How to implement Microsoft Fabric successfully – part 1

In recent years, I have been involved in numerous discussions with customers regarding the effective planning of Microsoft Fabric implementations. These talks, combined with my real-world experience on this topic, have shown how important it is to think carefully before deciding to adopt something new.

Microsoft Fabric is a unified, Software-as-a-Service (SaaS) analytics platform that integrates data engineering, data science, real-time analytics, data warehousing, and business intelligence capabilities—all centered around OneLake as a single data storage foundation. While it offers significant advantages for many organizations, careful assessment is essential to ensure it aligns with specific needs.

In this article, I will highlight a few key things you should focus on when implementing Microsoft Fabric. My goal is not to tell you what to do, but to point out important decision points related to Microsoft Fabric. This is the first part of a two-part article.

Is Microsoft Fabric the Right Service for Your Organization?

The first step in any implementation plan is to evaluate whether Fabric is the right tool. Its main strengths lie in providing a unified SaaS platform, which simplifies management by eliminating the need for multiple tools and their associated upkeep. Key advantages include:

• Integration with the Azure and Microsoft 365 ecosystems. This enables efficient data flows across familiar services, such as Power BI, Azure Synapse Analytics, and Microsoft Purview for governance.
• Built-in Power BI capabilities. These provide robust business intelligence and reporting without additional licensing costs (for that you need F64 capacity or larger – Power BI readers do not require extra licenses in such cases).
• Centralized data management through OneLake. It supports open formats like Delta Lake, reduces data silos, and enables better collaboration across diverse workloads.

These features make Fabric an excellent choice for organizations seeking an end-to-end analytics solution that delivers value faster. However, Fabric may not be ideal in every scenario. Consider alternative platforms or custom solutions in the following cases:

• Requirement for a highly customized Infrastructure-as-a-Service (IaaS) solution. Fabric’s SaaS model prioritizes simplicity and managed services, which may limit deep customization of the underlying infrastructure compared to platforms like Azure Databricks or self-managed setups.
• Desire to avoid vendor lock-in. Although Fabric supports open data formats and interoperates with other systems, it is connected to the Microsoft ecosystem can create dependencies that may conflict with multi-vendor or open-source strategies.
• Preference for lift-and-shift migrations. Organizations looking to migrate existing on-premises or cloud workloads with minimal changes may find more flexible options elsewhere.

These points highlight some of the tool’s core pros and cons. Ultimately, evaluate whether Fabric aligns with your specific needs.

Set Up and Manage Fabric Capacity

Second point on the agenda is to properly plan Fabric capacity. Capacities supply the compute resources needed to run workloads in data engineering, data science, real-time analytics, and business intelligence. Proper setup is important for platform stability and efficiency.

You must decide the number of capacities and their sizes. First, consider your capacity setup based on these decision points:

• A Fabric capacity is created as an Azure resource in a specific region. This choice affects data location and compliance, so select the region carefully to meet company rules.
• The capacity provides compute power for various Fabric items, measured in Capacity Units (CUs). By default, capacities use a pay-as-you-go model with no long-term commitment. Billing is per second, with a one-minute minimum. For cost savings instead of pausing, consider Azure reservations. Commit to one-year terms for CUs to save about 41% compared to pay-as-you-go rates. Reservations apply across the tenant to multiple capacities.
• Multiple workspaces can share one capacity, but not one workspace across multiple capacities. Organizations can create several capacities for separation, governance, or cost tracking.
• Capacity can be paused and resumed. Pausing stops billing for compute (storage costs continue). However, ongoing background operations may cause extra charges. In most cases, pausing is not the best way to save costs so you should not include it as a part of your strategy.
• Capacity can be scaled up or down: Changes do not interrupt running operations. I recommend you to start small and after some time scale-up when needed.
• Capacities use F SKUs (such as F2, F4, up to F2048). These replaced the old Power BI Premium P SKUs. Security and networking features are the same across all SKUs so you don’t need to worry about feature compatibility.
• Every SKU has its own Spark Queue limit so review it to not be surprised after implementation (link).
• If you don’t know where to start with regarding capacity SKU there is a tool called Fabric Capacity Estimator (in preview) help predict needed SKUs based on workloads (link).
• Prices vary by Azure region so start calculating costs based on proper region from the beginning.
• For Power BI, capacities of F64 or higher allow report viewers to use free licenses. Creators and those who share content still need proper licenses (such as Power BI Pro). License changes after scaling may take up to 24 hours. Scaling up to F64 during business hours and down afterward to save money will not work well due to this delay.

Those points are not the only ones, when you will deploy your solution you should configure setting called surge protection. This setting limits background operations (such as refreshes and pipelines) during high 24-hour use. This prioritizes interactive tasks and helps avoid throttling. Set these in the Fabric Admin Portal under Capacity Settings. Monitor them using the Fabric Capacity Metrics app.

Example setup of capacities and workspaces looks as following:

As you can see, in some cases, having more than one capacity is a good strategy. Capacity is typically divided by environment, but also by area (e.g., backend vs. frontend). A good capacity setup balances performance and costs, so spend time carefully planning this aspect and keep the above points in mind.

Networking

In the beginning, I said that Fabric is a SaaS solution, so infrastructure configuration should be simplified. That is true, but you still have some decisions to make – one of them is networking. I am aware that this area can be problematic for data people, but it is still relevant.

Microsoft documentation outlines primary methods to protect inbound connections to Fabric, emphasizing a layered security approach. The following options provide flexible controls without compromising the platform’s unified experience.

Option 1: Azure Private Link

This method leverages Azure Private Link to establish private endpoints, routing traffic over Microsoft’s backbone network instead of the public internet. Key characteristics include:

• Upon configuration, Fabric resources receive private IP addresses within the client’s virtual network (VNet).
• Private endpoints facilitate secure communication between resources in the VNet and Fabric services.
• When public access is blocked, Fabric becomes inaccessible from the public internet, enforcing private connectivity exclusively.
• Users must connect through the organization’s approved network (e.g., via VPN or ExpressRoute) to access Fabric.
• Implementation requires pre-existing Azure networking infrastructure, such as VNets and subnets.

Private Link is available at both tenant-level (applying to the entire organization) and workspace-level (for granular control over specific workspaces). It is particularly suited for environments demanding strict network isolation and compliance with data sovereignty or exfiltration prevention mandates.

Option 2: Microsoft Entra Conditional Access

All interactions with Microsoft Fabric are authenticated via Microsoft Entra ID. Conditional Access policies operate within a Zero Trust framework, prioritizing identity verification. Policies can enforce conditions such as:

• Requiring multi-factor authentication (MFA).
• Mandating device compliance or managed device status.
• Verifying application compliance.
• Restricting access based on network location or IP ranges.

This approach requires a Microsoft Entra ID P1 license (or equivalent, often included in Microsoft 365 subscriptions). It provides dynamic, identity-centric controls without necessitating dedicated networking infrastructure.

Option 3: Microsoft Entra Security Defaults

As a foundational layer, Security Defaults offer baseline protections enabled by default in many tenants. These include mandatory MFA for administrators and risky sign-ins, blocking legacy authentication protocols, and protecting privileged actions. While not as customizable as full Conditional Access policies, Security Defaults provide essential safeguards without additional licensing in eligible configurations. MFA enforcement is a core component, available through defaults for broader accessibility.

Organizations may combine these options – employing Security Defaults as a baseline, Conditional Access for refined policies, and Private Link for network-level isolation. Selection depends on factors such as existing Azure investments, license availability, and the need for per-workspace granularity. There is also option to limit outbound access (link) that can be useful in some cases especially if you want to block access from specific workspace to the internet.

Thorough networking planning mitigates risks while maintaining accessibility. Future installments will cover governance, monitoring, and optimization to round out a comprehensive Fabric deployment strategy.

Summary

That’s everything for now, in the second part we will cover more topics that you should cover when implementing Microsoft Fabric. Thank you for reading.