Essential Fabric Tenant Settings
Configure essential Microsoft Fabric tenant settings for security, governance, and optimal performance. Admin guide for enterprise Fabric environments.
Fabric tenant settings control which features and capabilities are available across your entire organization. These settings are the primary governance control plane for Microsoft Fabric—they determine who can create workspaces, what data can be exported, which AI features are enabled, and how external sharing works. Misconfiguring tenant settings is the most common cause of both security incidents and user frustration in Fabric environments.
Accessing and Managing Tenant Settings
Tenant settings are managed through the Fabric admin portal. Navigate to Settings (gear icon) > Admin portal > Tenant settings. Only users with the Fabric Administrator role, Power BI Administrator role, or Global Administrator role can view and modify these settings.
Change Management: Every tenant setting change affects all users in your organization. Before modifying settings, document the current state, communicate planned changes to affected teams, test in a non-production environment when possible, and schedule changes during low-usage periods to minimize disruption.
Critical Security Settings
Export and Sharing Controls
These settings control how data leaves your Fabric environment:
**Export to Excel**: Controls whether users can export data from Power BI visuals to Excel. For compliance-sensitive environments in healthcare (HIPAA, SOC 2), restrict this to specific security groups. Unrestricted Excel export is the most common data leakage vector in Power BI.
Print Dashboards and Reports: Controls the ability to print or export to PDF. Consider restricting for workspaces containing PII or PHI data.
Embed Content in Apps: Determines who can create embed codes for websites. Unrestricted embed permissions allow users to expose reports publicly without review. Restrict to the embedding development team.
Publish to Web: The most dangerous export setting. "Publish to web" creates a publicly accessible URL with no authentication. Disable this for all users in enterprise environments—there is virtually no enterprise use case that justifies the security risk.
| Setting | Recommended Default | Exception Groups | |---|---|---| | Export to Excel | Specific security groups | Analyst teams with data handling training | | Print dashboards | Enabled (organization) | Restrict for HIPAA workspaces | | Embed content | Specific security groups | Embedding development team only | | Publish to web | Disabled (entire org) | None—use embedding instead | | Download reports (.pbix) | Specific security groups | Developer teams only |
External Sharing and Collaboration
B2B Sharing: Controls whether users can share Power BI content with external Azure AD users. Enable only for specific security groups that have legitimate external collaboration needs. Configure granularly—sharing a dashboard view is lower risk than sharing the underlying dataset.
Guest User Access: Determines what guest users can do in your Fabric environment. Restrict guests to Viewer role only. Never allow guest users to create content or access raw data without explicit compliance review.
External Data Sharing: Controls whether Fabric data can be shared with external organizations through OneLake cross-tenant sharing. Disable by default and enable only for approved data sharing agreements.
Developer and Creation Settings
Workspace Creation
Create Workspaces: Controls who can create Fabric workspaces. Unrestricted workspace creation leads to sprawl—hundreds of workspaces with no owner, no governance, and no cleanup schedule. Restrict workspace creation to designated workspace administrators or a request-based provisioning process.
Use Fabric Items: Controls which Fabric item types (lakehouses, warehouses, notebooks, etc.) users can create. For organizations new to Fabric, enable items incrementally as teams are trained. Start with Power BI items (reports, semantic models), then enable data engineering items (lakehouses, notebooks) for data engineering teams.
External Tool Access
XMLA Endpoint: Controls read/write access to semantic models via XMLA protocol, used by external tools like Tabular Editor, DAX Studio, and ALM Toolkit. Enable read access for all developers; restrict write access to senior developers who manage production models.
Service Principal Access: Determines whether service principals can use Fabric APIs. Enable for specific security groups containing application service principals. Required for automated CI/CD pipelines and embedding applications.
AI and Copilot Settings
Copilot Configuration
Enable Copilot and Other AI Features: Master switch for all AI capabilities in Fabric. When enabled, users can use Copilot in Power BI, natural language query features, and AI-powered suggestions.
**Data Sent to AI Services**: Controls what data Copilot can access when generating responses. In regulated industries such as healthcare and government, review this setting carefully with your compliance team. Copilot sends schema metadata and sample data rows to Azure OpenAI services for processing.
Copilot for Report Authoring: Specific control for whether Copilot can generate report pages. Enable for report developers but consider disabling for consumers who might generate misleading analyses.
Capacity and Performance Settings
Autoscale: Configures automatic capacity scaling during high demand. Set maximum scale limits to prevent runaway costs. Enable autoscale for production capacities; disable for development capacities where pausing is preferred.
Interactive and Background Workload Limits: Controls the percentage of capacity allocated to interactive queries (user-facing dashboards) versus background jobs (scheduled refreshes, pipeline runs). Default is balanced, but production capacities serving many concurrent users should favor interactive workloads (70% interactive, 30% background).
Governance Best Practices
Start Restrictive, Open Gradually: Enable features for the entire organization only after piloting with specific security groups. The sequence: pilot group validates the feature, documentation and training materials are created, settings are opened to broader groups, monitoring confirms no security or performance issues.
Security Group Strategy: Create a hierarchy of security groups: Fabric-Admins (tenant settings access), Fabric-Developers (workspace creation, XMLA write), Fabric-Analysts (export to Excel, external tool read), Fabric-Consumers (default, view-only). Map tenant settings to these groups consistently.
Quarterly Review Cycle: Review all tenant settings quarterly. Features you disabled at initial deployment may now be appropriate to enable. Features you enabled broadly may need restriction based on usage patterns or new compliance requirements.
Documentation: Maintain a settings registry documenting every non-default tenant setting with the justification, the approving authority, and the review date. This registry is essential for compliance audits (SOC 2, HIPAA) and for onboarding new administrators.
Related Resources
Frequently Asked Questions
Who can change Fabric tenant settings?
Only Fabric administrators and Global administrators can modify tenant settings. These settings affect all users in the organization, so changes should be made carefully and documented.
Can I apply settings to specific groups?
Yes, many tenant settings can be scoped to specific security groups. This allows piloting features with selected users before organization-wide rollout.