PowerBI.tips

Uncovering Fabric Security Whitepaper – Ep. 326

June 7, 2024 By Mike Carlo

This episode is a walkthrough of why the Fabric/Power BI security whitepaper matters. It’s not a fun read, but it’s the kind of document that helps admins and BI leads answer hard questions about access, governance, and risk.

News & Announcements

Main Discussion

The main theme: security conversations are hard because guidance is fragmented—this whitepaper helps consolidate the story.

Key points from the conversation:

  • Why the whitepaper matters: it brings Power BI/Fabric security concepts into one place so admins can reference a single source.
  • Skim strategy: you don’t have to memorize 75 pages, but you do need to know what sections exist and what knobs map to common org policies.
  • Enable better stakeholder conversations: BI teams need to speak the language of IT/security when discussing tenant settings, access patterns, and governance.
  • Architectural thinking: diagrams/patterns help explain how identities, groups, workspaces, and artifacts interact.
  • Practical impact: the discussion calls out how enterprise security needs (including on-prem and cross-boundary access patterns) show up in real projects.

Looking Forward

Skim the whitepaper once, then create a short internal checklist for your tenant/workspace standards. That gives your team a repeatable baseline for every new Fabric project.

Episode Transcript

0:30 good good morning and welcome back to the Explicit Measures podcast with Tommy Seth and Mike good morning everyone good morning gentlemen good morning morning gentlemen it is another good day we are this week has been zooming by for me seems to be it going pretty quick here our main topic today is probably going to be a bit of a bore for most people so this is this is going to be wow well I’m gonna I’m going to do this purely based off your reaction Tommy to the topic that I presented here so Tommy was like oh man what’s going on like oh I

1:03 mean Tom you push back a little bit right speak for the people all right speak for the people I want to speak for all of us collectively because that’s what Tommy does for us so I’ll do it for everyone else on the podcast just kidding we’re the main topic for today is reviewing the Microsoft security white paper I know people love security but as organizations adopt Power BI this is a very common question conversation occurrence and a lot of people are just I think are I’m very encouraged that Microsoft has

1:34 taken a very I would say a very a good stance on hey look there’s a lot of security things that are happening in PBI here’s a white paper that consolidates all of them together here’s a a single thing you should read so there is a link here in the description on this video of the actual security white paper like the page or you can go download the PDF it’s quite long don’t worry we’re not going to go through every little fine-grained detail more of like our key observations or main things or points around the security white paper we’re

2:04 we’re not we’re not I I thought this entire episode was just going to be me reading the white paper yes that we we need a couple episodes that one yeah maybe I should just do some side episodes where if you haven’t read the white paper you get you can go to sleep to cess sess security story time phase three recovery plan well let’s be real while Fabric ensures that the data remains accessible for like you can also fully restore their services to the state before the

2:34 incident the section let’s be real Mike how many people a about VNets right how many people get jazzed about VNets and no one right so yeah there there’s a conversation here like okay no one is excited to do this but this is so integral to what we do it’s important I haven’t seen I haven’t seen excitement I’ve seen massive frustration from people who do actually understand a good chunk of it talking to people who don’t yes those are fun

3:05 conversations yes no that’s not how it works you don’t understand no we can’t do that that’s this is how it works and and this is a lot of these conversations that I hear around security are there there are you don’t know a couple things well we’ll get into that a little bit I think this is this is where I think the conversation will be interesting today just because there’s just so much that needs to be talked about I in the security space I think there’s a lot of opportunity here for us to continue to invest in this and learn more about it

3:35 and want to make sure people have the tools and the equipment like they know where to go to find this information I think this is important anyways that being said let’s do a couple intros some news if you will so a lot of things been happening Tommy you were just mentioning man there’s like so many blogs coming out recently and so many new things happening I would agree it feels like after Build there’s been a wave of just net new developments or things just getting out the door Tommy what what did you find recently so one of the things I’m

4:05 actually personally excited about for some of the clients and actually myself too is on premise data or bringing your on-premise data into the OneLake experience which really is pretty important and you have a lot of organizations and a lot of systems still that are still dealing with on premise data they haven’t necessarily moved to the cloud and guess what that’s okay nothing not everything needs to be in the cloud and speaking of security there’s a lot of reasons also

4:35 organizations wanted security so this is actually something that came out near the end of May actually May 23rd which I can’t believe we’re already in June but just talking about the experience what it’s like to bring your on-premise data into OneLake what that experience is like I believe you can mirror now if if I’m if I’m not mistaken yep and which is really again to me that’s significant that’s pretty significant because you’re still having a lot of data that’s still on premise so

5:07 mirroring is an interesting feature that Microsoft has been promoting here for a bit and I I’ve been I’ve been very vocal about like there’s a lot of common patterns in data engineering especially when you’re trying to get data from a source system into some lake experience it’s very common you have tables that need to be updated they need to be as close as they can to what’s in the original system that’s what you’re trying to get to and depending on what that data does in the original system how much you can trust the different date fields in it

5:37 determines what architecture you build or how much data you need to bring in so really think this is mirroring is very interesting because they’re they’re listening to the change data the CDC change data data capture yeah change data capture sorry I would say catalog change data capture which is listening to the and so I believe even if you look at the change data capture experience in mirroring Microsoft’s actually doing

6:08 some of this for free for you they’re giving you some free storage that will allow you to use mirroring without actually having to pay for your own storage for that so that’s actually another advantage to try and get you into mirroring because Microsoft is going to just do it for free to a degree it’s it’s not going to be like unlimited free but there’s a a portion of it that you can just use which I think is really helpful helpful and Tommy to be clear about these on-prem sources the on-prem OneLake sources are it’s starting with this thing called

6:40 an S3 bucket right so as long as the format is an S3 you’re going to be able to make shortcuts to data that lives on-prem but is in the S3 format so if you have storage of files or you can have a S3 storage compatible system that’s where you can go get these shortcuts from so again there’s a lot of the story around leave the data where it is don’t move it just connect to iton compatible or even Google Cloud which I guess is on-prem if it’s Google Cloud but one one feature that I noticed

7:12 here recently which seems interesting to me is if I think about like what happens in like a Delta table a Delta table continually changes itself it makes new log files like that describe the the Parquet files that are underneath the the hood of that thing the the table I think there’s this interesting thing there’s a feature where they say you can cache the data so you can connect to a source and you can turn on caching so it will keep a copy of the

7:43 data inside your OneLake but it’s like a it’s just like a it’s like a hot cache like so if you are refreshing a data set three or four or five times a day and nothing is changing on the actual data set side it will just read from the cache directly from Azure so won’t cost you more money to go back to the original source and get the data so that’s another interesting feature that I thought hm that’s a pretty I like the idea of that that makes a lot of sense that you can intelligently look at these Delta tables see if they’ve

8:13 changed if they haven’t then just use the cache instead so it really cuts down the the need to go cross cloud when you’re accessing data which could get I think expensive if you’re refreshing things very frequently cool the only other one I had here that was relevant here is I have a post from Zoe Douglas from LinkedIn and what Zoe is doing is Zoe is explaining there’s a couple new features that have just been announced this is from the blog but she does a quick

8:43 little video on the Model Explorer so inside desktop you have this Model Explorer window where you have the measures the calculations the columns it’s a little bit of a different format but in there you’re able to make calculation groups so it’s a an editing feature where you can make calculation groups inside this model window and apparently that’s now gone GA both in desktop and in the service so that’s a big moment there for the modeling tab or modeling pane I guess

9:13 it would be called but now that’s both in both places and it’s now under generally generally available which is also a very interesting exciting thing as well I’ll put that link here in the description for anyone who wants to go see her her little mini video on it and also wants to check it out and that modeling view is more than just calculation groups it’s really all the metadata that was previously only available in Tabular Editor or a feature like that or an external tool like Tabular Editor being able to see the measures

9:43 the per set I’ve think the relationships the roles being able to see the perspectives and now that’s all available to be seen interestingly enough came out first in desktop correct I think this was actually only available desktop and then then the web usually it’s the other way around where they come out with a feature in web then it becomes a desktop but yeah the fact that they’re GA I think for a lot of people Tabular Editor is still something intimidating I think for maybe more the

10:13 general public I would say I’m doing a training course now actually Mike on Tabular Editor 3 and for a lot of people they like the UI is the the biggest hurdle for a lot of people it’s a technical tool it’s got a lot of things in it is right so the fact that you have the same user your experience in Power BI but some really important information here and I hope they do more with

10:35 perspectives that’s something I I’ll put to the parking lot for another day but the fact that they now have that in desktop is now GA is pretty important the web thing it’s probably somewhere perspectives is probably somewhere in the security paper I would also imagine as well I’m sure well no because the only way we use perspectives right now is for personalized visuals for from a Power BI point of view we’ll have to dig into this security paper and look for it or I can use Ctrl+F and find that or you can use that and try and find it

11:06 that’s what I meant by that [Laughter] comment oh Tommy where were you going you’re going with yeah no I’m I’m this I’m curious though Mike the fact that it’s in the web and this has been your your big thing is everything available in the web from a Power BI point of view are you going to be using this in the web Oh yes most certainly I mean especially if I’m I’m already using a lot of experiences in the web already the modeling experience is is good in the web I believe I

11:37 feel like it’s fairly substantial you can make the measures and the relationships you want it feels very similar to what desktop’s doing I think they my guess here is is they’re trying to really provide parity between everything in desktop everything on web it’s going to be there so if you’re asking to me all those and this is where I think things are not necessarily always a great fit right if you if you are a company that has a lot of Mac users in it right you’re probably not a Microsoft shop company in general you don’t have

12:08 Microsoft Office you’re probably not using Microsoft products you’re probably using Google or some other tool for all your business need elements I really think there’s a two-horse race going on here it’s either you’re Microsoft or you’re Google that’s the only thing I see anymore in businesses so for those companies who want to use Power BI Google doesn’t really have a great they have Looker but they don’t really have a great experience of like this full-fledged enterprise BI corporate solution that is Power BI and Fabric I I don’t I don’t see it maybe maybe it’s

12:39 there but it’s not this comprehensive all-in-one package that I’m seeing Microsoft produce here so I don’t know I there’s there’s always been this argument of like well now it’s on the web and now you can have Mac users use this I don’t really don’t know how relevant that is because I don’t think most of those other users in that company are even interested in using Microsoft products so why pick the one Microsoft product to push everyone into now that you can use it on the web I’m not quite sold on that story yet I’ve had I’ve my my success has been very different for companies that

13:10 have H unless you’re using version control extensively in Power BI the web doesn’t make a ton of sense right because one of the first things I did after my computer in a sense reset itself well in so many words was install Power BI Desktop because I have the version control I have some things in git but I also have a lot of things in SharePoint still too I haven’t migrated everything over as soon as I start using desk or the web for my modeling well that’s immediately not out of sync with anything I’m doing in

13:40 desktop so unless I’m using extensively my modeling and my Power BI semantic models in git in Azure DevOps like there maybe there’s a quick fix here but that’s not like oh good well even if my computer reset I still have the web to do everything I see what you’re saying I see your point here on this one I don’t necessarily think I agree with it I think the source of truth of where you used to keep things is starting to shift

14:11 and what by that is the source of truth was typically SharePoint with a PBIX file that you would upload to that was the that was like the method for just to make sure your computer doesn’t self-destruct itself this is where you put it so you have a backup I believe the story of truth is now shifting away from that and now moving more towards a git experience so the repo now yeah Donald you’re right on point you’re right you’re you’re going right where I’m going with this one I think the repo is now becoming the source of truth and this is very common

14:41 in a lot of other products Microsoft has built data flows or sorry Azure Data Factory and Synapse they also have this experience of like hey I’m live editing something and I’m then connecting it to a repo and I’m keeping copies of all the information that runs that environment in a repo so I think you’re going to the repo experience inside Power BI yeah there’s a couple things that are still missing that don’t get tracked inside the git the git repos but in general I think it’s actually a really seamless experience

15:11 and it’s actually pretty easy to use so I think the source of truth is shifting from SharePoint and single files that are PBIXs I think we’re moving more towards this git-enabled easy to use experience and so to your point though Tommy like I would assume at some point the web and your desktop would just always point at whatever is in the git and that should be your source of truth and so I will no longer download PBIX files from the service to go edit them on desktop I’ll no longer store them in

15:42 SharePoint and then bring them down edit them and then publish them now what I’ll do is I’ll just have everything attached to the git repo and that way when I want to edit something in desktop I’m assuming my desktop is taking a copy of what is in in the service and I’m starting from there so my feeling is you shouldn’t really use your computer your local machine as the source of truth for files well there’s nothing you said that I disagree with I know I’m just I’m not sure if I was I

16:12 don’t know I just didn’t feel as you said something around the web is not going to be that that premium experience or that’s going to be the I think it’s going to be I think as they continually to add features more and more people will go there and that will be their editing and building and modeling experience that will happen in the web especially now that I’m using more notebooks I don’t like the experience of using notebooks locally I actually like using experiences inside the service so I’m getting more comfortable with just doing more and more things in the website versus on

16:42 desktop I I don’t have a specific article but I guess one of the interesting things that did strike me in looking at like the Power BI blog that I have a question around after the statement like there there are a lot of products and features that people are confused about a lot and all the time and one of those is like confusion around GA or things things being in preview forever is what I hear a lot of true yes so like one of the things

17:13 that stands out to me is within the last less than month right on May 21st there’s Copilot and Microsoft Fabric is now generally available in the Power BI experience June 3rd the general availability of Copilot for Power BI is roll out starting today and June 4th ask Copilot questions against your semantic model preview like so so what what I’m what I’m driving at here the question is

17:43 would you rather see a play by play like there’s two things really one is if Copilot is supposed to be the large language model L thing that we can do a bunch of stuff on do we need to change our thoughts and be like well actually it doesn’t support some of these things yet it only supports these that are now GA and there’s actually a bunch of things that are preview and we should expect to have a GA product with preview features

18:14 indefinitely I think the confusion a l is because we have about 17 Copilots in the Fabric system right now maybe about 8 to 12 I get it right but if you’re talking semantic models you’re talking Power BI if you’re talking Power BI and GA you’re talking Power BI if you’re talking Power BI and Fabric you’re talking about Power BI I think they’re they’re going from the engineered point of view there may be one Power BI that you see but there’s a semantic model Copilot in their end from a from a model that’s

18:44 been trained there’s the Power BI get experience Copilot there’s the one from looking at your visuals there’s the data flow or the Power Query Copilot to Microsoft engineers those are four separate Copilots because they are four different mod to the end user to the end user I agree with you I’m yes WTF are we supposed to do to diagram what and this is what I’m saying like this is this is the the umbrella term of Copilot I think is really biting people because if

19:16 if these are individualized things then then a a couple things one is help a brother out man like if you’re gonna say Copilot for report pages is now GA that makes sense if if you’re saying there’s Copilot for semantic models and that’s a different thing and we’ve applied it and that’s in preview then that makes sense but like it’s not Copilot brackets feature right or feature

19:47 Copilot which is is how I read it knowing how the things work and your explanation which I agree with I’m just driving at like we’re we’re the origination of like the news conversation like so much information so many blogs and and at what point is it a tipping point of this like contest to get stuff out the door and or have like a confusing messaging which is really going to hinder people’s

20:18 adoption I think of Fabric because they’re not going to understand how it works it’s like TR the disent that we talked about there’s this hype of what Copilot is but yeah I in Seth I completely agree with you if you’re going to say this Copilot is GA the normal user is not going to go well which Copilot which one did they train they’re going to just exp Copilot like right now they just think Copilot and that’s the thing across all the all the ecosystem case right but but now we’re now it appears we’re parsing it way down

20:48 because I would argue a semantic model is part of Power BI like interesting I didn’t catch that I’m not seeing the same thing there from my perspective so I didn’t I didn’t I didn’t initially pick up on that that but I do think the message of Copilot has been confusing in general and I think this is man it feels like they’re trying I get it there’s probably a different something behind the scenes

21:10 that’s doing specific things around the data so I get why they’re probably calling it in preview for this specific feature I don’t think you’re going to get away from that though I think I think you’re right I think you’re going to have a product that has a lot of preview features on it and they’re looking for does it get widely adopted is it something that will if if it stays in preview what what was it in preview for a really long time the Azure Maps or the was there something the Azure Maps I think it was like four years like four years in preview or something like it was just always in preview I don’t I’m

21:41 I’m not I’m not I’m not against like things in preview like I I guess what I’m bringing up is we we know there are many different teams working on consolidating a bunch of things in the Fabric and if this is just an example of reducing the volume or getting on to the same message I think there’s some area of opportunity there where you can streamline some of this communication to the end users so that people aren’t like looking looking at 10 blogs that all say Copilot and

22:12 they’re all in different states of something and like hey let’s it is this for this is how we name Copilot stuff it’s Copilot colon feature or something right the external the external conflict between engineers and marketing right because marketing is trying to say we have but the people the people generating these blogs are close to the engineers they’re the PMs sure but we’re trying to one

22:42 Copilot and power no I okay I’m just saying the messaging is confusing so when you when you throw in the mess like all of this stuff into these long laundry lists of blog articles that even even nerds like us actually try to keep up with even from a retrospective P like thing great I love the tags love that I can click on Copilot not all the things are showing up there which is interesting right but

23:12 at the same time like okay which article do I need to read what Copilot thing am I talking about if this is Copilot for Power BI like what why do I see multiple different articles in different states and different preview going from a security point of view Seth I see exactly what you’re saying if you’re trying to tell your boss oh no Copilot’s GA so we can roll it out except and then except you don’t ask it this one thing don’t go to the model because that’s still in preview or don’t don’t toggle this one button you read how much is

23:43 that this right this is the conversation that happens and that I’m just it’s it’s a point of observation I’m not trying to be uber critical but I think I think in some regards if there’s opportunities to consolidate information or slow things down on a cadence to get a message or shoot out multiple updates in the same time frame and/or clarify some specifics it it’ll help like there’s so much volume of stuff that is

24:13 just under this Fabric umbrella yeah you know that I don’t know it it’d be okay to slow it down a little bit that’s my [Laughter] news yeah I I I don’t I hear say I don’t think Microsoft’s going to be willing to slow anything down it’s going to be just continued like force features features features and the team’s got really large too so yeah I get it but that but it the the team being large just means lots of different groups of people working on things and you can tell that by the many

24:45 different PMs that are posting blogs but remember who’s who’s consuming the blog are you are you paying attention to the end audience and not just producing a feed of feature releases because if you’re just doing feature releases just create a feature release page and keep dumping into the same long scrollable thing where I can search something yes yeah no and I think this is this does go B well I think from a security point of view because to your point nothing’s going to deter there’s a lot of

25:15 organizations who are very conservative in terms of when they’re going to release something until they know it’s GA and also tested and if you’re trying to push things through and you think it’s says GA you’re like great now I can promote this and it’s not to your point because there’s seven other Copilots that have yet to be tested by Microsoft well you’re going to now get to a point where you’ve not only hindered yourself but you may have blocked a feature from or delay a feature for

25:45 months until your organization tested because they’re not going to trust you and they’re not going to trust the the GA label right but I think this is why Microsoft does the whole releasing things in G because that way you don’t have to be feature blocked by another team I think that’s to me that’s where I’m like that’s why they’re doing it is because they want they want to be able to like okay we got to get stuff out we want people to start testing it it’s it’s close enough that it could start getting usage let’s refine the idea of it and potentially it gets better over time because they’re actually refining the experience of whatever that that

26:17 new feature is it’s interesting maybe we should release more features on tips plus as preview I want like I want a I want a diagram of here’s here’s Power BI Copilot coil here here are all of the feature brand like all the features that that Copilot it’s Copilot yep here’s all the features and you could tell me which ones are in GA and you can tell me which ones are in

26:47 preview and you can tell me which ones are on the road map then I have one place and I can say Okay Copilot G org but here’s here’s the features that are enabled or not instead of scrolling through pages and pages of documentation or technical doc that says look at the few things that you can do and you should expect that work in GA versus you may encounter some anomalous results and that’s called preview and that’s okay anyway let’s move on and talk about

27:19 an exciting part are there any other news news news news snippets no not the ones there’s there’s probably more out there for now I would probably say this is okay okay after consuming 75 pages of security white paper gentlemen initial thoughts well let me give the Microsoft security a proper introduction and I’m gonna do this host yeah the most exciting thing

27:51 so now starting Microsoft security white paper it sounds like you’re doing like a a fight this is like a fight are you ready to no security no be like and who do we have today oh oh is that domains so yeah we’re dealing with 75 pages of security going from where the data lives where the both from from a user point of view how user can access the data all the way to

28:22 domains workspaces in our normal tenant administration Mike I think you you put this perfectly we’re dealing with with a white paper that really puts together everything yes so much here one place on anything that has to do with your data with your users and where they’re accessing that data and the reason I bring this up and the one one of the reasons why I wanted to talk about this white paper when it came out was I think it’s under I think it’s underrated that people administrators should yes this is not a fun read yes this is probably a

28:52 long read of things that’s going on here but I think as an administrator it’s very important that you go at least read through it even skim through it and just read through the different sections because I guarantee there are probably pieces of security in this white paper that you’re not you’re probably not using or you could be using because you your company or organization would like to have that or has policies around this right so as a as a Power BI expert there’s two things you I think you need to understand I think you need to understand what is your current company policy for things and then where

29:24 does the security elements or what you know knobs you should turn inside Power BI so that the security of Power BI matches what you have a security policy in your company and I think that’s really important because why this stuff all exists to make sure people are comfortable with putting their data inside Microsoft cloud well I I think even one one step ahead or one step forward to what you said not just if you’re an administrator where if I’m I think I’m speaking more for consultant but even if I’m a the Power BI person at

29:55 my organization having the access to this and being able to speak to this is pretty important because you are going to have the conversations the hard conversations with your IT or your stakeholder on where wait wait where’s our data where does it live or wait who has access like we we have these certain scenarios that we really want to either block or give access how do I ensure that’s the case you’re not going to find a lot of I say more liberal companies where like yeah

30:25 wherever the data is that’s fine it’s Power BI great release it so there’s a lot in here that I was even surprised that they put in here in terms of like for example when you when does your data actually get removed from your computer or from an app like at what point does that occur at what point is is data processing is it on your network or is it living somewhere else that to us again to matters to companies this matters a ton yeah a ton

30:55 so I also liked in here as well I also liked really well there there’s a lot of little diagrams in here and it’s showing you there’s some pieces here and again I just appreciate the architectural pieces because there’s all this I can see Power BI I can click on the buttons I know how it works but the the fact that there’s Entra ID is like this major gateway to authenticating who the user is and then what they have access to there’s so much work that’s going under the hood there that’s doing so much provisioning of do

31:25 you have access to this workspace do you have access to these artifacts is you’re part of a security group I think to me it really reinforces the the emphasis here of Microsoft is one of the I don’t know maybe there’s other tools out there as well for other companies but I really feel like the Entra ID or the Active Directory what it was previously that’s really a good selling factor here for everything that is Power BI and as I fa Fabric and and when

31:48 I look at that going back into like what did we start using we started using SharePoint Online started getting comfortable there then we started using Power BI this is another very online program these two things I think there was a very big mental shift for companies to say these things are working for us it is easier for us to manage and it’s easier for us to scale to our business needs for these cloud s sources so when I I remember when people were start starting to roll out Power BI they were like wow we don’t

32:19 want to we don’t want to put our data in the cloud that’s that’s not a good idea and I like well you’re using SharePoint Online already so you already have a lot of data in the cloud most of your files are already stored in the cloud in SharePoint Online why don’t we just use Power BI because it’s basically the same thing it’s still just cloud it’s still in Microsoft and you can still use it are you surpris goad no just some some two two interesting points one is I would I would recommend that everybody who’s listening go check it

32:51 out and if the information itself doesn’t resonate cuz it can can be dry go to page 65 and there’s they do a Microsoft Fabric end-to-end scenario where I think a lot of like it’s just a scenario of like how you set up security within Fabric but the context of the what and why and the decisions you’re making about how to implement something I think would make a lot of sense for everybody to to get it a lot especially areas that you’re not

33:22 familiar with so almost I would say start there or at least if you’re only going to read part of it read read that part the end-to-end scenario building right yes it’s 65 and on so it’s like it’s a few pages of the a specific scenario of how you would set up Fabric for this this thing and then that almost drives back like oh hey if if you have some like you don’t know there’s an interest point and then you can drive back up in the document so that was that was one thing that stood out and the second was when I got into the

33:54 Power BI section it was very it was very familiar familiar yes it was not verbatim but it is like I guess it made me feel good as well as go okay well yeah this is probably a conglomeration slash merge right of all the services into this Fabric document but it was it didn’t feel disjointed right I just recognize having been the nerd I am and read through deeply the Power BI white paper on security it it is the same right so there wasn’t like it’s

34:27 it’s good it’s good and familiar I guess was was the point there what did you think about so the Power BI portion of security was familiar as you read through things around Fabric now did that change so let me I’m gonna I’m going to give you some context then maybe ask the question when when Fabric showed up I think people were very nervous about Fabric and what is happening with my Power BI ecosystem because now I have all these other artifacts that now are appearing inside inside

34:58 my Power BI workspace right oh I’ve got lakehouses and and pipelines and oh I’m overwhelmed there’s all lot I get it but I heard someone I think it was Matthew Roche or someone who was communicating about this they were like well if you think about Fabric there’s your security platform your security boundaries of what you’re able to do or not to do doesn’t really change much the the the security framework is already established by workspaces by users by Entra ID and now all we’re doing is we’re just adding to that all these call

35:29 them other Azure features that are being rebranded and brought directly into the Power BI and now Fabric ecosystem you know Azure data factories now pipelines you have streaming analytics which is now like event hubs showing up inside so you’re bringing all these great tools that have been around for a long time they’re now just getting added to Fabric and now we have the same security boundary it’s and I thought that was very for me it was very comforting like oh okay well I had an aha moment where was like well the

35:59 security doesn’t really change nothing’s really being different here we’re able to reuse a lot of the existing security boundaries by workspaces by users you know admin contributor member viewers like all the stuff that exist I understand we’re now just adding to everything else which I thought was very nice I I’m curious and I don’t know if you guys this struck with you guys as well the the organization of the content because we’re dealing again more than just Power BI like the first section of

36:30 the content is really about the VNets the network and the outside of security domains right it’s all about how people are going to get access and how your data is flowing whether or not you’re actually setting up a virtual network whether or not if you actually allow that a access and I would have assumed that would have been more call it on the lower end of the spectrum but to me that that’s signifying something to me that this is one a really big deal with organizations but also for

37:00 Microsoft understanding where your data is living and I think I wrote down three points that Microsoft’s really focusing on where’s your data at rest in transit and when it’s getting processed real big feature of standard that’s all the old Power BI yeah that like so I I think I think that them putting that first answers the first big biggest question that people have about the

37:30 cloud right like that and to Mike’s point and and I it’s still a topic around companies being nervous about the cloud or not wanting their data up there and what happens to my data so like those are the pieces that I think being front and center are hey listen we have this SaaS solution it works for everybody if you’re open to the cloud and you believe in like the security and performance etc you get everything right but we also have ways in which you can

38:01 disconnect Fabric from the public internet and we have VNets and we have these other you manage these pieces kind of things here are some of the limitations there you’re going to be bound by specific capacity around this thing that you set up and it’s going to have all of these different pieces but it’s available to you to use the product and I think that that you have to lead with that because those were the first questions even in Power BI let alone starting to push your on-prem stuff into

38:33 the cloud that’s where organizations instantly win well I don’t want my stuff in the cloud does it still work for me answer yes how does it work okay here and then like leaning into the explicit security around those solutions that they require I think puts you into the next level of oh okay this could work for me now what other security stuff do I need need to so so so riddle me this and again if I missed this that’s that’s my bad but nowhere in the

39:03 documentation did I find anything that has to do with mirroring and I to me I thought that would have been a major section of the white paper well mirroring is just newly released right that’s that’s something that’s just going review right now so it would still it would still I think fall into the protocols and ways in which power like Fabric is communicating with your your source data like M it’s just like you’re setting up the the boundaries by which can you do things

39:35 within this environment whether that’s at a user level even connecting into Mike’s point Microsoft Entra being part of this there are so many things your organization can do to ensure you are you outside of just a login right that like keep you out of the system completely y but I I think I think I read several like a bunch of different parts in there Tommy that would address what you’re talking security well what you’re talking about related to like the specifics ways in

40:06 which you can connect to internal or external data and and mirroring to me would be part of the SaaS solution within within the Fabric ecosystem because what what what are we able to mirror on isn’t it just Azure I don’t think we can mirror on on-prem can we or is that something just came out Out preview so it’s like but what’s required the gateway yes right so that’s that’s part of the documentation of how you explicitly create a connection

40:36 between these things and that’s a you know that’s part of this documentation already that no honestly that’s a that’s a great point without addressing features that are rapidly evolving you’re right the gateway is a huge part of that and your second part in terms of the ways you can connect a Fabric as well I think one of the largest go ahead ahe I was going to say go ahead you keep going your point’s probably better I’m just going to random add not value on this one to to circle to circle back to

41:06 I think one of the biggest shifts or things that I think this white paper did help me with although I don’t necessarily completely agree with your approach yet is on page 34 where there’s a a call out of the levels of security right and there’s this concept of control level versus data level and and at the data level it dives into item level security in a workspace right where depending on the roles that we’re

41:37 assigning yes depending on the permissions that people have they Tom was recently talking about share yeah you can share content with other people within this ecosystem and I and then you talk about the control level which is you can or can’t do or see certain things yes and in my AR argument I guess it like I’m conflicted because at a data level does it make sense that everybody plays in the same ecosystem that everybody sees

42:07 everything it well it does to a degree but at the same time I’ve opened up this ecosystem and it makes sense that Microsoft would do it this way because if if I want people to use a platform

42:21 and albeit we know they’re bringing enterprise tools to this platform you get more people to build more stuff in that platform if they have access to it yes so it at the data level you’re still only going to see the things that you should within those particular areas where we’re talking about Lakehouse or pipelines or like the ADF etc etc right I still argue that an admin should be able to have control level plane

42:51 permissioning for users to just not show them certain aspects unless we’re rolling everything off of Power BI right like unless pipelines or data flows or all the things that you used to do ETL in in the service are now going to become like fabric fabricated I I okay like the argument is gone but at the same time I almost I I I think without that at the

43:21 control level plane I don’t have the ability as an organization to say okay folks this is Fabric but there are some things there are some tools and and access that you now have that could really cost us a lot of money and or you could do some dumb stuff and and the data the data level controls I think the the dumb factor but like I how do I train people well like I we we talk a lot about like doing training people

43:51 up and having them take a test or just to do you understand the environment that you’re working in do how to navigate it do what you’re doing blah blah blah and that’s where I think that’s where I think the control level is really useful because it’s like great enable Fabrics from an ecosystem for this level of user which is viewer or business user whatever turn off these things because I want to enable them one by one as we know people are training as I can apply groups etc and that like

44:22 that’s the way I think about it I don’t obviously it’s not the way like Microsoft thinks about it I don’t know if I’m right or wrong it’s just like I would like that level of control in there let me I want to pick on your thought there just a bit Seth because I think I like what you’re going with this one I just want to clarify something like what you’re describing is I have a workspace I’m willing to let people play with the Lakehouse and maybe the SQL analytics endpoint but I don’t want you building a streaming job like I don’t want you building like so to your to your point like I have a Fabric workspace but inside the context of that

44:52 workspace I don’t want everyone to get like full all the options for all the Fabric workloads I’m I’m thinking you know hey this is a workspace that’s centered around these couple workloads like this is the data engineering workload workspace and I only want you using like I don’t want you using Dataflows Gen2 I want you using pipelines and notebooks like you could set that up beforehand and then it just operates on that mode because that’s the decision the company’s made to go that direction is that what you’re saying yeah and I don’t know like

45:23 obviously say picking and choosing UI features and saying like hey great hide that I know this is a complete pain in the rear right or but like would I still like that thing to be gray out like if you want to if you want to show everything to everybody that’s fine but you don’t do that in the admin spaces like I and and the odd thing to this is like they’re already doing that in certain cases where with Microsoft Entra I have

45:54 to go in and activate my Fabric administrator role in order to see some of the capacity metrics and have the clickable things in Power BI so so they can already control like my access to those things and you’re you’re showing and hiding stuff based on my role anyway so why don’t have that flexibility and the only thing I can think of is because they want everybody to have access to everything and then you just St to secure it which I I get it I just I just want the other stuff too Mike do you

46:25 have anything else on that because that raises this is a question for me but I want to see if you wanted to keep hammering this no I I do think so I’ll say it again I’ll said it a number of times I’m going to sound like a broken record here for a little bit I think but that’s I think this is okay like to your point side I think this is great that you’re having this conversation this is also where you know there is usually a gap that I observe between what users understand about security and how to do things and then what you actually get when you like the security can handle more things than

46:56 what the users know what I’m guess I’m trying to say right so part of us so the the technology has moved faster than our learning has been able to accommodate our users in the workspaces and I really like your point Seth around well this workspace is going to focus on these activities if we’re going to do some streaming activity maybe that’s a separate workspace let’s do that workload somewhere else where I can control it a bit more or even provide different licensing around hey I’m not going to give you a Fabric production

47:26 SKU inside our development and test environments because I don’t want you taking down at any risk of having production go down and just because you’re playing with a streaming analytic something I don’t want reports not to refresh for my executives like there’s so there’s some design so the idea is like what I see a lot of the times is people don’t necessarily know these options exist the the education’s not there yet and therefore we make decisions with security around workspaces the different artifacts and

47:57 things that show up there in a uninformed way which has unintended consequences where things start failing and then you learn and you come back and say wait a minute whoops we need to come back and rethink this we should be separating these workloads between the urgency or demand of those items so I think what and this is what I really like about our community is because people like Tom Martens people that that dive into this stuff at a deep level we had Chris Webb doing a lot of like deep dives and the technical

48:27 aspects of like how to get data in how data flows work all these different things at the Lakehouse people that go deeper on these topics this is the kind of knowledge that I think we need to be able to easily put our fingers on and give more real world use cases of when and why I want to use these things in a very easy to consume way and I don’t know I don’t have the answer for this but I’m just saying pushing people through the DP-600 test doesn’t give you like well I I was just talking

48:57 to some people they said we passed it I’m like I’m like well how did it how does it how does the DP-600 test impact your daily work inside Power BI I was like well there’s some things that I knew some things I didn’t know I passed it but there were some like kind of tricky questions I said I don’t feel like if I if I see someone go through DP-600 I’m pleased that they’ve done it I they’ve definitely done the time they’ve researched things they’ve learned some things and they can take boxes on things is that person going to be an expert and do I feel like I’m going to be comfortable giving them hey make me a medallion architecture and how to

49:27 do it enabling everything I I wouldn’t enable everything for that user so I really do think from organization standpoint because there’s so much to this you have to have someone who’s dedicated to spending time learning the things as well as you got to know where to find knowledge about this stuff you got to find companies who’ve been doing this or working with this or have been able to play with this before because you don’t know what you don’t know and there’s potentially other considerations here that you just need to think about anyways yeah no let me

49:59 exactly what you’re saying here is I want to tag on that so one there maybe needs to be more than one CER certification but I think there where the complications and I think a lot of confusion can alive for a lot of organizations without being aware of it is every product or every data plan in here has specific roles with specific features and specific restrictions it’s not universal if I have a warehouse there’s DB owner there’s DB reader there’s DB viewer which is very different from what’s in a lakehouse which is very different from the roles

50:30 and access in a pipeline so even if you’re going the route of well we’re not going to do works the control plane level access so to speak the workspace level access we’re going to do the data plane access and just give that U th those roles out well again I need to have pretty intimate knowledge of the product that I’m giving them and those features because again you’re really expanding here the warehouse Synapse yeah you know what a not the abilities with a notebook each of these come with their

51:02 own bells and whistles because they existed beforehand as we’ve said so many times and I think you maybe I’m not asking the question but how aware or how familiar does the admin need to be on all of that because to your point that’s a ton of information to H in a head knowledge but to me this is a lot of like I like your point there Tommy and I would I would argue like this is just where where’s the classes and maybe this is a need I don’t this is probably a need and chat let me know if this is a need in what you feel like in

51:32 your organization right if we’re thinking about experiences like this right we should have real world examples of here’s how to implement this security here’s how you do it here’s the clicks here’s how you get through this part we’re going to implement row-level security in a workspace and we’re going to show you that the admin member and contributor all can see all the data but the viewer cannot like I think when people go through examples and do it once they’re like oh I see how this works it’s starting to formulate like it’s this idea of like I said

52:05 this a couple times with I think Seth you and I have talked about this a number of times like way way back in the day when we were consulting together there’s this idea of you can know how the program works but there’s a point in time where you understand how the program works and to me there’s a lot of these security pieces where I know what’s going on but until I’ve gone through and actually built an example around like one of these good things things I think is underutilized in organizations is this concept of domains a domain role so the domains allows you

52:35 to think of like a collection of workspaces that are all related to finance and so someone owns the finance department or the domain of finance therefore you’d have someone in that space handling and negotiating and doing some of the administration features for that domain that may not be

52:57 it’s not the tenant-wide administration but it’s something specific to that domain area like who’s in the domain which workspaces should be participating there if you’re making five or 10 workspaces that domain owner should be able to to do that and build what they need for their department domain whatever you want to call it their area I think I think what’s interesting to me is like from an engineering level I I have no problem with any of control level control flow flow like yeah enable my my data engineers and BI devs to you

53:29 know have access to everything because they at least know a bit about it yeah but we’re introducing business users to this and it’s like we’ve talked about ad nauseam I’m like how do we train people how do there are expectations around like everybody having access to all this stuff so I guess I guess that’s my I I know we’re running up on time the other the other interesting parts of this article that I I just do want to call out page 60 I think there’s a very easy but button of turn on recovery so when we’re talking about business continuity and

53:59 disaster recovery yep what I think that implies is taking all all of your storage from locally redundant to geo-redundant and in other services in today today’s world that doubles your cost yes so I don’t I don’t know what that’s going to do in terms of capacity but be aware right like that one yay Power BI has always had BCDR always and it’s called out in here like hey disaster recovery already baked into that part the tool so that’s awesome

54:29 page 43 has recommends capacity for each workspace environment which I thought was interesting that’s true so maybe something we can talk about in the future and then I guess the one the one question that is a question you guys was I’ll also I want to also agree I want to agree with that point there before you go to the next one I do want to I do agree I think there’s with Fabric I think we get a lot the capability of building more Fabric capacities for what you need as opposed to having one big one that uses a lot of them which I

55:00 think that’s what we’ve been traditionally trained on with the P SKUs we’re dealing with two sentences here no and then but then like on also on page 42 they and I wanted to get your your your flavor of this they recommend the personal workspace concept for Dev for for development I guess I’m not opposed if it’s a solo for solo developers no if I’m solo well but like you you why do why do why do developers have

55:30 their own local they do that’s what happened today in current G anyways and that’s that’s where I’m like okay yeah that makes sense in certain scenarios in others I’d be like well why don’t we just all build in the same yeah workspace the shared workspace so that yes if somebody’s having a problem or if somebody else needs to pick up on the project they can as opposed to something being a person workspace those are one of one of the things I would one of the things I will say is missing from this paper which I wish they’d have more of is this concept of

56:03 CI/CD there’s not much it’s a really good point so that that to me that was there was something that was missing in this in the report or missing in the main features here is just that the continuous integration and continuous deployment and this is I think a story that has been in my opinion it’s a bit weak in the Power BI ecosystem I’ve built Dev I have things and I now need to make a test and a production environment of them or even just I’m building things in Dev and I need to get something to production Dev

56:33 prod that could also be a thing as I’m working with more organizations this is a concept that I feel like many business members don’t quite grasp and and but there’s there’s a surprising lack of how do we handle this what are patterns in that maybe this is not security maybe this maybe this is just part of security is its thing and then continuous integration deployment is something separate but I do feel there’s a very heavy overlap of what should the developer see who’s the person pushing things through downstream environments

57:03 where do we in that scenario where should we be deploying to so if you look on the Microsoft docs and learn they do have some general guidance around how they see this working so I think it’s out there it’s just not added to this white paper so that would be another area I would say of investment that I think either leaders or Microsoft should make as well and I think that’s that actually makes a lot of sense to why we haven’t seen normal Git integration it’s just only Azure DevOps we haven’t seen GitHub yet because maybe they’re not ready because I imagine they’re going to be preview

57:34 yeah no I don’t know I’m just saying something something whatever like everything GitHub preview yeah that was that was article number 78 didn’t you didn’t you find oh yeah yeah that was the blog post this 117th blog post of the week yeah exactly right I I’ll finish with my final thoughts and and yeah let’s do some final thoughts here I’m gonna take this from the perspective of I’m not my tenant admin because I’m probably not my IT admin of Office 365 the person who’s

58:04 going to be reading this the most and and I think take upon yourself if you are the Power BI person or if you have a leading role in Power BI or organization y to to really speak upon this and I think the more you’re aware of the restrictions the features and the abilities that you can give I think the further you can go with with Fabric in your organization because I’ll go back to the very previous point that Seth even talked about with

58:34 Copilot allowing extra information or allowing extra features without understanding what they can do can block a certain product coming for an organization once they realize there’s too much so going through this has actually been honestly I don’t want to use the word exciting but there’s been a lot of uncovering here too on okay I see how Microsoft’s wanting to frame this yes or understanding the questions that you’re going to get asked with conservative with an IT organization

59:04 going wait everything’s here now hold on what does that mean yes so I think from from even if you’re just the Power BI person spend a weekend spend a few hours yes go through it and there’s down at least download the white paper put the and and if nothing else download the white paper or go point to a link where the white paper exists go put it in your community practice like to me this is something that you share with the community inside your organization say look this stuff exists here it is go point to it and honestly if you’re building policies around how your

59:35 company is using Power BI you should be leveraging part of the white paper and saying we’re doing domains because of these reasons and here’s some supporting information that says here’s how we’re going to use these or hey we’re going to manage workspaces this way because of the like it this security paper informs I think a good majority of your policies and how you want to build things in your organization yeah this is this this is great anyways really good topic good final thoughts Seth any final thoughts for for you I think I shared them okay I was I’m

60:05 tempted I’m tempted to say if we get enough mailbag requests for me to read it I would read it oh man but I don’t know if I want to do that what we we if nothing else we we should have you read it Seth we should go we should put it on Audible should put on Audible I’ll be the producer on that you guys going to slice it up slice and dice it into the the different chapters if you read it section yeah oh man maybe something I do that’d be hilarious actually I would

60:35 actually actually today white paper for security just BL that would be pretty funny awesome with that being said uh my final thought here is just it’s it’s a great read if you are in any way administering your Power BI environment please go read the paper go download it there’s a lot of great information there and I love that it’s all consolidated into one large white paper it’s all in one spot that’s great super easy to like consume it’s

61:05 searchable you can search for text in it it’s a PDF it’s great so I’d highly recommend it there’s probably more conversations you need to have internally to your organization about as you digest that paper what you should be doing in all things though everything you’re learning from the white paper all the security practices I highly recommend you funnel these back down to your community practice fun funnel down funnel these things down into policies your organization wants to use because I think in my opinion there’s just a large lack of policy and communication about

61:35 what is good practices in Power BI to organizations and this should be a fundamental starting point on how you start building some of that muscle memory and experience around what is security for Power BI and Fabric in your organization with that thank you very much for sleeping through our episode of the security white paper there has been little to no chat in the chat window which tells me for example everyone must put this on and be like go for the Rock The Walker R they no one has comments about security they’re like yeah yeah sure it’s security so we’ve

62:05 had like little to no conversation around it which I knew was going to happen I just wanted to point it out thought this was a good topic if you hate this topic and other topics that we have at the Power BI Explicit Measures podcast feel free to leave us a message at the mailbag Tommy will tell you how to get that but also please bore your friends with our podcast as well by letting them know you also fell asleep to podcast and that they may also need some sleeping medicine that is in the Explicit Measures podcast with that Tommy where else can you find the podcast M that sound like a threat if

62:35 you don’t share then we’re gonna talk more about security if you don’t share this we’re gonna talk about security every day my you will have to listen to Seth read the entire security manual if you want to find non-security conversations you can find us on app on Spotify or wherever you get your podcast make sure to subscribe and leave a rating it helps us out a ton do you have a question an idea or a topic that you want us to talk about in future episode head over to powerbi.tips/podcast leave your name and a great question finally join us

63:06 live every Tuesday and Thursday a.m. Central and join the conversation on all PowerBI.tips social media channels telling you man every time you say the word all it f it feels it feels like I’m in New York every single you should you should lean into that all you walk M yourselves excellent thank you so much and we’ll see you next time [Music]

Thank You

Thanks for listening to the Explicit Measures podcast.
