Outbound Access Protection for semantic models (Preview)

Outbound Access Protection (OAP) is a workspace-level network security and governance feature that blocks outbound traffic from a workspace by default and lets you allow only the destinations you explicitly trust. With this preview, you can now extend OAP to semantic models. Power BI reports aren't part of this preview yet; report support is coming in a separate announcement soon.

Outbound data movement from semantic models

Semantic model connections can cross workspace boundaries and can pull data from cloud and on-premises sources, including destinations that fall outside your organization's data boundary. Composite semantic models (models that combine tables from multiple sources) can also send data from one source to another when they push filter values to a table in DirectQuery mode, as the following diagram shows.

The relationship between Table A and Table B might have been created unintentionally. The query does not have to return meaningful results. The point is that values from source A might be exposed to source B in certain situations. This means that sensitive filter values might show up in the wrong query logs!

Figure: User selects a value from source A in a slicer and source B runs a query with the filter value in the Where clause.

Security controls at the data gateway and network layers help, but they don't stop a model creator from binding a connection to an unsanctioned endpoint in the Power BI service. You need a policy in the service that controls outbound connections across workspace boundaries.

How OAP works for semantic models

OAP is a single toggle on the workspace. Open Workspace settings, select Network security, and turn on Block outbound public access. Once enabled, every outbound connection from items in that workspace is denied unless you create an explicit exception.

Figure: Workspace settings for outbound access protection.

For semantic models, enforcement happens on the model's bound data connection. That means Power Query transformations, M expressions, and dataset parameters can't route around the policy — the connection itself is evaluated against the workspace's outbound rules before any data moves. Import refreshes and DirectQuery queries follow the same path.

Prefer automation? The same policy is exposed through the Fabric REST API. Refer to Workspaces - Set Network Communication Policy REST API and set outbound.publicAccessRules.defaultAction to Deny. Toggle changes take about 15 minutes to propagate.

Intra-workspace connections

It’s important to note that the default OAP configuration blocks all data connections perceived as cross-workspace. This includes any sources accessed through SQL, ADLS Gen2, and other non-Fabric connection kinds. Your source lakehouse might be in the same workspace as your semantic model, but your semantic model will not be able to connect unless you allow the local workspace for the SQL connection kind (for import and DirectQuery mode) and the ADLS Gen2 connection kind (for Direct Lake mode).

Select Add new cloud connection rule, select SQL Server or Azure Data Lake Storage Gen2, and then specify the fully qualified domain name of the source’s SQL analytics endpoint or the URL of the workspace in OneLake. The following screenshot shows the corresponding exceptions with placeholder values.

Figure: Exceptions for SQL and ADLS Gen2 data connections.

You can discover the FQDN from the lakehouse settings. On the SQL endpoint tab, the FQDN appears under SQL connection string, as in the next screenshot.

Figure: FQDN in the SQL Analytics Endpoint settings.

For the ADLS Gen2 URL of a workspace in OneLake, look at the URL of a Delta table. For example, in the Table properties, copy the URL to the clipboard, and then remove the lakehouse and table specific parts that follow the first (workspace) GUID in the URL. For details about the URL syntax, refer to Connecting to Microsoft OneLake in the product documentation.
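
The URL trimming described above, written out as a small Python helper; this is an added example, not code from the original post or from the Fabric product. It assumes the GUID-based layout `https://onelake.dfs.fabric.microsoft.com/<workspaceGuid>/<lakehouseGuid>/Tables/<table>` and represents each exception as a simple (connection kind, target) pair; it also refuses a table URL copied from a different workspace, so the ADLS Gen2 exception really points at the local workspace.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Canonical GUID form as it appears in OneLake URLs (assumed layout:
# https://onelake.dfs.fabric.microsoft.com/<workspaceGuid>/<lakehouseGuid>/Tables/<table>).
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)


def workspace_url_from_table_url(table_url: str) -> str:
    """Keep scheme, host and the first GUID (the workspace id); drop the
    lakehouse- and table-specific parts that follow it, as the post describes."""
    parts = urlsplit(table_url)
    segments = [s for s in parts.path.split("/") if s]
    for index, segment in enumerate(segments):
        if GUID_RE.fullmatch(segment):
            path = "/" + "/".join(segments[: index + 1])
            # Query string and fragment are never part of the exception target.
            return urlunsplit((parts.scheme, parts.netloc, path, "", ""))
    raise ValueError(f"no workspace GUID in URL path: {table_url}")


def workspace_id_of(url: str) -> str:
    """The workspace GUID (lower-cased) of a workspace or table URL."""
    return urlsplit(workspace_url_from_table_url(url)).path.strip("/").lower()


def local_workspace_rules(sql_fqdn: str, table_url: str, workspace_id: str) -> list:
    """Build the two exceptions the post says an OAP workspace needs for its own
    lakehouse: SQL Server -> SQL analytics endpoint FQDN, ADLS Gen2 -> workspace URL.
    Refuses a table URL from another workspace: that exception would open an
    outbound path to the other workspace instead of the local one."""
    adls_url = workspace_url_from_table_url(table_url)
    if workspace_id_of(adls_url) != workspace_id.lower():
        raise ValueError(
            f"table URL belongs to workspace {workspace_id_of(adls_url)}, not {workspace_id}"
        )
    return [("SQL Server", sql_fqdn.lower()), ("Azure Data Lake Storage Gen2", adls_url)]


if __name__ == "__main__":
    # Constructed sample values, not real endpoints or workspace ids.
    ws = "11111111-2222-3333-4444-555555555555"
    table = f"https://onelake.dfs.fabric.microsoft.com/{ws}/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/Tables/sales"
    for kind, target in local_workspace_rules(
        "placeholder-sql-endpoint.datawarehouse.fabric.microsoft.com", table, ws
    ):
        print(f"{kind}: {target}")
```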

Figure: Getting the URL of a Delta table.

Getting started

Follow these steps to enable OAP on a workspace that hosts semantic models:

  1. Confirm the workspace is on an F SKU and that the tenant setting Configure workspace-level outbound network rules is on.
  2. Plan the workspace. If you're adding OAP to an existing workspace, ensure that the workspace only contains items that support OAP. You cannot enable OAP if the workspace contains Power BI reports, dashboards, or other unsupported artifacts.
  3. Open Workspace settings > Network security and turn on Block outbound public access.
  4. Add a data connection exception for each destination, including the local workspace where the semantic model resides.
  5. Wait about 15 minutes for the policy to propagate.
  6. Validate by refreshing an Import model and by opening a report in another workspace that connects to a DirectQuery model in the OAP-protected workspace. Connections to allowed destinations succeed; for blocked destinations, note the error indicating that the connection is blocked by Outbound Access Protection policies.
