Governance Policies Azure Data Fabric - Azure/az-prototype GitHub Wiki

Fabric

Governance policies for Fabric

Domain: azure-data

Patterns

| Name | Description |
|---|---|
| Fabric capacity with admin governance | Fabric capacity with limited administrators, audit logging, and cost controls |

Anti-Patterns

| Description | Instead |
|---|---|
| Do not over-provision Fabric capacity | Start with the smallest SKU (F2 for dev, F64+ for production) and scale based on CU utilization |
| Do not leave tenant settings at defaults | Explicitly configure data export restrictions, guest access, and sharing controls |

References


Checks (5)

| Check | Severity | Description |
|---|---|---|
| AZ-FAB-001 | Required | Deploy Microsoft Fabric capacity with managed identity and appropriate SKU sizing |
| AZ-FAB-002 | Required | Configure Fabric tenant settings for data exfiltration prevention and guest access control |
| AZ-FAB-003 | Required | Enable Fabric audit logging and route to Log Analytics |
| AZ-FAB-004 | Recommended | Configure auto-pause and auto-resume for cost optimization |
| AZ-FAB-005 | Recommended | Use managed private endpoints for secure data source connectivity |

AZ-FAB-001

Deploy Microsoft Fabric capacity with managed identity and appropriate SKU sizing

Severity: Required
Rationale: Fabric capacity is the compute foundation; proper sizing prevents over-provisioning and cost overruns
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Fabric/capacities

Companion Resources

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/diagnosticSettings | diag-fabric | Diagnostic settings for Fabric capacity operation logs |
| Microsoft.Authorization/roleAssignments | Fabric Capacity Contributor | RBAC role assignment for Fabric capacity management; separate from workspace permissions |

AZ-FAB-002

Configure Fabric tenant settings for data exfiltration prevention and guest access control

Severity: Required
Rationale: Tenant settings control data sharing, export, and external collaboration; misconfiguration leads to data leakage
Agents: cloud-architect, security-reviewer

Targets

  • Microsoft.Fabric/capacities

AZ-FAB-003

Enable Fabric audit logging and route to Log Analytics

Severity: Required
Rationale: Audit logs track data access, sharing, and workspace changes for compliance and security monitoring
Agents: cloud-architect, security-reviewer, monitoring-agent

Targets

  • Microsoft.Fabric/capacities
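One way to express AZ-FAB-001 and AZ-FAB-003 together as infrastructure code, as an added example that is not the az-prototype repository's own template. It declares the capacity with the smallest SKU by default, an explicit admin list instead of whatever identity ran the deployment, and a diagnostic setting named `diag-fabric` that routes capacity logs to a Log Analytics workspace. The parameter names, the `allLogs` category group on this resource type, and the output are assumptions; the managed identity and the "Fabric Capacity Contributor" role assignment listed above are not included.

```bicep
// Added example (not the az-prototype repo's own code) covering AZ-FAB-001 and AZ-FAB-003.
// Assumed parameter names; the capacity name must be lowercase letters and digits only.

@description('Capacity name: lowercase letters and digits only, globally unique')
@minLength(3)
@maxLength(63)
param fabricCapacityName string

@description('Start small (F2 for dev) and scale on CU utilization; F64+ for production')
@allowed(['F2', 'F4', 'F8', 'F16', 'F32', 'F64', 'F128', 'F256', 'F512', 'F1024', 'F2048'])
param skuName string = 'F2'

@description('Explicit, short list of capacity administrators (UPNs or object IDs)')
@minLength(1)
param adminMembers array

@description('Resource ID of the Log Analytics workspace that receives capacity logs')
param logAnalyticsWorkspaceId string

param location string = resourceGroup().location

// AZ-FAB-001: capacity with a deliberately chosen SKU and a limited admin set.
// There is no default admin here; the caller must name the administrators.
resource capacity 'Microsoft.Fabric/capacities@2023-11-01' = {
  name: fabricCapacityName
  location: location
  sku: {
    name: skuName
    tier: 'Fabric'
  }
  properties: {
    administration: {
      members: adminMembers
    }
  }
}

// AZ-FAB-003: route operation logs and metrics to Log Analytics.
// The 'allLogs' category group is assumed; confirm the categories the capacity
// resource actually exposes in your tenant before relying on it.
resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-fabric'
  scope: capacity
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      {
        categoryGroup: 'allLogs'
        enabled: true
      }
    ]
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}

output capacityId string = capacity.id
```

Deploy it with `az deployment group create` against the resource group that should own the capacity, passing `adminMembers` as a JSON array; a review of the deployment then only has to confirm that the SKU matches the environment and that the admin list is as short as the policy intends.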

AZ-FAB-004

Configure auto-pause and auto-resume for cost optimization

Severity: Recommended
Rationale: Fabric capacities incur cost even when idle; auto-pause reduces spend during off-hours
Agents: terraform-agent, bicep-agent, cloud-architect, cost-analyst

Targets

  • Microsoft.Fabric/capacities

AZ-FAB-005

Use managed private endpoints for secure data source connectivity

Severity: Recommended
Rationale: Managed private endpoints eliminate public exposure of on-premises and Azure data sources
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Fabric/capacities
