Microsoft Fabric · Tenant Administration

Fabric Administrator

Tenant-wide Fabric administration. Enable/disable Fabric features, configure tenant settings, monitor usage, manage audit logs, and govern embed codes. Cross-listed from Microsoft Entra ID (this is the same role as the entra-fabric-admin entry).

Scope: Tenant-wide administration of Microsoft Fabric and Power BI

Permissions

  • Tenant settings - Configure all Fabric tenant-level settings
  • Feature governance - Enable or disable Fabric features org-wide
  • Usage metrics - View tenant-wide adoption and consumption data
  • Audit logs - Review and manage Fabric audit activity (surfaces in Purview portal)
  • Workspaces - View and govern all workspaces in the tenant
  • Embed codes - Manage embed codes for sharing reports publicly
  • Capacity - Pause, resume, and scale capacities

Common use cases

  • Initial Fabric tenant configuration
  • Org-wide policy enforcement (data classification, export controls, sharing limits)
  • Audit and compliance reporting on Fabric usage
  • Capacity planning and cost management

Best practices

  • Limit to 2-5 people; use PIM for just-in-time activation
  • Delegate domain-level governance to Domain Admins
  • Delegate capacity-level governance to Capacity Administrators
  • Pair with Purview Compliance Administrator for data governance coordination

Security considerations

  • Can view all workspaces and reports across the tenant
  • Cannot bypass workspace-level data permissions (RLS/OLS still enforced)
  • Does not grant access to data inside workspaces by default - tenant admins must add themselves to workspaces

Common questions

When should I assign the Fabric Administrator role?

Assign Fabric Administrator when you need to: Initial Fabric tenant configuration; Org-wide policy enforcement (data classification, export controls, sharing limits); Audit and compliance reporting on Fabric usage; and Capacity planning and cost management. It is part of Microsoft Fabric and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Fabric Administrator role do?

The Fabric Administrator role grants permissions including: Tenant settings - Configure all Fabric tenant-level settings; Feature governance - Enable or disable Fabric features org-wide; Usage metrics - View tenant-wide adoption and consumption data; Audit logs - Review and manage Fabric audit activity (surfaces in Purview portal); Workspaces - View and govern all workspaces in the tenant; and Embed codes - Manage embed codes for sharing reports publicly. See the Permissions section above for the full list.

What are the security risks of the Fabric Administrator role?

Key considerations when assigning Fabric Administrator: Can view all workspaces and reports across the tenant; Cannot bypass workspace-level data permissions (RLS/OLS still enforced); and Does not grant access to data inside workspaces by default - tenant admins must add themselves to workspaces. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →