| Setting | Setting group | What it controls | Default | Recommended | Change from default? | Risk | Rationale |
|---|---|---|---|---|---|---|---|
| Users can create Fabric items | Microsoft Fabric | Users can use production-ready features to create Fabric items | On – all users | On – scoped to capacity/security groups | Yes | High | Uncontrolled creation leads to sprawl; restrict to licensed/approved groups |
| Users can create Ontology items (preview) | Microsoft Fabric | Users can create ontologies for enterprise semantics | On | On only for early adopters / pilot group | No | Low | Preview feature; low risk if left broad, but no urgency |
| Users can create Graph (preview) | Microsoft Fabric | Visualise data with a Graph for richer context | On | On for approved data teams | No | Low | Preview; limited blast radius |
| Users can create Digital Twin Builder items (preview) | Microsoft Fabric | Users can create digital twin builder items | Off | Off until production-ready | No | Low | Preview only; not needed for most orgs |
| Users can discover and create org apps (preview) | Microsoft Fabric | Let users create org apps as items | Off | Off until GA | No | Low | Preview; enable when stable |
| Product Feedback | Microsoft Fabric | Microsoft can prompt users for in-product survey feedback | On | On (opt-in surveys are voluntary) | No | Low | No data risk; improves product quality |
| Users informed of upcoming conferences | Microsoft Fabric | Inform users of conferences featuring Microsoft Fabric | On | Off (reduces noise for users) | Yes | Low | Cosmetic, no security risk; disable to reduce distraction |
| ML models serve real-time predictions (preview) | Microsoft Fabric | Users can create real-time predictions from model endpoints | Off | Off until ML ops readiness confirmed | No | Medium | Externally callable ML endpoints need governance before enabling |
| Detect anomalies in Real-Time Intelligence (preview) | Microsoft Fabric | Use statistical algorithms to detect real-time anomalies | Off | On for RTI/KQL workloads | No | Low | Feature flag; enable when using Eventstream/KQL |
| Users can create dbt job items (preview) | Microsoft Fabric | Import, author and execute dbt projects in Fabric | Off | On for data engineering teams | No | Low | Preview; safe to enable for engineering |
| Enable Operations Agents (preview) | Microsoft Fabric | Create operations agents using Azure OpenAI | Off | Off — review data boundary requirements first | No | High | Processes data via Azure AI Bot Service; potential EU Data Boundary implications |
| All Power BI users can see 'Set alert' button | Microsoft Fabric | All Power BI users see the Set alert button in reports | Off | On if Fabric Activator licensed | No | Low | UI visibility only; actually creating an alert needs a Fabric licence |
| Users can create Plan items (preview) | Microsoft Fabric | Create integrated planning items in Fabric | Off | Off until GA | No | Low | Preview; evaluate when stable |
| Publish 'Get Help' information | Help and support | Users can go to internal help/support from the Power BI menu | Off | On — point to internal wiki/helpdesk | Yes | Medium | Without internal help links users go to public forums and raise more support tickets |
| Receive email/Teams notifications for service outages | Help and support | Mail-enabled groups receive outage/incident notifications | Off | On — assign to BI ops/admin group | Yes | High | Without these notifications the BI team has a blind spot during outages |
| Users can try Microsoft Fabric paid features | Help and support | Users can try Fabric paid features free for 60 days | On | Off or scoped to approved pilots | Yes | Medium | Uncontrolled trials generate capacity costs and data sprawl |
| Show custom message before publishing reports | Help and support | Users see a custom message before publishing a report | Off | On — add governance reminder | Yes | Medium | Reduces accidental sharing of sensitive reports; cheap governance win |
| Allow tenant/domain admins to override workspace assignments | Domain management | Admins can reassign workspaces between domains | Off | On for multi-domain organisations | No | Low | Useful for large tenants with domain governance |
| Create workspaces | Workspace settings | Users can create app workspaces to collaborate | On – all users | Restrict to specific security group | Yes | High | Unrestricted workspace creation is the top cause of Power BI sprawl |
| Use semantic models across workspaces | Workspace settings | Users can use semantic models across workspaces via Build permission | On | On — enables reuse and single source of truth | No | Medium | Good practice; turning it off breaks shared model architectures |
| Block users from reassigning personal workspaces | Workspace settings | Prevent users reassigning My Workspace from Premium to shared capacity | Off | On if Premium capacity is licensed | Yes | Medium | Prevents personal workspaces from silently moving off the Premium SKU |
| Define workspace retention period | Workspace settings | Define the retention period before deleted workspaces are permanently removed | Off (7-day minimum) | On — set 90 days for business-critical workspaces | Yes | Medium | 7 days is too short to recover from accidental deletion |
| Auto-convert reports to PBIR format (preview) | Workspace settings | Automatically convert reports to PBIR format after editing | Off | On for teams using Git integration | No | Medium | Enables the source-control-friendly format; no risk if the PBIR workflow is already in use |
| Fabric item recovery | Workspace settings | Deleted items are retained for a defined period | Off | On — set 30–90 days retention | Yes | High | Without this, deleting an item is permanent; critical for DR |
| Allow users to apply sensitivity labels | Information protection | Sensitivity labels from Purview can be applied to content | Off | On — prerequisite: Purview labels published | Yes | High | Core GDPR/compliance control; governs data classification across exports |
| Apply sensitivity labels from data sources | Information protection | Sensitivity labels from supported data sources are inherited | Off | On — inherits labels from certified sources | Yes | Medium | Reduces the manual labelling burden; propagates governance automatically |
| Auto-apply sensitivity labels to downstream content | Information protection | Labels are applied to downstream content when the source changes | Off | On — reduces labelling gaps | Yes | High | Without this, downstream reports lose their classification when the source changes |
| Allow workspace admins to override auto-applied labels | Information protection | Workspace admins can change or remove auto-applied sensitivity labels | Off | Off — preserve label integrity | No | High | Allowing override weakens the automated governance chain |
| Restrict protected labels from org-wide link sharing | Information protection | Prevent content with protection settings being shared org-wide via link | Off | On — prevents org-wide link sharing of sensitive content | Yes | High | Without it, confidential data can reach every internal user through a single link |
| Domain admins can set default sensitivity labels (preview) | Information protection | Domain admins can set default sensitivity labels for their domains | Off | On for multi-domain organisations | No | Low | Useful governance tool; low risk to enable |
| Allow Microsoft Purview to secure AI interactions | Information protection | Purview can access and process prompts and responses for compliance | Off | On if Purview DLP licensed | No | High | Required for AI prompt/response auditing; critical for compliance-driven orgs |
| External data sharing | Export and sharing | Users can share read-only links to OneLake data externally | Off | Off or restricted to approved teams | No | High | Sharing OneLake data externally with no controls risks data leakage |
| Users can accept external data shares | Export and sharing | Users can accept read-only links to data from other tenants | Off | Off by default; allow-list approved use cases | No | High | Unrestricted inbound external shares bring unvetted external data into the tenant |
| Guest users can access Microsoft Fabric | Export and sharing | Guest users in the Entra directory can access Fabric | Off | On if B2B collaboration is needed; restrict via Entra | No | Medium | Needed for B2B, but align with the Entra external collaboration policy |
| Users can invite guest users to collaborate | Export and sharing | Users can collaborate with external people by sharing Fabric items | On | Restrict to specific security groups | Yes | High | Any user inviting external guests creates shadow IT and Entra noise |
| Guest users can browse and access Fabric content | Export and sharing | Users can invite guests to browse and request access to content | Off | On only after a guest governance policy is defined | No | Medium | Enables browsing without an explicit per-item invite; moderate risk |
| Users can see guest users in suggested people lists | Export and sharing | Users see both org and guest users in suggested-people lists | On | Off — reduce inadvertent external sharing | Yes | Low | Prevents accidental sharing to a guest via autocomplete |
| Publish to web | Export and sharing | People can publish public reports accessible without authentication | Off | Off — keep disabled unless a specific public-dashboard use case exists | No | High | Report content becomes anonymously readable by anyone with the URL; if a use case exists, scope the setting to a named security group rather than enabling it tenant-wide |
| Copy and paste visuals | Export and sharing | Users can copy visuals and paste them as static images externally | On | On | No | Low | Standard usability feature; no significant risk |
| Export to Excel | Export and sharing | Users can export data from visualisations to an Excel file | On | On — can restrict to specific groups if data is sensitive | No | Medium | Exporting underlying data returns row-level detail, not just the visual's aggregate; RLS still applies, so verify it is defined on every sensitive model |
| Export to .csv | Export and sharing | Users can export data from a tile, visual or paginated report to .csv | On | On — same consideration as Excel | No | Medium | A .csv cannot carry a sensitivity label, so once exported the data is outside label-based protection and DLP (RLS still limits what is exported) |
| Download reports | Export and sharing | Users can download .pbix files and paginated reports | On | Restrict to report owners / specific group | Yes | Medium | Downloaded .pbix files contain the embedded data and the M/DAX logic |
| Work with semantic models in Excel via live connection | Export and sharing | Users can use Analyze in Excel and XMLA live connections | On | On — enables Analyze in Excel; valuable for self-service | No | Low | Queries run live against the model under the user's identity, so RLS and Build permission still apply |
| Export reports as PowerPoint or PDF | Export and sharing | Users can export reports as PowerPoint files or PDF documents | On | On — standard business need | No | Low | Snapshot exports; no model exposure |
| Export reports as MHTML documents | Export and sharing | Users can export paginated reports as MHTML documents | On | On | No | Low | Paginated only; low risk |
| Export reports as Word documents | Export and sharing | Users can export paginated reports as Word documents | On | On | No | Low | Paginated only; low risk |
| Export reports as XML documents | Export and sharing | Users can export paginated reports as XML documents | On | On | No | Low | Paginated only; low risk |
| Export reports as image files | Export and sharing | Users can use the API to export reports as image files | On | On | No | Low | Image export; no underlying data |
| Print dashboards and reports | Export and sharing | Users can print dashboards and reports | On | On | No | Low | Standard usability |
| Certification | Export and sharing | Specific groups can certify items as trusted sources | Off | On — assign certified reviewers group | Yes | High | Without certification, users cannot distinguish trusted from untrusted content |
| Endorse master data | Export and sharing | Specific groups can endorse items as core data sources | Off | On — assign data stewards group | Yes | Medium | Governs master data discoverability; reduces duplication |
| Users can set up email subscriptions | Export and sharing | Users can create email subscriptions to reports and dashboards | On | On | No | Low | Subscriptions deliver snapshots; low risk |
| B2B guest users can set up email subscriptions | Export and sharing | B2B guest users can set up and be subscribed to email subscriptions | Off | Off unless B2B is an active use case | No | Low | Limited exposure; review alongside the B2B policy |
| Users can send email subscriptions to external users | Export and sharing | Users can subscribe external users to email subscriptions | Off | Off — prevent data leaving the tenant via email | No | High | Report snapshots leave the tenant by email with no DLP control over the recipients |
| Featured content | Export and sharing | Users can promote their published content to the Power BI Home Featured section | On | On | No | Low | Promotes visibility of quality content |
| Allow connections to featured tables | Export and sharing | Users can access and calculate data from featured tables in Excel | On | On — supports Excel data types | No | Low | Read-only connection; low risk |
| Allow shareable links to everyone in organisation | Export and sharing | Grants access to anyone in the organisation who has the link | On | On — standard internal sharing | No | Low | Internal only; acceptable for most orgs |
| Enable Microsoft Teams integration | Export and sharing | People can access features associated with the Teams and Power BI integration | On | On — standard collaboration | No | Low | Valuable integration; no significant risk |
| Install Power BI app for Teams automatically | Export and sharing | The Power BI app for Teams is installed automatically for users | Off | On for Teams-heavy organisations | No | Low | Improves adoption; no security risk |
| Enable Power BI add-in for PowerPoint | Export and sharing | People can embed Power BI data into PowerPoint presentations | On | On | No | Low | Live embed; no data copy |
| Allow DirectQuery connections to Power BI semantic models | Export and sharing | DirectQuery connections let users build on existing semantic models | On | On — enables composite models | No | Low | Controlled by Build permission on the source model |
| Guest users work with shared semantic models in their tenants | Export and sharing | Authorised guest users can work with shared datasets in their own tenants | Off | Off — restrict cross-tenant model access | No | High | External parties querying internal models; high data-exposure risk |
| Allow specific users to turn on external data sharing | Export and sharing | Controls whether users can turn on the external data sharing option | On | Off or restrict to data owners group | Yes | High | Effectively controls whether cross-tenant data sharing is possible at all |
| Users with read/write permission can download notebook data | Export and sharing | Users with read/write permission can download data from notebook outputs | On | Restrict to specific groups | Yes | Medium | Notebook data download bypasses report-level export controls |
| Make promoted content discoverable | Discovery | Users who promote content can make it discoverable without access | On | On | No | Low | Improves self-service findability |
| Make certified content discoverable | Discovery | Users who certify content can make it discoverable without access | On | On | No | Low | Drives adoption of governed content |
| Discover content | Discovery | Allow users to find and request access to discoverable content | On | On | No | Low | Enables access requests; positive governance behaviour |
| Create template organisational apps | App settings | Users can create template apps that use semantic models | Off | On for Centre of Excellence team | No | Low | Useful for deploying governed app templates |
| Push apps to end users | App settings | Users can share apps directly with end users without an AppSource install | Off | On for IT/BI team distributing governed apps | No | Low | Reduces friction for standard app rollout |
| Publish apps to entire organisation | App settings | Users can publish apps to the entire organisation | On | Restrict to BI governance team | Yes | Medium | Any workspace admin can publish to all users; risk of ungoverned apps |
| Allow XMLA endpoints and Analyze in Excel with on-prem models | Integration settings | Users can use Excel with on-premises Power BI semantic models | On | On — required for XMLA tooling (Tabular Editor, DAX Studio) | No | Low | XMLA read is essential for the BI development toolchain |
| Semantic Model Execute Queries REST API | Integration settings | Users can query semantic models with DAX through REST APIs | Off | On for CoE / DevOps pipelines | No | Low | Enables programmatic DAX queries; low risk with proper service principal governance |
| Users can use Power BI MCP server endpoint (preview) | Integration settings | Users can connect MCP clients to Power BI | Off | On for Copilot/AI development scenarios | No | Medium | MCP exposes model metadata to AI clients; needs service principal governance |
| Use ArcGIS Maps for Power BI | Integration settings | Users can use the Esri ArcGIS Maps visualisation | On | On if Esri is used; Off otherwise | No | Low | Third-party visual that sends location data to Esri; turn off if Esri is not used |
| Use global search for Power BI | Integration settings | Users can use the global search bar at the top of the page | On | On | No | Low | Standard usability |
| Users can use Azure Maps visual | Integration settings | Users can create and view the Azure Maps visual | On | On | No | Low | Azure Maps; data processed by Microsoft |
| Azure Maps data processed outside tenant geography | Integration settings | Data sent to Azure Maps can be processed outside the tenant region | Off | Off for EU Data Boundary tenants | No | High | Processing outside the boundary can breach data residency commitments |
| Map and filled map visuals | Integration settings | Allow people to use the map and filled map visualisations | On | On | No | Low | Standard built-in visual |
| Integration with SharePoint and Microsoft Lists | Integration settings | Users can launch Power BI from SharePoint and Microsoft Lists | On | On | No | Low | Standard M365 integration |
| Snowflake SSO | Integration settings | Enable SSO capability for Snowflake | Off | On if Snowflake is in the data stack | No | Low | SSO improves security over shared credentials |
| Google BigQuery SSO | Integration settings | Enable SSO capability for Google BigQuery | Off | On if BigQuery is in the data stack | No | Low | SSO improves security over shared credentials |
| Microsoft Entra SSO for data gateway | Integration settings | Users can use Entra SSO to authenticate to on-premises data gateways | Off | On — replaces stored credentials | Yes | Medium | Stored gateway credentials give every consumer the same source identity; Entra SSO preserves per-user identity and source-side auditing |
| Users can view Power BI files in OneDrive/SharePoint (preview) | Integration settings | Users can view Power BI files saved in OneDrive/SharePoint | On | On | No | Low | Improves collaboration; no extra data exposure |
| Enable granular access control for all data connections | Integration settings | Enforce strict access control for all data connection types | Off | On — enforces least-privilege data access | Yes | High | Without this, shared items may use another user's data connection credentials |
| Semantic models can export data to OneLake | Integration settings | Semantic models configured for OneLake integration can export import tables | Off | On for Lakehouse-integrated architectures | No | Medium | Enables OneLake integration; review data classification before enabling |
| Semantic model owners can auto-update from OneDrive/SharePoint | Integration settings | Semantic models can auto-update from OneDrive/SharePoint .pbix files | On | On — enables lightweight CI/CD | No | Low | Source controlled via OneDrive; low risk |
| Allow visuals created using Power BI SDK | Power BI visuals | Users can add, view, share and interact with custom visuals | On | On — needed for custom visuals | No | Low | Standard; the certified-visuals setting governs trust |
| Add and use certified visuals only (block uncertified) | Power BI visuals | Users can only add and use certified visuals | Off | On for high-security organisations | No | Medium | Uncertified visuals are not reviewed for external calls and can send the visual's data to third-party endpoints |
| Allow downloads from custom visuals | Power BI visuals | Custom visuals can download information available to the visual | Off | Off unless explicitly needed | No | Medium | Custom visual downloads are an uncontrolled data export path |
| AppSource Custom Visuals SSO | Power BI visuals | Enable SSO for AppSource custom visuals; Entra tokens are sent to the visual | Off | Off unless vetted AppSource visuals need an Entra token | No | Medium | Access tokens are sent to third-party visual publishers |
| Allow access to browser's local storage by custom visuals | Power BI visuals | Custom visuals can store information in the user's browser local storage | Off | Off | No | Low | Local storage by visuals is an uncommon need; disable by default |
| Interact with and share R and Python visuals | R and Python visuals | Users can interact with and share visuals created with R or Python scripts | On | On for data science teams; Off for non-technical orgs | No | Low | In the service the scripts run in a Microsoft-hosted sandbox with no internet access, so exposure is limited to the visual's own fields |
| Usage metrics for content creators | Audit and usage | Users can see usage metrics for content they have permission to | On | On | No | Low | Essential for governance and adoption tracking |
| Per-user data in usage metrics | Audit and usage | Usage metrics expose display names and email addresses of users | On | On — required for user-level adoption analysis | No | Low | PII in metrics; acceptable for internal BI governance |
| Show user data in Fabric Capacity Metrics app | Audit and usage | Active user data including names/emails is shown in the Capacity Metrics app | On | On | No | Low | Needed for capacity management |
| Azure Log Analytics connections for workspace admins | Audit and usage | Workspace admins can configure Azure Log Analytics connections | Off | On for mature BI ops teams | No | Medium | Enables detailed audit logging per workspace; requires a Log Analytics workspace |
| Workspace admins can turn on workspace monitoring (preview) | Audit and usage | Workspace admins can turn on monitoring for their workspaces | Off | On for ops maturity | No | Low | Preview; useful for activity auditing |
| Microsoft can store query text to aid support | Audit and usage | Query text is stored securely for use during support investigations | On | On — aids incident resolution | No | Low | Disabling harms Microsoft's ability to support; recommend leaving on |
| Web content on dashboard tiles | Dashboard settings | Users can add and view web content tiles on Power BI dashboards | On | Off — security risk | Yes | High | Web content tiles embed arbitrary external pages inside a trusted dashboard, a ready-made phishing surface for everyone who views it |
| Embed content in apps | Developer settings | Users can embed Power BI dashboards and reports in web applications | On | On if ISV/embedded analytics in use | No | Low | Embed tokens are required for ISV scenarios |
| Service principals can create workspaces, connections, pipelines | Developer settings | Service principals can create workspaces, connections and deployment pipelines | Off | On — needed for CI/CD and automation | No | Low | Required for DevOps/ALM pipelines; govern via security group |
| Service principals can call Fabric public APIs | Developer settings | Service principals can call Fabric public APIs with appropriate roles | Off | On for automation/CI-CD scenarios | No | Low | Needed for programmatic Fabric management; govern via security group |
| Allow service principals to create and use profiles | Developer settings | Service principals can create and use profiles | Off | On for ISV multi-tenant architectures | No | Low | ISV-specific; enable only if multi-tenant embedding is in scope |
| Block ResourceKey Authentication | Developer settings | Block resource-key-based authentication for streaming semantic models | Off | On — disables insecure streaming resource keys | Yes | Medium | A resource key is a static shared secret in the push URL; anyone holding it can push data, with no caller identity and no revocation short of rotating the key |
| Service principals can access read-only admin APIs | Admin API settings | Web apps can use service principals to authenticate to read-only admin APIs | Off | On for governance/CoE tooling (restrict to security group) | No | Low | Required for automated tenant scanning and governance tools |
| Service principals can access admin APIs for updates | Admin API settings | Web apps can use service principals to authenticate to admin APIs for updates | Off | Off unless automation requires write admin access | No | High | Write access to all admin APIs via a service principal is a very high privilege |
| Enhance admin APIs with detailed metadata | Admin API settings | Admin API responses include detailed metadata (table/column names) | Off | On for CoE/governance tooling | No | Low | Needed for tenant scanning (table/column names in scan results) |
| Enhance admin APIs with DAX and mashup expressions | Admin API settings | Admin API responses include DAX and M query expressions | Off | Off unless lineage/documentation automation is in scope | No | Medium | Exposes DAX/M expressions, the IP and logic of reports/models; M expressions also reveal source server names and paths |
| Create and use Gen1 dataflows | Gen1 dataflow settings | Users can create and use Gen1 dataflows | On | On — legacy workloads may depend on this | No | Low | Gen2 is preferred but Gen1 is still needed for compatibility |
| Publish template apps | Template app settings | Users can publish template apps for external distribution | Off | Restrict to ISV/partner scenarios | No | Low | Publishing to AppSource; ISV-specific |
| Install template apps | Template app settings | Users can install template apps created outside the organisation | On | On | No | Low | Standard for consuming certified template apps |
| Install template apps not listed in AppSource | Template app settings | Users with permission can install template apps not in AppSource | Off | Off — only allow vetted AppSource apps | No | Medium | Unlisted template apps bypass the AppSource security review |
| Review Q&A questions | Q&A settings | Semantic model owners can review questions asked about their data | On | On | No | Low | Helps improve NLP model accuracy |
| Synonym sharing | Q&A settings | People can share Q&A synonyms with the organisation | On | On | No | Low | Useful for Q&A model improvement |
| Users with view permission can launch Explore | Explore settings | Users with view permission can do ad hoc analysis via Explore | On | On — drives self-service analytics | No | Low | View-only ad hoc analysis; no model change risk |
| Block republish and disable package refresh | Semantic Model Security | Disable package refresh; only the model owner can publish updates | Off | On for certified/production models | Yes | High | Without this, any workspace member or contributor can overwrite a production model by republishing a .pbix with the same name |
| Tenant-level Private Link | Advanced networking | Increase security by using a Private Link to access the Fabric tenant | Off | On for high-security / regulated industries | No | High | Private Link alone adds a private path; the tenant stays reachable over the public internet until public access is blocked |
| Block Public Internet Access | Advanced networking | Block access to the Fabric tenant via the public internet | Off | On only after Private Link is configured | No | High | Locks out all public access; enabling it without a working Private Link locks the whole tenant out |
| Configure workspace-level inbound network rules | Advanced networking | Workspace admins can configure inbound private link access protection | Off | On for data-sensitive workspace isolation | No | Medium | Granular network control per workspace; useful in regulated tenants |
| Configure workspace-level outbound network rules | Advanced networking | Workspace admins can configure outbound access protection | Off | On for DLP on data egress | No | Medium | Controls outbound traffic from workspaces |
| Configure workspace-level IP firewall rules (preview) | Advanced networking | Workspace admins can configure IP firewall rules and trusted resource instances | Off | On for IP-restricted access environments | No | Medium | Granular IP control; useful in regulated tenants |
| Apply customer-managed keys | Encryption | Users can configure workspace-level encryption using customer-managed keys | Off | On for regulated industries requiring BYOK | No | High | Default Microsoft-managed keys are acceptable; CMK is required by some compliance frameworks |
| Create and use Scorecards | Scorecards settings | Users can create and use Scorecards | On | On | No | Low | Standard KPI tracking feature |
| Help Power BI optimise your experience (UX experiments) | User experience | Users get minor UX variations the Power BI team is experimenting with | On | Off — avoid unpredictable UI changes in production | Yes | Low | Preview UX experiments can confuse end users; disable for stability |
| Share Fabric data with Microsoft 365 services | Share with M365 | Fabric data can be stored and displayed in Microsoft 365 services | On (if same geo) | On if same geography; review for cross-geo tenants | No | Medium | Fabric metadata is used in M365 search/Copilot recommendations; review for privacy policy alignment |
| Receive notifications for top insights (preview) | Insights settings | Users can enable notifications for top insights in report settings | Off | On for self-service teams | No | Low | Passive notification; no risk |
| Show entry points for insights (preview) | Insights settings | Users can use entry points for requesting insights inside reports | Off | On | No | Low | UI feature; low risk |
| Create Datamarts (preview) | Datamart settings | Users can create Datamarts | On | On for SQL-first analytics teams | No | Low | Standard Fabric feature |
| Users can edit semantic models in Power BI service | Semantic model settings | Users can edit semantic models in the service (non-Direct Lake) | Off | On for advanced self-service; Off for governed central models | No | Medium | In-service editing bypasses the Desktop/Git workflow; assess governance maturity |
| Scale out queries for large semantic models | Scale-out settings | Queries are distributed across replicas when volume is high | Off | On for Premium/large model workloads | No | Low | Performance feature; no security risk |
| Users can access OneLake data with external apps | OneLake settings | Users can access OneLake data with apps external to Fabric | On | On — needed for Databricks, custom apps, File Explorer | No | Medium | External app access to OneLake; enforce item-level permissions |
| Use short-lived user-delegated SAS tokens | OneLake settings | OneLake SAS tokens let apps access data via an Entra identity | Off | On — more secure than long-lived tokens | No | Low | Tokens are bound to the delegating user's Entra identity and live at most an hour, so a leaked token has a short, scoped window |
| Authenticate with OneLake user-delegated SAS tokens | OneLake settings | Allow applications to authenticate using a OneLake SAS token | Off | On if SAS token auth is needed by apps | No | Low | Tied to the setting above; enable them together |
| Users can sync data with OneLake File Explorer app | OneLake settings | Users can use OneLake File Explorer to sync OneLake items to Windows | On | On | No | Low | Desktop sync tool; access follows tenant permissions, but synced files land on the endpoint as plain files, so endpoint DLP and device compliance matter |
| Include end-user identifiers in OneLake diagnostic logs | OneLake settings | OneLake diagnostic logs capture end-user identifiable information | On | On for audit/compliance; Off for strict privacy | No | Low | PII in logs; assess against the data retention policy |
| Users can synchronise workspace items with Git | Git integration | Users can import/export workspace items to Git repositories | Off | On for mature DevOps teams | No | Low | Enables ALM/source control; best practice for governed development |
| Users can export items to Git repos in other geographies | Git integration | Workspace and Git repository may reside in different geographies | Off | Off for EU Data Boundary tenants | No | High | Cross-geo export may violate data residency requirements |
| Users can export items with sensitivity labels to Git | Git integration | Users can export items with applied sensitivity labels to Git repos | Off | Off — sensitivity labels should not leave the tenant boundary | No | High | Item definitions exported to Git are plain files in the repo; the label's protection does not follow them |
| Users can sync workspace items with GitHub | Git integration | Users can select GitHub as their Git provider | Off | On for GitHub-using engineering teams | No | Low | GitHub as Git provider; review together with the cross-geo export setting |
| Users can use Copilot and Azure OpenAI features | Copilot and Azure OpenAI | Users can access Fabric features powered by Azure OpenAI, including Copilot | Off | On for licensed users; review data boundary | No | High | AI features send data to Azure OpenAI; EU Data Boundary compliance is critical |
| Users can access standalone cross-item Power BI Copilot (preview) | Copilot and Azure OpenAI | Users access a Copilot experience to find and analyse Fabric items | Off | On if Copilot is licensed and enabled | No | Low | Dependent on the parent Copilot setting |
| Azure OpenAI data processed outside capacity geography | Copilot and Azure OpenAI | Data sent to Copilot can be processed outside the capacity region | Off | Off for EU-boundary tenants | No | High | EU Data Boundary violation risk; keep Off unless the capacity is US/non-EU |
| Capacities can be designated as Fabric Copilot capacities | Copilot and Azure OpenAI | Capacity admins can designate capacities as Fabric Copilot capacities | Off | On for Copilot billing consolidation | No | Low | Billing/admin feature; no security risk |
| Azure OpenAI data stored outside capacity geography | Copilot and Azure OpenAI | Data sent to Azure OpenAI can be stored outside the capacity region | Off | Off for EU-boundary tenants | No | High | Storage of prompts/responses outside the EU boundary is a compliance risk |
| Only show approved items in standalone Copilot (preview) | Copilot and Azure OpenAI | Only items marked as 'approved for Copilot' are shown in standalone Copilot | | | | | |
Off |
On — reduces AI surfacing of ungoverned items |
Yes |
Medium |
Without this, Copilot may surface ungoverned/uncertified items to users |
| Users can use Azure Maps services |
Azure Maps services |
Users can access features powered by Azure Maps services |
On |
On |
No |
Low |
Azure Maps in Fabric; Microsoft-managed |
| Azure Maps data processed outside capacity geography |
Azure Maps services |
Data sent to Azure Maps can be processed outside capacity region |
Off |
Off for EU tenants |
No |
Medium |
Same as integration version; data residency risk for EU tenants |
| Users can use Azure Maps Weather Services (Preview) |
Azure Maps services |
Users can access weather data from Azure Maps Weather (AccuWeather) |
Off |
On if weather data needed |
No |
Low |
AccuWeather data via Azure Maps; low risk |
| Workspace admins can add/remove additional workloads (preview) |
Additional workloads |
Workspace admins can add/remove workloads in their workspaces |
Off |
Off — workload partners not validated by Microsoft |
No |
Medium |
Third-party workloads receive user tokens; vet publishers carefully |
| Capacity admins can add/remove additional workloads |
Additional workloads |
Capacity admins or contributors can add/remove workloads in capacities |
Off |
Off unless specific certified workloads needed |
No |
Medium |
Same concern as workspace-level; capacity scope is broader |
| Workspace admins can develop partner workloads |
Additional workloads |
Workspace admins can develop partner workloads with local dev environment |
Off |
Off for production; On for dev/sandbox only |
No |
Low |
Development scenario; not for production tenants |
| Users can see workloads not validated by Microsoft |
Additional workloads |
Users can see and work with additional workloads not validated by Microsoft |
Off |
Off — keep disabled until partner is vetted |
No |
High |
Unvalidated third-party workloads = uncontrolled data access by external publishers |
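As an added example (not code from the page or from Microsoft), the High and Medium rows above can be turned into a drift check run against a tenant-settings export: the setting titles are the page's, but the JSON shape, the `find_drift` helper and the sample export are assumptions constructed here.

```python
"""Baseline drift check for the Fabric tenant settings tabulated above (added example)."""
import json

# Baseline from the High/Medium rows above: title -> (recommended 'enabled' state, risk).
# A setting recommended Off that is enabled for a scoped security group is still drift;
# the scope is noted in the finding so a reviewer can judge the blast radius.
BASELINE = {
    "Users can export items to Git repos in other geographies": (False, "High"),
    "Users can export items with sensitivity labels to Git": (False, "High"),
    "Azure OpenAI data processed outside capacity geography": (False, "High"),
    "Azure OpenAI data stored outside capacity geography": (False, "High"),
    "Users can see workloads not validated by Microsoft": (False, "High"),
    "Only show approved items in standalone Copilot (preview)": (True, "Medium"),
    "Workspace admins can add/remove additional workloads (preview)": (False, "Medium"),
}

# Constructed sample export. The shape (tenantSettings[].title/enabled/enabledSecurityGroups)
# is an ASSUMPTION about an admin export, not a captured API response.
SAMPLE_EXPORT = json.dumps({"tenantSettings": [
    {"title": "Users can export items to Git repos in other geographies", "enabled": True},
    {"title": "Users can export items with sensitivity labels to Git", "enabled": False},
    {"title": "Azure OpenAI data processed outside capacity geography", "enabled": True,
     "enabledSecurityGroups": [{"name": "copilot-pilot"}]},
    {"title": "Users can see workloads not validated by Microsoft", "enabled": False},
    {"title": "Only show approved items in standalone Copilot (preview)", "enabled": False},
    {"title": "Workspace admins can add/remove additional workloads (preview)", "enabled": False},
    {"title": "Users can use Azure Maps services", "enabled": True},  # not in baseline; ignored
]})

RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def find_drift(export_json: str) -> list:
    """Return baseline violations, highest risk first, then by title.

    A baseline setting absent from the export is reported too: an unseen
    setting cannot be assumed compliant."""
    present = {s["title"]: s for s in json.loads(export_json)["tenantSettings"]}
    findings = []
    for title, (expected, risk) in BASELINE.items():
        setting = present.get(title)
        if setting is None:
            findings.append({"title": title, "risk": risk, "reason": "not present in export"})
        elif setting.get("enabled") != expected:
            groups = setting.get("enabledSecurityGroups") or []
            scope = f"scoped to {len(groups)} group(s)" if groups else "tenant-wide"
            findings.append({"title": title, "risk": risk,
                             "reason": f"enabled={setting.get('enabled')}, expected {expected} ({scope})"})
    return sorted(findings, key=lambda f: (RISK_ORDER[f["risk"]], f["title"]))
```

Extending `BASELINE` with the Low-risk rows, or with the expected security-group scope where the table says "scoped to", turns this into a full periodic check against the recommendations above.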