
Latest Microsoft Fabric security white paper updates


In this post I want to share my thoughts about the latest Microsoft Fabric security white paper updates.

The security white paper has been updated since my previous post back in May, where I shared my first impressions of the Microsoft Fabric security white paper.

That post included the diagram below to help explain the end-to-end security scenario covered in the white paper.

Diagram: end-to-end scenario based on the medallion architecture, as covered in the latest Microsoft Fabric security white paper

In the latest updates to the security white paper, some sections have had minor updates or restructuring to make the text more accurate, which I am glad about. However, in this post I want to focus on the significant updates below.

By the end of this post, you will know my thoughts about the latest Microsoft Fabric security white paper updates. Along the way I share plenty of links.

Add Fabric URLs and Power BI URLs to your allowlist

In the network security section, there are two new sub-sections. One that covers adding Fabric URLs to your allowlist and another that covers adding Power BI URLs to your allowlist.

To clarify, you can add these URLs to a firewall allowlist to allow connectivity between a network and Microsoft Fabric.

Microsoft has dedicated seven pages of the white paper to these two sub-sections, which highlights how detailed they are.

Add Fabric URLs to your allowlist

This section contains two categories of URLs: one for URLs that are required for Microsoft Fabric to work properly, and another for optional URLs used by specific features that you might not use.

You need to read this if you intend to work with Private Links and keep Microsoft Fabric working properly, because of the number of URLs in the required category. These include the URLs for connecting to the Fabric portal and working with data pipelines.

Add Power BI URLs to your allowlist

Just like the Fabric URLs in the previous sub-section, the Power BI URLs are split between required and optional categories.

It is interesting to see the purpose listed for each URL in this list, including the URLs required for various backend APIs and for service telemetry.

It also highlights that these details do not apply to Power BI China or Power BI for the US Government.

New Copilot section in the Microsoft Fabric security white paper updates

In the original Microsoft Fabric security white paper there was no mention of Copilot. Now there is an entire section dedicated to the privacy, security and responsible use of Copilot in Microsoft Fabric.

At the start of the section, it highlights some important points you need to be aware of, including the clear statement that trial SKUs are not supported.

Personally, I think this is a shame because it means that those working with the trial cannot test this vital piece of functionality. However, I do understand that it would require additional compute.

One thing that particularly impresses me in this section is the amount of detail included, especially the insights into how Copilot works within Microsoft Fabric.

Even more so since it makes sure everybody is aware that Copilot features work with the Azure OpenAI Service and that Copilot can only access data that the current user has permission to access, which I know is an area of concern these days.

Plus, some people will find the definitions and additional tips in this section helpful, since it provides tips for working with multiple workloads in Microsoft Fabric, including Power BI, Data Warehouses and Real-Time Intelligence.

Be aware that there is a small amount of repetition in this section. However, it concerns points you need to be aware of when working with Copilot, so it might be for the best.

In addition, it reiterates a few important points relating to responsible AI, such as checking Copilot outputs.

Personally, I think this section was needed to provide clarity in multiple areas relating to working with Copilot in Microsoft Fabric, to give insights into the internals and to put people's minds at rest about a few topics.

Secure data in Microsoft Fabric

In the latest version of the security white paper, the secure data section has been significantly restructured. In addition, it now goes into more depth about data security.

The secure data section now contains two distinct sub-sections, which cover Fabric data security and shortcut security.

Fabric data security

This sub-section includes the workspace roles, item permissions, OneLake permissions and authentication topics that were in the original white paper, plus a brief section about shortcut security, even though there is now a separate section in the white paper dedicated to that topic.

However, the data security sub-section now contains additional details, including topics such as compute permissions and private links. Note that the private links section consists of literally one line.

In addition, it now lists an order of operations for evaluating Fabric security for a user, along with a diagram to make sure it is clear for everybody.

One thing I should point out is that even though the structure is different, the examples in this sub-section are the same as in the original version of the white paper, albeit with some slight rewording to make them more readable. So those who configured security based on these examples in the past do not need to panic.

Shortcut security

As I mentioned, there is now a new shortcut security sub-section in the secure data section, which goes into depth about various security aspects relating to shortcuts. These include the permissions required to create and delete shortcuts, plus the shortcut-related permissions required to perform reads and writes.

One thing I do like about the new shortcut security sub-section is that it highlights what happens when accessing shortcuts through a Power BI semantic model or T-SQL.

Customer-managed key (CMK) encryption in the end-to-end scenario

In my original post about the Microsoft Fabric security white paper, I went into a reasonable amount of detail about the end-to-end scenario covered towards the end of the white paper. Plus, I created the diagram that I showed earlier in this post to help visualize it better.

Which is why I was so curious to see how much it had changed. It appears that the only major difference in the latest version of the white paper is a new section relating to customer-managed key (CMK) encryption and Microsoft Fabric.

Within the new section there are recommendations relating to encrypting data at rest, plus what is required to access encrypted data when it is stored in a variety of sources, accompanied by a nice diagram showing how the encrypted sources can work with shortcuts.

With this in mind, here is an updated diagram from my previous post, which shows the scenario of working with shortcuts to encrypted sources in the bronze layer of a medallion architecture.

Diagram: updated end-to-end scenario based on the medallion architecture

Of course, you can work with shortcuts elsewhere within the medallion architecture depending on your requirements.

One thing I like about this section is that it includes the recommendation to enable auditing for Microsoft Fabric when connecting to encrypted data sources.

Final words about the latest Microsoft Fabric security white paper updates

I hope my thoughts about the latest Microsoft Fabric security white paper updates make for an interesting read, because I wanted to highlight some key updates to the white paper in this post.

Plus, I want to raise awareness of the fact that the Microsoft Fabric security white paper has been updated, because in my opinion knowing the contents of this white paper benefits anybody working with Microsoft Fabric.

Of course, if you have any comments or queries about this post feel free to reach out to me.
