Microsoft Fabric · Workspace Roles

Workspace Admin

Highest workspace role. Full control over a Fabric workspace including settings, identity, Git integration, and member management.

Scope: Single Fabric workspace and all items within it

Permissions

  • Workspace settings - Update and delete the workspace
  • Members - Add or remove members, contributors, viewers, and other admins
  • Reshare - Allow others to reshare items
  • Items - Create, modify, write, and delete all item types (notebooks, pipelines, warehouses, lakehouses, eventhouses, ML models, semantic models, reports)
  • Workspace identity - Create and manage workspace identity for secure connections
  • Git integration - Connect workspace to an Azure DevOps or GitHub repository
  • Read all data - OneLake APIs, Spark, TDS endpoints, Lakehouse explorer
  • Execute - Run notebooks, pipelines, Spark jobs, ML experiments
  • Gateways - Schedule refreshes and modify gateway connection settings

Common use cases

  • Workspace owner / data product lead
  • Lifecycle management (workspace creation, deletion, Git setup)
  • Onboarding/offboarding workspace members

Best practices

  • Use security groups instead of individual user assignments
  • Keep workspace admin count small (2-3 per workspace)
  • Use Members or Contributors for daily authoring work

Security considerations

  • Can delete the workspace and all its items
  • Can add other admins, expanding the privileged set
  • Has access to all data the workspace can read (including via shortcuts)

Common questions

When should I assign the Workspace Admin role?

Assign Workspace Admin when you need to: Workspace owner / data product lead; Lifecycle management (workspace creation, deletion, Git setup); and Onboarding/offboarding workspace members. It is part of Microsoft Fabric and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Workspace Admin role do?

The Workspace Admin role grants permissions including: Workspace settings - Update and delete the workspace; Members - Add or remove members, contributors, viewers, and other admins; Reshare - Allow others to reshare items; Items - Create, modify, write, and delete all item types (notebooks, pipelines, warehouses, lakehouses, eventhouses, ML models, semantic models, reports); Workspace identity - Create and manage workspace identity for secure connections; and Git integration - Connect workspace to an Azure DevOps or GitHub repository. See the Permissions section above for the full list.

What are the security risks of the Workspace Admin role?

Key considerations when assigning Workspace Admin: Can delete the workspace and all its items; Can add other admins, expanding the privileged set; and Has access to all data the workspace can read (including via shortcuts). Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →