Building The Fabric Well-Architected Framework

Description

What is the best way to architect Fabric workspaces? How should your network and security models be built? In this session you will learn about best practices across Fabric for naming, deployment, capacity management, security and more.

Slides

Building the Well-Architected Framework for Microsoft Fabric
Joey D’Antoni
Joeydantoni.com
joey@joeydantoni.com
Why This Talk?
• Azure WAF is mature — Fabric is still the Wild West
• Fabric collapses compute, storage, and services into a single platform — different architectural thinking required
• Governance patterns that work in Azure don't translate 1:1
Azure Well-Architected Framework (WAF) Refresher: The Five Pillars

Reliability, Security, Cost Optimization, Operational Excellence, Performance Efficiency
• Brief reminder of how these apply in Azure
• Resource groups
• Management Groups
• Subscriptions
• Policy
• Role-based access control (RBAC)
Pillar 1: Operational Excellence
Capacity as the New Subscription
In Azure you segment by subscriptions and resource groups — in Fabric, the capacity is your primary unit of isolation
Capacities should be segmented by business unit, function, and environment (Dev / Test / Prod)
Example topology: Sales-Analytics-Prod, Finance-ETL-Dev, Marketing-Reporting-Test
Why Multi-Dimensional Capacity Segmentation Matters
• Performance isolation: a runaway Spark job in Dev shouldn't throttle Prod dashboards
• Cost attribution: chargeback/showback per business unit becomes possible
• Governance boundary: permissions and workspace assignment scoped per capacity
Naming Conventions
Establish a standard early: {BU}-{Function}{Env}-{Region} (e.g., findw-prod-eus)
Apply consistently across capacities, workspaces, lakehouses, warehouses, and pipelines
Fabric has no policy engine to enforce naming — discipline and automation are your only tools
Tagging
Tag capacities and workspaces with: Owner, Cost Center, Environment, Data Classification
Use tags to drive automation (e.g., auto-pause Dev capacities after hours)
Challenge: tagging support in Fabric is limited compared to Azure Resource Manager — supplement with a CMDB or metadata catalog
The Governance Gap: No Azure Policy for Fabric

Azure Policy can't enforce rules inside Fabric workspaces today
• No built-in guardrails for workspace creation, lakehouse proliferation, or configuration drift
• Mitigations: Fabric REST APIs + automation, admin monitoring APIs, and organizational process
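Because there is no policy engine, the naming and tagging standard on the preceding slides has to be enforced by automation. The following is an added example (not from the talk or from Microsoft) of a guardrail script that audits an inventory of capacities and workspaces, such as one pulled from the Fabric REST APIs, against the naming pattern and the required tag set. The allow-lists, the inventory records, and the reading of the pattern as BU and Function sharing the first segment (taken from the slide's "findw-prod-eus" example) are all assumptions made for this example.

```python
import re

ALLOWED_BU = {"fin", "sales", "mkt"}          # constructed allow-lists for this example
ALLOWED_ENV = {"dev", "test", "prod"}
ALLOWED_REGION = {"eus", "wus", "neu"}
REQUIRED_TAGS = ("Owner", "Cost Center", "Environment", "Data Classification")


def parse_name(name):
    """Return (bu, function, env, region) or None if the name is off-pattern."""
    m = re.fullmatch(r"([a-z0-9]+)-([a-z]+)-([a-z]+)", name)
    if not m:
        return None
    head, env, region = m.groups()
    # BU and Function share the first segment, so match the longest known BU prefix.
    for bu in sorted(ALLOWED_BU, key=len, reverse=True):
        if head.startswith(bu) and len(head) > len(bu):
            return bu, head[len(bu):], env, region
    return None


def audit_item(item):
    """Return a list of findings for one record; an empty list means compliant."""
    findings = []
    parsed = parse_name(item["name"])
    if parsed is None:
        findings.append("name does not match {BU}{Function}-{Env}-{Region}")
    else:
        _bu, _fn, env, region = parsed
        if env not in ALLOWED_ENV:
            findings.append(f"unknown environment segment '{env}'")
        if region not in ALLOWED_REGION:
            findings.append(f"unknown region segment '{region}'")
    tags = item.get("tags", {})
    for tag in REQUIRED_TAGS:
        if not tags.get(tag):
            findings.append(f"missing tag '{tag}'")
    # Cross-check: the Environment tag must agree with the env segment in the name.
    if parsed and tags.get("Environment") and tags["Environment"] != parsed[2]:
        findings.append("Environment tag disagrees with name")
    return findings


def audit(items):
    """Map each item name to its findings; route non-empty entries to a ticket or alert."""
    return {item["name"]: audit_item(item) for item in items}


INVENTORY = [  # constructed records shaped like a capacity/workspace inventory
    {"name": "findw-prod-eus", "tags": {"Owner": "dw-team@example.com", "Cost Center": "CC-1001",
                                        "Environment": "prod", "Data Classification": "Confidential"}},
    {"name": "Sales Analytics", "tags": {"Owner": "sales-bi@example.com"}},
    {"name": "mktrpt-dev-wus", "tags": {"Owner": "mkt@example.com", "Cost Center": "CC-2002",
                                        "Environment": "prod", "Data Classification": "Internal"}},
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "OK" if not findings else findings)
```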
Pillar 2: Security
RBAC: The Fabric Reality Check
• Azure has hundreds of granular built-in roles — Fabric has a handful (Admin, Member, Contributor, Viewer)
• Workspace-level RBAC is coarse; item-level permissions are limited and inconsistent across item types
• Plan for this: use workspace segmentation as a proxy for fine-grained access control
Identity and Access Patterns
Entra ID (Azure AD) is your identity plane — leverage Conditional Access and PIM, it's all you've got.
Service principals for automation and CI/CD, but be aware of current Fabric SP limitations
Minimize personal accounts in production workspaces
Private Networking & Data Exfiltration
Fabric supports Managed Private Endpoints and Private Link for inbound connectivity
Configure VNet data gateways for secure access to on-prem and IaaS data sources
Disable public access to capacities where compliance requires it
Challenge: not all Fabric experiences support private networking equally — know the gaps
Audit & Compliance Shortfalls
Azure has Activity Log, Diagnostic Settings, Defender for Cloud — Fabric has the Admin Monitoring workspace and activity log APIs
Audit footprint is narrower: limited event types, no native SIEM integration out of the box
Recommendation: export Fabric activity logs to Log Analytics or Sentinel and build custom detection rules
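The custom detection rules recommended above, together with the "minimize personal accounts in production" guidance from the identity slide, can be prototyped offline before they are ported to KQL. This is an added example, not code from the talk; it runs over a constructed JSON-lines export, and the field names (Activity, UserId, WorkspaceName, Role, TargetUser), the activity names, and the service-principal allow-list are assumptions that must be mapped to the real exported schema. Environment is read from the workspace name using the talk's {BU}{Function}-{Env}-{Region} convention.

```python
import json

SERVICE_PRINCIPALS = {"sp-fabric-cicd", "sp-fabric-deploy"}   # constructed allow-list of automation identities
WRITE_ACTIVITIES = {"CreateItem", "UpdateItem", "DeleteItem", "AddWorkspaceRole"}  # constructed names


def workspace_env(name):
    """Env segment from a {BU}{Function}-{Env}-{Region} name, or None if off-convention."""
    parts = name.split("-")
    return parts[1] if len(parts) == 3 else None


def is_personal_account(user_id):
    """Treat any UPN-shaped identity outside the SP allow-list as a personal account."""
    return user_id not in SERVICE_PRINCIPALS and "@" in user_id


def evaluate(event):
    """Return a list of (rule, detail) alerts for one activity event."""
    alerts = []
    ws = event.get("WorkspaceName", "")
    env = workspace_env(ws)
    user = event.get("UserId", "")
    act = event.get("Activity", "")
    if env == "prod" and act in WRITE_ACTIVITIES and is_personal_account(user):
        alerts.append(("PersonalAccountWriteInProd", f"{user} performed {act} in {ws}"))
    if env == "prod" and act == "AddWorkspaceRole" and event.get("Role") == "Admin":
        alerts.append(("AdminGrantInProd", f"{event.get('TargetUser')} granted Admin in {ws}"))
    if env is None and act == "CreateWorkspace":
        alerts.append(("WorkspaceOffConvention", f"'{ws}' created by {user}"))
    return alerts


def run_rules(raw_lines):
    """Parse a JSON-lines export and return every alert, in event order."""
    alerts = []
    for line in raw_lines.splitlines():
        if line.strip():
            alerts.extend(evaluate(json.loads(line)))
    return alerts


SAMPLE_EXPORT = """\
{"Activity": "CreateItem", "UserId": "sp-fabric-cicd", "WorkspaceName": "findw-prod-eus"}
{"Activity": "UpdateItem", "UserId": "alice@example.com", "WorkspaceName": "findw-prod-eus"}
{"Activity": "AddWorkspaceRole", "UserId": "bob@example.com", "WorkspaceName": "findw-prod-eus", "TargetUser": "carol@example.com", "Role": "Admin"}
{"Activity": "UpdateItem", "UserId": "alice@example.com", "WorkspaceName": "findw-dev-eus"}
{"Activity": "CreateWorkspace", "UserId": "dave@example.com", "WorkspaceName": "My Sandbox"}
"""  # constructed events, not real Fabric activity log output

if __name__ == "__main__":
    for rule, detail in run_rules(SAMPLE_EXPORT):
        print(rule, "-", detail)
```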
Pillar 3: Reliability
Capacity Reliability Considerations
Fabric capacities can throttle and even suspend under sustained overload — understand the smoothing and throttling model
Separate workloads by criticality: don't run exploratory notebooks on the same capacity as mission-critical reporting
This reinforces the BU / Function / Environment segmentation argument
Disaster Recovery & Business Continuity
Fabric is region-pinned — understand your BCDR story for regional outages
Maintain pipeline definitions and semantic model metadata in source control (Git integration) as your recovery baseline
OneLake data replication options and workspace-level BCDR are still maturing
Pillar 4: Cost Optimization
Understanding the Fabric Cost Model
Capacity Units (CUs) are your currency — consumed differently by Spark, SQL, Power BI, Data Pipelines
Segmented capacities make cost attribution straightforward via Azure Cost Management
Right-size capacities per environment: Prod might be F64, Dev might be F2
Cost Controls & Automation
Auto-pause / auto-scale strategies for non-production capacities
Monitor CU consumption with the Fabric Capacity Metrics app (or use FUAM)
Set budgets and alerts at the Azure resource level (the capacity itself is an ARM resource)
Pillar 5: Performance Efficiency
Workload Isolation = Performance Predictability
Co-located workloads compete for the same CU pool — isolation by capacity is your primary lever
Use capacity segmentation to guarantee SLAs for Prod analytics
Monitor for background operations (OneLake indexing, table maintenance) consuming capacity
Use Surge Protection to set a maximum capacity unit (CU) spend per workspace, expressed as a percentage, within a rolling 24-hour window.
Lakehouse & Warehouse Design Patterns
Medallion architecture (Bronze/Silver/Gold) as an organizational best practice
V-Order and file compaction for read-optimized performance
Choose Warehouse vs. Lakehouse based on query pattern, not just habit
Bringing It All Together
What's Missing and What's Coming
Honest assessment: Fabric governance is still catching up to Azure
Key gaps to watch: granular RBAC, enhanced auditing, BC/DR maturity
Gaps to ask for: Azure Policy, Azure Monitor
The framework you build now positions you to adopt these features as they ship
It only took three years to get identity fixed
Key Takeaways
Treat capacities like subscriptions — segment deliberately by BU, function, and environment
Don't assume Azure governance patterns work in Fabric — know the gaps
Compensate with naming standards, tagging, automation, and monitoring
Build the framework now; the platform will grow into it
Q&A
Sound off.
The mic is all yours.
Influence the product roadmap.
Join the Fabric User Panel
Join the SQL User Panel
Share your feedback directly with our Fabric product group and researchers.
Influence our SQL roadmap and ensure it meets your real-life needs
https://aka.ms/JoinFabricUserPanel
https://aka.ms/JoinSQLUserPanel