Extend your data security to Microsoft Fabric

Mechanics Team
8 min read · Mar 27, 2024

A unified solution for comprehensive data protection with Microsoft Fabric and Microsoft Purview. Extend the security measures of Microsoft 365 to your schematized data, ensuring consistent protection across your entire data estate. From detecting insider risks to mitigating data loss and unauthorized sharing, leverage advanced visibility and control to safeguard sensitive information effectively.

Daniel Hidalgo, Microsoft Purview Product Manager, shares how to simplify your security strategy and gain deeper insights into data risks.

Automatically inherit data sensitivity labels across platforms.

Consistent protection wherever data is accessed or moved. Check out the combined power of Microsoft Fabric and Microsoft Purview.

Define access controls to safeguard data.

Ensure only authorized users or groups can view or edit sensitive information. Get started with Microsoft Fabric and Microsoft Purview.

Detect and respond to potential data threats.

Algorithmically monitor risky activities over your data by internal users that could lead to data theft. See how insider risk management now works with Microsoft Fabric.

Watch our video here:


00:00 — Unified solution to prevent data loss and detect data risk
01:36 — Microsoft Fabric experience
02:53 — Confidential labels are automatically inherited
03:16 — Detect sensitive information with DLP policies
04:03 — Create and publish a label
04:59 — Define protections
05:50 — Data Loss Prevention experience in Microsoft Purview
06:57 — Insider Risk Management with Microsoft Fabric
07:39 — Visibility of sensitive data with Microsoft Purview
08:19 — Wrap Up

Link References:

Check out https://aka.ms/PurviewforFabric

For our shows on Insider Risk Management, check out https://aka.ms/IRMMechanics

Unfamiliar with Microsoft Mechanics?

Microsoft Mechanics is Microsoft’s official video series for IT. You can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

Video Transcript:

-Does the schematized data in your data stores have the same level of protections, policies, and controls as your files in Microsoft 365? Getting the right data security foundation in place with mitigations for data loss, unauthorized sharing, and insider risks is now more important than ever, especially as the volume of data inside your organization continues to grow, along with the need to access it. Whether that’s for operational analytics and reporting, or new generative AI workloads requiring quality data to ground responses. To solve for this, until now, you would need to use multiple disparate tool sets.

-Today, I’ll show you a better way with the combination of Microsoft Fabric, a single data and analytics platform to help you optimize the quality of data inside your organization and unify access for the people and workloads that need it, and Microsoft Purview for more advanced visibility and protection over your sensitive data and one engine to classify and protect both your schematized data in Microsoft Fabric as well as files in Microsoft 365, along with surfacing indicators of data theft resulting from risky insider activity.

-And the protections flow as everyone from your engineers, data analysts to your business users work with data in the Fabric workspace. This single control plane provides the basis for a unique and unified solution to prevent data loss and detect data risk across your data estate. Let me show you with the experience from Microsoft Fabric. Here I have a workspace where a number of users from both the sales and the fulfillment teams in my company have access. In the lineage view, I can see that I don’t have any classifications on my data. I’m going to open the central lakehouse feeding everything else.

-Here you’ll see a list of all my tabular data. On top, I’m notified that there is no label and the data isn’t classified, and I can directly classify my lakehouse from here. And in the sensitivity dropdown, I can choose a label. I’m working on a confidential data set with my team of engineers, analysts, and business users, so I’ll use Highly Confidential and then choose Internal only. And I can see a description of how the data will be protected. In this case, only internal users on the sales team can view and edit. Now I can see that all of the items in the lineage view connected to the lakehouse are labeled and protected.

-In fact, if I open this report, you’ll see on top that the label has been applied. Now if someone outside of the team happens to have the link to the report, even if they previously had permission to view it, you’ll see that the report permissions are now restricted and the data is protected. Let’s try something else. Let’s look at what happens when someone with permissions tries to move the data. Back in the Power BI report, we’re going to export the data into an Excel file, and since the data is sensitive, we’d expect the same protection to apply.

-So now I’ll open the Excel file and you can see the Highly Confidential label has been automatically inherited. Additionally, data loss prevention policies can discover sensitive information automatically as you work in Microsoft Fabric. Here I’m in my Fabric workspace and I want to import some local data into my lakehouse as new customer data. I happen to have a CSV file with related data, so I’ll navigate to the file location and choose that.

-Now I will load the CSV file to a table and then confirm. Now in the workspace view, I can see that there is an information marker on the item, and when I click on that, the data loss prevention policy tip pops up. And if I click into that message, I’m given more details about the type of information discovered and the policy restrictions. So what makes this all possible?

-Let me give you an overview of the admin experience in Microsoft Purview, which gives you a single engine for policy definition. I’ll start with a labels view under information protection, and you can see that I already have a few labels published. Data classification is a key part of the protections we’ll apply. If you’ve done this before in Microsoft 365, the basic steps to create labels have not changed. After you’ve filled in the label details, you can define the scope of the label, and this is something brand new.

-Under data, we’ve extended this files option to include Microsoft Fabric items, and here there are more access controls than before. I can assign permissions, access expiration, and offline access, and I can also now choose specific users and groups for more granular control. Next, once you’ve created and published your label, you will define protections for the corresponding content, like we saw before when access was restricted to the Power BI report. These are new policies found under information protection, so I’ll create a protection policy.

-After the basics, I need to define what it’s trying to detect. In our case, we want to protect items in Microsoft Fabric that have the label we just created. For where to apply, these locations are all new, and in my case, I’ll choose Microsoft Fabric. Next, in access control settings, you can grant users or groups view access in the controls on top and full edit access with the controls on the bottom. Anyone not in scope will be restricted from accessing data protected by this policy. And I can also use labels in combination with data loss prevention, just like we saw earlier with the policy tips.

-Let me show you. This is the new data loss prevention experience in Microsoft Purview. If I head over to policies, you can see that I have a couple already defined here. I will create a new one. For data sources like Microsoft Fabric, you’ll need to start a custom category and custom policy for regulations. We’ve added Microsoft Fabric as a location for where you can apply your policy, and you can apply this to specific workspaces or all workspaces and define policy settings. Next, rules work like your other DLP policies.

-In my case, I’ll add content containing sensitivity labels so that I can select the label I just created. To display the policy tips like we saw before, you’ll see that we’ve expanded the options from Microsoft 365 to also include Microsoft Fabric where you can add your custom policy tip text, as you can see here. The rest is what you’re used to for any DLP policy.

-Additionally, insider risk management now also works with Microsoft Fabric. This gives you a way to algorithmically monitor risky activities over your data by internal users that could lead to data theft. When you define your policies at the bottom of the screen, you’ll see the new Microsoft Fabric indicators across various user actions with potential risk.

-And once a policy is running, you’ll see how these translate into user activity views, which now gives you insights into potential risk from a user that spans multiple locations and workloads. You can check out aka.ms/IRMMechanics for deeper dives on insider risk management. Finally, as an admin or data owner, Microsoft Purview gives you visibility over your sensitive data so that you can better protect it.

-Here in information protection reports, protection coverage is delineated by type and I can see a breakdown from Microsoft Fabric, Microsoft 365 and others. There are also insights for the top sensitivity labels in use, whether that’s for my items in Fabric or other workloads and locations. It’s also easy to see the top data locations with sensitivity labels in a tree map view, and you can get a detailed breakdown per label by location in the data explorer.

-So that was an overview of the combined power of Microsoft Fabric and Microsoft Purview, which together gives you a unified solution for more comprehensive data protection, whether that’s in schematized data in your data stores or files in Microsoft 365. To learn more, check out aka.ms/PurviewforFabric, and thank you for watching.