Microsoft Fabric · Tenant Administration
Fabric Administrator
Tenant-wide Fabric administration. Enable/disable Fabric features, configure tenant settings, monitor usage, manage audit logs, and govern embed codes. Cross-listed from Microsoft Entra ID (this is the same role as the entra-fabric-admin entry).
Scope: Tenant-wide administration of Microsoft Fabric and Power BI
Permissions
- Tenant settings - Configure all Fabric tenant-level settings
- Feature governance - Enable or disable Fabric features org-wide
- Usage metrics - View tenant-wide adoption and consumption data
- Audit logs - Review and manage Fabric audit activity (surfaces in Purview portal)
- Workspaces - View and govern all workspaces in the tenant
- Embed codes - Manage embed codes for sharing reports publicly
- Capacity - Pause, resume, and scale capacities
Common use cases
- Initial Fabric tenant configuration
- Org-wide policy enforcement (data classification, export controls, sharing limits)
- Audit and compliance reporting on Fabric usage
- Capacity planning and cost management
Best practices
- Limit to 2-5 people; use PIM for just-in-time activation
- Delegate domain-level governance to Domain Admins
- Delegate capacity-level governance to Capacity Administrators
- Pair with Purview Compliance Administrator for data governance coordination
Security considerations
- Can view all workspaces and reports across the tenant
- Cannot bypass workspace-level data permissions (RLS/OLS still enforced)
- Does not grant access to data inside workspaces by default - tenant admins must add themselves to workspaces
Common questions
When should I assign the Fabric Administrator role?
Assign Fabric Administrator when you need to: Initial Fabric tenant configuration; Org-wide policy enforcement (data classification, export controls, sharing limits); Audit and compliance reporting on Fabric usage; and Capacity planning and cost management. It is part of Microsoft Fabric and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Fabric Administrator role do?
The Fabric Administrator role grants permissions including: Tenant settings - Configure all Fabric tenant-level settings; Feature governance - Enable or disable Fabric features org-wide; Usage metrics - View tenant-wide adoption and consumption data; Audit logs - Review and manage Fabric audit activity (surfaces in Purview portal); Workspaces - View and govern all workspaces in the tenant; and Embed codes - Manage embed codes for sharing reports publicly. See the Permissions section above for the full list.
What are the security risks of the Fabric Administrator role?
Key considerations when assigning Fabric Administrator: Can view all workspaces and reports across the tenant; Cannot bypass workspace-level data permissions (RLS/OLS still enforced); and Does not grant access to data inside workspaces by default - tenant admins must add themselves to workspaces. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.