Configure and implement OneLake security (DP-700 Exam Prep)

This post is a part of the DP-700: Implementing Data Engineering Solutions Using Microsoft Fabric Exam Prep Hub.
This topic falls under these sections:
Implement and manage an analytics solution (30–35%)
   --> Configure security and governance
      --> Configure and implement OneLake security


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 2 practice tests with 60 questions each available from the hub's main page below the exam topics section.

Introduction

Microsoft Fabric introduces OneLake, a unified and centralized data lake for the entire organization. Every Fabric tenant automatically receives a single OneLake instance, which acts as the storage foundation for Fabric workloads such as:

  • Lakehouses
  • Data Warehouses
  • Dataflows Gen2
  • Notebooks
  • Semantic Models
  • Real-Time Intelligence solutions
  • Other Fabric artifacts

Because OneLake often contains an organization’s most valuable data assets, securing access to data stored within OneLake is a critical responsibility for data engineers and administrators.

For the DP-700 exam, you must understand how OneLake security works, the different layers of security available, and how OneLake integrates with Microsoft Fabric’s broader security model.


What Is OneLake Security?

OneLake security refers to the collection of controls that govern who can:

  • Access data
  • View data
  • Modify data
  • Share data
  • Administer data assets

Security in OneLake follows a layered approach that combines:

  • Workspace permissions
  • Item-level permissions
  • OneLake data access permissions
  • Row-Level Security (RLS)
  • Column-Level Security (CLS)
  • Object-Level Security (OLS)
  • Sensitivity labels
  • Microsoft Entra ID authentication

No single security mechanism is sufficient on its own.


The OneLake Security Model

A simplified security model looks like this:

Microsoft Entra ID → Workspace Security → Item Security → OneLake Data Security → RLS / CLS / OLS → Data Access

Each layer adds additional protection.


Authentication in OneLake

OneLake relies on Microsoft’s identity platform: authentication is performed through Microsoft Entra ID.

When a user attempts to access OneLake data:

User Sign-In → Entra ID Authentication → Permission Evaluation → Access Granted or Denied

Authentication verifies identity before authorization decisions occur.


Authorization in OneLake

After authentication, Fabric evaluates permissions.

Authorization determines:

  • What data users can access
  • What actions users can perform
  • Which resources are visible

Examples:

  • Read access
  • Write access
  • Delete access
  • Administrative access

Workspace Security and OneLake

Workspace permissions are often the first security layer encountered.

Common workspace roles include:

Role          Capabilities
Admin         Full control
Member        Create and modify content
Contributor   Create and update content
Viewer        Read-only access

Workspace access controls determine which users can access items stored within that workspace.


Item-Level Security

Beyond workspace permissions, individual Fabric items can have their own security settings.

Examples:

  • Lakehouses
  • Warehouses
  • Reports
  • Semantic Models

Item-level permissions allow more granular control than workspace roles alone.

Example:

Finance Workspace → Finance Lakehouse → Additional Item Permissions

A user may have workspace access but still require item-specific permissions.


OneLake Data Access Roles

OneLake supports direct data access scenarios through data permissions associated with Fabric items.

For example:

  • Read data
  • Read all data
  • Build permissions
  • Access semantic models

Data engineers should understand that access to an item does not always imply unrestricted access to all underlying data.


OneLake Security and Lakehouses

Lakehouses are among the most common OneLake storage objects.

Security can be applied at multiple levels:

Workspace → Lakehouse → Tables → Rows → Columns

This layered model enables highly granular security.


Folder and File-Level Security

OneLake supports security controls at the folder and file level in supported scenarios.

Organizations may use folder-level permissions to:

  • Separate departments
  • Protect sensitive data zones
  • Isolate project data

Example:

OneLake
├── Finance
├── HR
└── Sales

Access can be granted to specific folders rather than to the entire lake.


OneLake Security and Row-Level Security (RLS)

Row-Level Security restricts which records users can view.

Example:

Employee table:

Employee   Region
Alice      East
Bob        West

East Manager sees: Alice

West Manager sees: Bob

The underlying table remains unchanged.


OneLake Security and Column-Level Security (CLS)

Column-Level Security restricts access to specific columns.

Example:

Employee   Salary
Alice      Hidden

Users may see employee information while salary data remains inaccessible.


OneLake Security and Object-Level Security (OLS)

Object-Level Security hides entire database objects.

Examples:

  • Tables
  • Columns
  • Measures

Instead of masking data, the object itself becomes invisible.

Example:

Payroll Table → Hidden

OneLake Security and Dynamic Data Masking

Dynamic Data Masking (DDM) protects sensitive values while still allowing access to data.

Actual value:

123-45-6789

Displayed value:

XXX-XX-6789

This helps reduce accidental exposure of sensitive information.
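The three data-level controls described above (Row-Level Security, Column-Level Security and Dynamic Data Masking) applied to this post's Employee example as one T-SQL script for a Fabric Warehouse. This is an added example, not code from the original post or from Microsoft. The table names, the contoso.com identities and the RegionAccess mapping table are assumptions; each identity is assumed to already hold Viewer or item-level read access to the warehouse, which these statements narrow but never grant, and none of them is assumed to hold the workspace Admin, Member or Contributor role, since those roles have full control of the warehouse and are not subject to SQL-level grants or masks.

```sql
-- Added example (not from the original post): the post's Employee scenario
-- implemented as T-SQL in a Fabric Warehouse. Table names and the
-- contoso.com identities are placeholders; each identity is assumed to
-- already hold workspace or item read access, which the controls below
-- narrow further but never grant.

-- 1. Base table. The Ssn column carries a Dynamic Data Masking rule:
--    partial(prefix chars kept, padding, suffix chars kept) -> "XXX-XX-6789".
CREATE TABLE dbo.Employee
(
    EmployeeId   INT            NOT NULL,
    EmployeeName VARCHAR(100)   NOT NULL,
    Region       VARCHAR(20)    NOT NULL,
    Salary       DECIMAL(12, 2) NOT NULL,
    Ssn          VARCHAR(11)    NOT NULL
                 MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)')
);
GO

INSERT INTO dbo.Employee (EmployeeId, EmployeeName, Region, Salary, Ssn) VALUES
    (1, 'Alice', 'East', 95000.00, '123-45-6789'),
    (2, 'Bob',   'West', 88000.00, '987-65-4321');
GO

-- 2. Row-Level Security. Visibility is data-driven: a row is visible only
--    to identities listed for its Region. USER_NAME() returns the caller's
--    Entra UPN, so the mapping table is keyed on UPNs. An identity entitled
--    to every region is listed once per region; an identity with no row
--    here sees nothing, whatever other grants it holds.
CREATE TABLE dbo.RegionAccess
(
    Region VARCHAR(20)  NOT NULL,
    Upn    VARCHAR(256) NOT NULL
);
GO

INSERT INTO dbo.RegionAccess (Region, Upn) VALUES
    ('East', 'east.manager@contoso.com'),
    ('West', 'west.manager@contoso.com'),
    ('East', 'analyst@contoso.com'),
    ('West', 'analyst@contoso.com'),
    ('East', 'hr.admin@contoso.com'),
    ('West', 'hr.admin@contoso.com');
GO

-- Predicate function: returns a row (= allow) when the caller is mapped
-- to the Region of the row being evaluated. SCHEMABINDING is required.
CREATE FUNCTION dbo.fn_RegionPredicate (@Region AS VARCHAR(20))
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_securitypredicate_result
           FROM dbo.RegionAccess AS ra
           WHERE ra.Region = @Region
             AND ra.Upn = USER_NAME();
GO

-- Bind the predicate to the table as a filter; STATE = ON enforces it now.
CREATE SECURITY POLICY dbo.EmployeeRegionFilter
    ADD FILTER PREDICATE dbo.fn_RegionPredicate(Region) ON dbo.Employee
    WITH (STATE = ON);
GO

-- 3. Column-Level Security. Managers and HR may read every column; the
--    analyst is granted every column except Salary, so a query that names
--    Salary (or SELECT *) fails with a permission error for the analyst.
GRANT SELECT ON dbo.Employee TO [east.manager@contoso.com];
GRANT SELECT ON dbo.Employee TO [west.manager@contoso.com];
GRANT SELECT ON dbo.Employee TO [hr.admin@contoso.com];
GRANT SELECT ON dbo.Employee (EmployeeId, EmployeeName, Region, Ssn)
    TO [analyst@contoso.com];
GO

-- 4. Dynamic Data Masking applies to every reader without UNMASK; only the
--    HR administrator sees the stored Ssn value. Masking changes what is
--    displayed, not what is stored, so it is not a substitute for the
--    grants above.
GRANT UNMASK TO [hr.admin@contoso.com];
GO
```

Run as a warehouse owner, then query dbo.Employee under each identity: the East manager is filtered to Alice with the Ssn shown as XXX-XX-6789, the West manager to Bob, the analyst sees both rows but cannot reference Salary, and only hr.admin sees unmasked Ssn values. The RegionAccess table is an assumed design choice; it keeps region assignments as data that can be reviewed and changed without altering the security policy.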


OneLake Security and Sensitivity Labels

Sensitivity labels classify data based on sensitivity.

Examples:

  • Public
  • General
  • Confidential
  • Highly Confidential

Labels help users understand data handling requirements.

Example:

Financial Forecast.xlsx → Highly Confidential

Labels complement security controls but do not replace them.


OneLake Security and Data Sharing

Data sharing introduces additional security considerations.

Organizations should:

  • Use least-privilege access
  • Review permissions regularly
  • Monitor sharing activities
  • Apply sensitivity labels

Audit logs can help track sharing activities.


OneLake Security and Audit Logging

Security events should be monitored through audit logs.

Examples:

  • Access attempts
  • Permission changes
  • Sharing actions
  • Item deletions
  • Administrative activities

Audit logs support:

  • Governance
  • Compliance
  • Security investigations

Common Security Scenarios

Scenario 1

Requirement:

Only Finance users should access payroll data.

Solution:

Use workspace permissions and item-level security.


Scenario 2

Requirement:

Regional managers should only see employees within their region.

Solution:

Implement Row-Level Security.


Scenario 3

Requirement:

Analysts should not view salary information.

Solution:

Implement Column-Level Security.


Scenario 4

Requirement:

Users should see masked credit card numbers.

Solution:

Implement Dynamic Data Masking.


Scenario 5

Requirement:

Sensitive reports must be clearly classified.

Solution:

Apply sensitivity labels.


OneLake Security Best Practices

Follow Least Privilege

Grant only the permissions users require.


Use Multiple Security Layers

Combine:

  • Workspace security
  • Item permissions
  • RLS
  • CLS
  • OLS
  • Sensitivity labels

Review Permissions Regularly

Conduct periodic access reviews.
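A periodic access review needs an inventory of which data-level controls are actually in place, not only the roles assigned in the portal. The script below is an added example, not from the original post; it queries the SQL Server catalog views for Row-Level Security policies, masked columns and column-level grants, and assumes that the Fabric Warehouse exposes these views (sys.security_policies, sys.security_predicates, sys.masked_columns, sys.database_permissions, sys.database_principals and sys.columns).

```sql
-- Added example (not from the original post): inventory the data-level
-- controls in a Fabric Warehouse so a review can compare them against
-- what was approved. Assumes the SQL Server catalog views named below
-- are available in the warehouse.

-- Row-Level Security: every policy, whether it is enforced, and the table
-- and predicate it binds. A policy with is_enabled = 0 protects nothing.
SELECT sp.name                                   AS policy_name,
       sp.is_enabled,
       OBJECT_SCHEMA_NAME(pr.target_object_id) + '.'
         + OBJECT_NAME(pr.target_object_id)      AS protected_table,
       pr.predicate_definition
FROM sys.security_policies   AS sp
JOIN sys.security_predicates AS pr ON pr.object_id = sp.object_id
ORDER BY protected_table;

-- Dynamic Data Masking: each masked column and the masking function used,
-- so that sensitive columns with no mask stand out by their absence.
SELECT OBJECT_SCHEMA_NAME(mc.object_id) + '.'
         + OBJECT_NAME(mc.object_id)             AS table_name,
       mc.name                                   AS column_name,
       mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1
ORDER BY table_name, column_name;

-- Column-Level Security and UNMASK: explicit grants and denies per
-- principal. column_name is NULL when the permission covers the whole
-- object; UNMASK is database-scoped, so its object columns are NULL too.
SELECT dp.name            AS principal_name,
       pe.permission_name,
       pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.'
         + OBJECT_NAME(pe.major_id)              AS object_name,
       c.name             AS column_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS dp ON dp.principal_id = pe.grantee_principal_id
LEFT JOIN sys.columns         AS c  ON c.object_id = pe.major_id
                                   AND c.column_id = pe.minor_id
WHERE pe.class_desc = 'OBJECT_OR_COLUMN'
   OR pe.permission_name = 'UNMASK'
ORDER BY dp.name, object_name, column_name;
```

Run all three as a warehouse owner and keep the output with the review record; a principal that appears under UNMASK or holds SELECT on a salary column without an approved request is the finding the review is looking for.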


Protect Sensitive Data

Use:

  • Dynamic Data Masking
  • Sensitivity labels
  • Data classification

Monitor Activity

Review audit logs regularly.


Use Governance Processes

Establish clear ownership and approval procedures.


DP-700 Exam Focus Areas

You should understand:

✓ OneLake security architecture

✓ Authentication and authorization

✓ Microsoft Entra ID integration

✓ Workspace security

✓ Item-level security

✓ Folder and file-level security

✓ Row-Level Security

✓ Column-Level Security

✓ Object-Level Security

✓ Dynamic Data Masking

✓ Sensitivity labels

✓ Audit logging

✓ Least-privilege principles


Practice Exam Questions

Question 1

Which service provides authentication for OneLake access?

A. SQL Server Agent

B. Azure Monitor

C. Power BI Report Server

D. Microsoft Entra ID

Answer: D

Explanation

Microsoft Entra ID provides identity and authentication services for Microsoft Fabric and OneLake resources.


Question 2

What is the primary purpose of authorization in OneLake?

A. Encrypt data

B. Create workspace backups

C. Determine what resources a user can access

D. Monitor query performance

Answer: C

Explanation

Authorization determines which resources and actions are available to authenticated users.


Question 3

Which workspace role provides read-only access to Fabric content?

A. Admin

B. Contributor

C. Viewer

D. Member

Answer: C

Explanation

The Viewer role allows users to view content without modifying it.


Question 4

A company wants managers to see only employees within their assigned region.

Which security feature should be implemented?

A. Column-Level Security

B. Dynamic Data Masking

C. Sensitivity Labels

D. Row-Level Security

Answer: D

Explanation

Row-Level Security filters records based on user identity and defined rules.


Question 5

Which security feature hides specific columns while allowing access to other columns in a table?

A. Row-Level Security

B. Workspace Permissions

C. Column-Level Security

D. Audit Logging

Answer: C

Explanation

Column-Level Security restricts visibility of specific columns while allowing access to remaining data.


Question 6

What is the primary purpose of Object-Level Security?

A. Encrypt stored data

B. Hide entire objects such as tables or measures

C. Filter rows

D. Improve query performance

Answer: B

Explanation

Object-Level Security makes entire objects invisible to unauthorized users.


Question 7

A user sees “XXX-XX-6789” instead of a complete Social Security number.

Which feature is being used?

A. Sensitivity Labels

B. Dynamic Data Masking

C. Object-Level Security

D. Row-Level Security

Answer: B

Explanation

Dynamic Data Masking obscures sensitive values while allowing users to access the data.


Question 8

Which statement about sensitivity labels is correct?

A. They automatically filter rows.

B. They replace security permissions.

C. They classify and identify sensitive content.

D. They grant workspace access.

Answer: C

Explanation

Sensitivity labels classify data according to sensitivity and governance requirements.


Question 9

Which principle should guide OneLake permission assignments?

A. Maximum Access

B. Open Access

C. Shared Ownership

D. Least Privilege

Answer: D

Explanation

Least privilege reduces risk by granting only the permissions necessary to perform assigned tasks.


Question 10

An administrator needs to determine who changed permissions on a Lakehouse.

Which capability should be used?

A. Deployment Pipelines

B. Dataflows Gen2

C. Audit Logs

D. Endorsements

Answer: C

Explanation

Audit logs record permission modifications and other administrative activities, making them essential for investigations and governance reviews.


Exam Tip

Many DP-700 questions test whether you can identify the correct security layer for a requirement.

Requirement                        Solution
Authenticate users                 Microsoft Entra ID
Control workspace access           Workspace Roles
Control access to specific items   Item Permissions
Filter rows                        Row-Level Security
Hide columns                       Column-Level Security
Hide tables or measures            Object-Level Security
Mask sensitive values              Dynamic Data Masking
Classify sensitive content         Sensitivity Labels
Track user activity                Audit Logs

When evaluating security scenarios, start by asking:

“Is the requirement about authentication, authorization, visibility, classification, masking, or auditing?”

That distinction often leads directly to the correct DP-700 exam answer.

