Governance: Labels, Endorsement & Audit
Apply sensitivity labels, endorse trusted items, track activity with audit logs, and configure OneLake security for enterprise governance.
What is Fabric governance?
Think of a library’s classification system.
Every book has a label (fiction, reference, restricted). Some books get a “Staff Pick” sticker (endorsed). The library keeps a log of who borrowed what (audit trail). And the reading room has rules about who can photocopy which sections (data access policy).
Fabric governance is that system for your data platform. Sensitivity labels classify items by confidentiality. Endorsement marks items as trusted. Audit logs track who did what. And OneLake security controls data access at the storage layer.
Sensitivity labels
Sensitivity labels from Microsoft Purview can be applied to Fabric items — lakehouses, warehouses, reports, notebooks, pipelines, and more.
What labels do in Fabric
| Capability | How It Works |
|---|---|
| Classification | Visual tag showing the sensitivity level (Public, General, Confidential, Highly Confidential) |
| Downstream inheritance | Items built on a labeled source (a report on a labeled lakehouse, for example) receive the source label automatically; the behaviour is switched on per tenant |
| Export protection | Data exported to Excel or PDF carries the label with it; if the label's policy includes encryption, the exported file is encrypted as well |
| Mandatory labeling | Tenant setting requires a label on every item — no unlabeled content allowed |
| Default labels | New items automatically receive a default label (e.g., “General”) |
Label hierarchy and inheritance
Lakehouse (Confidential)
→ Pipeline reads from it (inherits Confidential)
→ Report built on it (inherits Confidential)
→ Export to Excel (encrypted, Confidential label in file)
Labels flow downstream, from data source to consumer. Inheritance never lowers an existing label, so the highest-priority (most restrictive) label in the chain is the one that applies.
Scenario: Ibrahim enforces mandatory labeling
Ibrahim enables mandatory labeling for all Nexus Financial workspaces. Every new item must carry a sensitivity label before it can be saved. He sets the default label to “General”: engineers can raise an item to “Confidential” or “Highly Confidential” at will, but lowering a label requires a justification under the label policy, and the change itself lands in the audit log.
When the compliance team creates a lakehouse with trading data, they apply “Highly Confidential.” Every report, notebook, and pipeline that touches this data automatically inherits the label.
Endorsement
Endorsement is Fabric’s trust signal. It tells consumers: “this item has been vetted.”
| Level | Promoted | Certified |
|---|---|---|
| Who can apply | Anyone with write permission on the item (Contributor, Member or Admin) | Only designated certifiers (a security group set by the tenant admin) who also hold write permission on the item |
| Visual indicator | Blue badge | Green badge with checkmark |
| Trust level | Good quality, ready for use | Verified, authoritative — the gold standard |
| Typical use | Team-level — this dataset is ready for our team | Org-level — this is the official source of truth |
| Discoverability | Appears in endorsed filter in data hub | Appears at the top of endorsed results |
Exam tip: Who can certify?
Only users designated as certifiers by the Fabric tenant admin can apply the “Certified” badge. This is an explicit tenant-level permission, not something inherited from any workspace role: even a workspace Admin cannot certify an item unless they are in the certifiers group (and certifiers still need write permission on the item they certify).
Promotion is deliberately looser: anyone with write permission on the item (Contributor, Member or Admin) can promote it.
Audit logs
Fabric generates detailed audit logs that flow into the Microsoft 365 unified audit log. They can be searched in the Microsoft Purview compliance portal, pulled with PowerShell, or collected programmatically through the Office 365 Management Activity API.
What’s logged
| Category | Examples |
|---|---|
| Item operations | Create, update, delete items (lakehouses, pipelines, notebooks) |
| Data access | SQL queries, Spark reads, OneLake API access |
| Admin actions | Workspace settings changes, capacity assignments, role changes |
| Security events | Permission grants/revokes, sensitivity label changes, sharing |
| Pipeline runs | Start, complete, fail — including activity-level details |
Accessing audit logs
| Method | Best For |
|---|---|
| Purview compliance portal | Manual investigation — search by user, date, activity |
| PowerShell (`Search-UnifiedAuditLog`, ExchangeOnlineManagement module) | Scripted searches and exports for a named user or time window |
| Office 365 Management Activity API | Automated ingestion into SIEM tools (Sentinel, Splunk) |
| Fabric Monitoring Hub | Quick view of recent workspace activity (not full audit depth) |
Scenario: Ibrahim investigates a data export
The compliance team at Nexus Financial detects that a large dataset was exported from the trading lakehouse. Ibrahim searches the audit log:
- Activity: Export to CSV
- User: david@nexusfinancial.com
- Item: FactTrades lakehouse
- Timestamp: Saturday 2:14 AM
- Sensitivity label: Highly Confidential
The Saturday timing and the sensitivity level trigger an investigation. Ibrahim pulls the full audit trail for David’s account over the past 30 days using PowerShell.
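The PowerShell pull Ibrahim runs, written out as an added example for this page rather than code from the course: it pages through 30 days of the user's activity, keeps the raw records verbatim for the legal team, then flattens the common-schema fields every Management Activity record carries and flags exports that happened on a weekend or outside business hours. It assumes the ExchangeOnlineManagement module, an account holding the View-Only Audit Logs role, a Windows output path, and that the tenant's export activities contain "Export" or "Download" in their operation names (check the activity names in the Purview portal before relying on that match).

```powershell
# Added example (not Microsoft's or the course's code): 30-day audit pull for one
# user, off-hours export triage, and CSV evidence for legal.
# Requires: ExchangeOnlineManagement module, View-Only Audit Logs role.
Connect-ExchangeOnline

$user   = "david@nexusfinancial.com"
$end    = Get-Date
$start  = $end.AddDays(-30)
$outDir = "C:\Investigations\david-30d"     # assumption: Windows path
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# One session id for the whole pull; ReturnLargeSet pages through up to 50,000
# records and the cmdlet returns nothing once the session is exhausted.
$session = "david-30d-" + [guid]::NewGuid()
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $user `
        -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while ($page)

# Keep the raw records as delivered: AuditData is the service's own JSON and
# legal will want that, not our interpretation of it.
$records | Select-Object CreationDate, UserIds, RecordType, Operations, AuditData |
    Export-Csv -Path (Join-Path $outDir "raw-audit.csv") -NoTypeInformation

# Flatten the common-schema fields present in every Management Activity record.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc   = [datetime]::SpecifyKind([datetime]$d.CreationTime, 'Utc')
        Operation = $d.Operation
        Workload  = $d.Workload
        ObjectId  = $d.ObjectId
        ClientIP  = $d.ClientIP
        Result    = $d.ResultStatus
    }
}

# Triage rule: an export or download on a weekend or outside 07:00-19:00 local.
# Operation names differ by workload, so the match is loose (assumption).
$flagged = $events | Where-Object {
    $local = $_.TimeUtc.ToLocalTime()
    ($_.Operation -match 'Export|Download') -and
    ($local.DayOfWeek -in 'Saturday', 'Sunday' -or $local.Hour -lt 7 -or $local.Hour -ge 19)
}

$flagged | Sort-Object TimeUtc |
    Export-Csv -Path (Join-Path $outDir "flagged-exports.csv") -NoTypeInformation

"{0} records pulled, {1} off-hours exports flagged" -f $records.Count, @($flagged).Count
```

Two files come out: `raw-audit.csv` is the evidence, `flagged-exports.csv` is the analyst's reading of it. Keeping them separate matters when the results go to legal, because the raw `AuditData` column can be re-parsed independently if the triage rule is ever questioned.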
OneLake security posture
OneLake security is the storage-layer complement to workspace and item permissions. It controls:
| Setting | Scope |
|---|---|
| OneLake data access | Whether external tools can read workspace data via ADLS Gen2 endpoints |
| External data sharing | Whether shortcuts from other tenants can access this workspace’s OneLake data |
| Folder-level security | Per-folder read restrictions within a lakehouse (covered in the previous module) |
Exam tip: OneLake security vs workspace permissions
Workspace permissions control who can access Fabric items. OneLake security controls who can access the underlying storage. A user might have Viewer access to a lakehouse item but be blocked from reading OneLake files directly if OneLake data access is disabled.
Think of it as two doors: workspace permission opens the Fabric portal door; OneLake security opens the storage API door.
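A direct way to test the second door, added here as an example and not part of the course: call OneLake's ADLS Gen2 endpoint as a user who already has Viewer access to the lakehouse in the portal. If the listing succeeds, storage-layer access is open for that path; a 401 or 403 means the portal door is open but the storage API door is shut. It assumes the Azure CLI is installed and signed in as the user under test, that the workspace and item are given as GUIDs (placeholders below), and that a denied read comes back as 401 or 403.

```powershell
# Added example (not Microsoft's or the course's code): probe OneLake's storage
# API as the current user. Requires Azure CLI logged in as the user under test.
$workspaceId = "<workspace-guid>"   # placeholder: workspace id from the portal URL
$itemId      = "<lakehouse-guid>"   # placeholder: lakehouse item id

# OneLake speaks the ADLS Gen2 DFS API, so the token audience is Azure Storage.
$token = az account get-access-token --resource "https://storage.azure.com" --query accessToken -o tsv

# ADLS Gen2 "Path - List" on the lakehouse's Files folder; no Fabric portal involved.
$uri = "https://onelake.dfs.fabric.microsoft.com/$workspaceId" +
       "?resource=filesystem&recursive=false&directory=$itemId/Files"
$headers = @{
    Authorization  = "Bearer $token"
    'x-ms-version' = '2021-08-06'   # assumption: any recent DFS API version is accepted
}

try {
    $resp = Invoke-WebRequest -Uri $uri -Method Get -Headers $headers
    "Storage door OPEN (HTTP $($resp.StatusCode)): direct OneLake reads work for this path"
    ($resp.Content | ConvertFrom-Json).paths | Select-Object name, isDirectory, contentLength
} catch {
    $code = $_.Exception.Response.StatusCode.value__
    if ($code -in 401, 403) {
        "Storage door CLOSED (HTTP $code): the item may still open in the portal, but OneLake denies direct reads"
    } else {
        throw   # a different failure (bad GUID, network, expired token) deserves the real error
    }
}
```

Run it once as a user who can open the lakehouse in Fabric and once after toggling the OneLake data access setting, and the two results show the two doors operating independently. Because the same 403 also appears when the caller has no item permission at all, the test is only meaningful for a user whose portal access you have already confirmed.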
A workspace Member wants to certify a lakehouse as the official source of truth for the organisation. They apply the Certified badge but get an error. Why?
Ibrahim needs to investigate who accessed a Highly Confidential lakehouse over the past 30 days and export the results for the legal team. Which approach is most appropriate?
Next up: Orchestration: Pick the Right Tool — when to use Dataflows Gen2, pipelines, or notebooks for your data workflow.