| Users can create Fabric items |
Microsoft Fabric |
Users can use production-ready features to create Fabric items |
On – all users |
On – scoped to capacity/security groups |
Yes |
High |
Uncontrolled creation leads to sprawl; restrict to licensed/approved groups |
| Users can create Ontology items (preview) |
Microsoft Fabric |
Users can create ontologies for enterprise semantics |
On |
On only for early adopters / pilot group |
No |
Low |
Preview feature; low risk if left broad but no urgency |
| User can create Graph (preview) |
Microsoft Fabric |
Visualise data with a Graph for richer context |
On |
On for approved data teams |
No |
Low |
Preview; limited blast radius |
| Users can create Digital Twin Builder items (preview) |
Microsoft Fabric |
Users can create digital twin builder items |
Off |
Off until production-ready |
No |
Low |
Preview only; not needed for most orgs |
| Users can discover and create org apps (preview) |
Microsoft Fabric |
Let users create org apps as items |
Off |
Off until GA |
No |
Low |
Preview — enable when stable |
| Product Feedback |
Microsoft Fabric |
Microsoft can prompt users for in-product survey feedback |
On |
On (opt-in surveys are voluntary) |
No |
Low |
No data risk; improves product quality |
| Users informed of upcoming conferences |
Microsoft Fabric |
Inform users of conferences featuring Microsoft Fabric |
On |
Off (reduces noise for users) |
Yes |
Low |
Cosmetic — no security risk; disable to reduce distraction |
| ML models serve real-time predictions (preview) |
Microsoft Fabric |
Users can create real-time predictions from model endpoints |
Off |
Off until ML ops readiness confirmed |
No |
Medium |
External-facing ML endpoints need governance before enabling |
| Detect anomalies in Real-Time Intelligence (Preview) |
Microsoft Fabric |
Use statistical algorithms to detect real-time anomalies |
Off |
On for RTI/KQL workloads |
No |
Low |
Feature flag; enable when using Eventstream/KQL |
| Users can create dbt job items (preview) |
Microsoft Fabric |
Import, author and execute dbt projects in Fabric |
Off |
On for data engineering teams |
No |
Low |
Preview; safe to enable for engineering |
| Enable Operations Agents (Preview) |
Microsoft Fabric |
Create operations agents using Azure OpenAI |
Off |
Off — review data boundary requirements first |
No |
High |
Processes data via Azure AI Bot Service; potential EU Data Boundary implications |
| All Power BI users can see 'Set alert' button |
Microsoft Fabric |
All Power BI users see Set alert button in reports |
Off |
On if Fabric Activator licensed |
No |
Low |
UI visibility only; actual creation needs Fabric license |
| Users can create Plan items (preview) |
Microsoft Fabric |
Create integrated planning items in Fabric |
Off |
Off until GA |
No |
Low |
Preview — evaluate when stable |
| Publish 'Get Help' information |
Help and support |
Users can go to internal help/support from Power BI menu |
Off |
On — point to internal wiki/helpdesk |
Yes |
Medium |
Without internal help links users go to public forums; increases support ticket volume |
| Receive email/Teams notifications for service outages |
Help and support |
Mail-enabled groups receive outage/incident notifications |
Off |
On — assign to BI ops/admin group |
Yes |
High |
Missing incident notifications causes blind-spot during outages |
| Users can try Microsoft Fabric paid features |
Help and support |
Users can try Fabric paid features free for 60 days |
On |
Off or scoped to approved pilots |
Yes |
Medium |
Uncontrolled trials generate capacity costs and data sprawl |
| Show custom message before publishing reports |
Help and support |
Users see a custom message before publishing a report |
Off |
On — add governance reminder |
Yes |
Medium |
Reduces accidental sharing of sensitive reports; cheap governance win |
| Allow tenant/domain admins to override workspace assignments |
Domain management |
Admins can reassign workspaces between domains |
Off |
On for multi-domain organisations |
No |
Low |
Useful for large tenants with domain governance |
| Create workspaces |
Workspace settings |
Users can create app workspaces to collaborate |
On – all users |
Restrict to specific security group |
Yes |
High |
Unrestricted workspace creation is the top cause of Power BI sprawl |
| Use semantic models across workspaces |
Workspace settings |
Users can use semantic models across workspaces via Build permission |
On |
On — enables reuse and single source of truth |
No |
Medium |
Good practice; turning off breaks shared model architectures |
| Block users from reassigning personal workspaces |
Workspace settings |
Prevent users reassigning My Workspace from Premium to shared |
Off |
On if Premium capacity is licensed |
Yes |
Medium |
Prevents personal workspaces from silently moving off Premium SKU |
| Define workspace retention period |
Workspace settings |
Define retention period before deleted workspaces are permanently removed |
Off (7-day minimum) |
On — set 90 days for business-critical workspaces |
Yes |
Medium |
7 days is too short to recover from accidental deletion |
| Auto-convert reports to PBIR format (preview) |
Workspace settings |
Automatically convert reports to PBIR format after editing |
Off |
On for teams using Git integration |
No |
Medium |
Enables source control-friendly format; no risk if using PBIR workflow |
| Fabric item recovery |
Workspace settings |
Deleted items are retained for a defined period |
Off |
On — set 30–90 days retention |
Yes |
High |
Without this, deleting items is permanent; critical for DR |
| Allow users to apply sensitivity labels |
Information protection |
Sensitivity labels from Purview can be applied to content |
Off |
On — prerequisite: Purview labels published |
Yes |
High |
Core GDPR/compliance control; governs data classification across exports |
| Apply sensitivity labels from data sources |
Information protection |
Sensitivity labels from supported data sources are inherited |
Off |
On — inherits labels from certified sources |
Yes |
Medium |
Reduces manual labelling burden; propagates governance automatically |
| Auto-apply sensitivity labels to downstream content |
Information protection |
Labels are applied to downstream content when source changes |
Off |
On — reduces labelling gaps |
Yes |
High |
Without this, downstream reports lose classification when source changes |
| Allow workspace admins to override auto-applied labels |
Information protection |
Workspace admins can change/remove auto-applied sensitivity labels |
Off |
Off — preserve label integrity |
No |
High |
Allowing override weakens automated governance chain |
| Restrict protected labels from org-wide link sharing |
Information protection |
Prevent content with protection settings being shared org-wide via link |
Off |
On — prevents org-wide link sharing of sensitive content |
Yes |
High |
Gaps in this allow confidential data to reach all internal users unintentionally |
| Domain admins can set default sensitivity labels (preview) |
Information protection |
Domain admins can set default sensitivity labels for their domains |
Off |
On for multi-domain organisations |
No |
Low |
Useful governance tool; low risk to enable |
| Allow Microsoft Purview to secure AI interactions |
Information protection |
Purview can access/process prompts and responses for compliance |
Off |
On if Purview DLP licensed |
No |
High |
Required for AI prompt/response auditing; critical for compliance orgs |
| External data sharing |
Export and sharing |
Users can share read-only links to OneLake data externally |
Off |
Off or restricted to approved teams |
No |
High |
Sharing OneLake data externally with no controls risks data leakage |
| Users can accept external data shares |
Export and sharing |
Users can accept read-only links to data from other tenants |
Off |
Off by default; whitelist use-cases |
No |
High |
Unrestricted inbound external shares = unvetted external data in tenant |
| Guest users can access Microsoft Fabric |
Export and sharing |
Guest users in Entra directory can access Fabric |
Off |
On if B2B collaboration is needed; restrict via Entra |
No |
Medium |
Needed for B2B; but align with Entra external collaboration policy |
| Users can invite guest users to collaborate |
Export and sharing |
Users can collaborate with external people by sharing Fabric items |
On |
Restrict to specific security groups |
Yes |
High |
Any user inviting external guests creates shadow IT and Entra noise |
| Guest users can browse and access Fabric content |
Export and sharing |
Users can invite guests to browse and request access to content |
Off |
On only after guest governance policy defined |
No |
Medium |
Enables browsing without explicit invite; moderate risk |
| Users can see guest users in suggested people lists |
Export and sharing |
Users see both org and guest users in suggested-people lists |
On |
Off — reduce inadvertent external sharing |
Yes |
Low |
Prevents accidental sharing to guest by autocomplete |
| Publish to web |
Export and sharing |
People can publish public reports accessible without authentication |
Off |
Off — keep disabled unless specific public-dashboard use case |
No |
High |
Publicly accessible reports with no auth; high risk if enabled broadly |
| Copy and paste visuals |
Export and sharing |
Users can copy visuals and paste as static images externally |
On |
On |
No |
Low |
Standard usability feature; no significant risk |
| Export to Excel |
Export and sharing |
Users can export data from visualisations to an Excel file |
On |
On — can restrict to specific groups if sensitive data |
No |
Medium |
Excel export can extract full underlying data; consider RLS adequacy |
| Export to .csv |
Export and sharing |
Users can export data from a tile, visual or paginated report to .csv |
On |
On — same consideration as Excel |
No |
Medium |
CSV strips all access controls; underlying data fully exposed |
| Download reports |
Export and sharing |
Users can download .pbix files and paginated reports |
On |
Restrict to report owners / specific group |
Yes |
Medium |
Downloaded .pbix files contain embedded data and M/DAX logic |
| Work with semantic models in Excel via live connection |
Export and sharing |
Users can use Analyze in Excel and XMLA live connections |
On |
On — enables Analyze in Excel; valuable for self-service |
No |
Low |
Live connection; data stays server-side |
| Export reports as PowerPoint or PDF |
Export and sharing |
Users can export reports as PowerPoint files or PDF documents |
On |
On — standard business need |
No |
Low |
Snapshot exports; no model exposure |
| Export reports as MHTML documents |
Export and sharing |
Users can export paginated reports as MHTML documents |
On |
On |
No |
Low |
Paginated only; low risk |
| Export reports as Word documents |
Export and sharing |
Users can export paginated reports as Word documents |
On |
On |
No |
Low |
Paginated only; low risk |
| Export reports as XML documents |
Export and sharing |
Users can export paginated reports as XML documents |
On |
On |
No |
Low |
Paginated only; low risk |
| Export reports as image files |
Export and sharing |
Users can use the API to export reports as image files |
On |
On |
No |
Low |
Image export; no underlying data |
| Print dashboards and reports |
Export and sharing |
Users can print dashboards and reports |
On |
On |
No |
Low |
Standard usability |
| Certification |
Export and sharing |
Specific groups can certify items as trusted sources |
Off |
On — assign certified reviewers group |
Yes |
High |
Without certification, users can't distinguish trusted from untrusted content |
| Endorse master data |
Export and sharing |
Specific groups can endorse items as core data sources |
Off |
On — assign data stewards group |
Yes |
Medium |
Governs master data discoverability; reduces duplication |
| Users can set up email subscriptions |
Export and sharing |
Users can create email subscriptions to reports and dashboards |
On |
On |
No |
Low |
Subscriptions deliver snapshots; low risk |
| B2B guest users can set up email subscriptions |
Export and sharing |
B2B guest users can set up and be subscribed to email subscriptions |
Off |
Off unless B2B is active use case |
No |
Low |
Limited exposure; review alongside B2B policy |
| Users can send email subscriptions to external users |
Export and sharing |
Users can subscribe external users to email subscriptions |
Off |
Off — prevent data leaving tenant via email |
No |
High |
Sending report snapshots externally with no DLP controls |
| Featured content |
Export and sharing |
Users can promote their published content to Power BI Home Featured section |
On |
On |
No |
Low |
Promotes visibility of quality content |
| Allow connections to featured tables |
Export and sharing |
Users can access and calculate data from featured tables in Excel |
On |
On — supports Excel data types |
No |
Low |
Read-only connection; low risk |
| Allow shareable links to everyone in organisation |
Export and sharing |
This setting grants access to anyone in the organisation with the link |
On |
On — standard internal sharing |
No |
Low |
Internal only; acceptable for most orgs |
| Enable Microsoft Teams integration |
Export and sharing |
People can access features associated with Teams and Power BI integration |
On |
On — standard collaboration |
No |
Low |
Valuable integration; no significant risk |
| Install Power BI app for Teams automatically |
Export and sharing |
Power BI app for Teams installed automatically for users |
Off |
On for Teams-heavy organisations |
No |
Low |
Improves adoption; no security risk |
| Enable Power BI add-in for PowerPoint |
Export and sharing |
People can embed Power BI data into PowerPoint presentations |
On |
On |
No |
Low |
Live embed; no data copy |
| Allow DirectQuery connections to Power BI semantic models |
Export and sharing |
DirectQuery connections allow users to build on existing semantic models |
On |
On — enables composite models |
No |
Low |
Controlled by Build permission on source model |
| Guest users work with shared semantic models in their tenants |
Export and sharing |
Authorized guest users can work with shared datasets in their own tenants |
Off |
Off — restrict cross-tenant model access |
No |
High |
External parties querying internal models; high data-exposure risk |
| Allow specific users to turn on external data sharing |
Export and sharing |
Controls whether users can turn on external data sharing option |
On |
Off or restrict to data owners group |
Yes |
High |
Effectively controls whether cross-tenant data sharing is possible |
| Users with read/write permission can download notebook data |
Export and sharing |
Users with read/write permission can download data from notebook outputs |
On |
Restrict to specific groups |
Yes |
Medium |
Notebook data download bypasses report-level export controls |
| Make promoted content discoverable |
Discovery |
Users who promote content can make it discoverable without access |
On |
On |
No |
Low |
Improves self-service findability |
| Make certified content discoverable |
Discovery |
Users who certify content can make it discoverable without access |
On |
On |
No |
Low |
Drives adoption of governed content |
| Discover content |
Discovery |
Allow users to find and request access to discoverable content |
On |
On |
No |
Low |
Enables access requests; positive governance behaviour |
| Create template organisational apps |
App settings |
Users can create template apps that use semantic models |
Off |
On for Centre of Excellence team |
No |
Low |
Useful for deploying governed app templates |
| Push apps to end users |
App settings |
Users can share apps directly with end users without AppSource install |
Off |
On for IT/BI team distributing governed apps |
No |
Low |
Reduces friction for standard app rollout |
| Publish apps to entire organisation |
App settings |
Users can publish apps to the entire organisation |
On |
Restrict to BI governance team |
Yes |
Medium |
Any workspace admin can publish to all users; risk of ungoverned apps |
| Allow XMLA endpoints and Analyze in Excel with on-prem models |
Integration settings |
Users can use Excel with on-premises Power BI semantic models |
On |
On — required for XMLA tooling (Tabular Editor, DAX Studio) |
No |
Low |
XMLA read is essential for BI development toolchain |
| Semantic Model Execute Queries REST API |
Integration settings |
Users can query semantic models via DAX through REST APIs |
Off |
On for CoE / DevOps pipelines |
No |
Low |
Enables programmatic DAX queries; low risk with proper SP governance |
| Users can use Power BI MCP server endpoint (preview) |
Integration settings |
Users can connect MCP clients to Power BI |
Off |
On for Copilot/AI development scenarios |
No |
Medium |
MCP exposes model metadata to AI clients; needs SP governance |
| Use ArcGIS Maps for Power BI |
Integration settings |
Users can use Esri ArcGIS Maps visualisation |
On |
On if Esri is used; Off otherwise |
No |
Low |
Third-party data; low risk if not using Esri |
| Use global search for Power BI |
Integration settings |
Users can use the global search bar at the top of the page |
On |
On |
No |
Low |
Standard usability |
| Users can use Azure Maps visual |
Integration settings |
Users can create and view the Azure Maps visual |
On |
On |
No |
Low |
Azure Maps; data processing by Microsoft |
| Azure Maps data processed outside tenant geography |
Integration settings |
Data sent to Azure Maps can be processed outside tenant region |
Off |
Off for EU Data Boundary tenants |
No |
High |
EU compliance — data processed outside boundary violates residency |
| Map and filled map visuals |
Integration settings |
Allow people to use the map and filled map visualisations |
On |
On |
No |
Low |
Standard built-in visual |
| Integration with SharePoint and Microsoft Lists |
Integration settings |
Users can launch Power BI from SharePoint and Microsoft Lists |
On |
On |
No |
Low |
Standard M365 integration |
| Snowflake SSO |
Integration settings |
Enable SSO capability for Snowflake |
Off |
On if Snowflake is in data stack |
No |
Low |
SSO improves security over shared credentials |
| Google BigQuery SSO |
Integration settings |
Enable SSO capability for Google BigQuery |
Off |
On if BigQuery is in data stack |
No |
Low |
SSO improves security over shared credentials |
| Microsoft Entra SSO for data gateway |
Integration settings |
Users can use Entra SSO to authenticate to on-premises data gateways |
Off |
On — replaces stored credentials |
Yes |
Medium |
Stored gateway credentials are a security anti-pattern; Entra SSO is best practice |
| Users can view Power BI files in OneDrive/SharePoint (preview) |
Integration settings |
Users can view Power BI files saved in OneDrive/SharePoint |
On |
On |
No |
Low |
Improves collaboration; no extra data exposure |
| Enable granular access control for all data connections |
Integration settings |
Enforce strict access control for all data connection types |
Off |
On — enforces least-privilege data access |
Yes |
High |
Without this, shared items may use another user's data connection credentials |
| Semantic models can export data to OneLake |
Integration settings |
Semantic models configured for OneLake integration can export import tables |
Off |
On for Lakehouse-integrated architectures |
No |
Medium |
Enables OneLake integration; review data classification before enabling |
| Semantic model owners can auto-update from OneDrive/SharePoint |
Integration settings |
Semantic models can auto-update from OneDrive/SharePoint .pbix files |
On |
On — enables lightweight CI/CD |
No |
Low |
Source controlled via OneDrive; low risk |
| Allow visuals created using Power BI SDK |
Power BI visuals |
Users can add, view, share and interact with custom visuals |
On |
On — needed for custom visuals |
No |
Low |
Standard; certified visuals setting governs trust |
| Add and use certified visuals only (block uncertified) |
Power BI visuals |
Users can only add and use certified visuals |
Off |
On for high-security organisations |
No |
Medium |
Uncertified visuals can exfiltrate data to external endpoints |
| Allow downloads from custom visuals |
Power BI visuals |
Custom visuals can download information available to the visual |
Off |
Off unless explicitly needed |
No |
Medium |
Custom visual downloads = uncontrolled data export path |
| AppSource Custom Visuals SSO |
Power BI visuals |
Enable SSO for AppSource custom visuals; Entra tokens sent to visual |
Off |
Off unless vetted AppSource visuals need Entra token |
No |
Medium |
Access tokens sent to third-party visual publishers |
| Allow access to browser's local storage by custom visuals |
Power BI visuals |
Custom visuals can store information in the user's browser local storage |
Off |
Off |
No |
Low |
Local storage by visuals is an uncommon need; disable by default |
| Interact with and share R and Python visuals |
R and Python visuals |
Users can interact with and share visuals created with R or Python scripts |
On |
On for data science teams; Off for non-technical orgs |
No |
Low |
R/Python visuals run server-side; no client risk |
| Usage metrics for content creators |
Audit and usage |
Users can see usage metrics for content they have permission to |
On |
On |
No |
Low |
Essential for governance and adoption tracking |
| Per-user data in usage metrics |
Audit and usage |
Usage metrics expose display names and email addresses of users |
On |
On — required for user-level adoption analysis |
No |
Low |
PII in metrics; acceptable for internal BI governance |
| Show user data in Fabric Capacity Metrics app |
Audit and usage |
Active user data including names/emails shown in Capacity Metrics app |
On |
On |
No |
Low |
Needed for capacity management |
| Azure Log Analytics connections for workspace admins |
Audit and usage |
Workspace admins can configure Azure Log Analytics connections |
Off |
On for mature BI ops teams |
No |
Medium |
Enables detailed audit logging per workspace; requires Log Analytics workspace |
| Workspace admins can turn on workspace monitoring (preview) |
Audit and usage |
Workspace admins can turn on monitoring for their workspaces |
Off |
On for ops maturity |
No |
Low |
Preview; useful for activity auditing |
| Microsoft can store query text to aid support |
Audit and usage |
Query text stored securely for use during support investigations |
On |
On — aids incident resolution |
No |
Low |
Disabling harms Microsoft's ability to support; recommend leaving on |
| Web content on dashboard tiles |
Dashboard settings |
Users can add and view web content tiles on Power BI dashboards |
On |
Off — security risk |
Yes |
High |
Malicious web content can be embedded in dashboards visible to all users |
| Embed content in apps |
Developer settings |
Users can embed Power BI dashboards and reports in web applications |
On |
On if ISV/embedded analytics in use |
No |
Low |
Embed tokens required for ISV scenarios |
| Service principals can create workspaces, connections, pipelines |
Developer settings |
Service principals can create workspaces, connections, and deployment pipelines |
Off |
On — needed for CI/CD and automation |
No |
Low |
Required for DevOps/ALM pipelines; govern via security group |
| Service principals can call Fabric public APIs |
Developer settings |
Service principals can call Fabric public APIs with appropriate roles |
Off |
On for automation/CI-CD scenarios |
No |
Low |
Needed for programmatic Fabric management; govern via SG |
| Allow service principals to create and use profiles |
Developer settings |
Service principals can create and use profiles |
Off |
On for ISV multi-tenant architectures |
No |
Low |
ISV-specific; enable only if multi-tenant embedding is in scope |
| Block ResourceKey Authentication |
Developer settings |
Block resource key based authentication for streaming semantic models |
Off |
On — disables insecure streaming resource keys |
Yes |
Medium |
Resource key auth on streaming datasets is a weaker auth method |
| Service principals can access read-only admin APIs |
Admin API settings |
Web apps can use service principals to authenticate to read-only admin APIs |
Off |
On for governance/CoE tooling (restrict to SG) |
No |
Low |
Required for automated tenant scanning and governance tools |
| Service principals can access admin APIs for updates |
Admin API settings |
Web apps can use service principals to authenticate to admin APIs for updates |
Off |
Off unless automation requires write admin access |
No |
High |
Write access to all admin APIs via SP is very high privilege |
| Enhance admin APIs with detailed metadata |
Admin API settings |
Admin API responses include detailed metadata (table/column names) |
Off |
On for CoE/governance tooling |
No |
Low |
Needed for tenant scanning (table/column names in scan results) |
| Enhance admin APIs with DAX and mashup expressions |
Admin API settings |
Admin API responses include DAX and M query expressions |
Off |
Off unless lineage/documentation automation is in scope |
No |
Medium |
Exposes DAX/M expressions — IP and logic in reports/models |
| Create and use Gen1 dataflows |
Gen1 dataflow settings |
Users can create and use Gen1 dataflows |
On |
On — legacy workloads may depend on this |
No |
Low |
Gen2 is preferred but Gen1 still needed for compatibility |
| Publish template apps |
Template app settings |
Users can publish template apps for external distribution |
Off |
Restrict to ISV/partner scenarios |
No |
Low |
Publishing to AppSource; ISV-specific |
| Install template apps |
Template app settings |
Users can install template apps created outside the organisation |
On |
On |
No |
Low |
Standard for consuming certified template apps |
| Install template apps not listed in AppSource |
Template app settings |
Users with permission can install template apps not in AppSource |
Off |
Off — only allow vetted AppSource apps |
No |
Medium |
Unlisted template apps bypass AppSource security review |
| Review Q&A questions |
Q&A settings |
Semantic model owners can review questions asked about their data |
On |
On |
No |
Low |
Helps improve NLP model accuracy |
| Synonym sharing |
Q&A settings |
People can share Q&A synonyms with the organisation |
On |
On |
No |
Low |
Useful for Q&A model improvement |
| Users with view permission can launch Explore |
Explore settings |
Users with view permission can do ad hoc analysis via Explore |
On |
On — drives self-service analytics |
No |
Low |
View-only ad hoc analysis; no model change risk |
| Block republish and disable package refresh |
Semantic Model Security |
Disable package refresh; only model owner can publish updates |
Off |
On for certified/production models |
Yes |
High |
Without this, any workspace member can overwrite a production model |
| Tenant-level Private Link |
Advanced networking |
Increase security by using a Private Link to access Fabric tenant |
Off |
On for high-security / regulated industries |
No |
High |
Without private link, Fabric is accessible over public internet |
| Block Public Internet Access |
Advanced networking |
Block access to Fabric tenant via the public internet |
Off |
On only after Private Link configured |
No |
High |
Locks out all public access; must configure Private Link first |
| Configure workspace-level inbound network rules |
Advanced networking |
Workspace admins can configure inbound private link access protection |
Off |
On for data-sensitive workspace isolation |
No |
Medium |
Granular network control per workspace; useful in regulated tenants |
| Configure workspace-level outbound network rules |
Advanced networking |
Workspace admins can configure outbound access protection |
Off |
On for DLP on data egress |
No |
Medium |
Controls outbound traffic from workspaces |
| Configure workspace-level IP firewall rules (preview) |
Advanced networking |
Workspace admins can configure IP firewall rules and trusted resource instances |
Off |
On for IP-restricted access environments |
No |
Medium |
Granular IP control; useful in regulated tenants |
| Apply customer-managed keys |
Encryption |
Users can configure workspace level encryption using customer-managed keys |
Off |
On for regulated industries requiring BYOK |
No |
High |
Default Microsoft-managed keys are acceptable; CMK required for some compliance frameworks |
| Create and use Scorecards |
Scorecards settings |
Users can create and use Scorecards |
On |
On |
No |
Low |
Standard KPI tracking feature |
| Help Power BI optimise your experience (UX experiments) |
User experience |
Users get minor UX variations the Power BI team is experimenting with |
On |
Off — avoid unpredictable UI changes in production |
Yes |
Low |
Preview UX experiments can confuse end users; disable for stability |
| Share Fabric data with Microsoft 365 services |
Share with M365 |
Fabric data can be stored and displayed in Microsoft 365 services |
On (if same geo) |
On if same geography; review for cross-geo tenants |
No |
Medium |
Fabric metadata used in M365 search/Copilot recommendations; review for privacy policy alignment |
| Receive notifications for top insights (preview) |
Insights settings |
Users can enable notifications for top insights in report settings |
Off |
On for self-service teams |
No |
Low |
Passive notification; no risk |
| Show entry points for insights (preview) |
Insights settings |
Users can use entry points for requesting insights inside reports |
Off |
On |
No |
Low |
UI feature; low risk |
| Create Datamarts (preview) |
Datamart settings |
Users can create Datamarts |
On |
On for SQL-first analytics teams |
No |
Low |
Standard Fabric feature |
| Users can edit semantic models in Power BI service |
Semantic model settings |
Users can edit semantic models in the service (non-DirectLake) |
Off |
On for advanced self-service; Off for governed central models |
No |
Medium |
In-service editing bypasses Desktop/Git workflow; assess governance maturity |
| Scale out queries for large semantic models |
Scale-out settings |
Queries distributed across replicas when volume is high |
Off |
On for Premium/large model workloads |
No |
Low |
Performance feature; no security risk |
| Users can access OneLake data with external apps |
OneLake settings |
Users can access OneLake data with apps external to Fabric |
On |
On — needed for Databricks, custom apps, File Explorer |
No |
Medium |
External app access to OneLake; enforce item-level permissions |
| Use short-lived user-delegated SAS tokens |
OneLake settings |
OneLake SAS tokens enable apps to access data via Entra identity |
Off |
On — more secure than long-lived tokens |
No |
Low |
SAS tokens expire in <1hr; low risk; enables secure integrations |
| Authenticate with OneLake user-delegated SAS tokens |
OneLake settings |
Allow applications to authenticate using a OneLake SAS token |
Off |
On if SAS token auth is needed by apps |
No |
Low |
Tied to above; enable together |
| Users can sync data with OneLake File Explorer app |
OneLake settings |
Users can use OneLake File Explorer to sync OneLake items to Windows |
On |
On |
No |
Low |
Desktop sync tool; data stays within tenant permissions |
| Include end-user identifiers in OneLake diagnostic logs |
OneLake settings |
OneLake diagnostic logs capture end user identifiable information |
On |
On for audit/compliance; Off for strict privacy |
No |
Low |
PII in logs; assess against data retention policy |
| Users can synchronise workspace items with Git |
Git integration |
Users can import/export workspace items to Git repositories |
Off |
On for mature DevOps teams |
No |
Low |
Enables ALM/source control; best practice for governed development |
| Users can export items to Git repos in other geographies |
Git integration |
Workspace and Git repository may reside in different geographies |
Off |
Off for EU Data Boundary tenants |
No |
High |
Cross-geo data export may violate data residency requirements |
| Users can export items with sensitivity labels to Git |
Git integration |
Users can export items with applied sensitivity labels to Git repos |
Off |
Off — sensitivity labels should not leave tenant boundary |
No |
High |
Item definitions land in the repo as plain files; Purview labels and their encryption and access restrictions do not follow them |
| Users can sync workspace items with GitHub |
Git integration |
Users can select GitHub as their Git provider |
Off |
On for GitHub-using engineering teams |
No |
Low |
GitHub.com repositories are not bound to a capacity region, so the cross-geography export setting above governs whether this is usable; review both together |
| Users can use Copilot and Azure OpenAI features |
Copilot and Azure OpenAI |
Users can access Fabric features powered by Azure OpenAI including Copilot |
Off |
On for licensed users; review data boundary |
No |
High |
AI features send data to Azure OpenAI; EU Data Boundary compliance critical |
| Users can access standalone cross-item Power BI Copilot (preview) |
Copilot and Azure OpenAI |
Users access a Copilot experience to find and analyse Fabric items |
Off |
On if Copilot is licensed and enabled |
No |
Low |
Dependent on parent Copilot setting |
| Azure OpenAI data processed outside capacity geography |
Copilot and Azure OpenAI |
Data sent to Copilot can be processed outside capacity region |
Off |
Off for EU-boundary tenants |
No |
High |
Keep Off for residency-constrained tenants; note that if the capacity region has no Azure OpenAI availability, Copilot features will not work while this is Off |
| Capacities can be designated as Fabric Copilot capacities |
Copilot and Azure OpenAI |
Capacity admins can designate capacities as Fabric Copilot capacities |
Off |
On for Copilot billing consolidation |
No |
Low |
Billing/admin feature; no security risk |
| Azure OpenAI data stored outside capacity geography |
Copilot and Azure OpenAI |
Data sent to Azure OpenAI can be stored outside capacity region |
Off |
Off for EU-boundary tenants |
No |
High |
Storage of prompts/responses outside EU boundary — compliance risk |
| Only show approved items in standalone Copilot (preview) |
Copilot and Azure OpenAI |
Only items marked as 'approved for Copilot' shown in standalone Copilot |
Off |
On — reduces AI surfacing of ungoverned items |
Yes |
Medium |
Without this, Copilot may surface ungoverned/uncertified items to users |
| Users can use Azure Maps services |
Azure Maps services |
Users can access features powered by Azure Maps services |
On |
On |
No |
Low |
Azure Maps in Fabric; Microsoft-managed |
| Azure Maps data processed outside capacity geography |
Azure Maps services |
Data sent to Azure Maps can be processed outside capacity region |
Off |
Off for EU tenants |
No |
Medium |
Same residency concern as the Azure Maps subprocessor setting under Integration settings; EU tenants keep Off |
| Users can use Azure Maps Weather Services (Preview) |
Azure Maps services |
Users can access weather data from Azure Maps Weather (AccuWeather) |
Off |
On if weather data needed |
No |
Low |
AccuWeather data via Azure Maps; low risk |
| Workspace admins can add/remove additional workloads (preview) |
Additional workloads |
Workspace admins can add/remove workloads in their workspaces |
Off |
Off unless a specific workload is required; then scope to named workspaces |
No |
Medium |
Partner workloads run as their own Entra applications acting on the user's behalf and call Fabric and OneLake with that access; vet publishers and the permissions they request carefully |
| Capacity admins can add/remove additional workloads |
Additional workloads |
Capacity admins or contributors can add/remove workloads in capacities |
Off |
Off unless specific certified workloads needed |
No |
Medium |
Same concern as workspace-level; capacity scope is broader |
| Workspace admins can develop partner workloads |
Additional workloads |
Workspace admins can develop partner workloads with local dev environment |
Off |
Off for production; On for dev/sandbox only |
No |
Low |
Development scenario; not for production tenants |
| Users can see workloads not validated by Microsoft |
Additional workloads |
Users can see and work with additional workloads not validated by Microsoft |
Off |
Off — keep disabled until partner is vetted |
No |
High |
Unvalidated third-party workloads = uncontrolled data access by external publishers |
| Allow non-Entra ID auth in Eventstream |
Integration settings |
Users can enhance the security of data streaming by disabling key-based authentication in Eventstream's Custom Endpoint, ensuring that only Microsoft Entra ID (formerly Azure Active Directory) authentication is allowed. This reduces the risk of unauthorized access to Fabric Eventstream through non-Entra ID authentication methods. |
On |
Off |
Yes |
Medium |
Key-based auth on Custom Endpoints is a static shared secret not tied to a user or app identity and is easily leaked; turning this Off forces Entra ID auth, the stronger posture. Inventory existing producers that use keys before flipping it. |
| ArcGIS GeoAnalytics for Fabric Runtime |
Integration settings |
Users in your organization can use Esri's ArcGIS GeoAnalytics for Fabric Runtime in Microsoft's Fabric Spark Runtime. ArcGIS GeoAnalytics delivers spatial analysis to your big data by extending Apache Spark with ready-to-use spatial SQL functions and analysis tools. |
Off |
Off |
No |
Low |
Third-party Esri integration extending Fabric Spark Runtime with spatial analytics. Enable only if your organisation actively uses Esri ArcGIS and has a valid licence. Safe to leave off indefinitely for non-GIS workloads. |
| Data sent to Azure Maps can be processed by Microsoft Online Services Subprocessors |
Integration settings |
Some Azure Maps visual services, including the selection tool and the processing of location names within some regions, may require mapping capabilities provided in part by Microsoft Online Services subprocessors. Microsoft shares only necessary data with these subprocessors, who may access data only to deliver the contracted functions and are prohibited from using it for any other purpose. This feature is non-regional and queries may be stored and processed in the United States or any other country where Microsoft or its subprocessors operate. |
Off |
Off |
No |
Medium |
Off by default is the correct posture. Data is non-regional and may be stored or processed in the US or any country where Microsoft subprocessors operate — a potential GDPR conflict for EU organisations if location data relates to identifiable individuals. Only enable if Azure Maps visual features requiring the selection tool or location name processing are explicitly in use, and cross-border data transfer implications have been assessed under your DPA. |
| Define maximum number of Fabric identities in a tenant |
Developer settings |
Allow admins to specify the maximum number of Fabric identities that can be created in a tenant. If this setting is disabled, up to 10,000 Fabric identities can be created in a tenant. |
Off (platform ceiling of 10,000 Fabric identities applies) |
On; set a limit sized to your organisation's actual automation needs |
Yes |
Medium |
Leaving this off means up to 10,000 Fabric identities can accumulate with no administrative control. Setting a cap forces periodic review of automation identities and reduces governance risk from orphaned or over-provisioned identities. Suggested limits: 50–100 for small teams, a few hundred for large enterprises. |
| Dremio SSO |
Integration settings |
Enable SSO capability for Dremio. By enabling, user access token information, including name and email, will be sent to Dremio for authentication. |
Off |
Off |
No |
Low |
Off by default is correct for organisations not using Dremio. If Dremio is in your stack, enabling SSO is actually the preferred security posture over managing separate credentials. Enabling it sends user name and email to Dremio — ensure your DPA with Dremio covers this data transfer. |
| Redshift SSO |
Integration settings |
Enable SSO capability for Redshift. By enabling, user access token information, including name and email, will be sent to Redshift for authentication. |
Off |
Off |
No |
Low |
Off by default is correct for organisations not using Redshift. If Redshift is in your stack, enabling SSO is the better security posture over shared credentials. User name and email are sent to Redshift (AWS) as part of authentication — verify your DPA covers this cross-platform transfer. For EU organisations with strict data residency requirements, confirm Redshift region before enabling. |
| Users can share links to Power BI files stored in OneDrive and SharePoint through Power BI Desktop (preview) |
Integration settings |
Users who have saved Power BI files (.pbix) to OneDrive and SharePoint can share links to those files using Power BI Desktop. |
On |
On |
No |
Low |
Access is governed by OneDrive/SharePoint sharing policy, including whether 'anyone' links are permitted, not by Power BI. The key consideration is import mode .pbix files, where cached data is embedded in the file and visible to anyone who downloads it without re-authenticating against the data source. RLS is not enforced in the browser viewer; reports with RLS direct users to open the file in Desktop instead. Leaving this On is acceptable where SharePoint sharing policy is already governed; the more important action is ensuring sensitive import mode files are stored in appropriately permissioned locations. |
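The recommended column in the table above is only useful if it is compared with what the tenant actually has, and that drifts as admins toggle settings. The following is an added example, not code from the original page or from Microsoft, that audits a tenant-settings payload against a baseline drawn from the rows above. It assumes the Fabric Admin REST API `GET https://api.fabric.microsoft.com/v1/admin/tenantsettings` returns a `tenantSettings` list whose entries carry `title`, `enabled` and `enabledSecurityGroups`; settings are matched on their portal title, so renamed or preview settings surface as "missing" rather than silently passing. The `SAMPLE` payload, the security-group name and its GUID are constructed so the audit runs offline.

```python
"""Audit Microsoft Fabric tenant settings against a recommended baseline.

Added example, not from the original page or from Microsoft. Assumes the
Fabric Admin REST API GET .../v1/admin/tenantsettings returns
{"tenantSettings": [{"title", "enabled", "enabledSecurityGroups": [...], ...}]}.
SAMPLE below is a constructed payload, not a real tenant.
"""
import json
import urllib.request
from dataclasses import dataclass

# Posture ranked from least to most permissive: off < scoped < on,
# where "scoped" means enabled but limited to specific security groups.
PERMISSIVENESS = {"off": 0, "scoped": 1, "on": 2}

# Baseline taken from the recommended column of the table above.
BASELINE = {
    "Users can synchronise workspace items with Git": "on",
    "Users can export items to Git repos in other geographies": "off",
    "Users can export items with sensitivity labels to Git": "off",
    "Users can sync workspace items with GitHub": "off",
    "Users can access OneLake data with external apps": "on",
    "Allow non-Entra ID auth in Eventstream": "off",
    "Users can see workloads not validated by Microsoft": "off",
    "Azure OpenAI data processed outside capacity geography": "off",
    "Users can use Copilot and Azure OpenAI features": "scoped",
}


@dataclass(frozen=True)
class Finding:
    title: str
    expected: str
    actual: str     # "on", "scoped", "off" or "missing"
    severity: str   # "high" = looser than baseline, "low" = tighter, "info" = not found


def actual_state(setting: dict) -> str:
    """Derive on/scoped/off from one tenantSettings entry."""
    if not setting.get("enabled", False):
        return "off"
    return "scoped" if setting.get("enabledSecurityGroups") else "on"


def audit(payload: dict, baseline: dict = BASELINE) -> list:
    """Compare a tenantsettings payload with the baseline; return deviations only."""
    by_title = {s["title"].strip().lower(): s for s in payload.get("tenantSettings", [])}
    findings = []
    for title, expected in baseline.items():
        setting = by_title.get(title.lower())
        if setting is None:
            # Preview settings and renamed titles land here; check them by hand.
            findings.append(Finding(title, expected, "missing", "info"))
            continue
        actual = actual_state(setting)
        if actual == expected:
            continue
        looser = PERMISSIVENESS[actual] > PERMISSIVENESS[expected]
        findings.append(Finding(title, expected, actual, "high" if looser else "low"))
    return findings


def fetch_tenant_settings(bearer_token: str,
                          url: str = "https://api.fabric.microsoft.com/v1/admin/tenantsettings") -> dict:
    """Live fetch with a Fabric administrator token; not used by the offline run."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample payload; the group name and GUID are placeholders.
SAMPLE = {
    "tenantSettings": [
        {"title": "Users can synchronise workspace items with Git",
         "enabled": False, "enabledSecurityGroups": []},
        {"title": "Users can export items to Git repos in other geographies",
         "enabled": True, "enabledSecurityGroups": []},
        {"title": "Users can export items with sensitivity labels to Git",
         "enabled": False, "enabledSecurityGroups": []},
        {"title": "Users can access OneLake data with external apps",
         "enabled": True, "enabledSecurityGroups": []},
        {"title": "Allow non-Entra ID auth in Eventstream",
         "enabled": True, "enabledSecurityGroups": []},
        {"title": "Users can see workloads not validated by Microsoft",
         "enabled": False, "enabledSecurityGroups": []},
        {"title": "Azure OpenAI data processed outside capacity geography",
         "enabled": False, "enabledSecurityGroups": []},
        {"title": "Users can use Copilot and Azure OpenAI features",
         "enabled": True,
         "enabledSecurityGroups": [{"graphId": "00000000-0000-0000-0000-000000000001",
                                    "name": "sg-copilot-pilot"}]},
    ]
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"[{f.severity:4}] {f.title}: expected {f.expected}, found {f.actual}")
```

Run it as-is to see the offline result; swap `SAMPLE` for `fetch_tenant_settings(token)` to audit a real tenant. Only "high" findings are a looser posture than the baseline; "low" means the tenant is stricter than recommended and usually just needs a note, while "info" rows need a manual check against the portal wording.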