Understanding relationship between Microsoft Fabric Tenant, Azure Subscription and Entra Tenant
Background
Microsoft Fabric is an end-to-end analytics and data platform with the goal of providing rich set of integrated components so that enterprises can draw value out of data faster (aka accelerate time to value). Microsoft Fabric operates on a Software as a Service (SaaS) model which brings unparalleled simplicity and ease of use in comparison to PaaS offerings in Azure. It is observed that components like Data Warehouse, Data Factory, Apache Spark, etc. offered through Microsoft Fabric have quite a bit of similarity to Platform-as-a-Service (PaaS) offerings in Azure. The PaaS offerings continue to exist in parallel but based on learnings from past few years, components from Azure have been re-packaged in Microsoft Fabric to give a much simpler path which requires considerably less effort. So, ultimately it’s a choice to be made whether to use PaaS services from Azure or use Microsoft Fabric SaaS platform where each platform has its own pros and cons.
Objective
When getting started with Microsoft Fabric irrespective of whether one has experience with Azure or not there is quite a bit of terminology that floats around — Fabric Tenant, Fabric OneLake, Fabric Capacity, Azure Subscription, Microsoft Entra Tenant, etc. and the purpose of this blog post is to give you a clear understanding of those terms and how they relate to each other. A picture is worth thousand words so the image below shows the relationship between various entities.
Microsoft Entra Tenant (formerly Azure Active Directory)
Microsoft Entra Tenant sits at the top, this is the Identity and Access Management system where all the identities (user account like johndoe@contoso.com, service accounts which includes Service Principals and Managed Identities, etc.) are defined and there is only single instance of Microsoft Entra Tenant for an entire organization. There could be exceptional circumstances that there are more than one because of acquisitions or maybe the Identity Team has NonProd Tenant for their own internal purpose but these are exceptions.
Microsoft Fabric Tenant
There is single Fabric Tenant aligned with the Microsoft Entra Tenant, multiple Workspaces are created inside Fabric Tenant but there is only one Fabric Tenant for entire organization just like the Microsoft Entra Tenant. Microsoft Fabric has relationship to Azure Subscriptions for billing purpose through Fabric Capacities (discussed below) but for all practical purposes it sits outside Azure Subscription.
- Microsoft Fabric Administration is controlled using specific roles which are documented here — Understand Microsoft Fabric admin roles — Microsoft Fabric | Microsoft Learn
- Microsoft Fabric has its own Admin Portal controlled by Fabric Admins with quite a bit of control provided using Tenant Level Settings. You can read more What is the Microsoft Fabric admin portal? — Microsoft Fabric | Microsoft Learn and About tenant settings — Microsoft Fabric | Microsoft Learn
One important setting to call out is in relation to Workspace Creation — Workspace admin settings — Microsoft Fabric | Microsoft Learn This setting controls whether any user in the organization can create Workspaces or a restricted to a set of users controlled using Microsoft Entra groups.
Microsoft Fabric Workspace
Fabric Workspace is a container and users work within the context of a Workspace to create artifacts/items like Warehouse, Data Factory Pipelines, Notebooks, Reports, etc. Workspace Roles define what actions a user can take within a Workspace. A Fabric Tenant contains several Workspaces, there could be several topologies on how to organize Workspaces which would range from teams, projects, data assets to environment like Prod/Non-Prod (a topic of its own so I won’t go into details).
Microsoft Fabric OneLake
Fabric OneLake is the storage layer which goes hand in hand with Microsoft Entra and Fabric Entra Tenant hence only one for the entire organization. Staying true to principles of simplicity, Fabric OneLake is completely managed by Microsoft (no need to create Storage Accounts or configure multitude of settings). It is architecturally built to unify data estate and brings the simplicity of OneDrive to save and share data to the analytics world. Once the data is saved to OneLake (or virtualized using shortcuts to external object storage) it can be shared easily across teams without any data duplication. Data saved in Fabric OneLake is organized in a natural hierarchy based on the Workspace, Warehouse, Table Name, etc. as shown below.
You can read more on public documentation page — OneLake, the OneDrive for data — Microsoft Fabric | Microsoft Learn Also, OneLake Catalog page built into the Fabric Portal simplifies discovery of all data in OneLake without any additional setup.
Microsoft Fabric Capacity
Fabric Capacity is the term used to refer to a resource created in an Azure Subscription for billing Fabric usage. Fabric Capacity resource is a very simple resource with 3 main properties — Name, SKU and Region. Azure Portal can be used to change the SKU size as well as assign Capacity Admins. Since, Fabric is SaaS model you won’t see any VMs, VNETS, Storage Accounts, etc. in Azure Subscription as those are lower level details abstracted from the consumers of the service. This is not to confuse in any way as lack of security, Microsoft Fabric platform provides very comprehensive security model covering all aspects like Encryption at rest, Encryption in transit, Data Access Security, inbound/outbound network security using Microsoft Entra Conditional Access, compliance certifications like HIPAA/HITRUST, etc. Security documentation section covers this in detail.
The above screenshot shows that Fabric Capacity Administrators can be configured in Azure Portal at the resource level. Fabric Admin portal can also be used to set Fabric Capacity Admin, in addition it can also be used to set Fabric Capacity Contributor role as shown in the screenshot below. Read more on Fabric Capacity management and settings documenation link — Manage your Fabric capacity — Microsoft Fabric | Microsoft Learn
Although Fabric Capacity resource is created in an Azure Subscription, it becomes available in Fabric because both Azure Subscription and Fabric are tied to the same Microsoft Entra Tenant. A user with Fabric Capacity Admin (or Contributor) and Workspace Administrator permissions can set the Workspace Capacity association with any permissions in Azure Subscription. Azure Subscription RBAC Roles like Owner, Contributor, etc. would allow the user to scale, resume or delete the Capacity Resource in Azure Subscription (these are different from Fabric Capacity Admin and Contributor roles described above).
A single Fabric Capacity can be associated to one or more Fabric Workspaces, Fabric Deployment Pattern documentation outlines the various options in detail.
Microsoft Azure Subscriptions
Azure Subscription is a logical container for creating resources like VMs, Storage Accounts, Azure Data Factory, Synapse, etc. as well as Fabric Capacity as described in the previous section. For a given organization and a Microsoft Entra Tenant, there can be many Azure Subscriptions.
