MC1070180 - Microsoft Fabric: Workspace inbound/outbound access protection will be available by default (preview)

Microsoft Fabric will introduce two Preview features called Workspace-level private links and Outbound access protection at the Fabric workspace level. At the tenant level, the corresponding settings Configure workspace level inbound network rules and Configure workspace level outbound network rules will be in the Advanced networking section of the Fabric admin portal. The new tenant-level settings will be enabled by default, which will allow the workspace admins to configure Workspace-level private links and Outbound access protection. The workspace admin will then decide whether to configure these features at the workspace level. You (the tenant admin) can switch off the tenant toggle in the Fabric admin center if you decide not to make this feature available to your workspace admins.

When this will happen:

Public Preview (Worldwide): We will begin rolling out early June 2025 and expect to complete by mid-June 2025.

We will communicate the plan for General Availability in a future post.

How this will affect your organization:

Feature 1: Workspace-level private links

• Private links provide secure inbound connectivity to Microsoft Fabric. Workspace admins can set up private links in Microsoft Azure to connect to a Fabric workspace from a specific virtual network.
• In Fabric, workspace admins can choose to block inbound public access to your data to significantly reduce the risk of unauthorized access and potential data breaches. During Preview, admins can block inbound public access with the public REST API, which does not require a workspace-level private link set up in Azure. The corresponding-level tenant admin setting Configure workspace level inbound network rules will be available in the Fabric admin portal at Tenant settings > Advanced networking:

Feature 2: Outbound access protection at the user workspace level

• Data exfiltration is a concern for many enterprises that store sensitive data in the cloud. When used with other networking features in Fabric, the Outbound access protection feature can help secure your data from exfiltration. Workspace admins will be able to block all the outbound connectivity from the workspace. Once enabled, all outbound connections made by Fabric Spark artifacts from this workspace will be blocked. The only way to enable a connection is by first establishing a managed private endpoint (MPE) from the workspace to the destination. Workspace admins can control this feature in Workspace settings > Network security > Outbound access protection > Switch on the toggle for Block outbound public access:

• In this Preview, we will support OneLake and these Fabric items: Lakehouse, Notebook, Environment, and Spark Job Definition. We will also support Cross Workspace shortcuts.
• Admin tenant-level setting for Configure workspace level outbound network rules in the Fabric admin portal at Tenant settings > Advanced networking:

What you need to do to prepare:

After we release these features, please review these settings to assess the impact on your organization and adjust them as needed.

If you have questions or need further assistance, please do not hesitate to contact our support team.

Learn more: Microsoft Fabric security - Microsoft Fabric | Microsoft Learn

We will update this post with new documentation.