Applies to: ✅ SQL database in Microsoft Fabric
SQL database in Microsoft Fabric comes with a set of security controls that are on by default or easy to enable, which allows you to easily secure your data.
This article provides an overview of security capabilities in SQL database.
Authentication
Like other Microsoft Fabric item types, SQL databases rely on Microsoft Entra authentication. Once your database is shared with users, they're ready to connect to it with Microsoft Entra authentication.
For more information about authentication, see Authentication in SQL database in Microsoft Fabric.
Access control
You can configure access for your SQL database via two sets of controls:
- Fabric access controls - workspace roles and item permissions. They provide the easiest way to manage access for your database users.
- Native SQL access controls, such as SQL permissions or database-level roles. They allow granular access control. You can configure database-level roles with the Manage SQL security UI in Microsoft Fabric portal. You can configure native SQL controls with Transact-SQL.
For more information about access control, see Authorization in SQL database in Microsoft Fabric.
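The following Transact-SQL is an added illustration of granular native SQL access control, not code from the original article: it builds a least-privilege database-level role, then reads the catalog views to confirm what was granted. The schema `sales`, table `sales.Customers` with column `Email`, role `sales_reader`, and user `analyst@contoso.example` are hypothetical, and the user is assumed to already exist in the database.

```sql
-- Hypothetical names throughout: schema [sales], table [sales].[Customers],
-- column [Email], role [sales_reader], user [analyst@contoso.example].
-- Assumption: the database user already exists.

-- 1. Put permissions on a custom role, not on individual users.
CREATE ROLE sales_reader;

-- 2. Read access scoped to one schema instead of the whole database.
GRANT SELECT ON SCHEMA::sales TO sales_reader;

-- 3. A column-level DENY overrides the schema-level GRANT for this column.
DENY SELECT ON OBJECT::sales.Customers (Email) TO sales_reader;

-- 4. Users receive access only through role membership.
ALTER ROLE sales_reader ADD MEMBER [analyst@contoso.example];

-- 5. Review the permissions the role actually holds.
SELECT pr.name            AS grantee,
       pe.state_desc      AS state,        -- GRANT or DENY
       pe.permission_name,
       pe.class_desc,
       CASE pe.class
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)
            WHEN 1 THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
       END                AS securable,
       CASE WHEN pe.class = 1 AND pe.minor_id > 0
            THEN COL_NAME(pe.major_id, pe.minor_id)
       END                AS column_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'sales_reader';

-- 6. Review who is a member of the role.
SELECT r.name AS role_name,
       m.name AS member_name,
       m.type_desc
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = N'sales_reader';
```

With the column-level DENY in place, a `SELECT *` against `sales.Customers` by a role member fails, so queries must name the permitted columns explicitly.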
Governance
Microsoft Purview is a family of data governance, risk, and compliance solutions that can help your organization govern, protect, and manage your entire data estate. Among other benefits, Microsoft Purview allows you to label your SQL database items with sensitivity labels and define protection policies that control access based on sensitivity labels.
For more information about data governance capabilities of Microsoft Purview for Microsoft Fabric, including SQL database, see:
- Use Microsoft Purview to govern Microsoft Fabric
- Information protection in Microsoft Fabric
- Protection policies in Microsoft Fabric
- Protect sensitive data in SQL database with Microsoft Purview protection policies
Network security
You can use private links to provide secure access for data traffic in Microsoft Fabric, including SQL database. Azure Private Link and Azure Networking private endpoints are used to send data traffic privately using Microsoft's backbone network infrastructure instead of going across the internet.
For more information about private links, see: Set up and use private links.
Encryption
Every interaction with Fabric is encrypted by default and authenticated using Microsoft Entra ID. For more information, see Security in Microsoft Fabric.
Transport Layer Security
All SQL database connections use Transport Layer Security (TLS) 1.2 to protect your data in transit.
Encryption at rest
Microsoft Fabric encrypts all data at rest using Microsoft-managed keys. All database data is stored in remote Azure Storage accounts. To comply with encryption at rest requirements using Microsoft-managed keys, each Azure Storage account used by the SQL database is configured with service-side encryption enabled.
With customer-managed keys for Fabric workspaces, you can use your Azure Key Vault keys to add another layer of protection to the data in your Microsoft Fabric workspaces - including all data in SQL database in Microsoft Fabric. A customer-managed key provides greater flexibility, allowing you to manage its rotation, control access, and audit usage. It also helps organizations meet data governance needs and comply with data protection and encryption standards.
For more information about customer-managed keys for a SQL database in Microsoft Fabric, see Customer-managed keys in SQL database in Microsoft Fabric.
Auditing
SQL auditing for SQL database can track database events and write them to an audit log in your OneLake. For more information, see Auditing.
Limitations
- Encryption using customer-managed keys is currently not supported in SQL database in Microsoft Fabric.