Microsoft Fabric · Workspace Roles

Workspace Admin

Highest workspace role. Full control over a Fabric workspace including settings, identity, Git integration, and member management.

Scope: Single Fabric workspace and all items within it

Permissions

  • Workspace settings - Update and delete the workspace
  • Members - Add or remove members, contributors, viewers, and other admins
  • Reshare - Allow others to reshare items
  • Items - Create, modify, write, and delete all item types (notebooks, pipelines, warehouses, lakehouses, eventhouses, ML models, semantic models, reports)
  • Workspace identity - Create and manage workspace identity for secure connections
  • Git integration - Connect workspace to an Azure DevOps or GitHub repository
  • Read all data - OneLake APIs, Spark, TDS endpoints, Lakehouse explorer
  • Execute - Run notebooks, pipelines, Spark jobs, ML experiments
  • Gateways - Schedule refreshes and modify gateway connection settings

Common use cases

  • Workspace owner / data product lead
  • Lifecycle management (workspace creation, deletion, Git setup)
  • Onboarding/offboarding workspace members

Best practices

  • Use security groups instead of individual user assignments
  • Keep workspace admin count small (2-3 per workspace)
  • Use Members or Contributors for daily authoring work

Security considerations

  • Can delete the workspace and all its items
  • Can add other admins, expanding the privileged set
  • Has access to all data the workspace can read (including via shortcuts)

Official Microsoft Learn documentation →

Open the interactive RBACMap →