Implement workspace-level access controls (DP-700 Exam Prep)

This post is a part of the DP-700: Implementing Data Engineering Solutions Using Microsoft Fabric Exam Prep Hub.
This topic falls under these sections:
Implement and manage an analytics solution (30–35%)
   --> Configure security and governance
      --> Implement workspace-level access controls


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 2 practice tests with 60 questions each available from the hub's main page below the exam topics section.

Introduction

Security and governance are foundational components of any enterprise analytics platform. In Microsoft Fabric, workspaces serve as the primary organizational boundary for managing content, collaboration, and permissions. Because workspaces often contain sensitive data assets such as Lakehouses, Warehouses, Data Pipelines, Notebooks, and Reports, controlling who can access and modify these assets is critical.

Workspace-level access controls provide the first layer of security within Fabric. They determine who can view, create, modify, share, and administer workspace content. Properly configured access controls help organizations implement the principle of least privilege, improve governance, reduce security risks, and ensure compliance with organizational policies.

For the DP-700 exam, you should understand workspace roles, permission inheritance, Microsoft Entra ID integration, security best practices, and common access-control scenarios.


Understanding Fabric Workspaces

A workspace is a collaborative environment used to organize and manage Fabric assets.

Examples of assets stored within a workspace include:

  • Lakehouses
  • Data Warehouses
  • Data Pipelines
  • Dataflows Gen2
  • Notebooks
  • Semantic Models
  • Reports
  • Eventstreams
  • Environments

Workspaces serve as the primary security boundary for these resources.


Why Workspace-Level Access Controls Matter

Without proper access controls:

  • Unauthorized users may access sensitive data.
  • Critical assets may be modified accidentally.
  • Governance requirements may not be met.
  • Production environments may be compromised.

Workspace-level security helps organizations:

  • Restrict access
  • Protect sensitive data
  • Separate responsibilities
  • Support auditing and compliance
  • Implement least-privilege security

Microsoft Entra ID Integration

Microsoft Fabric uses Microsoft Entra ID for authentication and identity management.

Users access Fabric using their organizational accounts.

Benefits include:

  • Centralized identity management
  • Single sign-on (SSO)
  • Multi-factor authentication support
  • Group-based security management
  • Conditional Access integration

Fabric does not maintain a separate user authentication system.


Workspace Roles

Workspace access is controlled through predefined roles.

The four primary workspace roles are:

Role        | Purpose
Admin       | Full workspace control
Member      | Create, edit, and publish content
Contributor | Create and modify content
Viewer      | Read-only access

Understanding these roles is extremely important for the DP-700 exam.


Admin Role

Admins have complete control over the workspace.

Capabilities include:

  • Manage workspace settings
  • Add or remove users
  • Assign roles
  • Delete workspace content
  • Configure Git integration
  • Configure deployment pipelines
  • Manage permissions

Admins effectively own the workspace.

Use Cases

  • Platform administrators
  • Workspace owners
  • Data engineering leads

Member Role

Members can actively participate in workspace development.

Capabilities include:

  • Create content
  • Modify content
  • Publish content
  • Collaborate with team members

However, Members do not have all administrative capabilities.

Use Cases

  • Senior developers
  • Data engineers
  • Analytics developers

Contributor Role

Contributors can create and modify content but have fewer management capabilities than Members.

Capabilities include:

  • Create notebooks
  • Create pipelines
  • Modify assets
  • Build solutions

Contributors generally focus on development activities rather than workspace administration.

Use Cases

  • Developers
  • Data engineers
  • ETL specialists

Viewer Role

Viewers have read-only access.

Capabilities include:

  • View reports
  • View data assets
  • Review content

Restrictions include:

  • Cannot modify content
  • Cannot create content
  • Cannot administer the workspace

Use Cases

  • Business users
  • Auditors
  • Stakeholders

Workspace Permission Assignment

Permissions can be assigned to:

  • Individual users
  • Security groups
  • Microsoft Entra ID groups

Best practice is to assign permissions through groups whenever possible.

Example:

Finance-DataEngineers → Contributor
Finance-Developers → Member
Finance-Managers → Viewer

Benefits include:

  • Easier administration
  • Reduced maintenance
  • Improved consistency

Principle of Least Privilege

One of the most important security concepts for DP-700 is the Principle of Least Privilege.

This principle states:

Users should receive only the permissions necessary to perform their job functions.

Example:

User Type       | Recommended Role
Report Consumer | Viewer
Data Engineer   | Contributor
Team Lead       | Member
Workspace Owner | Admin

Over-permissioning increases security risks.


Permission Inheritance

Workspace-level permissions often provide access to items contained within the workspace.

Examples include:

  • Lakehouses
  • Warehouses
  • Notebooks
  • Dataflows

A user with workspace access generally gains access to supported content based on their assigned role.

However, some Fabric items support additional item-level permissions that can supplement workspace-level controls.

Exam Tip

Workspace permissions and item-level permissions are related but not identical.

Many exam questions test your understanding of this distinction.


Workspace Access and OneLake

OneLake security is closely tied to Fabric permissions.

When users access:

  • Lakehouses
  • Warehouse data
  • OneLake files

their permissions are generally governed through Fabric security controls.

This means workspace permissions play a significant role in determining data accessibility.


Separating Development, Test, and Production Access

Organizations commonly implement separate workspaces for:

  • Development
  • Test
  • Production

Different access controls are applied to each environment.

Example:

Environment | Typical Permissions
Development | Contributors and Members
Test        | Limited Contributors
Production  | Mostly Viewers

This reduces the risk of unauthorized production changes.


Workspace Security Best Practices

Use Security Groups

Prefer:

Sales-DataEngineers

instead of assigning permissions to individual users.


Minimize Admins

Only a small number of users should have Admin privileges.


Separate Production Access

Production workspaces should have stricter permissions.


Review Permissions Regularly

Conduct periodic audits of workspace access.


Follow Least Privilege

Assign the lowest role necessary.


Use Dedicated Service Principals

Automated processes should use service principals rather than personal accounts.


Common Security Scenarios

Scenario 1

A business analyst needs to view reports but should not modify content.

Solution:

Assign the Viewer role.


Scenario 2

A data engineer needs to build pipelines and notebooks but should not manage workspace permissions.

Solution:

Assign the Contributor role.


Scenario 3

A workspace owner needs to manage users and configure workspace settings.

Solution:

Assign the Admin role.


Scenario 4

A team lead needs to create and manage content while collaborating with developers.

Solution:

Assign the Member role.


Auditing and Governance

Workspace access controls support governance by enabling:

  • Access reviews
  • Compliance reporting
  • Security audits
  • Change tracking

Administrators should periodically verify:

  • User memberships
  • Group assignments
  • Admin privileges
  • Production access

These activities help maintain a secure Fabric environment.
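
The periodic review described above can be scripted. The following is an added example, not part of the original post or of any Microsoft tooling: it checks a list of role assignments against the best practices in this article (group-based assignment, few Admins, restricted write access in Production, service principals for automation). The record layout, the sample names, and the MAX_ADMINS threshold are assumptions made for illustration.

```python
from collections import Counter

ROLES = ("Viewer", "Contributor", "Member", "Admin")  # lowest to highest privilege
MAX_ADMINS = 2  # assumed threshold for "a small number" of Admins per workspace

# Constructed sample data: (workspace, environment, principal, principal type, role).
ASSIGNMENTS = [
    ("Finance-Dev", "Development", "Finance-DataEngineers", "Group", "Contributor"),
    ("Finance-Dev", "Development", "Finance-Developers", "Group", "Member"),
    ("Finance-Dev", "Development", "alice@contoso.example", "User", "Admin"),
    ("Finance-Prod", "Production", "Finance-Managers", "Group", "Viewer"),
    ("Finance-Prod", "Production", "Finance-DataEngineers", "Group", "Contributor"),
    ("Finance-Prod", "Production", "deploy-sp", "ServicePrincipal", "Contributor"),
    ("Finance-Prod", "Production", "Finance-Owners", "Group", "Admin"),
    ("Finance-Prod", "Production", "bob@contoso.example", "User", "Admin"),
    ("Finance-Prod", "Production", "carol@contoso.example", "User", "Admin"),
]

def audit(assignments, max_admins=MAX_ADMINS):
    """Return (workspace, principal, finding) tuples for assignments that break the rules."""
    findings = []
    admins = Counter()
    for workspace, env, principal, kind, role in assignments:
        if role not in ROLES:
            findings.append((workspace, principal, "unknown-role"))
            continue
        if role == "Admin":
            admins[workspace] += 1
        # Best practice: assign roles through groups, not to individual users.
        if kind == "User":
            findings.append((workspace, principal, "direct-user-assignment"))
        # Production should be mostly Viewers; write roles are expected only
        # for the service principals that run automated deployments.
        if (env == "Production" and kind != "ServicePrincipal"
                and role in ("Contributor", "Member")):
            findings.append((workspace, principal, "write-access-in-production"))
    # Minimize Admins: report workspaces that exceed the agreed cap.
    for workspace, count in sorted(admins.items()):
        if count > max_admins:
            findings.append((workspace, f"{count} admins", "too-many-admins"))
    return findings

if __name__ == "__main__":
    for workspace, principal, finding in audit(ASSIGNMENTS):
        print(f"{workspace:13} {principal:24} {finding}")
```
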


DP-700 Exam Focus Areas

You should understand:

✓ Workspace roles

✓ Admin, Member, Contributor, and Viewer permissions

✓ Microsoft Entra ID integration

✓ Security group assignments

✓ Least-privilege principles

✓ Workspace permission inheritance

✓ Item-level versus workspace-level security

✓ Production environment security

✓ Service principal usage

✓ Governance and auditing practices


Practice Exam Questions

Question 1

Which workspace role provides full control over workspace settings and permissions?

A. Admin

B. Member

C. Contributor

D. Viewer

Answer: A

Explanation

Admins have complete control over workspace management, including permissions, settings, and content administration.


Question 2

A user needs read-only access to reports and data assets in a workspace.

Which role should be assigned?

A. Admin

B. Member

C. Contributor

D. Viewer

Answer: D

Explanation

The Viewer role allows users to access and view content without modifying it.


Question 3

Which Microsoft service provides identity and authentication for Fabric users?

A. Azure Data Lake Storage

B. Microsoft Entra ID

C. OneLake

D. Fabric Capacity

Answer: B

Explanation

Microsoft Entra ID provides authentication, identity management, and access control for Fabric users.


Question 4

A data engineer needs to create notebooks and pipelines but should not manage workspace permissions.

Which role is most appropriate?

A. Viewer

B. Admin

C. Contributor

D. Workspace Owner

Answer: C

Explanation

Contributors can create and modify content without having full administrative privileges.


Question 5

What is the primary goal of the Principle of Least Privilege?

A. Maximize workspace access

B. Reduce storage costs

C. Improve Spark performance

D. Grant only the permissions required to perform a job

Answer: D

Explanation

Least privilege reduces security risks by ensuring users receive only the permissions necessary for their responsibilities.


Question 6

Which approach is generally recommended for assigning workspace permissions?

A. Assign permissions directly to every user

B. Use Microsoft Entra ID security groups

C. Give all users Member access

D. Assign Admin access broadly

Answer: B

Explanation

Group-based permission management simplifies administration and improves consistency.


Question 7

A team lead needs to create content, collaborate with developers, and participate in solution management but does not require full administrative control.

Which role is most appropriate?

A. Viewer

B. Contributor

C. Member

D. Admin

Answer: C

Explanation

Members can actively manage and collaborate on workspace content without having full administrative authority.


Question 8

Why should organizations limit the number of workspace Admins?

A. To reduce Spark resource consumption

B. To simplify notebook development

C. To improve deployment speed

D. To reduce security risk and administrative exposure

Answer: D

Explanation

Admin roles have extensive privileges and should be assigned only when necessary.


Question 9

A company wants automated deployment processes that are not dependent on employee accounts.

What should be used?

A. Viewer accounts

B. Personal accounts

C. Service principals

D. Shared passwords

Answer: C

Explanation

Service principals provide stable, secure identities for automation and deployment activities.


Question 10

What is the primary benefit of separating Development, Test, and Production workspaces?

A. Increased storage capacity

B. Improved security and change control

C. Reduced OneLake storage usage

D. Faster notebook execution

Answer: B

Explanation

Environment separation helps prevent accidental production changes and supports proper testing and governance.


Exam Tip

For the DP-700 exam, many security questions can be solved by understanding the differences between the four workspace roles:

Role        | Key Capability
Admin       | Full control and permissions management
Member      | Create, manage, and collaborate on content
Contributor | Create and modify content
Viewer      | Read-only access

When evaluating scenarios, choose the lowest role that satisfies the requirement. Microsoft frequently tests the Principle of Least Privilege, making it one of the most important security concepts to master for the exam.

