When exactly will OneLake Security reach GA?

Microsoft has indicated OneLake Security will reach general availability in 2026 but has not announced a specific date. Current expectations are for a release in the first half of 2026. Organizations should begin planning their OneLake Security implementations now to be ready when GA is announced.

Will OneLake Security work with existing Power BI RLS?

Yes, OneLake Security is designed to be compatible with existing Power BI Row-Level Security (RLS) implementations. When you migrate to OneLake Security, your existing RLS rules can be ported to the OneLake layer, where they will apply universally across all access methods (Power BI, SQL, Spark, APIs). This provides a migration path that preserves your investment in existing security configurations.

Does OneLake Security meet HIPAA and GDPR requirements?

OneLake Security provides the technical controls necessary for HIPAA and GDPR compliance, including Row-Level Security (RLS), Column-Level Security (CLS), Object-Level Security (OLS), comprehensive audit logging, and encryption. However, compliance also requires proper implementation, governance policies, and organizational procedures. Our Microsoft Fabric consulting team helps organizations implement OneLake Security to meet specific regulatory requirements.

OneLake Security Reaches GA in 2026: Enterprise-Ready Data Lake Security

Microsoft OneLake Security is reaching general availability (GA) in 2026, marking a watershed moment for enterprise adoption of Microsoft Fabric. This release brings a robust, unified security model across the entire Fabric platform, eliminating the complexity of managing different security layers for data warehouses, lakehouses, and analytics endpoints.

For organizations in regulated industries—healthcare, financial services, government—this represents the breakthrough they've been waiting for.

Why OneLake Security GA Matters

The Enterprise Security Challenge

Traditional data platforms force organizations to implement security at multiple layers: - Data Lake security (storage layer) - Data warehouse security (query engine layer) - BI tool security (reporting layer) - API security (programmatic access layer)

Each layer has different security models, creating complexity and increasing the risk of security gaps.

The OneLake Promise: Unified Security

With OneLake Security, you define security once, and it applies everywhere: - Power BI reports - SQL Analytics Endpoint - Spark notebooks - Data pipelines - API access - External applications

No matter how users or applications access the data, the same security rules apply automatically.

Core OneLake Security Features

1. Row-Level Security (RLS)

Filter data rows based on user identity, ensuring users only see data they're authorized to access.

#### Example: Sales Rep Access

dax // Sales reps see only their own customers [Sales Rep Email] = USERPRINCIPALNAME()

When a sales rep queries customer data through: - Power BI reports → Filtered to their customers - SQL queries → Filtered to their customers - Spark notebooks → Filtered to their customers - Data pipelines → Filtered to their customers

One rule, applied consistently everywhere.

#### Example: Regional Manager Access

dax // Regional managers see customers in their region [Region] IN VALUES('User Security'[Authorized Regions])

RLS supports complex scenarios with role tables, many-to-many relationships, and dynamic filtering based on user attributes.

Learn more about implementing Row-Level Security.

2. Column-Level Security (CLS)

Hide sensitive columns from users who shouldn't see them, even if they have access to the table.

#### Example: HR Data Protection

Table: Employees Hide Columns: - Salary (from non-HR users) - Social Security Number (from all users except payroll) - Performance Rating (from non-managers)

#### How CLS Works

When a non-HR user queries the Employees table: - They see Name, Department, Title, Hire Date - They don't see Salary, SSN, or Performance Rating - Queries that reference hidden columns return an error - Hidden columns don't appear in table schemas or metadata

Critical for compliance: GDPR, HIPAA, and other regulations often require column-level protection for personally identifiable information (PII).

3. Object-Level Security (OLS)

Hide entire tables, views, or Fabric items from users who shouldn't know they exist.

#### Example: Financial Data Separation

Hide from non-finance users: - Financial_Forecasts table - Salary_Budget table - Executive_Compensation view

Users without permission: - Cannot see these objects in metadata - Cannot query them (even indirectly through relationships) - Don't receive error messages revealing their existence

This is crucial for data minimization compliance where regulations require limiting data exposure to only what users need.

4. Dynamic Security

Security rules adapt based on user attributes from Azure Active Directory (AAD) or custom security tables.

#### Example: Multi-Tenant SaaS

dax // Users see only data for their company [Company ID] = LOOKUPVALUE( 'User Security'[Company ID], 'User Security'[User Email], USERPRINCIPALNAME() )

Security automatically adjusts when: - Users change roles - Users move to different departments - New customers are onboarded - Organizational structure changes

No manual security updates required.

Implementation Best Practices

Planning Your Security Architecture

Start with Data Classification Categorize data by sensitivity: - Public: No restrictions - Internal: All employees - Confidential: Department-specific - Restricted: Named individuals only

Map to Security Controls - Public → No RLS/CLS - Internal → Basic RLS by employment status - Confidential → RLS by department + CLS on sensitive fields - Restricted → RLS by named individuals + OLS to hide tables

Designing Security Tables

Create a centralized User Security table that defines access:

sql CREATE TABLE User_Security ( User_Email VARCHAR(255), Department VARCHAR(100), Region VARCHAR(100), Access_Level VARCHAR(50), Authorized_Customers TEXT -- Comma-separated list )

Populate from: - Azure Active Directory (preferred for most attributes) - HR systems (for organizational hierarchy) - Custom tables (for business-specific rules)

Testing Security Configuration

Critical: Always test security with real user accounts before deployment.

Testing Checklist 1. ✅ Impersonate test users from each security group 2. ✅ Verify correct data filtering in Power BI reports 3. ✅ Test SQL queries return filtered results 4. ✅ Confirm Spark notebooks respect RLS 5. ✅ Validate API access applies security 6. ✅ Check error messages don't leak information 7. ✅ Test performance with security enabled

Use Fabric's built-in testing tools: - "View as" feature in Power BI - SQL Analytics Endpoint query testing - Notebook execution with different identities

OneLake Security for Regulated Industries

Healthcare (HIPAA Compliance)

Requirements: - Minimum necessary access to Protected Health Information (PHI) - Audit trails of data access - Encryption in transit and at rest

OneLake Implementation: - RLS: Patients see only their own records; providers see only patients they treat - CLS: Hide sensitive diagnoses, mental health notes, substance abuse history - OLS: Hide research datasets from clinical users - Audit: Fabric automatically logs all data access (included with GA)

Financial Services (SOC 2 / GDPR)

Requirements: - Segregation of duties - Data minimization - Right to be forgotten - Access certification

OneLake Implementation: - RLS: Separate customer data by business unit; analysts can't see individual account details - CLS: Hide SSN, account numbers, credit scores except for authorized roles - OLS: Hide audit tables from general users - Compliance: Automated access reviews via Fabric governance tools

Government (FedRAMP)

Requirements: - Multi-level security classification - Need-to-know access controls - Strict audit requirements - Controlled unclassified information (CUI) protection

OneLake Implementation: - RLS: Security clearance-based filtering - CLS: Hide classified fields based on clearance level - OLS: Separate classified and unclassified lakehouses - Audit: Comprehensive logging with tamper-proof audit trails

Performance Considerations

RLS Performance Impact

Myth: "Security slows down queries significantly" Reality: Well-designed RLS has minimal performance impact (typically <10%)

Optimization Tips: - Use direct filtering (simple equality checks) when possible - Avoid complex many-to-many security relationships - Index security filter columns - Pre-aggregate data when security segments are known

Monitoring Security Performance

Use Fabric's built-in query analysis: - Identify slow security filters - Optimize security table relationships - Monitor query execution plans - Adjust security model if needed

Migration Path to OneLake Security GA

Phase 1: Assessment (Weeks 1-2)

Inventory existing security implementations
Document current RLS/CLS rules in Power BI
Identify data sensitivity levels
Map user roles and permissions

Phase 2: Design (Weeks 3-4)

Design unified security architecture
Create security table schemas
Define RLS/CLS/OLS rules
Plan testing approach

Phase 3: Implementation (Weeks 5-8)

Build security tables and populate data
Implement RLS rules in OneLake
Configure CLS for sensitive columns
Set up OLS for restricted tables
Enable audit logging

Phase 4: Testing (Weeks 9-10)

Test with sample users from each role
Validate Power BI report filtering
Test SQL Analytics Endpoint access
Verify Spark notebook security
Performance testing with security enabled

Phase 5: Deployment (Week 11-12)

Deploy to production
Monitor initial usage
Collect user feedback
Adjust rules if needed

Common Pitfalls to Avoid

1. Over-Restricting Access

Mistake: Implementing overly restrictive security that blocks legitimate business needs.

Solution: Start with broader access, then tighten based on actual usage patterns and compliance requirements.

2. Ignoring Performance Testing

Mistake: Not testing security with production-scale data volumes.

Solution: Test with full data volumes during UAT phase. Security that works with 1000 rows may not scale to 100 million rows.

3. Hidden Column Assumption

Mistake: Assuming hidden columns in Power BI are secure.

Solution: Never rely on hidden columns for security. Always use CLS to properly protect sensitive data.

4. Static Security Rules

Mistake: Hard-coding security rules that require manual updates when org structure changes.

Solution: Use dynamic security with user tables that sync from AAD or HR systems.

5. Insufficient Testing

Mistake: Not testing security from the perspective of actual users.

Solution: Impersonate real users and attempt to access data they shouldn't see. Have security testers actively try to bypass controls.

Getting Expert Implementation Help

OneLake Security is powerful but complex. Proper implementation requires expertise in: - Fabric architecture and OneLake design - Security modeling for complex scenarios - Compliance frameworks (HIPAA, SOC 2, FedRAMP, GDPR) - Performance optimization with security enabled - Change management for security transitions

Our Microsoft Fabric consulting team helps organizations: - Security assessment - Review current state and identify gaps - Architecture design - Design unified security model - Implementation - Build and deploy RLS/CLS/OLS - Testing & validation - Comprehensive security testing - Compliance documentation - Prepare for audits - Training - Educate admins and users on new security model

Conclusion

OneLake Security reaching general availability in 2026 removes the final barrier to enterprise adoption of Microsoft Fabric for regulated industries. With unified RLS, CLS, and OLS across the entire platform, organizations can finally consolidate their fragmented data estate into a single, secure, AI-powered analytics platform.

The complexity of managing multiple security layers is eliminated. The risk of security gaps is dramatically reduced. And the path to compliance becomes clear and auditable.

For organizations serious about data-driven decision-making while maintaining the highest security standards, OneLake Security GA is a game-changer.