Changes to the Default Tenant Setting value for SQL Database

Another post on my favorite topic: Governance and Administration!

With all the Fabric announcements in the last months, some of the Admin announcements might have slipped through. As you might know, the Admin part of Fabric is dear to my heart. I've posted about it earlier here, here, here, and here, to name a few 😀.

So in the next weeks I am going to highlight a few things with short, informative posts.

I decided to leave "Governance & Administration" out of the titles of my blog posts from now on.
The titles were getting a bit lengthy, just because I wanted to include the focus on Governance & Administration. I am already using labels which you can use for that: Governance, Administration, etc..

Microsoft 365 Message Center

In case you have access to the M365 Admin Center, or more specific the M365 Message Center, you might have seen this message. I reckon not many people did.. That's why I'm blogging about it here 😁

I'm specifically talking about this message in the Message Center, being a major update and with admin impact: 

Communications on default checkbox changes on tenant settings and billing start for SQL database in Fabric.

Changes to SQL Database Tenant Setting

Recently, there's been a change to the tenant setting for SQL Database, but only in case you haven't changed the setting before.. 😉

Below is the setting in my own tenant, where the setting is still disabled, which was and still is the default option (hint: this is about to change!).

So if I do nothing, then after March 8, the default value will change to ON, or Enabled for the entire organization.

If I decide to opt out before March 8, so if I uncheck the checkbox Accept Microsoft's default selection (Off for the entire organization), this tenant setting will stay disabled, also after March 8.

To be clear, as I mentioned, you only see this message if you haven't changed the default setting (off).

In the Powerdobs tenant we already enabled SQL Database, so I only see the below:

M365 Message Center for Non-Admins

In case you don't have access to the Message Center, I found another site, called the Microsoft 365 Message Center Archive, where all those messages are replicated, set up by Merill Fernando, Principal Product Manager for Microsoft Entra.

Direct link to the message: https://mc.merill.net/message/MC996579.

I have been searching for a (regular) blog post on this topic, but I haven't seen anything:
Multiple other blog posts were written on the Fabric blog, but none of them explicitly mentioned any of this:

• Feb 12: Govern your data in SQL database in Microsoft Fabric with protection policies in Microsoft Purview
  
• Feb 19: Enhancing SQL database in Fabric: share your feedback and shape the future
  
• Feb 26: Why SQL database in Fabric is the best choice for low-code/no-code Developers
• There's a little link to Billing and utilization reporting for SQL database hidden in this blog post, which explains billing started at February 1st, but no mention of the tenant setting

Billing for SQL Database (preview)

Last thing I want to explicitly call out in accordance with the changed tenant setting:

While SQL Database in Fabric is still in preview, billing already started at February 1. Furthermore, billing for backup starts after April 1.

So when the setting is changed to ON, and you don't run a trial, you can start seeing SQLDbNative on your Capacity Metrics App as explained here. 😉

Governance & Administration - Default Domain settings

I'm picking up my favorite topic again: Governance and Administration!

With all the Fabric announcements in the last months, some of the Admin announcements might have slipped through. As you might know, the Admin part of Fabric is dear to my heart. I've posted about it earlier here, here, here, and here, to name a few 😀.

So in the next weeks I am going to highlight a few things with short, informative posts.

Last week I wrote about the rights of the Fabric Administrator.

Today I want to make you aware of a default value of the domain settings inside Fabric.

This default value might not be the best value for you.. 😉

Domains in Fabric

A short introduction to Domains: they are essentially a way of managing and structuring your data across the organization. You can logically group together data in workspaces. A logical grouping can be business units, areas, fields, solutions or actually whatever works for you. It shouldn't be something a Fabric Admin decides on his own. Ideally business and / or enterprise architects with the data owners (if any 😐) should implement the design of domains, subdomains and owners. People from you Center of Excellence (again: if available..) would be a good fit to include in this discussion.

In case you need some help or guidance on how to set up your domains, there's a nice article that can help you get started: Best practices for planning and creating domains.

Default Domain Settings

Check your defaults! I've said it multiple times, always check default settings in your tenant, be it in the tenant settings or the domain settings.

When you create a domain (either with or without adding a domain admin explicitly), you end up with the default settings applied to that domain. Let's check what that involves.

After creating your domain and navigating to the settings you can SHOULD set the Contributors of the domain.

By default, it is set to The entire organization. I would limit it to either of the other options. Preferably tenant and domain admins, but if you have a group of people from Finance that you want to allow to add workspaces to the Finance domain, I'm happy with that too. Just don't use the default setting 😀

Luckily there's one more caveat to this that restricts it to hopefully a sligthly smaller group: the documentation points out you also have to be a workspace admin to be able to use this feature, so that limits it to people that have an admin role in the workspace.

One more reason to not give everyone the admin role in your workspace by default!

Next to that, you can also audit for these changes by checking the audit log for Fabric, specifically the UpdateDataDomainFoldersRelationsAsAdmin operation, which gives you the activities when someone assigns (or unassigns) a workspace to/from a domain.

Conclusion

Domains give you a good option to manage and group the content in your organization.

Just be aware of the default settings when you create one. Set the contributors to the tenant and domain admins, or a security group, just don't use the default!

Let me know what you think, have you seen this default setting and more importantly, did you change it in any of your domains?

Governance & Administration - Fabric Administrator Role

It's been a while since I've written on a regular cadance, so I'm picking up my favorite topic again: Governance and Administration!

With all the Fabric announcements in the last months, some of the Admin announcements might have slipped through. As you might know, the Admin part of Fabric is dear to my heart. I've posted about it earlier here, here, here, and here, to name a few 😀.

So in the next weeks I am going to highlight a few things with short, informative posts.

Today I want to talk to you about the Fabric Administrator (role).

• What rights does an Admin have?
• Are there more people that also have these rights? (Hint: YES! 😉)

Toady, I'm not talking about the governance aspects of the Admin, the Tenant settings or the Admin portal in general. I'll leave that for a next time. Or read other posts, for example by Marc on other roles and controls in Fabric or the delicate balance of governance and collaboration.

Manage Fabric Administrators

Users with this role can manage everything in Fabric, so from the Admin portal, to workspace access, and have also read access to various other parts in the Office and Azure ecosystem.

I encourage you to check who are assigned this role, because it should only be a handful of people in my opinion. You can check this in the Azure portal, under Entra ID > Roles and administrators.

Alternatively you can also search for it in the top search bar and go there directly.

Looking at the description of the role, we can see a few interesting things:

(As an Admin,) You can go to Azure and O365 Service Health to check for potential status issues with those services. You can also check and file (Premium) support tickets, depending on the license/capacity you have.

I especially want to call out the last row in the permissions:

The link there reads: microsoft.powerApps.powerBi/....

Power Platform Administrator

Now let's take a look at the Power Platform Admnistrator role description:

You might have noticed the same path there: microsoft.powerApps.

So this means, everything "below" PowerApps is also accessible, so the Power Platform Admin can also access and manage the same things the Fabric Admin can!

I also encourage you to check the people assigned to this role 😀

Just In Time Access Roles

Depending on your organizational settings, Privileged Identity Management might be enabled.
This means that people might need to activate the Fabric Admin role (for a period of time) before it becomes active. In the below screenshot you can see that Ernst and me have the role permanently assigned for Powerdobs.

But if I'm working as a consultant it usually is on a need-to-have bases, so I can e.g. activate it for 1, 2 or 8 hours. 

Looking at the picture above, you can see that there's Active and Eligible assignments. Depending on the settings and activity, people might have the PIM-role, but not activated at the moment.

Wrap up

To complete the list of access to Fabric, the Global (tenant) Admin role also has access to everything in Fabric:

• Global Admin
• Power Platform Administrator
• Fabric Administrator

People with the above roles have the same rights as the Fabric Admin.

Did you know the Power Platform Administrator has those rights?

Do you think I missed any information in this blog?

Please let me know in the comments below.

Governance & Administration - Ownership Takeover for Fabric Items

It's been a while since I've written on a regular cadance, so I'm picking up my favorite topic again: Governance and Administration!

With all the Fabric announcements in the last months, some of the Admin announcements might have slipped through. As you might know, the Admin part of Fabric is dear to my heart. I've posted about it earlier here, here, here, and here, to name a few 😀.

So in the next weeks I am going to highlight a few things with short, informative posts.

Today I want to quickly show a new feature that was just introduced, but long awaited for!

Ownership takeover for Fabric items!

Yes, you read it right, you can now TAKE OVER OWNERSHIP in Fabric! 😁

In a workspace, go to the ellipsis of the item (the 3 dots), and go to settings.

In the settings of the item you can see the Take over button:

Clicking that will show a pop-up and will start the transfer of ownership.

After a few seconds (that was my experience for the handful items I tried) you will get the notification it succeeded.

After that the (Take over) button has disappeared and will show up for the original (and other) users.

A few things to be aware of:

• You need read and write permissions to the item you want to take over
• That means a Contributor or higher role in the workspace
• Depending on the item you transfer, you might need to set up/refresh credentials for connections, as explained here
• The old way of taking ownership of Power BI items will still remain the same
• Mirrored databases are not supported (yet)
• If you're taking over a pipeline that execute's other items (like a notebook), you have to take over ownership of that item separately

For more info check the MS Learn docs: Take ownership of Fabric items.

Wrap up

This is of course especially helpful when the creator of an item left the company or that account is locked for whatever reason.

What's next you ask? The API for takeover is not yet available, and you also can't switch to a Service Principal yet. It only switches ownership to the current user at this moment.

Have you tried this feature yet?

Let me know what you think!