Intermediate
How does Conditional Access integrate with Microsoft Fabric Governance?
Quick Answer

Fabric integrates with Entra ID Conditional Access, enforcing policies like mandatory MFA or geo-blocking for Fabric users. This adds identity-layer security on top of Fabric’s internal permission model — the two layers are complementary, not substitutes for each other.

What the interviewer is testing

Whether you frame Conditional Access as additive to Fabric’s own RBAC rather than redundant with it.

Q37
Advanced2026
Cross-tenant sharing — what’s the current state of External Data Sharing and Mirroring interoperability?
Quick Answer

External Data Sharing (in-place sharing) lets you share a Lakehouse or KQL Database with a user in another tenant without copying data — they see it directly in their own OneLake. Separately, Mirroring interoperability expanded significantly in 2026: Oracle and SAP Datasphere mirroring reached GA, SharePoint lists and Dremio are in Preview, and Databricks Unity Catalog can now read OneLake data natively (Public Preview), with Snowflake interoperability GA.

The governance implication of expanded interoperability

Every new interoperability path (Databricks reading OneLake, Snowflake reading Fabric-managed Iceberg tables) is also a new potential data exfiltration or exposure path if not governed. As the interoperability surface grows, so does the surface area OneLake Security and Purview DLP need to cover — this is a natural follow-up an interviewer may probe.

What the interviewer is testing

Whether you can name the specific 2026 interoperability expansions and, ideally, proactively raise the governance implication of a growing cross-platform surface area.

Q38
Advanced
Customer Managed Keys (CMK) — what does revocation actually do?
Quick Answer

CMK lets regulated organizations bring their own encryption key (stored in Key Vault) to encrypt OneLake data at rest. Revoking the key makes the data instantly unreadable to everyone — including Microsoft — providing a hard kill-switch for the most sensitive workloads.

What the interviewer is testing

Whether you emphasize “including Microsoft” as the key differentiator — CMK’s value proposition is specifically about removing the cloud provider from the trust boundary.

Q39
Advanced
Fabric BCDR — what’s Microsoft’s responsibility and what’s the customer’s?
Quick Answer

Microsoft manages OneLake storage replication (ZRS/GRS depending on region) and control-plane resiliency during a regional outage. Customers are responsible for their own recovery strategy for code artifacts (via Git) and data pipeline re-deployment — Fabric’s built-in BCDR does not cover application-level recovery.

What the interviewer is testing

Whether you draw a clean shared-responsibility line — a common failure mode is candidates assuming Fabric’s BCDR is comprehensive when it explicitly excludes code/pipeline recovery.

Q40
Architect
Delegated admin rights — how do you avoid being a single-person bottleneck?
Quick Answer

Delegate Capacity Admin rights to IT leads and Domain Admin rights to business unit leads, so routine tasks — workspace access requests, capacity monitoring — are handled locally rather than queuing through a single tenant admin. This mirrors the federated governance model Domains were designed to enable.

Closing thought for a governance architect interview

The throughline across this entire module set — OneLake Security replacing per-engine configs, the Govern tab consolidating scattered reporting, Domains delegating admin authority — is the same pattern: Fabric’s 2025-2026 governance investments consistently move toward fewer places to configure the same policy, enforced closer to the data itself. Framing your answers around that pattern, rather than listing features in isolation, is what a senior governance interview is actually listening for.

What the interviewer is testing

Whether you connect delegated admin rights back to the federated Domain model established in Module A — tying the interview’s first and last answers together with one consistent principle is a strong closing signal.

You’ve completed the series

Architecture, Data Engineering, Power BI, Warehouse, Data Factory, and Governance — the full Microsoft Fabric interview prep set.

Back to Interview Hub →

Scroll to Top