Hardening Fabric Warehouse Security
Description
Learn how to secure Fabric Data Warehouse from the ground up. This session covers end-to-end practices—from secure connectivity and authentication to auditing, monitoring, and governance—highlighting new features that strengthen compliance, visibility, and trust at scale.
Key Takeaways
- Warehouse Security
- Our mission is to “make sure you never make the news—for the wrong reasons”
- “To build a truly secure and compliant Warehouse; security must be approached in layers”
- The Stakes Have Never Been Higher
- IBM Cost of a Data Breach Report 2025
- breaches escalate because access is broader than necessary.
- Root Cause Category
My Notes
Action Items
- [ ]
Resources & Links
Slides
Hardening Fabric
Warehouse Security
Building Layered Defense from Authentication to Governance
About your Speakers
Freddie Santos
Senior Product Manager
Fabric Warehouse
Sam Debruyn
Freelance Data Platform Architect
MVP Microsoft Fabric
Our mission is to “make sure you never make the news—for the wrong reasons”
Session Roadmap
“To build a truly secure and compliant Warehouse; security must be approached in layers”
▪ Cybersecurity Threats, Risks, and Impacts on Fabric Data Warehouse
▪ Layers of Protection
2.1
▪ Identity is the
Foundation
2.2
▪ Network
Restricted:
Reducing Attack
Surface
2.3
Data Protection:
Continuous
Encryption
2.4
2.5
Policy Enforcement:
Limiting Data
Exposure
Fully Observable &
Governed
The Stakes Have Never Been Higher
3,322
Data Breaches Tracked in 2025 in the US alone — An All-Time High
About $34 billion dolars
In financial loses – US only.
$10.22M*
246 days
average cost of a single data breach
breaches due to incorrect security
configurations of cloud
components
needed on average to
identify and contain the
breach
Attackers are no longer breaking in —they're simply logging in with stolen credentials, making identity
and configuration hardening your first line of defense
- IBM Cost of a Data Breach Report 2025
Where Breaches Actually Start
What the Data is Telling us:
Data Breach Root Causes by Category
▪ Weak Identity Hygiene (~27%)
o Stale credentials, no MFA, unmanaged service principals, shared
accounts. Identity remains the easiest initial entry point.
Percentage of Breaches (%)
▪ Phishing (~15%)
o Users are still the front door. Credential theft and token replay
bypass perimeter defenses.
▪ Inconsistent Access Controls (~27%)
o Roles applied unevenly, no least-privilege model, ad-hoc grants,
security policies exist — but are not consistently enforced.
▪ Excessive Permissions (~31%)
o Overprivileged users and service accounts expand blast radius,
breaches escalate because access is broader than necessary.
Weak identity hygiene
Phishing
Inconsistent access controls
Root Cause Category
Sources:
Excessive permissions
▪ Supply Chain & Indirect Access Risk
o Modern attacks don’t always start inside — they propagate
through connected systems.
50 Identity And Access Security Stats You Should Know...
Identity Security: Cloud’s Weakest Link in 2025 | CSA
Weak Authentication
Target accounts with poor password hygiene or no
MFA
How would attackers break Into
Your Warehouse?
Open Network
Exploit public endpoints and unrestricted access
paths
Understanding the attack surface helps prioritize our defense layers
▪ Every security layer creates a barrier attackers must overcome, exponentially
increasing difficulty
Data Ingestion
Inject malicious data through uncontrolled COPY
operations
▪ Stolen credentials remain the primary entry vector, making authentication the
critical first line
▪ Network restrictions force attackers to build complex infrastructure, raising costs
Bypass Policies
Access sensitive data without row or column
restrictions
and detection risk
▪ Data-level policies ensure compromised accounts cannot access all sensitive
information
▪ Comprehensive monitoring provides observability to detect and respond to
Avoid Detection
anomalous behavior patterns
Operate below monitoring thresholds to remain
invisible
Level 5 Observable
Full audit logging and traceability
Level 4b Data Policy Enforced
Defining clear permissions to
enforce Data Protection
Six Layers of Defense
Level 4a Ingestion
Control
▪ Each maturity level builds upon the previous layer, creating defense in
depth that prevents single points of failure
Secure data loading
Level 3 Encryption
▪ Organizations typically progress through levels sequentially, though some
controls can be implemented in parallel based on risk assessment
Protect Data at Rest
▪ Level 1 provides the essential foundation—without strong authentication, all
other controls become less effective
Level 2
Network
Restriction
▪ Mature organizations operate at Level 4-5, where policies are enforced
automatically and all access is continuously monitored
Set boundary
limits and access
control
▪ The goal is not perfection but continuous improvement, moving up the
maturity curve with each implementation
Level 1
Identity
Management
Strong
identity
foundation
Layer 1: Identity Management
Identity Management -Verify Every Identity
● Microsoft Entra Integration: Fabric Warehouse leverages
Microsoft Entra ID as the primary authentication mechanism,
Zero Trust Policy
eliminating username-password vulnerabilities and enabling
centralized identity management
● Service Principal Authentication: Service principals provide
MFA Support
application identities with managed secrets and certificates,
enabling automated processes without storing credentials in
code or configuration files
Fine-Grained Control
● Workspace Identity (Coming Soon): support for workspace-
scoped managed identities will allow secure, keyless
authentication for data access scenarios such as COPY INTO
and external integrations — eliminating secret management for
automation workflows.
Identity Hardening Best Practices
Conditional Access
Proper Housekeeping
▪ Enable Service Principal Access:
Use application identities for automation and CI/CD instead of user accounts to eliminate shared credentials and reduce lateral risk.
▪ Enforce Conditional Access:
Require MFA, compliant devices, and location restrictions through Microsoft Entra policies.
▪ Rotate Service Principal certificates:
Implement proactive certificate rotation to prevent expired credentials and minimize operational disruption.
▪ Apply Least Privilege:
Grant only required workspace and object-level permissions to service principals and users.
▪ Audit Identity Activity:
Regularly review identity usage, last sign-in times, and privileged role assignments to detect stale or overprivileged accounts.
▪ Leverage Privileged Identity Management:
Assign permissions to Entra ID Groups and provide just-in-time and restricted access to data.
Demo
Identity Management
Layer 2: Network Isolation and Controls
The Blast Radius: Why We Need "Internal Locks"
There are risks in a flat network architecture
▪ Risk of a Flat Network Architecture: Without internal segmentation, a single compromised entry point grants an
attacker unrestricted lateral movement across the entire data estate.
▪ The 62-Minute* Window: In non-isolated environments, attackers can move from an initial breach and perform a
lateral move (e.g., your Production Warehouse) in an average of just 62 minutes.
▪ Containment via Micro-segmentation: Implementing internal "locks" ensures that security failures are localized,
protecting the core Data Warehouse from the broader impact and costs of a breach.
*CrowdStrike 2024 Global Threat Report
Network Isolation
Defining the right boundaries ensures data traffic never traverses
the imposed limits
Protect Inbound Connections
Protect Outbound Connections
▪ Inbound Protection: Use Private Links and Workspace Firewalls to block the
public internet and define strict access boundaries.
▪ Outbound Protection: Data Warehouse exfiltration vectors are minimal,
leveraging on Outbound Access Protection will prevent exfiltration techniques
on Warehouse.
▪ Identity Integration: Apply Entra ID Conditional Access to add AI-driven,
context-aware validation to every connection.
Entra ID - Conditional Access Policies
Restrict all inbound access to Fabric to compliant networks, devices, etc.
Examples of CA Policy Configurations:
Entra Users
and Groups
Compliant
Network Location
Deny
Public Network
Allow
Corporate Network
(IP Ranges)
Entra Conditional
Access Policies
(OR)
(Tenant Level)
Inbound
Trusted
Applications
Fabric Users
and Groups
Allow
OneLake
Deny
Unknown
Device
Any Network
MFA
Compliant
Device
Any Network
(Zero Trust Approach)
Fabric Users
and Groups
Microsoft Fabric
Compliant
Devices
(OR)
Deny
Allow
MFA
Compliant
Device
Public
Network
Corporate Network
(IP Ranges)
Fabric Users
and Groups
Tenant level Private Link (TPL) for Fabric
Perimeter Network Security for your tenant
What it means:
On-prem
ExpressRoute
/ VPN
- Fabric is disconnected from
the public internet
Azure VNets
Peering - Every users needs to connect to
the private network to get access
on every device
Azure Private Link (Tenant
Level)
Private
Endpoint
Customer VNet1
Inbound - No longer able to load resources
locally (slower reports)
OneLake
Microsoft Fabric - Increases ExpressRoute bandwidth
and added costs for Private Links
Disabled - Several product limitations
(like on-prem data gateway)
Public Access
Workspace level Private Link for Fabric
Perimeter Network Security for your workspace
On-prem
ExpressRoute
/ VPN
Azure VNets
Fabric Tenant
Workspace A
Peering
Azure
Private Link
Private
Endpoint
Lakehouse
Warehouse
Notebook
Workspace B
Private Data
Access
Semantic
Model
Entra Conditional
Access Policies
Report
(Tenant Level)
(Workspace Level)
OneLake
Spark Job Definition
Pipeline
KQL Database
Customer VNet1
Disabled
Enabled (with
Entra Conditional
Access Policies)
Public Access
Outbound Access Protection
Sealing the Vault
Fabric Workspace
▪ Complete Exfiltration Prevention: OAP ensures
that even if a system is compromised, data
cannot be leaked to unauthorized public
endpoints or non-whitelisted external tenants.
Outbound Rules
▪ Granular Trusted Routing: You maintain strict
control by explicitly allowing connections only to
validated resources, such as trusted Fabric
Workspaces or specific ADLS Gen2 paths.
Outbound Rules
▪ Operational Integrity: By blocking unauthorized
COPY INTO or OPENROWSET attempts by
default, you ensure that data movement only
occurs between pre-approved, secure
environments.
Lakehouse
COPY INTO
COPY INTO
Warehouse
OPENROWSET
Denial List Rules
Allowed List Rules
Extreme Network Protection
Outbound Access Protection +
Workspace Private Link
Outbound Access Protection (OAP): Blocks
unauthorized data export from the Data
Warehouse.
Workspace Private Link: Ensures inbound
access is limited to private, secure network
boundaries.
Together: They create a zero-trust boundary
around your workspace, preventing sensitive
data from leaking in or out.
Whether you use TPL or WS PL or use Firewall Rules to access Fabric over
public endpoint, Entra Conditional Access is a must !
Layer 3: Encryption
The Ransomware Crisis - Network Protection as Foundation
Ransomware Attack Growth 2023-2025
10.0
9.0
Victims (thousands)
8.0
44%
75%
$5M+
of breaches
involve
ransomware
of attacks are
identity-based
average
recovery cost
7.0
▪ Network breaches are initial entry points—phishing (16%) and
credentials (12-14%) bypass perimeter defenses
6.0
5.0
▪ Credential theft surged 800% in 2025: 1.8B credentials stolen
via infostealer malware post-compromise
4.0
3.0
2.0
▪ Attackers stay hidden for months (63% for 6+ months),
mapping cloud resources and stealing credentials
1.0
0.0
Year
▪ Once inside, attackers conduct reconnaissance to identify
cloud connections and privileged accounts
Source: The State of Ransomware in the U.S.: Report and Stati...
▪ Attack chain: network breach → credential theft → cloud access
→ encryption
Fabric Customer Managed Keys (CMK)
Create Keys
Generate and manage keys in Azure Key Vault with full
lifecycle control
▪ Fabric encrypts all data by default with Microsoft-managed keys, providing strong
baseline security across workspaces
Connect Workspace
Link Fabric workspace to Key Vault for encrypted key
access
▪ CMK adds encryption layer via envelope encryption—your Key Vault key encrypts
Microsoft's data encryption keys
▪ Keys stay in your Key Vault—Fabric accesses via secure APIs with logged, policyvalidated calls
▪ Workspace-level granularity lets you apply enhanced encryption selectively to sensitive
environments
Automatic Encryption
OneLake data and metadata encrypted using your
keys automatically
Control Access
Manage permissions, rotation, and revocation
independently
Audit Everything
Monitor all key usage via Azure Key Vault logs
CMK Implementation in Fabric Warehouse
OneLake Data
All persisted data encrypted with your
CMK including tables, Delta Parquet
files, and analytics datasets
Encryption
Layers
Zero
Performance
Impact
Ephemeral
Compute
Auto-clearing caches
Warehouse Metadata
Table definitions, stored procedures,
functions, and schema information
encrypted with your key
Protection depth
No speed reduction
▪ SQL frontend encrypts all metadata including table definitions, views, and
functions using your key to protect schema information
▪ All OneLake data uses your Azure Key Vault key through envelope encryption,
providing comprehensive protection for persisted information
Backend Compute
Ephemeral caches use Microsoftmanaged keys and auto-clear after
sessions, no data persists
▪ Backend compute processes queries in ephemeral cache environments that
auto-evict content after use, with no data at rest
▪ Once enabled, both existing and new Warehouse items automatically use your
encryption keys without manual configuration
Demo
CMK
Layer 4: Limiting Data Exposure
Why Ingestion Must Be Controlled
Arbitrary storage path access
Silent data exfiltration risk
Threat Vectors
▪ COPY INTO & OPENROWSET
Only 2 SQL commands with external access in Data Warehouse
▪ Abuse - Arbitrary Storage Paths
Attackers specify external storage locations as data sources,
bypassing access controls and reading unintended files
▪ High-Bandwidth Attack Channel
Ingestion processes large volumes rapidly, enabling significant data
movement without triggering monitoring
▪ Privilege Escalation Vector
COPY INTO runs with elevated permissions, making it attractive for
unauthorized data access
Corrupted analytical datasets
Complex incident response
Real Harm Impact
▪ Silent Data Exfiltration to Attacked-Controlled Warehouses
Sensitive data copied to attacker-controlled storage without
detection, appearing as legitimate operations
▪ Compliance Violations
Unauthorized data movement creates regulatory failures, legal
penalties, and breach notification requirements
▪ Dataset Corruption and Integrity Loss
Malicious data injection undermines analytical integrity, leading to
incorrect business decisions
▪ Loss of Trust and Incident Response Complexity
Discovered abuse erodes stakeholder trust and requires complex
forensic investigations
Hardening Ingestion in Warehouse
Fabric Warehouse implements defense layers to control ingestion operation
Validated OneLake paths only
System-controlled staging
Outbound Access Protection
Identity-scoped permissions
▪ Source Validation: Only validated OneLake paths from trusted workspaces
eliminating arbitrary storage access.
▪ Network Protection: Private Link limits inbound access while Outbound
Access Protection prevents data exfiltration.
ADLS gen2
▪ Identity Checks: COPY INTO evaluated under Entra identity with least
Warehouse table
privilege (Granular Insert Permission).
Google Cloud Storage
▪ Audit Trail: All operations logged with staging and execution tracing for
OneLake Storage
forensics-ready compliance reporting.
AWS S3
Layer 4: Data Protection – Tight Permission Controls
Fine-Grained Data Protection
GRANT/DENY Columns
Masking Functions
● Column-Level Security (CLS): Use GRANT and DENY statements to control access
to columns with sensitive information
● Dynamic Data Masking (DDM): Apply functions that obfuscate sensitive data,
showing 'XXX-XX-1234' instead of full social security numbers
● Row Level Security: Choose Role-Based Filtering to define filter conditions based
on user identity, role membership, or attributes to automatically restrict rows
● Prevent Elevated Access: Designate groups, roles and permission to the
granular level, avoiding granting more access than users should have.
● Layered Approach: Combine RLS, CLS, and DDM to create multiple barriers
against attacks
Don't Ignore SQL Security: The Principle of Least Privilege
▪ Move Beyond "All or Nothing": Avoid granting high-level administrative roles to general users.
▪ Precision Control: Use explicit GRANT, DENY, and REVOKE statements at the object level (Tables, Views, Stored Procedures).
▪ Layered Defense: Apply Row-Level Security (RLS) and Column-Level Security (CLS) to protect sensitive data cells within a
shared table.
T-SQL Security – Best Practices
CRITICAL!
SQL Security is enforced exclusively via TDS Endpoints. Accessing the underlying file
system through Direct Lake or Shortcuts bypasses these SQL-level permissions entirely.
*Sneak Peak: We have a say about this later
Layer 5: Monitoring and Detection
Monitoring & Detection: The "Assume Breach" Foundation
Correlating Control Plane & Data Plane telemetry to validate Zero Trust.
Control Plane
Data Plane
▪ Full SQL Audit: Capture comprehensive T-SQL
▪ Workspace Lifecycle: Trace all creation, deletion,
and configuration changes of the workspace.
command text, execution parameters, and precise
▪ Security Controls: Audit who enabled Customer
▪ Access Forensics: Enable deep "Who, When, and
Managed Keys (CMK) or modified any workspace
What" tracing for every granular data interaction.
timestamps.
setting.
▪ Integrity Validation: Verify that data access aligns
with the governance and security controls.
Control Plane: Fabric & Purview Governance
Governing the Fabric Ecosystem
▪ Platform Activity Strategy: Track high-level operations such as
CreateWorkspace, UpdateCapacity, and DeleteArtifact (Lakehouses,
Pipelines, Warehouses) to maintain environment integrity.
▪ Metadata Traceability: Utilize the Microsoft Fabric Operation List to
capture the "Who" and "When" for structural changes, such as
moving artifacts or changing workspace permissions.
▪ Purview & Label Governance: Monitor sensitivity label changes
(upgrading/downgrading) and Data Loss Prevention (DLP) policy
triggers to ensure data remains classified correctly.
▪ Administrative Forensics: Audit "Power User" actions, including
capacity setting modifications and tenant-level configuration drifts
that could bypass lower-level security testing) that precede targeted
data extraction
SQL Audit Logs– From
Configuration to Forensics
Knowing the questions help you find the answers
▪ Capture Strategy: Focus on "high-signal" Action Groups—
BATCH_COMPLETED, SCHEMA_OBJECT_CHANGE—to
bridge the gap between Control Plane metadata and Data
Plane execution.
▪ The Forensic Result: Leverage sys.fn_get_audit_file_v2 to
extract the Who (server_principal_name), When
(event_time), What (statement), and How (session_id) for
every data interaction.
▪ Retention Policy: Implement a tiered retention strategy:
30–90 days in hot storage for immediate forensic response
and 1–7 years in cold storage (Azure Archive) to satisfy longterm compliance and "Assume Breach" look-back
requirements.
Demo
SQL Audit Logs
Best Practices: Incident Investigation & Replay
Closing the Loop – From Logs to Actionable Forensics
▪ Reconstruction Strategy:
Identify compromised accounts and unusual access patterns by
cross-referencing authentication logs with specific query
execution histories.
▪ Detecting Malicious Intent
Detect lateral movement by tracking GRANT operations, role
membership changes, and subsequent attempts to access
previously restricted resources.
▪ Systematic Timeline Analysis:
Query audit logs chronologically to map the entire attack chain,
from initial unauthorized access through privilege escalation to
final data exfiltration.
▪ Beyond Native Queries:
Use Semantic Link (SemPy) to export audit files into a dedicated
Fabric Lakehouse to bypass standard log retention limits and
create a permanent, queryable "Forensic Vault.“
▪ Pattern Recognition:
Perform query pattern analysis on captured T-SQL text to
identify reconnaissance activities, such as schema enumeration
or permission testing, that precede an attack.
▪ Root Cause & Scope Assessment
Trace malicious activity back to the initial entry point, whether it
was a compromised credential, a misconfigured permission, or a
vulnerable application.
.
*Determine the exact scope of data exposure by correlating query
logs with table sensitivity classifications and data volume metrics
Closing
Building Comprehensive Warehouse Security - Recap
▪ Identity as Foundation:
Strong authentication reduce the risk of credential-based attacks that
represent the primary breach vector
▪ Network Isolation Reduces Attack Surface:
Create zero-trust boundaries that force attackers through monitored
chokepoints and prevent data exfiltration
▪ Data Policies Limit Blast Radius:
Ensure that even compromised accounts cannot access all sensitive
data, containing damage from successful breaches
▪ Monitoring Enables Detection and Response:
Comprehensive audit logging with provides visibility to detect
anomalous behavior and respond before significant data loss
▪ Defense in Depth Philosophy:
Each security layer compounds difficulty for attackers
If you are starting today, plan for a zero-trust architecture. Prioritize
Layer 1 (Identity) with strict Least Privilege and Layer 5 (Monitoring)
as your non-negotiable pillars. These ensure that no identity has
more permission than necessary and the network has the right
controls in place—no exceptions
What's Next: Security Roadmap
Continuous innovation in security capabilities to address evolving threat landscape
Granular Data Lineage
Column-level lineage showing sensitive data flow
OneLake Security for DW
Support OneLake Security with Fabric DW
Improved SQL Security Experience
Improved experience, and traceability for security
management on Fabric DW
SQL Audit Logs Improvements
Improved navigation experience, introducing predicate
filtering and more.
COPY INTO support Workspace Identity
Support COPY INTO operations to support the Workspace
Identities
..and more
Quick Survey:
Tell us what works — and what does
not — in Fabric Data Warehouse!
https://aka.ms/fabric-data-warehouse-survey
It’s your time!
Sound off.
The mic is all yours.
Influence the product roadmap.
Join the Fabric User Panel
Join the SQL User Panel
Share your feedback directly with our
Fabric product group and researchers.
Influence our SQL roadmap and ensure
it meets your real-life needs
https://aka.ms/JoinFabricUserPanel
https://aka.ms/JoinSQLUserPanel
References
[1] Microsoft Entra Authentication in Fabric Data Warehou...
[2] About private Links for secure access to Fabric - Mic...
[3] 50 Identity And Access Security Stats You Should Know...
[4] Identity Theft Resource Center 2025 Annual Data Breac...
[5] Identity Security: Cloud’s Weakest Link in 2025 | CSA
[6] Connect to your most sensitive data with end-to-end n...
[7] Workspace-Level Private Link in Microsoft Fabric (Gen...
[8] Track user activities in Power BI - Microsoft Fabric | Microsoft Learn
[9] Frequently Asked Questions (FAQ) · microsoft/semantic-link-labs Wiki