Category: DP-600

Analytics, BI Administration, Business Intelligence, Business Intelligence (BI) Development, Business Intelligence Platform, Data Analysis, Data Development, Data Integration, Data Integration (ETL), Data Modeling, Data Munging, Data Quality Assurance, Data Security, Data Strategy, Data Visualization, Data Warehousing, Data Wrangling, DP-600, Microsoft Certification, Microsoft Fabric, Power BI December 28, 2025

Improve DAX performance

This post is a part of the DP-600: Implementing Analytics Solutions Using Microsoft Fabric Exam Prep Hub; and this topic falls under these sections: 
Implement and manage semantic models (25-30%) 
    --> Optimize enterprise-scale semantic models 
        --> Improve DAX performance

Effective DAX (Data Analysis Expressions) is essential for high-performance semantic models in Microsoft Fabric. As datasets and business logic become more complex, inefficient DAX can slow down query execution and degrade report responsiveness. This article explains why DAX performance matters, common performance pitfalls, and best practices to optimize DAX in enterprise-scale semantic models.

Why DAX Performance Matters

In Fabric semantic models (Power BI datasets + Direct Lake / Import / composite models), DAX is used to define:

Measures (dynamic calculations)
Calculated columns (row-level expressions)
Calculated tables (derived data structures)

When improperly written, DAX can become a bottleneck — especially on large models or highly interactive reports (many slicers, visuals, etc.). Optimizing DAX ensures:

Faster query execution
Better user experience
Lower compute consumption
More efficient use of memory

The DP-600 exam tests your ability to identify and apply performance-aware DAX patterns.

Understand DAX Execution Engines

DAX queries are executed by two engines:

Formula Engine (FE) — processes logic that can’t be delegated
Storage Engine (SE) — processes optimized aggregations and scans

Performance improves when more computation can be done in the Storage Engine (columnar operations) rather than the Formula Engine (row-by-row logic).

Rule of thumb: Favor patterns that minimize work done in the Formula Engine.

Common DAX Performance Anti-Patterns

1. Repeated Calculations Without Variables

Example:

Total Sales + Total Cost - Total Discount

If Total Sales, Total Cost, and Total Discount all compute the same sub-expressions repeatedly, the engine may evaluate redundant logic multiple times.

Anti-Pattern:

Repeated expressions without variables.

2. Nested Iterator Functions

Using iterators like SUMX or FILTER on large tables many times in a measure increases compute overhead.

Example:

SUMX(
    FILTER(FactSales, FactSales[SalesAmount] > 0),
    FactSales[Quantity] * FactSales[UnitPrice]
)

Filtering inside iterators and then iterating again adds overhead.

3. Large Row Context with Filters

Complex FILTER expressions that operate on large intermediate tables will push computation into the Formula Engine, which is slower.

4. Frequent Use of EARLIER

While useful, EARLIER is often replaced with clearer, faster patterns using variables or iterator functions.

Best Practices for Optimizing DAX

1. Use Variables (VAR)

Variables reduce redundant computations, enhance readability, and often improve performance:

Measure Optimized =
VAR BaseTotal = SUM(FactSales[SalesAmount])
RETURN
IF(BaseTotal > 0, BaseTotal, BLANK())

Benefits:

Computed once per filter context
Reduces repeated expression evaluation

2. Favor Storage Engine Over Formula Engine

Use functions that can be processed by the Storage Engine:

SUM, COUNT, AVERAGE, MIN, MAX run faster
Avoid SUMX when a plain SUM suffices

Example:

Total Sales = SUM(FactSales[SalesAmount])

Over:

Total Sales =
SUMX(FactSales, FactSales[SalesAmount])

3. Simplify Filter Expressions

When possible, use simpler filter arguments:

Better:

CALCULATE([Total Sales], DimDate[Year] = 2025)

Instead of:

CALCULATE([Total Sales], FILTER(DimDate, DimDate[Year] = 2025))

Why?
The simpler condition is more likely to push to the Storage Engine without extra row processing.

4. Use TRUE/FALSE Filters

When filtering on a Boolean or condition:

Better:

CALCULATE([Total Sales], FactSales[IsActive] = TRUE)

Instead of:

CALCULATE([Total Sales], FILTER(FactSales, FactSales[IsActive] = TRUE))

5. Limit Column and Table Scans

Remove unused columns from the model
Avoid high-cardinality columns in calculations where unnecessary
Use star schema design to improve filter propagation

6. Reuse Measures

Instead of duplicating logic:

Total Profit =
[Total Sales] - [Total Cost]

Reuse basic measures within more complex logic.

7. Prefer Measures Over Calculated Columns

Measures calculate at query time and respect filter context; calculated columns are evaluated during refresh. Use calculated columns only when necessary.

8. Reduce Iterators on Large Tables

If SUMX is needed for row-level expressions, consider summarizing first or using aggregation tables.

9. Understand Evaluation Context

Complex measures often inadvertently alter filter context. Use functions like:

ALL
REMOVEFILTERS
KEEPFILTERS

…carefully, as they affect performance and results.

10. Leverage DAX Studio or Performance Analyzer

While not directly tested with UI steps, knowing when to use tools to diagnose DAX is helpful:

Performance Analyzer identifies slow visuals
DAX Studio exposes query plans and engine timings

Performance Patterns and Anti-Patterns

Pattern	Good / Bad	Notes
VAR usage	Good	Makes measures efficient and readable
SUM over SUMX	Good if applicable	Leverages Storage Engine
FILTER inside SUMX	Bad	Forces row context early
EARLIER / nested row context	Bad	Hard to optimize, slows performance
Simple CALCULATE filters	Good	More likely to fold

Example Before / After

Before (inefficient):

Measure = 
SUMX(
    FILTER(FactSales, FactSales[SalesAmount] > 1000),
    FactSales[Quantity] * FactSales[UnitPrice]
)

After (optimized):

VAR FilteredSales =
    CALCULATETABLE(
        FactSales,
        FactSales[SalesAmount] > 1000
    )
RETURN
SUMX(
    FilteredSales,
    FilteredSales[Quantity] * FilteredSales[UnitPrice]
)

Why better?
Explicit filtering via CALCULATETABLE often pushes more work to the Storage Engine than iterating within FILTER.

Exam-Focused Takeaways

For DP-600 questions related to DAX performance:

Identify inefficient row context patterns
Prefer variables and simple aggregations
Favor Storage Engine–friendly functions
Avoid unnecessary nested iterators
Recognize when a measure should be rewritten for performance

Summary

Improving DAX performance is about writing efficient calculations and avoiding patterns that force extra processing in the Formula Engine. By using variables, minimizing iterator overhead, simplifying filter expressions, and leveraging star schema design, you can significantly improve query responsiveness — a key capability for enterprise semantic models and the DP-600 exam.

Practice Questions:

Here are 10 questions to test and help solidify your learning and knowledge. As you review these and other questions in your preparation, make sure to …

Identifying and understand why an option is correct (or incorrect) — not just which one
Look for and understand the usage scenario of keywords in exam questions to guide you
Expect scenario-based questions rather than direct definitions

Question 1

You have a DAX measure that repeats the same complex calculation multiple times. Which change is most likely to improve performance?

A. Convert the calculation into a calculated column
B. Use a DAX variable (VAR) to store the calculation result
C. Replace CALCULATE with SUMX
D. Enable bidirectional relationships

Correct Answer: B

Explanation:
DAX variables evaluate their expression once per query context and reuse the result. This avoids repeated execution of the same logic and reduces Formula Engine overhead, making variables one of the most effective performance optimization techniques.

Question 2

Which aggregation function is generally the most performant when no row-by-row logic is required?

A. SUMX
B. AVERAGEX
C. SUM
D. FILTER

Correct Answer: C

Explanation:
Native aggregation functions like SUM, COUNT, and AVERAGE are optimized to run in the Storage Engine, which is much faster than iterator-based functions such as SUMX that require row-by-row evaluation in the Formula Engine.

Question 3

Why is this DAX pattern potentially slow on large tables?

CALCULATE([Total Sales], FILTER(FactSales, FactSales[SalesAmount] > 1000))

A. FILTER disables relationship filtering
B. FILTER forces evaluation in the Formula Engine
C. CALCULATE cannot push filters to the Storage Engine
D. The expression produces incorrect results

Correct Answer: B

Explanation:
The FILTER function iterates over rows, forcing Formula Engine execution. When possible, using simple Boolean expressions inside CALCULATE (e.g., FactSales[SalesAmount] > 1000) allows the Storage Engine to handle filtering more efficiently.

Question 4

Which CALCULATE filter expression is more performant?

A. FILTER(Sales, Sales[Year] = 2024)
B. Sales[Year] = 2024
C. ALL(Sales[Year])
D. VALUES(Sales[Year])

Correct Answer: B

Explanation:
Simple Boolean filters allow DAX to push work to the Storage Engine, while FILTER requires row-by-row evaluation. This distinction is frequently tested on the DP-600 exam.

Question 5

Which practice helps reduce the Formula Engine workload?

A. Using nested iterator functions
B. Replacing measures with calculated columns
C. Reusing base measures in more complex calculations
D. Increasing column cardinality

Correct Answer: C

Explanation:
Reusing base measures promotes efficient evaluation plans and avoids duplicated logic. Nested iterators and high cardinality columns increase computational complexity and slow down queries.

Question 6

Which modeling choice can indirectly improve DAX query performance?

A. Using snowflake schemas
B. Increasing the number of calculated columns
C. Removing unused columns and tables
D. Enabling bidirectional relationships by default

Correct Answer: C

Explanation:
Removing unused columns reduces memory usage, dictionary size, and scan costs. Smaller models lead to faster Storage Engine operations and improved overall query performance.

Question 7

Which DAX pattern is considered a performance anti-pattern?

A. Using measures instead of calculated columns
B. Using SUMX when SUM would suffice
C. Using star schema relationships
D. Using single-direction filters

Correct Answer: B

Explanation:
Iterator functions like SUMX should only be used when row-level logic is required. Replacing simple aggregations with iterators unnecessarily shifts work to the Formula Engine.

Question 8

Why can excessive use of EARLIER negatively impact performance?

A. It prevents relationship traversal
B. It creates complex nested row contexts
C. It only works in measures
D. It disables Storage Engine scans

Correct Answer: B

Explanation:
EARLIER introduces nested row contexts that are difficult for the DAX engine to optimize. Modern DAX best practices recommend using variables instead of EARLIER.

Question 9

Which relationship configuration can negatively affect DAX performance if overused?

A. Single-direction filtering
B. Many-to-one relationships
C. Bidirectional filtering
D. Active relationships

Correct Answer: C

Explanation:
Bidirectional relationships increase filter propagation paths and query complexity. While useful in some scenarios, overuse can significantly degrade performance in enterprise-scale models.

Question 10

Which tool should you use to identify slow visuals caused by inefficient DAX measures?

A. Power Query Editor
B. Model View
C. Performance Analyzer
D. Deployment Pipelines

Correct Answer: C

Explanation:
Performance Analyzer captures visual query durations, DAX query times, and rendering times, making it the primary tool for diagnosing DAX and visual performance issues in Power BI and Fabric semantic models.

BI Administration, Business Intelligence, Business Intelligence (BI) Development, Business Intelligence Platform, Data Governance, Data Integration, Data Integration (ETL), Data Modeling, Data Security, Data Strategy, Data Visualization, Data Warehousing, DP-600, Microsoft Certification, Microsoft Fabric, Microsoft OneLake December 28, 2025

Configure Direct Lake, including default fallback and refresh behavior

This post is a part of the DP-600: Implementing Analytics Solutions Using Microsoft Fabric Exam Prep Hub; and this topic falls under these sections: 
Implement and manage semantic models (25-30%) 
    --> Optimize enterprise-scale semantic models 
        --> Configure Direct Lake, including default fallback and refresh behavior

Overview

Direct Lake is a storage and connectivity mode in Microsoft Fabric semantic models that enables Power BI to query data directly from OneLake without importing data into VertiPaq or sending queries back to the data source (as in DirectQuery). It is designed to deliver near–Import performance with DirectQuery-like freshness, making it a key feature for enterprise-scale analytics.

For the DP-600 exam, you are expected to understand:

How Direct Lake works
When and why fallback occurs
How default fallback behavior is configured
How refresh behaves in Direct Lake models
Common performance and design considerations

How Direct Lake Works

In Direct Lake mode:

Data resides in Delta tables stored in OneLake (typically from a Lakehouse or Warehouse).
The semantic model reads Parquet/Delta files directly, bypassing data import.
Metadata and file statistics are cached to optimize query performance.
Queries are executed without duplicating data into VertiPaq storage.

This architecture reduces data duplication while still enabling fast, interactive analytics.

Default Fallback Behavior

What Is Direct Lake Fallback?

Fallback occurs when a query or operation cannot be executed using Direct Lake. In these cases, the semantic model automatically falls back to another mode to ensure the query still returns results.

Depending on configuration, fallback may occur to:

DirectQuery, or
Import (VertiPaq), if data is available

Fallback is automatic and transparent to report users unless explicitly restricted.

Common Causes of Fallback

Direct Lake fallback can be triggered by:

Unsupported DAX functions or expressions
Unsupported data types in Delta tables
Complex model features (certain calculation patterns, security scenarios)
Queries that cannot be resolved efficiently using file-based access
Temporary unavailability of OneLake files

Understanding these triggers is important for diagnosing performance issues.

Configuring Default Fallback Behavior

In Fabric semantic model settings, you can configure:

Allow fallback (default) – Ensures queries continue to work even when Direct Lake is not supported.
Disable fallback – Queries fail instead of falling back, which is useful for enforcing performance expectations or testing Direct Lake compatibility.

From an exam perspective:

Allowing fallback prioritizes reliability
Disabling fallback prioritizes predictability and performance validation

Refresh Behavior in Direct Lake Models

Do Direct Lake Models Require Refresh?

Unlike Import mode:

Direct Lake does not require scheduled data refresh to reflect new data in OneLake.
New or updated Delta files are automatically visible to the semantic model.

However, metadata refreshes are still relevant.

Types of Refresh in Direct Lake

Metadata Refresh
- Updates table schemas, partitions, and statistics
- Required when:
  - Columns are added or removed
  - Table structures change
- Lightweight compared to Import refresh
Hybrid Scenarios
- If fallback to Import is enabled and used, those imported parts do require refresh
- Mixed behavior may exist in composite or fallback-heavy models

Impact of Refresh on Performance

No large-scale data movement during refresh
Faster model readiness after schema changes
Reduced refresh windows compared to Import models
Lower memory pressure in capacity

This makes Direct Lake especially suitable for large, frequently updated datasets.

Performance and Design Considerations

To optimize Direct Lake usage:

Use supported Delta table features and data types
Keep models simple and star-schema based
Avoid unnecessary bidirectional relationships
Monitor fallback behavior using performance tools
Test critical DAX measures for Direct Lake compatibility

From an exam standpoint, expect scenario-based questions asking you to choose Direct Lake and configure fallback appropriately for scale, freshness, and reliability.

When to Use Direct Lake

Direct Lake is best suited for:

Large datasets stored in OneLake
Near-real-time analytics
Enterprise models that need both performance and freshness
Organizations standardizing on Fabric Lakehouse or Warehouse architectures

Key DP-600 Takeaways

Direct Lake queries Delta tables directly in OneLake
Default fallback ensures query continuity when Direct Lake isn’t supported
Fallback behavior can be enabled or disabled
Data refresh is not required, but metadata refresh still matters
Understanding fallback and refresh behavior is critical for enterprise-scale optimization

DP-600 Exam Tip 💡

Expect scenario-based questions where you must decide:

Whether to enable or disable fallback
How refresh behaves after schema changes
Why a query is falling back unexpectedly

Practice Questions:

Here are 10 questions to test and help solidify your learning and knowledge. As you review these and other questions in your preparation, make sure to …

Identifying and understand why an option is correct (or incorrect) — not just which one
Look for and understand the usage scenario of keywords in exam questions to guide you
Expect scenario-based questions rather than direct definitions

1. What is the primary benefit of using Direct Lake mode in a Fabric semantic model?

A. It fully imports data into VertiPaq for maximum compression
B. It queries Delta tables in OneLake directly without data import
C. It sends all queries back to the source system
D. It eliminates the need for semantic models

Correct Answer: B

Explanation:
Direct Lake reads Delta/Parquet files directly from OneLake, avoiding both data import (Import mode) and source query execution (DirectQuery), enabling near-Import performance with fresher data.

2. When does a Direct Lake semantic model fall back to another query mode?

A. When scheduled refresh fails
B. When unsupported features or queries are encountered
C. When the dataset exceeds 1 GB
D. When row-level security is enabled

Correct Answer: B

Explanation:
Fallback occurs when a query or model feature is not supported by Direct Lake, such as certain DAX expressions or unsupported data types.

3. What is the default behavior of Direct Lake when a query cannot be executed in Direct Lake mode?

A. The query fails immediately
B. The query retries using Import mode only
C. The query automatically falls back to another supported mode
D. The semantic model is disabled

Correct Answer: C

Explanation:
By default, Direct Lake allows fallback to ensure query reliability. This allows reports to continue functioning even if Direct Lake cannot handle a specific request.

4. Why might an organization choose to disable fallback in a Direct Lake semantic model?

A. To reduce OneLake storage costs
B. To enforce consistent Direct Lake performance and detect incompatibilities
C. To allow automatic data imports
D. To improve data refresh frequency

Correct Answer: B

Explanation:
Disabling fallback ensures queries only run in Direct Lake mode. This is useful for performance validation and preventing unexpected query behavior.

5. Which action typically requires a metadata refresh in a Direct Lake semantic model?

A. Adding new rows to a Delta table
B. Updating existing fact table values
C. Adding a new column to a Delta table
D. Running a Power BI report

Correct Answer: C

Explanation:
Schema changes such as adding or removing columns require a metadata refresh so the semantic model can recognize structural changes.

6. How does Direct Lake handle new data written to Delta tables in OneLake?

A. Data is visible only after a scheduled refresh
B. Data is visible automatically without data refresh
C. Data is visible only after manual import
D. Data is cached permanently

Correct Answer: B

Explanation:
Direct Lake reads data directly from OneLake, so new or updated data becomes available without needing a traditional Import refresh.

7. Which scenario is MOST likely to cause Direct Lake fallback?

A. Simple SUM aggregation on a fact table
B. Querying a supported Delta table
C. Using unsupported DAX functions in a measure
D. Filtering data using slicers

Correct Answer: C

Explanation:
Certain complex or unsupported DAX functions can force fallback because Direct Lake cannot execute them efficiently using file-based access.

8. What happens if fallback is disabled and a query cannot be executed in Direct Lake mode?

A. The query automatically switches to DirectQuery
B. The query fails and returns an error
C. The semantic model imports the data
D. The model switches to Import mode permanently

Correct Answer: B

Explanation:
When fallback is disabled, unsupported queries fail instead of switching modes, making incompatibilities more visible during testing.

9. Which statement about refresh behavior in Direct Lake models is TRUE?

A. Full data refresh is always required
B. Direct Lake models do not support refresh
C. Only metadata refresh may be required
D. Refresh behaves the same as Import mode

Correct Answer: C

Explanation:
Direct Lake does not require full data refreshes because it reads data directly from OneLake. Metadata refresh is needed only for structural changes.

10. Why is Direct Lake well suited for enterprise-scale semantic models?

A. It eliminates the need for Delta tables
B. It supports unlimited bidirectional relationships
C. It combines near-Import performance with fresh data access
D. It forces all data into memory

Correct Answer: C

Explanation:
Direct Lake offers high performance without importing data, making it ideal for large datasets that require frequent updates and scalable analytics.

Analytics, BI Administration, Business Intelligence, Business Intelligence (BI) Development, Business Intelligence Platform, Data Development, Data Governance, Data Integration, Data Integration (ETL), Data Modeling, Data Security, Data Strategy, Data Warehousing, DP-600, Microsoft Certification, Microsoft Fabric, Microsoft OneLake, Performance Tuning December 28, 2025

Choose Between Direct Lake on OneLake and Direct Lake on SQL Endpoints

This post is a part of the DP-600: Implementing Analytics Solutions Using Microsoft Fabric Exam Prep Hub; and this topic falls under these sections: 
Implement and manage semantic models (25-30%) 
    --> Optimize enterprise-scale semantic models 
        --> Choose between Direct Lake on OneLake and Direct Lake on SQL endpoints

In Microsoft Fabric, Direct Lake is a high-performance semantic model storage mode that allows Power BI and Fabric semantic models to query data directly from OneLake without importing it into VertiPaq. When implementing Direct Lake, you must choose where the semantic model reads from, either:

Direct Lake on OneLake
Direct Lake on SQL endpoints

Understanding the differences, trade-offs, and use cases for each option is critical for optimizing enterprise-scale semantic models, and this topic appears explicitly in the DP-600 exam blueprint.

Direct Lake on OneLake

What It Is

Direct Lake on OneLake connects the semantic model directly to Delta tables stored in OneLake, bypassing SQL engines entirely. Queries operate directly on Parquet/Delta files using the Fabric Direct Lake engine.

Key Characteristics

Reads Delta tables directly from OneLake
No dependency on a SQL query engine
Near-Import performance with zero data duplication
Minimal latency between data ingestion and reporting
Requires supported Delta table structures and data types

Advantages

Best performance for large-scale analytics
Always reflects the latest data written to OneLake
Eliminates Import refresh overhead
Ideal for lakehouse-centric architectures

Limitations

Some complex DAX patterns may cause fallback
Requires schema compatibility with Direct Lake
Less flexibility for SQL-based transformations

Typical Use Cases

Enterprise lakehouse analytics
High-volume fact tables
Near-real-time reporting
Fabric-native data pipelines

Direct Lake on SQL Endpoints

What It Is

Direct Lake on SQL endpoints connects the semantic model to the SQL analytics endpoint of a Lakehouse or Warehouse, while still using Direct Lake storage mode behind the scenes.

Instead of reading files directly, the semantic model relies on the SQL endpoint to expose the data.

Key Characteristics

Queries go through the SQL endpoint
Still benefits from Direct Lake storage
Enables SQL views and transformations
Slightly higher latency than pure OneLake access

Advantages

Supports SQL-based modeling (views, joins, calculated columns)
Easier integration with existing SQL logic
Familiar experience for SQL-first teams
Useful when business logic is already defined in SQL

Limitations

Additional query layer may impact performance
Less efficient than direct file access
SQL endpoint availability becomes a dependency

Typical Use Cases

Organizations with strong SQL development practices
Reuse of existing SQL views and transformations
Gradual migration from Warehouse or SQL models
Mixed BI and ad-hoc SQL workloads

Key Comparison Summary

Aspect	Direct Lake on OneLake	Direct Lake on SQL Endpoint
Data access	Direct file access	Via SQL analytics endpoint
Performance	Highest	Slightly lower
SQL dependency	None	Required
Schema flexibility	Lower	Higher
Transformation style	Lakehouse / Spark	SQL-based
Ideal for	Scale & performance	SQL reuse & flexibility

Choosing Between the Two (Exam-Focused Guidance)

On the DP-600 exam, questions typically focus on architectural intent and performance optimization:

Choose Direct Lake on OneLake when:

Performance is the top priority
Data is already modeled in Delta tables
You want the simplest, most scalable architecture
Near-real-time analytics are required

Choose Direct Lake on SQL endpoints when:

You need SQL views or transformations
Existing logic already exists in SQL
Teams are more comfortable with SQL than Spark
Some flexibility is preferred over maximum performance

Exam Tip 💡

If a question emphasizes:

Maximum performance, minimal latency, or scalability/large-scale analytics → Direct Lake on OneLake
SQL views, SQL transformations, or SQL reuse → Direct Lake on SQL endpoints

Expect scenario-based questions where both options are technically valid, but only one best aligns with the business and performance requirements.

Practice Questions:

Here are 10 questions to test and help solidify your learning and knowledge. As you review these and other questions in your preparation, make sure to …

Identifying and understand why an option is correct (or incorrect) — not just which one
Look for and understand the usage scenario of keywords in exam questions to guide you
Expect scenario-based questions rather than direct definitions

Question 1

A company has Delta tables stored in OneLake and wants the lowest possible query latency for Power BI reports without using SQL views. Which option should they choose?

A. Import mode
B. DirectQuery on SQL endpoint
C. Direct Lake on SQL endpoint
D. Direct Lake on OneLake

Correct Answer: D

Explanation:
Direct Lake on OneLake reads Delta tables directly from OneLake without a SQL layer, delivering the best performance and lowest latency.

Question 2

Which requirement would most strongly favor Direct Lake on SQL endpoints over Direct Lake on OneLake?

A. Maximum performance
B. Real-time data visibility
C. Use of SQL views for business logic
D. Minimal infrastructure dependencies

Correct Answer: C

Explanation:
Direct Lake on SQL endpoints allows semantic models to consume SQL views and transformations, making it ideal when business logic is defined in SQL.

Question 3

What is a key architectural difference between Direct Lake on OneLake and Direct Lake on SQL endpoints?

A. Only OneLake supports Delta tables
B. SQL endpoints require data import
C. OneLake access bypasses the SQL engine
D. SQL endpoints cannot be used with semantic models

Correct Answer: C

Explanation:
Direct Lake on OneLake reads Delta files directly from storage, while SQL endpoints introduce an additional SQL query layer.

Question 4

A Fabric semantic model uses Direct Lake on OneLake. Under which condition might it fallback to DirectQuery?

A. The model contains calculated columns
B. The dataset exceeds 1 TB
C. The Delta table schema is unsupported
D. The SQL endpoint is unavailable

Correct Answer: C

Explanation:
If the Delta table schema or data types are not supported by Direct Lake, Fabric automatically falls back to DirectQuery.

Question 5

Which scenario is best suited for Direct Lake on SQL endpoints?

A. High-volume streaming telemetry
B. SQL-first team reusing existing warehouse views
C. Near-real-time dashboards on raw lake data
D. Large fact tables optimized for scan performance

Correct Answer: B

Explanation:
Direct Lake on SQL endpoints is ideal when teams rely on SQL views and want to reuse existing SQL logic.

Question 6

Which statement about performance is most accurate?

A. SQL endpoints always outperform OneLake
B. OneLake always requires Import mode
C. Direct Lake on OneLake typically offers better performance
D. Direct Lake on SQL endpoints does not use Direct Lake

Correct Answer: C

Explanation:
Direct Lake on OneLake avoids the SQL layer, resulting in faster query execution in most scenarios.

Question 7

A Power BI model must reflect new data immediately after ingestion into OneLake. Which option best supports this requirement?

A. Import mode
B. DirectQuery
C. Direct Lake on SQL endpoint
D. Direct Lake on OneLake

Correct Answer: D

Explanation:
Direct Lake on OneLake reads data directly from Delta tables and reflects changes immediately without refresh.

Question 8

Which dependency exists when using Direct Lake on SQL endpoints that does not exist with Direct Lake on OneLake?

A. Delta Lake support
B. VertiPaq compression
C. SQL analytics endpoint availability
D. Semantic model compatibility

Correct Answer: C

Explanation:
Direct Lake on SQL endpoints depends on the SQL analytics endpoint being available, while OneLake access does not.

Question 9

From a DP-600 exam perspective, which factor most often determines the correct choice between these two options?

A. Dataset size alone
B. Whether SQL transformations are required
C. Number of report users
D. Power BI license type

Correct Answer: B

Explanation:
Exam questions typically focus on whether SQL logic (views, joins, transformations) is needed, which drives the choice.

Question 10

You are designing an enterprise semantic model focused on scalability and minimal complexity. The data is already curated as Delta tables. What is the best choice?

A. Import mode
B. DirectQuery on SQL endpoint
C. Direct Lake on SQL endpoint
D. Direct Lake on OneLake

Correct Answer: D

Explanation:
Direct Lake on OneLake offers the simplest architecture with the highest scalability and performance when Delta tables are already prepared.

Analytics, BI Administration, Business Intelligence, Business Intelligence (BI) Development, Data Integration, Data Integration (ETL), Data Modeling, Data Strategy, Data Warehousing, DP-600, Microsoft Certification, Microsoft Fabric, Power BI, Power Query December 28, 2025

Implement Incremental Refresh for Semantic Models

This post is a part of the DP-600: Implementing Analytics Solutions Using Microsoft Fabric Exam Prep Hub; and this topic falls under these sections: 
Implement and manage semantic models (25-30%) 
    --> Optimize enterprise-scale semantic models 
        --> Implement Incremental Refresh for Semantic Models

Overview

Incremental refresh is a key optimization technique for enterprise-scale semantic models in Microsoft Fabric and Power BI. Instead of fully refreshing all data during each refresh cycle, incremental refresh allows you to refresh only new or changed data, significantly improving refresh performance, reducing resource consumption, and enabling scalability for large datasets.

In the DP-600 exam, this topic appears under Optimize enterprise-scale semantic models and focuses on when, why, and how to configure incremental refresh correctly.

What Is Incremental Refresh?

Incremental refresh is a feature for Import mode and Hybrid (Import + DirectQuery) semantic models that:

Partitions data based on date/time columns
Refreshes only a recent portion of data
Retains historical data without reprocessing it
Optionally supports real-time data using DirectQuery

Incremental refresh is not applicable to:

Direct Lake–only semantic models
Pure DirectQuery models

Key Benefits

Incremental refresh provides several enterprise-level advantages:

Faster refresh times for large datasets
Reduced memory and CPU usage
Improved reliability of scheduled refreshes
Better scalability for growing fact tables
Enables near-real-time analytics when combined with DirectQuery

Core Configuration Components

1. Date/Time Column Requirement

Incremental refresh requires a column that:

Is of type Date, DateTime, or DateTimeZone
Represents a monotonically increasing timeline (for example, OrderDate or TransactionDate)

This column is used to define data partitions.

2. RangeStart and RangeEnd Parameters

Incremental refresh relies on two Power Query parameters:

RangeStart – Beginning of the refresh window
RangeEnd – End of the refresh window

These parameters:

Must be of type Date/Time
Are used in a filter step in Power Query
Are evaluated dynamically during refresh

Exam tip: These parameters are required, not optional.

3. Refresh and Storage Policies

When configuring incremental refresh, you define two key time windows:

Policy	Purpose
Store rows from the past	Defines how much historical data is retained
Refresh rows from the past	Defines how much recent data is refreshed

Example:

Store data for 5 years
Refresh data from the last 7 days

Only the refresh window is reprocessed during each refresh.

4. Optional: Detect Data Changes

Incremental refresh can optionally use a change detection column (for example, LastModifiedDate):

Only refreshes partitions where data has changed
Reduces unnecessary refresh operations
Column must be reliably updated when records change

This is especially useful for slowly changing dimensions.

Incremental Refresh with Real-Time Data (Hybrid Tables)

Incremental refresh can be combined with DirectQuery to support real-time data:

Historical data → Import mode
Recent data → DirectQuery

This configuration:

Uses the “Get the latest data in real time” option
Is commonly referred to as a Hybrid table
Balances performance with freshness

Deployment and Execution Behavior

Incremental refresh is defined in Power BI Desktop
Partitions are created only after publishing
Refresh execution happens in the Fabric service
Desktop refresh does not create partitions

Exam tip: Many questions test the difference between design-time configuration and service-side execution.

Limitations and Considerations

Requires Import or Hybrid mode
Date column must exist in the fact table
Cannot be configured directly in Fabric service
Schema changes may require full refresh
Partition count should be managed to avoid excessive overhead

Common DP-600 Exam Scenarios

You may be asked to:

Choose incremental refresh to solve long refresh times
Identify missing requirements (RangeStart/RangeEnd)
Decide between full refresh vs incremental refresh
Configure refresh windows for historical vs recent data
Combine incremental refresh with real-time analytics

When to Use Incremental Refresh (Exam Heuristic)

Choose incremental refresh when:

Fact tables are large and growing
Only recent data changes
Full refresh times are too long
Import mode is required for performance

Avoid it when:

Data volume is small
Real-time access is required for all data
Using Direct Lake–only models

Exam Tips

For DP-600, remember:

RangeStart / RangeEnd are mandatory
Incremental refresh = Import or Hybrid
Partitions are service-side
Refresh window ≠ storage window
Hybrid tables enable real-time + performance

Summary

Incremental refresh is a foundational optimization technique for large semantic models in Microsoft Fabric. For the DP-600 exam, focus on:

Required parameters (RangeStart, RangeEnd)
Refresh vs storage windows
Import and Hybrid model compatibility
Real-time and change detection scenarios
Service-side execution behavior

Practice Questions:

Here are 10 questions to test and help solidify your learning and knowledge. As you review these and other questions in your preparation, make sure to …

Identifying and understand why an option is correct (or incorrect) — not just which one
Look for and understand the usage scenario of keywords in exam questions to guide you
Expect scenario-based questions rather than direct definitions

Question 1

You have a large fact table with 5 years of historical data. Only the most recent data changes daily. Which feature should you implement to reduce refresh time?

A. DirectQuery mode
B. Incremental refresh
C. Calculated tables
D. Composite models

✅ Correct Answer: B

Explanation:
Incremental refresh is designed to refresh only recent data while retaining historical partitions, significantly improving refresh performance for large datasets.

Question 2

Which two Power Query parameters are required to configure incremental refresh?

A. StartDate and EndDate
B. MinDate and MaxDate
C. RangeStart and RangeEnd
D. RefreshStart and RefreshEnd

✅ Correct Answer: C

Explanation:
Incremental refresh requires RangeStart and RangeEnd parameters of type Date/Time to define partition boundaries.

Question 3

Where are incremental refresh partitions actually created?

A. Power BI Desktop during data load
B. Fabric Data Factory
C. Microsoft Fabric service after publishing
D. SQL endpoint

✅ Correct Answer: C

Explanation:
Partitions are created and managed only in the Fabric service after the model is published. Desktop refresh does not create partitions.

Question 4

Which storage mode is required to use incremental refresh?

A. DirectQuery only
B. Direct Lake only
C. Import or Hybrid
D. Dual only

✅ Correct Answer: C

Explanation:
Incremental refresh works with Import mode and Hybrid tables. It is not supported for DirectQuery-only or Direct Lake–only models.

Question 5

You configure incremental refresh to store 5 years of data and refresh the last 7 days. What happens during a scheduled refresh?

A. All data is fully refreshed
B. Only the last 7 days are refreshed
C. Only the last year is refreshed
D. Only new rows are loaded

✅ Correct Answer: B

Explanation:
The refresh window defines how much data is reprocessed. Historical partitions outside that window are retained without refresh.

Question 6

Which column type is required for incremental refresh filtering?

A. Text
B. Integer
C. Boolean
D. Date/DateTime

✅ Correct Answer: D

Explanation:
Incremental refresh requires a Date, DateTime, or DateTimeZone column to define time-based partitions.

Question 7

What is the purpose of the Detect data changes option?

A. To refresh all partitions automatically
B. To detect schema changes
C. To refresh only partitions where data has changed
D. To enable real-time DirectQuery

✅ Correct Answer: C

Explanation:
Detect data changes uses a change-tracking column (e.g., LastModifiedDate) to avoid refreshing partitions when no data has changed.

Question 8

Which scenario best fits a Hybrid incremental refresh configuration?

A. All data must be queried in real time
B. Small dataset refreshed once per day
C. Historical data rarely changes, but recent data must be real time
D. Streaming data only

✅ Correct Answer: C

Explanation:
Hybrid tables combine Import for historical data and DirectQuery for recent data, providing real-time access where needed.

Question 9

What happens if the date column used for incremental refresh contains null values?

A. Incremental refresh is automatically disabled
B. Only historical partitions fail
C. Refresh may fail or produce incorrect partitions
D. Null values are ignored safely

✅ Correct Answer: C

Explanation:
The date column must be reliable. Null or invalid values can break partition logic and cause refresh failures.

Question 10

When should you avoid using incremental refresh?

A. When the dataset is large
B. When only recent data changes
C. When using Direct Lake–only semantic models
D. When refresh duration is long

✅ Correct Answer: C

Explanation:
Incremental refresh is not supported for Direct Lake–only models, as Direct Lake handles freshness differently through OneLake access.

BI Administration, Business Intelligence Platform, Data Security, DP-600, Microsoft Certification, Microsoft Fabric December 28, 2025

Implement workspace-level access controls in Microsoft Fabric

This post is a part of the DP-600: Implementing Analytics Solutions Using Microsoft Fabric Exam Prep Hub; and this topic falls under these sections: 
Maintain a data analytics solution 
    --> Implement security and governance 
        --> Implement workspace-level access controls

To Do:
Complete the related module for this topic in the Microsoft Learn course: Secure data access in Microsoft Fabric

Workspace-level access control is the first and most fundamental security boundary in Microsoft Fabric. It determines who can access a workspace, what actions they can perform, and how they can interact with Fabric items such as Lakehouses, Warehouses, semantic models, reports, notebooks, and pipelines.

For the DP-600 exam, you should clearly understand workspace roles, their permissions, and how workspace security integrates with broader governance practices.

What Are Workspace-Level Access Controls?

Workspace-level access controls define permissions at the workspace scope, applying to all items within that workspace unless further restricted by item-level or data-level security.

These controls are managed through workspace roles, which are assigned to:

Individual users
Microsoft Entra ID (Azure AD) security groups
Distribution lists (limited scenarios)

Workspace Roles in Microsoft Fabric

Microsoft Fabric workspaces use role-based access control (RBAC). There are 4 roles that users can be assigned to for workspace access and each role grants a predefined set of permissions.

1. Admin

Highest level of access

Admins can:

Manage workspace settings
Add or remove users and assign roles
Delete the workspace
Control capacity assignment
Access and manage all items

Typical use cases

Platform administrators
Lead analytics engineers

Exam note
Admins automatically have all permissions of lower roles.

2. Member

Full content creation and collaboration role

Members can:

Create, edit, and delete Fabric items
Publish and update semantic models and reports
Share content
Run pipelines and notebooks

Members cannot:

Delete the workspace
Manage capacity settings

Typical use cases

Analytics engineers
Senior analysts

3. Contributor

Content creation with limited governance control

Contributors can:

Create and modify items they have access to
Run notebooks, pipelines, and queries
Publish reports and datasets

Contributors cannot:

Manage workspace users
Modify workspace settings

Typical use cases

Data analysts
Developers contributing content

4. Viewer

Read-only access

Viewers can:

View reports and dashboards
Read data from semantic models
Execute queries if explicitly allowed

Viewers cannot:

Create or edit items
Publish or share content

Typical use cases

Business users
Report consumers

Summary table:

Role	Description	Can / Cannot	Typical use cases
Admin	– Highest level of access. – Full workspace administration access including ability to delete.	Admins Can: – Manage workspace settings – Add or remove users and assign roles – Delete the workspace – Control capacity assignment – Access and manage all items	– Platform administrators – Lead analytics engineers
Member	– Full content creation and collaboration role. – Can manage members with same or lower permissions.	Members can: – Create, edit, and delete Fabric items – Publish and update semantic models and reports – Share content – Run pipelines and notebooks Members cannot: – Delete the workspace – Manage capacity settings	– Analytics engineers – Senior analysts
Contributor	– Content creation with limited governance control – Can create and manage workspace content	Contributors can: – Create and modify items they have access to – Run notebooks, pipelines, and queries – Publish reports and datasets Contributors cannot: – Manage workspace users – Modify workspace settings	– Data analysts – Developers contributing content
Viewer	– Read-only access to the workspace	Viewers can: – View reports and dashboards – Read data from semantic models – Execute queries if explicitly allowed Viewers cannot: – Create or edit items – Publish or share content	– Business users – Report consumers

How Workspace-Level Security Is Enforced

Workspace-level access controls:

Are evaluated before item-level or data-level security
Determine whether a user can even see workspace content
Apply consistently across all Fabric workloads (Power BI, Lakehouse, Warehouse, Data Factory, Real-Time Analytics)

This makes workspace roles the entry point for all other security mechanisms.

Best Practices for Workspace-Level Access Control

Use Security Groups Instead of Individuals

Assign Microsoft Entra ID security groups to workspace roles
Simplifies access management
Supports scalable governance

Separate Workspaces by Purpose

Common patterns include:

Development vs Test vs Production
Department-specific workspaces
Consumer-only (Viewer) workspaces

Apply Least Privilege

Grant users the lowest role necessary
Avoid overusing Admin and Member roles

Relationship to Other Security Layers

Workspace-level access controls work alongside:

Item-level permissions (e.g., sharing a report)
Row-level, column-level, and object-level security in semantic models
File-level security in OneLake
Capacity-level governance

For exam scenarios, always identify which security layer is being tested.

Common Exam Scenarios to Watch For

You may be asked to:

Choose the correct workspace role for a given user persona
Identify why a user cannot see or edit workspace content
Decide when to use Viewer vs Contributor
Understand how workspace roles interact with RLS or file access

Key Exam Takeaways

Workspace roles control who can access a workspace and what actions they can perform
Admin, Member, Contributor, and Viewer each have distinct permission boundaries
Workspace security is broader than item-level sharing
Always think workspace first, data second when designing security

Exam Tips

If the question is about who can create, edit, share, or manage content, the answer almost always involves workspace-level access controls.

Expect scenario-based questions that test:

Choosing the least-privileged role
Understanding the difference between Member vs Contributor
Knowing when workspace security is not enough and must be combined with RLS or item-level access

Practice Questions

Question 1 (Single choice)

Which workspace role in Microsoft Fabric allows a user to publish content, manage permissions, and delete the workspace?

A. Viewer
B. Contributor
C. Member
D. Admin

Correct Answer: D

Explanation:

Admin is the highest workspace role and includes full control, including managing access, deleting the workspace, and assigning roles.
Contributors and Members cannot manage workspace-level permissions.
Viewers have read-only access.

Question 2 (Scenario-based)

You want analysts to create and edit items (lakehouses, notebooks, reports) but prevent them from managing access or deleting the workspace. Which role should you assign?

A. Viewer
B. Contributor
C. Member
D. Admin

Correct Answer: C

Explanation:

Members can create, edit, and publish content but cannot manage workspace access or delete the workspace.
Contributors have more limited permissions.
Admins have excessive privileges for this scenario.

Question 3 (Multi-select)

Which actions are possible for a user assigned the Contributor role? (Select all that apply.)

A. Create new items
B. Edit existing items
C. Manage workspace permissions
D. Publish reports to the workspace

Correct Answers: A, B

Explanation:

Contributors can create and edit items.
They cannot manage permissions or perform full publishing/administrative actions.
Publishing to app audiences or managing access requires Member or Admin.

Question 4 (Scenario-based)

A workspace contains sensitive data. You want executives to view reports only, without seeing datasets, lakehouses, or notebooks. What is the BEST approach?

A. Assign Viewer role
B. Assign Contributor role
C. Assign Member role
D. Assign Admin role

Correct Answer: A

Explanation:

Viewer role provides read-only access and prevents exposure to underlying assets beyond consumption.
Other roles expose authoring and object-level visibility.

Question 5 (Single choice)

Workspace-level access controls in Fabric are applied to:

A. Individual tables only
B. Semantic models only
C. All items within the workspace
D. Reports published to apps only

Correct Answer: C

Explanation:

Workspace-level roles apply across all items in the workspace unless further restricted using item-level or semantic-model security.
Finer-grained security must be implemented separately.

Question 6 (Scenario-based)

You need to ensure that workspace access is centrally governed and users cannot self-assign roles. What is the BEST practice?

A. Allow Members to manage access
B. Restrict access management to Admins only
C. Use Viewer roles exclusively
D. Disable workspace sharing

Correct Answer: B

Explanation:

Only Admins should manage workspace access for governance and compliance.
Members should not be allowed to assign roles in controlled environments.

Question 7 (Multi-select)

Which of the following are valid workspace roles in Microsoft Fabric? (Select all that apply.)

A. Viewer
B. Contributor
C. Member
D. Owner

Correct Answers: A, B, C

Explanation:

Valid Fabric workspace roles are Viewer, Contributor, Member, and Admin.
“Owner” is not a Fabric workspace role.

Question 8 (Scenario-based)

A user can view reports but receives an error when attempting to open a semantic model directly. What is the MOST likely reason?

A. They are a Contributor
B. They are a Viewer
C. The dataset is in Import mode
D. XMLA endpoint is disabled

Correct Answer: B

Explanation:

Viewers can consume reports but may not have permissions to explore or access underlying semantic models directly.
This behavior aligns with workspace-level access restrictions.

Question 9 (Single choice)

Which statement about workspace-level access vs. item-level security is TRUE?

A. Workspace access overrides all other security
B. Workspace access is more granular than item-level security
C. Item-level security can further restrict access granted by workspace roles
D. Workspace access only applies to reports

Correct Answer: C

Explanation:

Workspace roles grant baseline access, which can then be restricted using item-level security, RLS, or object-level permissions.
Workspace access does not override more restrictive controls.

Question 10 (Scenario-based)

You want to minimize administrative overhead while allowing self-service analytics. Which workspace role strategy is MOST appropriate?

A. Assign Admin to all users
B. Assign Member to authors and Viewer to consumers
C. Assign Contributor to executives
D. Assign Viewer to data engineers

Correct Answer: B

Explanation:

This is a recommended best practice:
- Members for authors/builders
- Viewers for consumers
It balances governance and agility while minimizing risk.

Analytics, BI Administration, Business Intelligence, Business Intelligence Platform, Data Security, DP-600, Microsoft Certification, Microsoft Fabric, Microsoft OneLake December 28, 2025

Implement item-level access controls in Microsoft Fabric

This post is a part of the DP-600: Implementing Analytics Solutions Using Microsoft Fabric Exam Prep Hub; and this topic falls under these sections: 
Maintain a data analytics solution 
    --> Implement security and governance
        --> Implement item-level access controls

To Do:
Complete the related module for this topic in the Microsoft Learn course: Secure data access in Microsoft Fabric

Item-level access controls in Microsoft Fabric determine who can access or interact with specific items inside a workspace, rather than the entire workspace. Items include reports, semantic models, Lakehouses, Warehouses, notebooks, pipelines, dashboards, and other Fabric artifacts.

For the DP-600 exam, it’s important to understand how item-level permissions differ from workspace roles, when to use them, and how they interact with data-level security such as RLS.

What Are Item-Level Access Controls?

Item-level access controls:

Apply to individual Fabric items
Are more granular than workspace-level roles
Allow selective sharing without granting broad workspace access

They are commonly used when:

Users need access to one report or dataset, not the whole workspace
Consumers should view content without seeing development artifacts
External or business users need limited access

Common Items That Support Item-Level Permissions

In Microsoft Fabric, item-level permissions can be applied to:

Power BI reports
Semantic models (datasets)
Dashboards
Lakehouses and Warehouses
Notebooks and pipelines (via workspace + item context)

The most frequently tested scenarios in DP-600 involve reports and semantic models.

Sharing Reports and Dashboards

Report Sharing

Reports can be shared directly with users or groups.

When you share a report:

Users can be granted View or Reshare permissions
The report appears in the recipient’s “Shared with me” section
Access does not automatically grant workspace access

Exam considerations

Sharing a report does not grant edit permissions
Sharing does not bypass data-level security (RLS still applies)
Users must also have access to the underlying semantic model

Semantic Model (Dataset) Permissions

Semantic models support explicit permissions that control how users interact with data.

Common permissions include:

Read – View and query the model
Build – Create reports using the model
Write – Modify the model (typically for owners)
Reshare – Share the model with others

Typical use cases

Allow analysts to build their own reports (Build permission)
Allow consumers to view reports without building new ones
Restrict direct querying of datasets

Exam tips

Build permission is required for “Analyze in Excel” and report creation
RLS and OLS are enforced at the semantic model level
Dataset permissions can be granted independently of report sharing

Item-Level Access vs Workspace-Level Roles

Understanding this distinction is critical for the exam.

Feature	Workspace-Level Access	Item-Level Access
Scope	Entire workspace	Single item
Typical roles	Admin, Member, Contributor, Viewer	View, Build, Reshare
Best for	Team collaboration	Targeted sharing
Granularity	Coarse	Fine-grained

Key exam insight:
Item-level access does not override workspace permissions. A user cannot edit an item if their workspace role is Viewer, even if the item is shared.

Interaction with Data-Level Security

Item-level access works together with:

Row-Level Security (RLS)
Column-Level Security (CLS)
Object-Level Security (OLS)

Important behaviors:

Sharing a report does not expose restricted rows or columns
RLS is evaluated based on the user’s identity
Item access only determines whether a user can query the item, not what data they see

Common Exam Scenarios

You may encounter questions such as:

A user can see a report but cannot build a new one → missing Build permission
A user has report access but sees no data → likely RLS
A business user needs access to one report only → item-level sharing, not workspace access
An analyst can’t query a dataset in Excel → lacks Build permission

Best Practices to Remember

Use item-level access for consumers and ad-hoc sharing
Use workspace roles for development teams
Assign permissions to Entra ID security groups when possible
Always pair item access with appropriate semantic model permissions

Key Exam Takeaways

Item-level access controls provide fine-grained security
Reports and semantic models are the most tested items
Build permission is critical for self-service analytics
Item-level access complements, but does not replace, workspace roles

Exam Tips

Think “Can they see the object at all?”
Combine:
- Workspace roles → broad access
- Item-level access → fine-grained control
- RLS/CLS → data-level restrictions
Expect scenarios involving:
- Preventing access to lakehouses
- Separating authors from consumers
- Protecting production assets
If a question asks who can view or build from a specific report or dataset without granting workspace access, the correct answer almost always involves item-level access controls.

Practice Questions:

Question 1 (Single choice)

What is the PRIMARY purpose of item-level access controls in Microsoft Fabric?

A. Control which rows a user can see
B. Control which columns a user can see
C. Control access to specific workspace items
D. Control DAX query execution speed

Correct Answer: C

Explanation:

Item-level access controls determine who can access specific items (lakehouses, warehouses, semantic models, notebooks, reports).
Row-level and column-level security are semantic model features, not item-level controls.

Question 2 (Scenario-based)

A user should be able to view reports but must NOT access the underlying lakehouse or semantic model. Which control should you use?

A. Workspace Viewer role
B. Item-level permissions on the lakehouse and semantic model
C. Row-level security
D. Column-level security

Correct Answer: B

Explanation:

Item-level access allows you to block direct access to specific items even when the user has workspace access.
Viewer role alone may still expose certain metadata.

Question 3 (Multi-select)

Which Fabric items support item-level access control? (Select all that apply.)

A. Lakehouses
B. Warehouses
C. Semantic models
D. Power BI reports

Correct Answers: A, B, C, D

Explanation:

Item-level access can be applied to most Fabric artifacts, including data storage, models, and reports.
This allows fine-grained governance beyond workspace roles.

Question 4 (Scenario-based)

You want data engineers to manage a lakehouse, but analysts should only consume a semantic model built on top of it. What is the BEST approach?

A. Assign Analysts as Workspace Viewers
B. Deny item-level access to the lakehouse for Analysts
C. Use Row-Level Security only
D. Disable SQL endpoint access

Correct Answer: B

Explanation:

Analysts can access the semantic model while being explicitly denied access to the lakehouse via item-level permissions.
This is a common enterprise pattern in Fabric.

Question 5 (Single choice)

Which permission is required for a user to edit or manage an item at the item level?

A. Read
B. View
C. Write
D. Execute

Correct Answer: C

Explanation:

Write permissions allow editing, updating, or managing an item.
Read/View permissions are consumption-only.

Question 6 (Scenario-based)

A user can see a report but receives an error when trying to connect to its semantic model using Power BI Desktop. Why?

A. XMLA endpoint is disabled
B. They lack item-level permission on the semantic model
C. The dataset is in Direct Lake mode
D. The report uses DirectQuery

Correct Answer: B

Explanation:

Viewing a report does not automatically grant access to the underlying semantic model.
Item-level access must explicitly allow it.

Question 7 (Multi-select)

Which statements about workspace access vs item-level access are TRUE? (Select all that apply.)

A. Workspace access automatically grants access to all items
B. Item-level access can further restrict workspace permissions
C. Item-level access overrides Row-Level Security
D. Workspace roles are broader than item-level permissions

Correct Answers: B, D

Explanation:

Workspace roles define baseline access.
Item-level access can tighten restrictions on specific assets.
RLS still applies within semantic models.

Question 8 (Scenario-based)

You want to prevent accidental modification of a production semantic model while still allowing users to query it. What should you do?

A. Assign Viewer role at the workspace level
B. Grant Read permission at the item level
C. Disable the SQL endpoint
D. Remove the semantic model

Correct Answer: B

Explanation:

Read item-level permission allows querying and consumption without edit rights.
This is safer than relying on workspace roles alone.

Question 9 (Single choice)

Which security layer is MOST appropriate for restricting access to entire objects rather than data within them?

A. Row-level security
B. Column-level security
C. Object-level security
D. Item-level access control

Correct Answer: D

Explanation:

Item-level access controls whether a user can access an object at all.
Object-level security applies inside semantic models.

Question 10 (Scenario-based)

A compliance requirement states that only approved users can access notebooks in a workspace. What is the BEST solution?

A. Place notebooks in a separate workspace
B. Apply item-level access controls to notebooks
C. Use Row-Level Security
D. Restrict workspace Viewer access

Correct Answer: B

Explanation:

Item-level access allows targeted restriction without restructuring workspaces.
This is the preferred Fabric governance approach.

Analytics, BI Administration, Data Security, Data Strategy, DP-600, Microsoft Certification, Microsoft Fabric December 28, 2025

Implement Row-Level, Column-Level, Object-Level, and File-Level Access Controls in Microsoft Fabric

This post is a part of the DP-600: Implementing Analytics Solutions Using Microsoft Fabric Exam Prep Hub; and this topic falls under these sections: 
Maintain a data analytics solution 
 --> Implement security and governance
  --> Implement row-level, column-level, object-level, and file-level access control

To Do:
Complete the related module for this topic in the Microsoft Learn course: Secure data access in Microsoft Fabric

Security and governance are foundational responsibilities of a Fabric Analytics Engineer. Microsoft Fabric provides multiple layers of access control to ensure users can only see and interact with the data they are authorized to access. For the DP-600 exam, it is important to understand what each access control type does, where it is applied, and when to use it.

1. Row-Level Security (RLS)

What it is

Row-Level Security (RLS) restricts access to specific rows in a table based on the identity or role of the user querying the data.

Where it is implemented

Power BI semantic models (datasets)
Direct Lake or Import models in Fabric
Applies at query time

How it works

You define DAX filter expressions on tables.
Users are assigned to roles, and those roles determine which rows are visible.
The filtering is enforced automatically whenever the model is queried.

Common use cases

Sales users see only their assigned regions
Managers see only their department’s data
Multi-tenant reporting scenarios

Exam tips

RLS filters rows, not columns
RLS is evaluated dynamically based on user context
Know the difference between static RLS (hard-coded filters) and dynamic RLS (based on USERPRINCIPALNAME or lookup tables)

2. Column-Level Security (CLS)

What it is

Column-Level Security (CLS) restricts access to specific columns within a table, preventing sensitive fields from being exposed.

Where it is implemented

Power BI semantic models
Defined within the model, not in reports

How it works

Columns are marked as hidden for certain roles
Users in those roles cannot query or visualize the restricted columns

Common use cases

Hiding personally identifiable information (PII)
Restricting access to salary, cost, or confidential metrics

Exam tips

CLS does not hide entire rows
Users without access cannot bypass CLS using visuals or queries
CLS is evaluated before data reaches the report layer

3. Object-Level Security (OLS)

What it is

Object-Level Security (OLS) controls access to entire objects within a semantic model, such as:

Tables
Columns
Measures

Where it is implemented

Power BI semantic models in Fabric
Typically managed using external tools or advanced model editing

How it works

Objects are explicitly denied to specific roles
Denied objects are completely invisible to the user

Common use cases

Hiding technical or staging tables
Preventing access to internal calculation measures
Supporting multiple audiences from the same model

Exam tips

OLS is stronger than CLS (objects are invisible, not just hidden)
OLS affects metadata discovery
Users cannot query objects they do not have access to

4. File-Level Access Controls

What it is

File-level access control governs who can access files stored in OneLake, including:

Lakehouse files
Warehouse data
Files accessed via notebooks or Spark jobs

Where it is implemented

OneLake
Workspace permissions
Underlying Azure Data Lake Gen2 permission model

How it works

Permissions are assigned at:
- Workspace level
- Item level (Lakehouse, Warehouse)
- Folder or file level (where applicable)
Uses role-based access control (RBAC)

Common use cases

Restricting raw data access to engineers only
Allowing analysts read-only access to curated zones
Enforcing separation between development and production data

Exam tips

File-level security applies before data reaches semantic models
Workspace roles (Admin, Member, Contributor, Viewer) matter
OneLake follows a centralized storage model across Fabric workloads

Key Comparisons to Remember for the Exam

Security Type	Scope	Enforced At	Typical Use
Row-Level (RLS)	Rows	Query time	User-specific data filtering
Column-Level (CLS)	Columns	Model level	Protect sensitive fields
Object-Level (OLS)	Tables, columns, measures	Model metadata	Hide entire objects
File-Level	Files and folders	Storage/workspace	Control raw and curated data access

How This Fits into Fabric Governance

In Microsoft Fabric, these access controls work together:

File-level security protects data at rest
Object-, column-, and row-level security protect data at the semantic model layer
Workspace roles govern who can create, modify, or consume items

For the DP-600 exam, expect scenario-based questions that test:

Choosing the right level of security
Understanding where security is enforced
Knowing limitations and interactions between security types

Final Exam Tips

If the question mentions who can see which data values, think RLS or CLS.
If it mentions who can see which objects, think OLS.
If it mentions access to files or raw data, think file-level and workspace permissions.

DP-600 Exam Strategy Notes

Security evaluation order (exam favorite):
1. Workspace access
2. Item-level access
3. Object-level security
4. Column-level security
5. Row-level security
Use:
- RLS → Who sees which rows?
- CLS → Who sees which columns?
- OLS → Who sees which tables/measures?
- File-level → Who sees which files?

Practice Questions

Question 1 (Single choice)

Which access control mechanism restricts which rows of data a user can see in a semantic model?

A. Column-level security
B. Object-level security
C. Row-level security
D. Item-level access

Correct Answer: C

Explanation:

Row-level security (RLS) filters rows dynamically based on user identity.
CLS restricts columns, OLS restricts objects, and item-level controls access to the artifact itself.

Question 2 (Scenario-based)

A sales manager should only see sales data for their assigned region across all reports. Which solution should you implement?

A. Column-level security
B. Row-level security with dynamic DAX
C. Object-level security
D. Workspace Viewer role

Correct Answer: B

Explanation:

Dynamic RLS uses functions like USERPRINCIPALNAME() to filter rows per user.
Workspace roles do not filter data.

Question 3 (Multi-select)

Which security types are configured within a Power BI semantic model? (Select all that apply.)

A. Row-level security
B. Column-level security
C. Object-level security
D. File-level security

Correct Answers: A, B, C

Explanation:

RLS, CLS, and OLS are semantic model features.
File-level security applies to OneLake files, not semantic models.

Question 4 (Scenario-based)

You want to prevent users from seeing a Salary column but still allow access to other columns in the table. What should you use?

A. Row-level security
B. Object-level security
C. Column-level security
D. Item-level access

Correct Answer: C

Explanation:

Column-level security hides specific columns from unauthorized users.
RLS filters rows, not columns.

Question 5 (Single choice)

Which access control hides entire tables or measures from users?

A. Row-level security
B. Column-level security
C. Object-level security
D. File-level security

Correct Answer: C

Explanation:

Object-level security (OLS) hides tables, columns, or measures completely.
Users won’t even see them in the field list.

Question 6 (Scenario-based)

A user should be able to query a semantic model but must not see a calculated measure used only internally. Which control is BEST?

A. Column-level security
B. Object-level security
C. Row-level security
D. Workspace permission

Correct Answer: B

Explanation:

OLS can hide measures entirely.
CLS only applies to columns, not measures.

Question 7 (Multi-select)

Which scenarios require file-level access controls in Microsoft Fabric? (Select all that apply.)

A. Restricting access to specific Parquet files in OneLake
B. Limiting access to a lakehouse table
C. Controlling access to raw ingestion files
D. Filtering rows in a semantic model

Correct Answers: A, C

Explanation:

File-level access applies to files and folders in OneLake.
Table and row access are handled elsewhere.

Question 8 (Scenario-based)

A data engineer needs access to raw files in OneLake, but analysts should only see curated tables. What should you implement?

A. Row-level security
B. Column-level security
C. File-level access controls
D. Object-level security

Correct Answer: C

Explanation:

File-level access ensures analysts cannot browse or access raw files.
RLS and CLS don’t apply at the file system level.

Question 9 (Single choice)

Which security type is evaluated first when a user attempts to access data?

A. Row-level security
B. Column-level security
C. Item-level access
D. Object-level security

Correct Answer: C

Explanation:

Item-level access determines whether the user can access the artifact at all.
If denied, other security layers are never evaluated.

Question 10 (Scenario-based)

A user can access a report but receives an error when querying a table directly from the semantic model. What is the MOST likely cause?

A. Missing Row-Level Security role
B. Column-level security blocking access
C. Object-level security hiding the table
D. File-level security restriction

Correct Answer: C

Explanation:

If OLS hides a table, it cannot be queried—even if reports still function.
Reports may rely on cached or abstracted queries.

Analytics, BI Administration, Business Intelligence (BI) Development, Business Intelligence Platform, Data Analysis, Data Governance, Data Quality Assurance, Data Security, DP-600, Microsoft Certification, Microsoft Fabric December 28, 2025

Apply sensitivity labels to items in Microsoft Fabric

This post is a part of the DP-600: Implementing Analytics Solutions Using Microsoft Fabric Exam Prep Hub; and this topic falls under these sections: 
Maintain a data analytics solution 
   --> Implement security and governance
      --> Apply sensitivity labels to items

To Do:
Complete the related module for this topic in the Microsoft Learn course: Secure data access in Microsoft Fabric

Sensitivity labels are a data protection and governance feature in Microsoft Fabric that help organizations classify, protect, and control the handling of sensitive data. They integrate with Microsoft Purview Information Protection and extend data protection consistently across Fabric, Power BI, and Microsoft 365.

For the DP-600 exam, you should understand what sensitivity labels are, how they are applied, what they affect, and how they differ from access controls.

What Are Sensitivity Labels?

Sensitivity labels:

Classify data based on confidentiality and business impact
Travel with the data across supported services
Can trigger protection behaviors, such as encryption or usage restrictions

Common label examples include:

Public
Internal
Confidential
Highly Confidential

Labels are organizationally defined and managed centrally.

Where Sensitivity Labels Come From

Sensitivity labels in Fabric are:

Created and managed in Microsoft Purview
Defined at the tenant level by security or compliance administrators
Made available to Fabric and Power BI through tenant settings

Fabric users apply labels, but typically do not define them.

Items That Can Be Labeled in Microsoft Fabric

Sensitivity labels can be applied to many Fabric items, including:

Semantic models (datasets)
Reports
Dashboards
Dataflows
Lakehouses and Warehouses (where supported)
Exported artifacts (Excel, PowerPoint, PDF)

This makes labeling a cross-workload governance mechanism.

How Sensitivity Labels Are Applied

Labels can be applied:

Manually by item owners or authorized users
Automatically through inherited labeling
Programmatically via APIs (advanced scenarios)

Label Inheritance

In many cases:

Reports inherit the label from their underlying semantic model
Dashboards inherit labels from pinned tiles
Exported files inherit the label of the source item

This inheritance model is frequently tested in exam scenarios.

What Sensitivity Labels Do (and Do Not Do)

What they do:

Classify data for compliance and governance
Enable protection such as:
- Encryption
- Watermarking
- Usage restrictions (e.g., block external sharing)
Travel with data when exported or shared

What they do NOT do:

Grant or restrict user access
Replace workspace, item-level, or data-level security
Filter rows or columns

Key exam distinction:
Sensitivity labels protect data after access is granted.

Sensitivity Labels vs Endorsements

These two concepts are often confused on exams.

Feature	Sensitivity Labels	Endorsements
Purpose	Data protection	Trust and quality
Enforced	Yes	No
Affects behavior	Yes (encryption, sharing rules)	No
Security-related	Yes	Governance guidance

Governance and Compliance Benefits

Sensitivity labels support:

Regulatory compliance (e.g., GDPR, HIPAA)
Data loss prevention (DLP)
Auditing and reporting
Consistent handling of sensitive data across platforms

They are especially important in environments with:

Self-service analytics
Data exports to Excel or PowerPoint
External sharing scenarios

Common Exam Scenarios

You may see questions such as:

A report exported to Excel must remain encrypted → sensitivity label
Data should be classified as confidential but still shared internally → labeling, not access restriction
Users can view data but cannot share externally → label-driven protection
A report automatically inherits its dataset’s classification → label inheritance

Best Practices to Remember

Apply labels at the semantic model level to ensure inheritance
Use sensitivity labels alongside:
- Workspace and item-level access controls
- RLS and CLS
- Endorsements
Review labeling regularly to ensure accuracy
Educate users on selecting the correct label

Key Exam Takeaways

Sensitivity labels classify and protect data
They are defined in Microsoft Purview
Labels can enforce encryption and sharing restrictions
Labels do not control access
Inheritance behavior is important for DP-600 questions

Exam Tips

If a question focuses on classifying, protecting, or controlling how data is shared after access, think sensitivity labels.
If it focuses on who can see the data, think security roles or permissions.
Expect scenario questions involving:
- PII, financial data, or confidential data
- Export restrictions
- Label inheritance
Know the difference between:
- Security (RLS, OLS, item access)
- Governance & compliance (sensitivity labels)
Always associate sensitivity labels with Microsoft Purview

Practice Questions

Question 1 (Single choice)

What is the PRIMARY purpose of applying sensitivity labels to items in Microsoft Fabric?

A. Improve query performance
B. Control row-level data access
C. Classify and protect data based on sensitivity
D. Grant workspace permissions

Correct Answer: C

Explanation:
Sensitivity labels are used for data classification, protection, and governance, not for performance or access control.

Question 2 (Scenario-based)

Your organization requires that all reports containing customer PII automatically display a watermark and restrict external sharing. What feature enables this?

A. Row-level security
B. Sensitivity labels with protection settings
C. Item-level access controls
D. Conditional access policies

Correct Answer: B

Explanation:
Sensitivity labels can apply visual markings, encryption, and sharing restrictions when integrated with Microsoft Purview.

Question 3 (Multi-select)

Which Fabric items can have sensitivity labels applied? (Select all that apply.)

A. Power BI reports
B. Semantic models
C. Lakehouses and warehouses
D. Notebooks

Correct Answers: A, B, C, D

Explanation:
Sensitivity labels can be applied to most Fabric artifacts, enabling consistent governance across analytics assets.

Question 4 (Scenario-based)

A semantic model inherits a sensitivity label from its underlying data source. What does this behavior represent?

A. Manual labeling
B. Label inheritance
C. Workspace-level labeling
D. Object-level security

Correct Answer: B

Explanation:
Label inheritance ensures that downstream artifacts maintain appropriate sensitivity classifications automatically.

Question 5 (Single choice)

Which service must be configured to define and manage sensitivity labels used in Microsoft Fabric?

A. Azure Active Directory
B. Microsoft Defender
C. Microsoft Purview
D. Power BI Admin portal

Correct Answer: C

Explanation:
Sensitivity labels are defined and managed in Microsoft Purview, then applied across Microsoft Fabric and Power BI.

Question 6 (Scenario-based)

A report is labeled Highly Confidential, but a user attempts to export its data to Excel. What is the expected behavior?

A. Export always succeeds
B. Export is blocked or encrypted based on label policy
C. Export ignores sensitivity labels
D. Only row-level security applies

Correct Answer: B

Explanation:
Sensitivity labels can restrict exports, apply encryption, or enforce protection based on policy.

Question 7 (Multi-select)

Which actions can sensitivity labels enforce? (Select all that apply.)

A. Data encryption
B. Watermarks and headers
C. External sharing restrictions
D. Row-level filtering

Correct Answers: A, B, C

Explanation:
Sensitivity labels control protection and compliance, not data filtering.

Question 8 (Scenario-based)

You apply a sensitivity label to a lakehouse. Which downstream artifact is MOST likely to automatically inherit the label?

A. A Power BI report built on the semantic model
B. A notebook in a different workspace
C. An external CSV export
D. An Azure SQL Database

Correct Answer: A

Explanation:
Label inheritance flows through Fabric analytics artifacts, especially semantic models and reports.

Question 9 (Single choice)

Who is typically allowed to apply or change sensitivity labels on Fabric items?

A. Any workspace Viewer
B. Only Microsoft admins
C. Users with sufficient item permissions
D. External users

Correct Answer: C

Explanation:
Users must have appropriate permissions (Contributor/Owner or item-level rights) to apply labels.

Question 10 (Scenario-based)

Your compliance team wants visibility into how sensitive data is used across Fabric. Which feature supports this requirement?

A. Query caching
B. Audit logs
C. Sensitivity labels with Purview reporting
D. Direct Lake mode

Correct Answer: C

Explanation:
Sensitivity labels integrate with Microsoft Purview reporting and auditing for compliance and governance tracking.

BI Administration, Business Intelligence Platform, Data Governance, Data Quality Assurance, Data Security, Data Strategy, DP-600, Microsoft Certification, Microsoft Fabric December 28, 2025

Endorse items in Microsoft Fabric

This post is a part of the DP-600: Implementing Analytics Solutions Using Microsoft Fabric Exam Prep Hub; and this topic falls under these sections: 
Maintain a data analytics solution 
    --> Implement security and governance 
        --> Endorse items

To Do:
Complete the related module for this topic in the Microsoft Learn course: Secure data access in Microsoft Fabric

Item endorsement is a governance feature in Microsoft Fabric that helps organizations identify trusted, high-quality, and officially supported analytics assets. Endorsements guide users toward the right data and reports, reduce duplication, and promote consistent decision-making.

For the DP-600 exam, you should understand what endorsement is, the types of endorsements available, who can apply them, and how endorsements affect user behavior (not security).

What Does It Mean to Endorse an Item?

Endorsing an item signals to users that the content is:

Reliable
Well-maintained
Appropriate for reuse and decision-making

Endorsement is not a security mechanism. It does not grant or restrict access—it provides trust and visibility cues within the Fabric experience.

Endorsements can be applied to:

Semantic models (datasets)
Reports
Dashboards
Other supported Fabric items

Types of Endorsements

Microsoft Fabric supports three endorsement states:

1. None

There is no endorsement on the content.

2. Promoted

Promoted items are considered:

Useful
Reviewed
Suitable for reuse

Key characteristics:

Any item owner can promote their own content
Indicates quality, but not official certification
Common for team-approved or department-level assets

Typical use cases

A curated dataset used by multiple analysts
A well-designed report shared across a department

3. Certified

Certified items represent the highest level of trust.

Key characteristics:

Only authorized users (often admins or designated certifiers) can certify
Indicates the item meets organizational standards for:
- Data quality
- Governance
- Security
Intended for enterprise-wide consumption

Typical use cases

Official financial reporting datasets
Executive dashboards
Enterprise semantic models

Who Can Endorse Items?

Promoted: Item owners
Certified: Users authorized by Fabric or Power BI tenant settings (often admins or data stewards)

This distinction is important for the exam: not everyone can certify content, even if they own it.

Where Endorsements Appear

Endorsements are visible across the Fabric and Power BI experiences:

In search results
In lineage view
In the data hub
When users select data sources for report creation

Certified items are typically:

Ranked higher
More visible
Preferred in self-service analytics workflows

Endorsements vs Security Controls

A common exam trap is confusing endorsements with access control.

Feature	Endorsement	Access Control
Purpose	Trust and quality	Security and restriction
Limits access?	No	Yes
Affects visibility	Yes	Yes
Enforced by system	No (informational)	Yes (mandatory)

The “Make discoverable” setting

Within the selection settings dialog for Endorsement, there is also a selection option for “Make discoverable“. This option, when selected, allows users to discover the content even if they do not have access to it, and they can then request access.

Summary table

Endorsement and Discovery state	What it is	Who can do it	Typical Use Cases
None	There is no endorsement on the content
Promoted	The content is endorsed/flagged as Promoted Promoted items are considered: – Useful – Reviewed – Suitable for reuse Key characteristics: – Any item owner can promote their own content – Indicates quality, but not official certification – Common for team-approved or department-level assets	– Users can assign “Promoted” without any specific admin settings. – Users can “Promote” as long as they have write permissions on a semantic model.	– A curated dataset used by multiple analysts – A well-designed report shared across a department
Certified	The content is endorsed/flagged as Certified. Certified items represent the highest level of trust. Key characteristics: – Only authorized users (often admins or designated certifiers) can certify – Indicates the item meets organizational standards for: Data quality, Governance, and Security – Intended for enterprise-wide consumption	“Certification” requires admin approval to be able to set it.	– Official financial reporting datasets – Executive dashboards – Enterprise semantic models
Make discoverable	The content is endorsed/flagged as Findable. And the discoverability can be set for selected users, the entire company, or all except selected users.		Make content discoverable even to those that do not currently have access, so that they become aware it’s available and can request access to it.

Key takeaway:
A user must still have workspace or item-level access to use an endorsed item.

Role of Endorsements in Governance

Endorsements support governance by:

Encouraging reuse of approved assets
Reducing “shadow BI”
Helping users choose the right data source
Aligning self-service analytics with enterprise standards

They are especially important in large Fabric environments with:

Many workspaces
Multiple datasets covering similar subject areas
Mixed technical and business users

Common Exam Scenarios

Expect questions such as:

When to use Promoted vs Certified
Who is allowed to certify an item
Whether certification affects access permissions (it does not)
How endorsements support discoverability and trust

Example scenario:

Business users are building reports from multiple datasets and need guidance on which one is authoritative.
Correct concept: Certified semantic models.

Best Practices to Remember

Promote items early to guide reuse
Reserve certification for high-value, governed assets
Combine endorsements with:
- Clear workspace organization
- Descriptions and documentation
- Proper access controls
Review certifications periodically to ensure relevance

Key Exam Takeaways

Endorsements indicate trust, not permission
Two endorsement levels: Promoted and Certified
Certification requires special authorization
Endorsements improve discoverability and governance in Fabric

Final Exam Tips

If a question is about helping users identify trusted or official data, think endorsements.
If it’s about restricting access, think workspace, item-level, or data-level security.
Know the difference between Promoted and Certified
Expect scenario questions about:
- Data trust
- Self-service vs governed BI
- Discoverability in Data hub
Remember:
- Endorsements ≠ security
- Endorsements ≠ performance tuning
Certification permissions are centrally controlled

Link to documentation on this topic: Endorse your content

Practice Questions

Question 1 (Single choice)

What is the PRIMARY purpose of endorsing items in Microsoft Fabric?

A. Improve dataset refresh performance
B. Control data access permissions
C. Identify trusted and authoritative content
D. Apply compliance policies

Correct Answer: C

Explanation:
Endorsements help users quickly identify reliable, trusted content such as official semantic models and reports.

Question 2 (Multi-select)

Which endorsement types are available in Microsoft Fabric? (Select all that apply.)

A. Certified
B. Promoted
C. Verified
D. Approved

Correct Answers: A, B

Explanation:
Fabric supports Promoted and Certified endorsements. “Verified” and “Approved” are not valid endorsement types.

Question 3 (Scenario-based)

A business analyst creates a report that is useful but not officially validated. What endorsement is MOST appropriate?

A. Certified
B. Promoted
C. Deprecated
D. Restricted

Correct Answer: B

Explanation:
Promoted indicates content that is useful and recommended, but not formally governed or validated.

Question 4 (Scenario-based)

Your organization wants only centrally governed semantic models to be marked as official sources of truth. Which endorsement should be used?

A. Promoted
B. Shared
C. Certified
D. Published

Correct Answer: C

Explanation:
Certified content represents authoritative, validated data assets approved by data owners or governance teams.

Question 5 (Single choice)

Who can typically certify an item in Microsoft Fabric?

A. Any workspace Member
B. Only the item creator
C. Users authorized by tenant or workspace settings
D. External users

Correct Answer: C

Explanation:
Certification is restricted and controlled by tenant-level or workspace-level governance policies.

Question 6 (Multi-select)

Which Fabric items can be endorsed? (Select all that apply.)

A. Semantic models
B. Reports
C. Dashboards
D. Dataflows Gen2

Correct Answers: A, B, D

Explanation:
Semantic models, reports, and dataflows can be endorsed. Dashboards are less commonly emphasized in Fabric exam contexts.

Question 7 (Scenario-based)

A user searches for datasets in the Data hub. How do endorsements help in this scenario?

A. They hide non-endorsed items
B. They improve query performance
C. They help users identify trusted content
D. They automatically grant access

Correct Answer: C

Explanation:
Endorsements improve discoverability and trust, not access or performance.

Question 8 (Single choice)

What is the relationship between endorsements and security?

A. Endorsements enforce access controls
B. Endorsements replace RLS
C. Endorsements are independent of security
D. Endorsements automatically grant read access

Correct Answer: C

Explanation:
Endorsements do not control access. Security must be handled separately via permissions and access controls.

Question 9 (Scenario-based)

Your organization wants users to prefer centrally curated datasets without blocking self-service models. What approach BEST supports this?

A. Apply row-level security
B. Disable dataset creation
C. Certify governed datasets
D. Use Direct Lake mode

Correct Answer: C

Explanation:
Certifying official datasets encourages reuse while still allowing self-service analytics.

Question 10 (Fill in the blank)

In Microsoft Fabric, ________ items represent fully validated and authoritative content, while ________ items indicate recommended but not formally governed content.

Correct Answer:
Certified, Promoted

Explanation:
Certified = authoritative source of truth
Promoted = useful and recommended, but not governed

BI Administration, Business Intelligence, Business Intelligence (BI) Development, Business Intelligence Platform, Data Development, Data Governance, Data Quality Assurance, Data Security, Data Strategy, DP-600, Microsoft Certification, Microsoft Fabric December 28, 2025

Configure version control for a workspace in Microsoft Fabric

This post is a part of the DP-600: Implementing Analytics Solutions Using Microsoft Fabric Exam Prep Hub; and this topic falls under these sections: 
Maintain a data analytics solution 
    --> Maintain the analytics development lifecycle 
        --> Configure version control for a workspace

Version control in Microsoft Fabric enables teams to track changes, collaborate safely, and manage the lifecycle of analytics assets using source control practices. Fabric integrates workspace items with Git repositories, bringing DevOps discipline to analytics development.

For the DP-600 exam, you should understand how Git integration works in Fabric, what items are supported, how changes flow, and common governance scenarios.

What Is Workspace Version Control in Fabric?

Workspace version control allows you to:

Connect a Fabric workspace to a Git repository
Store item definitions as code artifacts
Track changes through commits, branches, and pull requests
Support collaborative and auditable development

This capability is often referred to as Git integration for Fabric workspaces.

Supported Source Control Platform

Microsoft Fabric supports:

Azure DevOps (ADO) Git repositories

Key points:

GitHub support is limited or evolving (exam questions typically reference Azure DevOps)
Repositories must already exist
Authentication is handled via Microsoft Entra ID

Exam note: Expect Azure DevOps to be the default answer unless stated otherwise.

What Items Can Be Version Controlled?

Common Fabric items that support version control include:

Semantic models
Reports
Lakehouses
Warehouses
Notebooks
Data pipelines
Dataflows Gen2

Items are serialized into files and folders in the Git repo, allowing:

Diffing
History tracking
Rollbacks

How to Configure Version Control for a Workspace

At a high level, the process is:

Open the Fabric workspace settings
Enable Git integration
Select:
- Azure DevOps organization
- Project
- Repository
- Branch
Choose a workspace folder structure
Initialize synchronization

Once configured:

Workspace changes can be committed to Git
Repo changes can be synced back into the workspace

How Changes Flow Between Workspace and Git

From Workspace to Git

Users make changes in Fabric (e.g., update a report)
Changes are committed to the connected branch
Commit history tracks who changed what and when

From Git to Workspace

Changes merged into the branch can be pulled into Fabric
Enables controlled deployment across environments

Important exam concept:
Synchronization is not automatic—users must explicitly commit and sync.

Branching and Environment Strategy

A common lifecycle pattern:

Development workspace → linked to a dev branch
Test workspace → linked to a test branch
Production workspace → linked to a main branch

This supports:

Code reviews
Pull requests
Controlled promotion of changes

Permissions and Governance Considerations

To configure and use version control:

Users need sufficient workspace permissions (typically Admin or Member)
Users also need Git repository access
Git permissions are managed outside Fabric

Version control complements—but does not replace:

Workspace-level access controls
Item-level permissions
Endorsements and sensitivity labels

Benefits of Version Control in Fabric

Version control enables:

Collaboration among multiple developers
Change traceability and auditability
Rollback of problematic changes
CI/CD-style deployment patterns
Alignment with enterprise DevOps practices

These benefits are a frequent theme in DP-600 scenario questions.

Common Exam Scenarios

You may be asked to:

Identify when Git integration is appropriate
Choose the correct platform for source control
Understand how changes move between Git and Fabric
Design a dev/test/prod workspace strategy
Troubleshoot why changes are not reflected (sync not performed)

Example:

Multiple developers need to work on the same semantic model with change tracking.
Correct concept: Configure workspace version control with Git.

Key Exam Takeaways

Fabric supports Git-based version control at the workspace level
Azure DevOps is the primary supported platform
Changes require explicit commit and sync
Version control supports structured development and deployment
It is a core part of the analytics development lifecycle

Exam Tips

If a question mentions tracking changes, collaboration, rollback, or DevOps practices, think workspace version control with Git.
If it mentions moving changes between environments, think branches and multiple workspaces.
Know who can configure it → Workspace Admins
Understand Git integration flow
Expect scenario questions comparing:
- Git vs deployment pipelines
- Collaboration vs governance
Remember:
- JSON-based artifacts
- Not all items are supported
- No automatic commits

Practice Questions

Question 1 (Single choice)

What is the PRIMARY purpose of configuring version control for a Fabric workspace?

A. Improve query execution performance
B. Enable collaboration, change tracking, and rollback
C. Enforce row-level security
D. Automatically deploy content to production

Correct Answer: B

Explanation:
Version control enables source control integration, allowing teams to track changes, collaborate safely, and roll back when needed.

Question 2 (Multi-select)

Which version control systems can be integrated with Microsoft Fabric workspaces? (Select all that apply.)

A. Azure DevOps Git repositories
B. GitHub repositories
C. OneDrive for Business
D. SharePoint document libraries

Correct Answers: A, B

Explanation:
Fabric supports Git integration using Azure DevOps and GitHub. OneDrive and SharePoint are not supported for workspace version control.

Question 3 (Scenario-based)

A team wants to manage Power BI reports, semantic models, and dataflows using pull requests and branching. What should they configure?

A. Deployment pipelines
B. Sensitivity labels
C. Workspace version control with Git
D. Incremental refresh

Correct Answer: C

Explanation:
Git-based workspace version control enables branching, pull requests, and code reviews.

Question 4 (Single choice)

Which workspace role is REQUIRED to configure version control for a workspace?

A. Viewer
B. Contributor
C. Member
D. Admin

Correct Answer: D

Explanation:
Only workspace Admins can connect a workspace to a Git repository.

Question 5 (Scenario-based)

After connecting a workspace to a Git repository, where are Fabric items stored?

A. As binary files
B. As JSON-based artifact definitions
C. As SQL scripts
D. As Excel files

Correct Answer: B

Explanation:
Fabric artifacts are stored as JSON files, making them suitable for source control and comparison.

Question 6 (Multi-select)

Which items can be included in workspace version control? (Select all that apply.)

A. Reports
B. Semantic models
C. Dataflows Gen2
D. Dashboards

Correct Answers: A, B, C

Explanation:
Reports, semantic models, and dataflows are supported. Dashboards are typically excluded from version control scenarios.

Question 7 (Scenario-based)

A developer modifies a semantic model directly in the Fabric workspace while Git integration is enabled. What happens NEXT?

A. The change is automatically committed
B. The change is rejected
C. The workspace shows uncommitted changes
D. The change is immediately deployed to production

Correct Answer: C

Explanation:
Changes made in the workspace appear as pending/uncommitted changes until explicitly committed to the repository.

Question 8 (Single choice)

What is the relationship between workspace version control and deployment pipelines?

A. They are the same feature
B. Version control replaces deployment pipelines
C. They complement each other
D. Deployment pipelines require version control

Correct Answer: C

Explanation:
Version control handles source management, while deployment pipelines manage promotion across environments.

Question 9 (Scenario-based)

Your organization wants to prevent accidental overwrites when multiple developers edit the same item. Which feature BEST helps?

A. Row-level security
B. Sensitivity labels
C. Git branching and pull requests
D. Incremental refresh

Correct Answer: C

Explanation:
Git workflows enable controlled collaboration through branches, reviews, and merges.

Question 10 (Fill in the blank)

When version control is enabled, Fabric workspace changes must be ________ to the repository and ________ to update the workspace from Git.

Correct Answer:
Committed, synced (or pulled)

Explanation:
Changes flow both ways:

Commit workspace → Git
Sync Git → workspace