Leveraging Governance inside your Microsoft Fabric Tenant and Workspace

Description

Microsoft Fabric's tenant and workspace settings are powerful governance tools often used in isolation. Discover overlooked Microsoft Fabric settings that collectively create a robust governance solution. Learn how to implement a strong data mesh architecture enabling business departments to self-manage governance and minimize IT dependencies. See live demonstrations of these powerful features.

Slides

Leveraging Governance inside your Microsoft Fabric Tenant and Workspace
Martin Catherall
Heidi Hasting
Agenda
• What is Governance
• Why it fails
• Governance Foundations in Fabric
• Data Mesh
• Fabric settings and functionality to aid governance
  • Tenant
  • Domain
  • Workspace
• Auditing and Monitoring
What is governance
• Data governance is the framework of policies, processes, and standards that organizations use to manage their data assets effectively. It ensures data is accurate, consistent, secure, and accessible to the right people at the right time. A strong data governance strategy defines who owns data, how it is collected, stored, and used, and who is accountable for its quality. It helps organizations comply with regulations like GDPR and HIPAA, reduces the risks associated with data breaches, and builds trust among stakeholders. As data volumes grow, good governance becomes essential for making informed business decisions and maintaining a competitive edge in the digital age.
Why it fails?
Data Chaos
• Settings configured in isolation
• Fabric tenant settings configured reactively instead of proactively
• IT lockdown vs free-for-all
• Shadow IT
• Nobody knows who owns it
• Workspaces
  • without naming conventions
  • with no owner or purpose
Governance Foundations in Fabric
• Tenant
• Guardrails
• Workspace
• Domain
• Tags
• Process, Change Management, Naming Conventions
• Layered Security
Governance Foundations in Fabric – Security Layers
Security layers:
• Tenant
• Network
• Capacity
• Workspace
• App
• Item
• In Item: Lakehouse, Warehouse, Eventhouse, Folder/Files
Governance:
• Documentation: Process, Change Management, Security, Audit, Task Flows
• Define: Owners, Item level, Sensitivity, Standards
• Design: Row level, Column level, Object level
• Access: Request, Approve/Reject, Who/What/When/Where/Why
• Monitor: Action, Automate
Data Mesh
• Data Mesh empowers domains to own, model, and publish high-quality data products.
• Data Governance provides the guardrails: policies, lineage, quality, security, and lifecycle controls.
• Microsoft Fabric unifies both, enabling domain-driven data products governed by a central, consistent foundation (OneLake, Purview, security, cataloguing).
Result: Scalable, federated data architecture with enterprise-grade governance.
Preview / General Availability
Tenant-Level Settings – The Overlooked Ones
• Fabric item creation
• Copilot and AI settings
• Publish to web
• Domains
• Information protection / sensitivity labels
• External sharing and guest access
Walk through each with the lens of:
• who does this protect
• who does this empower
• what does this prevent
Management of tenant settings:
• Tracking changes
• Keeping track of the 100+ settings (and growing…)
Rule of thumb: every setting should have a documented "why" behind it, not just an on/off state.
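Tracking changes across the 100+ tenant settings is easier against a saved snapshot than by eye in the portal. The script below is an added example (it is not from the talk and not Microsoft tooling): it diffs two snapshots in the shape returned by the Fabric Admin REST API (GET https://api.fabric.microsoft.com/v1/admin/tenantsettings) and then checks every live setting against a decision log that records the documented "why" and the state that was decided on. The two snapshots, the decision log and the setting names in them are constructed sample data; the field names (settingName, enabled, enabledSecurityGroups, delegateToWorkspace) are assumed from that API's response shape, so check them against what your tenant actually returns.

```python
"""Snapshot-and-diff check for Fabric tenant settings (added example)."""
import json
import urllib.request
from typing import Any

# Fabric Admin REST endpoint that lists every tenant setting.
TENANT_SETTINGS_URL = "https://api.fabric.microsoft.com/v1/admin/tenantsettings"

# Fields whose change matters for governance; title/description rewording is noise.
WATCHED_FIELDS = ("enabled", "enabledSecurityGroups", "delegateToWorkspace")

# Constructed "last known good" snapshot in the assumed response shape.
BASELINE = {"tenantSettings": [
    {"settingName": "PublishToWeb", "enabled": False,
     "enabledSecurityGroups": [], "delegateToWorkspace": False},
    {"settingName": "ExternalSharingV2", "enabled": True,
     "enabledSecurityGroups": [{"graphId": "aaaaaaaa-0000-4000-8000-000000000001",
                                "name": "SG-Fabric-External-Collab"}],
     "delegateToWorkspace": False},
    {"settingName": "SensitivityLabelsMandatory", "enabled": True,
     "enabledSecurityGroups": [], "delegateToWorkspace": False},
]}

# Constructed "today" snapshot: publish-to-web switched on, the external-sharing
# group swapped for another one, and a setting that did not exist before.
CURRENT = {"tenantSettings": [
    {"settingName": "PublishToWeb", "enabled": True,
     "enabledSecurityGroups": [], "delegateToWorkspace": False},
    {"settingName": "ExternalSharingV2", "enabled": True,
     "enabledSecurityGroups": [{"graphId": "aaaaaaaa-0000-4000-8000-000000000002",
                                "name": "SG-Fabric-External-Collab"}],
     "delegateToWorkspace": False},
    {"settingName": "SensitivityLabelsMandatory", "enabled": True,
     "enabledSecurityGroups": [], "delegateToWorkspace": False},
    {"settingName": "NewPreviewSetting", "enabled": True,
     "enabledSecurityGroups": [], "delegateToWorkspace": True},
]}

# The documented "why" per setting: the state we decided on and the reason/ticket.
DECISION_LOG = {
    "PublishToWeb": {"enabled": False,
                     "why": "Anonymous internet access to reports; never on. CR-1042"},
    "ExternalSharingV2": {"enabled": True,
                          "why": "Guests only via SG-Fabric-External-Collab. CR-0981"},
    "SensitivityLabelsMandatory": {"enabled": True,
                                   "why": "Every item must carry a Purview label. CR-1107"},
}


def fetch_tenant_settings(bearer_token: str) -> dict[str, Any]:
    """Pull a live snapshot (needs a Fabric administrator token).
    Not called in the offline run; use its result in place of CURRENT."""
    req = urllib.request.Request(
        TENANT_SETTINGS_URL, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def by_name(snapshot: dict[str, Any]) -> dict[str, dict[str, Any]]:
    return {s["settingName"]: s for s in snapshot["tenantSettings"]}


def _group_ids(groups):
    # Compare on the stable object id, order-insensitively; display names get renamed.
    return sorted(g.get("graphId", "") for g in (groups or []))


def diff_settings(baseline, current):
    """Return one record per governance-relevant change between two snapshots."""
    old, new = by_name(baseline), by_name(current)
    changes = []
    for name in sorted(old.keys() | new.keys()):
        if name not in old:
            changes.append({"setting": name, "field": "*", "old": None, "new": "added"})
        elif name not in new:
            changes.append({"setting": name, "field": "*", "old": "present", "new": "removed"})
        else:
            for field in WATCHED_FIELDS:
                a, b = old[name].get(field), new[name].get(field)
                if field == "enabledSecurityGroups":
                    a, b = _group_ids(a), _group_ids(b)
                if a != b:
                    changes.append({"setting": name, "field": field, "old": a, "new": b})
    return changes


def undocumented(current, decision_log):
    """Every live setting needs a recorded decision, and the live state must match it."""
    problems = []
    for name, setting in by_name(current).items():
        entry = decision_log.get(name)
        if entry is None:
            problems.append((name, "no documented decision"))
        elif entry["enabled"] != setting.get("enabled"):
            problems.append((name, f"documented enabled={entry['enabled']} "
                                   f"but live enabled={setting.get('enabled')}"))
    return problems


if __name__ == "__main__":
    for c in diff_settings(BASELINE, CURRENT):
        print(f"CHANGED {c['setting']}.{c['field']}: {c['old']} -> {c['new']}")
    for name, why in undocumented(CURRENT, DECISION_LOG):
        print(f"UNDOCUMENTED {name}: {why}")
```

Run it on a schedule, commit each snapshot alongside the decision log, and treat any non-empty output as a change request that is either missing or was never applied; the security-group comparison is on object id rather than display name so a renamed group does not mask a swapped one.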
Domains – Your Data Mesh Backbone
• A way to define a logical grouping, e.g.
  • Finance
  • HR
  • Sales
  • Operations
  • Audit
• Defined at tenant level
• Default security….
• Attached to workspaces
• Demo 1
Workspace Settings – Governance at the Coal Face
• What workspace admins CAN control
  • Who has access and at what role: Admin, Member, Contributor, Viewer
  • Endorsement nominations: they can promote content to Promoted status themselves
  • OneDrive integration and Git integration (if enabled at tenant level)
  • Contact list: who gets notified when something goes wrong
• What workspace admins CANNOT control
  • They cannot override tenant-level sharing restrictions
  • They cannot certify content; certification requires a designated certifier set at tenant level
  • They cannot change the domain their workspace belongs to, unless a domain admin has allowed workspace admins to assign their workspaces to that domain
  • They cannot disable mandatory sensitivity labelling if it is enforced at tenant level
  • They cannot grant themselves more permissions than their own role allows
Demo 2
Putting it All Together – A Governance Blueprint
Process and change management:
• Create sensitivity labels in Purview
• Set the tenant settings to allow them
• Create domains at tenant level
• Create workspaces associated with domains
• Associate information protection labels with items
• Show different users' views
Audit
• Who: Need to know whose account(s) are being used, and whether they are individual staff, service accounts, or managed identities.
• When: Understand when the events occurred, such as when a security permission was changed, or when data was accessed.
• Why: Does the change relate to an authorised ticket? Was the change authorised? Was the change in error? Was it a bad actor?
• What: What has occurred.
• Where: Where in Fabric: Tenant, Capacity, Workspace, Item, or inside a Lakehouse/Warehouse/Eventhouse (KQL Database).