It's been a while since I've written on a regular cadance, so I'm picking up my favorite topic again: Governance and Administration!
With all the Fabric announcements in the last months, some of the Admin announcements might have slipped through. As you might know, the Admin part of Fabric is dear to my heart. I've posted about it earlier here, here, here, and here, to name a few 😀.
So in the next weeks I am going to highlight a few things with short, informative posts.
Today I want to talk to you about the Fabric Administrator (role).
- What rights does an Admin have?
- Are there more people that also have these rights? (Hint: YES! 😉)
Toady, I'm not talking about the governance aspects of the Admin, the Tenant settings or the Admin portal in general. I'll leave that for a next time. Or read other posts, for example by Marc on other roles and controls in Fabric or the delicate balance of governance and collaboration.
Manage Fabric Administrators
Users with this role can manage everything in Fabric, so from the Admin portal, to workspace access, and have also read access to various other parts in the Office and Azure ecosystem.
I encourage you to check who are assigned this role, because it should only be a handful of people in my opinion. You can check this in the Azure portal, under Entra ID > Roles and administrators.
Alternatively you can also search for it in the top search bar and go there directly.
I especially want to call out the last row in the permissions:
The link there reads: microsoft.powerApps.powerBi/....
Power Platform Administrator
Now let's take a look at the Power Platform Admnistrator role description:
You might have noticed the same path there: microsoft.powerApps.
So this means, everything "below" PowerApps is also accessible, so the Power Platform Admin can also access and manage the same things the Fabric Admin can!
I also encourage you to check the people assigned to this role 😀
Just In Time Access Roles
Depending on your organizational settings, Privileged Identity Management might be enabled.
This means that people might need to activate the Fabric Admin role (for a period of time) before it becomes active. In the below screenshot you can see that Ernst and me have the role permanently assigned for Powerdobs.
This means that people might need to activate the Fabric Admin role (for a period of time) before it becomes active. In the below screenshot you can see that Ernst and me have the role permanently assigned for Powerdobs.
But if I'm working as a consultant it usually is on a need-to-have bases, so I can e.g. activate it for 1, 2 or 8 hours.
Looking at the picture above, you can see that there's Active and Eligible assignments. Depending on the settings and activity, people might have the PIM-role, but not activated at the moment.
Wrap up
To complete the list of access to Fabric, the Global (tenant) Admin role also has access to everything in Fabric:
- Global Admin
- Power Platform Administrator
- Fabric Administrator
People with the above roles have the same rights as the Fabric Admin.
Did you know the Power Platform Administrator has those rights?
Do you think I missed any information in this blog?
Please let me know in the comments below.
