| Message Content |
[Introduction:]
To support enhanced monitoring and governance, Microsoft Fabric is introducing a new tenant setting that allows admins to control whether user identifiers are included in OneLake diagnostic logs. This change aligns with customer feedback around privacy and compliance, giving organizations more flexibility in managing diagnostic data.
[When this will happen:]
- OneLake diagnostics will become generally available in mid-October 2025.
- The new tenant admin setting will be available starting October 28, 2025.
[How this affects your organization:]
Who is affected:
- Admins managing Microsoft Fabric and OneLake environments.
- Workspace Admins and Tenant Admins.
What will happen:
- Workspace Admins will be able to enable OneLake diagnostics to monitor data interactions:
- By default, diagnostic events will include End User Identifiable Information (EUII), such as User Principal Name (UPN) and IP address.
- A new tenant admin setting will be available to opt out of logging EUII.
- The setting will be enabled by default―EUII will be logged unless the toggle is disabled.
Example scenarios supported by OneLake diagnostics:
- Security investigation: Track which users accessed sensitive datasets, when, and from where. Helps identify unauthorized access attempts or unusual patterns.
- Performance troubleshooting: Diagnose latency or failure issues by correlating diagnostic events with user actions or system interactions.
- Usage analytics and optimization: Understand which datasets are most frequently accessed, by whom, and how often. Supports data governance and resource optimization.
- Integration monitoring: Monitor external systems interacting with OneLake (via APIs or connectors), ensuring integrations are functioning as expected and diagnosing issues when they arise.
[What you can do to prepare:]
- Review your organization’s privacy and compliance policies.
- Starting mid-October:
- Workspace Admins can enable OneLake diagnostics (EUII will be redacted at this stage).
- By October 28:
- Tenant Admins should review the new admin toggle in the Fabric Admin Portal.
- If you wish to prevent EUII from being logged:
- Disable the toggle in the Fabric Admin Portal.
- Communicate this change to your helpdesk and update internal documentation as needed.
[Compliance considerations:]
| Does the change alter how existing customer data is processed, stored, or accessed? |
Yes. Diagnostic logs will include or exclude EUII based on admin settings. |
| Does the change modify how admins can monitor, report on, or demonstrate compliance activities? |
Yes. Admins gain visibility into data access and usage patterns, similar to Azure Storage Diagnostics. |
| Does the change include an admin control and can it be controlled through Entra ID group membership? |
Yes. The new tenant setting is available in the Fabric Admin Portal and can be toggled by Tenant Admins. |
|