Lesson 16 – Understanding OneLake Security

This blog is your guide to understanding how OneLake safeguards your data. This blog aims to simplify the complexities and provide you with insights into how OneLake ensures the safety of your data.

OneLake Security

OneLake ensures robust security for your data within Microsoft Fabric, using a layered approach. OneLake’s security depends on Azure Active Directory (Azure AD) authentication, confirming the identities of users, service principals, and managed identities to allow access only to authorized individuals and services.

Source: Microsoft learn

Workspace security

Microsoft Fabric’s workspace roles empower you to control access and permissions for all items within a workspace. Assigning roles like Viewer, Admin, Member, and Contributor to security groups streamlines the process, providing efficient control over access by easily adding or removing members from the group.

Item Security and permissions

Fabric items within workspaces have separate permissions. Permissions, such as reading or writing files, can be configured individually for items.

Compute-Specific Security

Different compute engines in Fabric (such as Warehouse, Spark, etc.) possess unique security models, and although compute-specific security is applied when accessing data through specific engines, this might not be the case for users in particular Fabric roles accessing OneLake directly.

Shortcut Security

Shortcuts in Microsoft Fabric simplify data management but come with security considerations.


OneLake uses Azure AD for authentication, mapping user identities to permissions set in the Fabric portal.


Data stored in OneLake is automatically encrypted at rest using Microsoft-managed keys. Microsoft-managed keys undergo regular rotation, aligning with compliance requirements. This default encryption method provides a robust layer of security for data stored in OneLake.

Private Links and External Access

Fabric doesn’t currently support private link access to OneLake data via non-Fabric products and Spark. Administrators can control data access from applications outside Fabric environments through settings in the tenant admin portal.

Here are some general guidelines to keep your data safe in OneLake:

Write Access – If someone needs to add or change data, they should be in a special group for that. Keep this access just for a team of data experts.

Lake Access – For just reading data directly from OneLake, people should be in certain groups like Admin, Member, or Contributor. Or, you can share the data with ReadAll access.

General Data Access – If you have Viewer permissions, you can look at data using tools like warehouses, models, or the SQL analytics endpoint for the Lakehouse.

Object level security – To keep private info safe, let people access it using the Viewer role through a warehouse or lakehouse SQL analytics endpoint. Use a special code, known as SQL DENY statements, to block access to specific parts, like certain tables.