Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This guide helps you establish data security in your mirrored Azure SQL Database in Microsoft Fabric.
Security requirements
If your Azure SQL Database is not publicly accessible and doesn't allow Azure services to connect to it, you can create a virtual network data gateway or install an on-premises data gateway to mirror the data. Make sure the Azure Virtual Network or the gateway machine's network can connect to the Azure SQL server via a private endpoint or is allowed by the firewall rule.
Either the System Assigned Managed Identity (SAMI) or the User Assigned Managed Identity (UAMI) of your Azure SQL logical server needs to be enabled, and must be the primary identity.
Note
Support for User Assigned Managed Identity (UAMI) is currently in preview.
Fabric needs to connect to the Azure SQL database. For this purpose, create a dedicated database user with limited permissions, to follow the principle of least privilege. Create either a login with a strong password and connected user, or a contained database user with a strong password. For a tutorial, see Tutorial: Configure Microsoft Fabric mirrored databases from Azure SQL Database.
Important
If the source tables have granular security such as row-level security, column-level security, or data masking configured, the tables will be mirrored without the granular security. The granular security must be reconfigured in the mirrored database in Microsoft Fabric. For more information, see Get started with OneLake security (preview) and SQL granular permissions in Microsoft Fabric.
Data protection features
You can secure column filters and predicate-based row filters on tables to roles and users in Microsoft Fabric:
You can also mask sensitive data from non-admins using dynamic data masking: