Fabric domains
This article introduces key concepts of domains in Fabric, and shows how to set up and manage them. To get started planning domains for your organization, see Best practices for planning and creating domains in Microsoft Fabric.
Introduction
Today, organizations are facing massive growth in data, and there's an increasing need to be able to organize and manage that data in a logical way that facilitates more targeted and efficient use and governance.
To meet this challenge, organizations are shifting from traditional IT centric data architectures, where the data is governed and managed centrally, to more federated models organized according to business needs. This federated data architecture is called data mesh. A data mesh is a decentralized data architecture that organizes data by specific business domains, such as marketing, sales, human resources, etc.
Currently, Microsoft Fabric's data mesh architecture primarily supports organizing data into domains and enabling data consumers to be able to filter and find content by domain. It also enables federated governance, which means that some governance currently controlled at the tenant level can be delegated to domain-level control, enabling each business unit/department to define its own rules and restrictions according to its specific business needs.
Key concepts
Domains
In Fabric, a domain is a way of logically grouping together all the data in an organization that is relevant to a particular area or field. One of the most common uses for domains is to group data by business department, making it possible for departments to manage their data according to their specific regulations, restrictions, and needs.
To group data into domains, workspaces are associated with domains. When a workspace is associated with a domain, all the items in the workspace are also associated with the domain, and they receive a domain attribute as part of their metadata. Currently, the association of workspaces and the items in them with domains primarily enables a better consumption experience. For instance, in the OneLake data hub, users can filter content by domain in order find content that is relevant to them. In addition, some tenant-level settings for managing and governing data can be delegated to the domain level, thus allowing domain-specific configuration of those settings.
Subdomains
A subdomain is a way for fine tuning the logical grouping of your data. You can create subdomains under domains. For information about how to create subdomains, see Create subdomains.
Domain roles
There are three roles involved in the creation and management of domains:
Fabric admin (or higher): Fabric admins can create and edit domains, specify domain admins and domain contributors, and associate workspaces with domains. Fabric admins see all the defined domains on the Domains tab in the admin portal, and they can edit and delete domains.
Domain admin: Ideally, the domain admins of a domain are the business owners or designated experts. They should be familiar with the data in their area and the regulations and restrictions that are relevant to it.
Domain admins can access to the Domains tab in the admin portal, but they can only see and edit the domains they're admins of. Domain admins can update the domain description, define/update domain contributors, and associate workspaces with the domain. They also can define and update the domain image and override tenant settings for any specific settings the tenant admin has delegated to the domain level. They can't delete the domain, change the domain name, or add/delete other domain admins.
Domain contributor: Domain contributors are workspace admins whom a domain or Fabric admin has authorized to assign the workspaces they're the admins of to a domain, or to change the current domain assignment.
Domain contributors assign the workspaces they're an admin of in the settings of the workspace itself. They don't have access to the Domains tab in the admin portal.
Note
Remember, to be able to assign a workspace to a domain, a domain contributor must be a workspace admin (that is, have the Admin role in the workspace).
Domain settings delegation
To allow domain-specific configuration, some tenant-level settings for managing and governing data can be delegated to the domain level. Domain settings delegation enables each business unit/department to define its own rules and restrictions according to its specific business needs.
Domain image
When users look for data items in the OneLake data hub, they might want to see only the data items that belong to a particular domain. To do this, they can select the domain in the domain selector on the data hub to display only items belonging to that domain. To remind them which domain's data items they're seeing, you can choose an image to represent your domain. Then, when your domain is selected in the domain selector, the image becomes part of the data hub's theme, as illustrated in the following image.
For information about how to specify an image for a domain, see Specify a domain image.
Default domain
A default domain is a domain that has been defined as the default domain for specified users and/or security groups. When you define a domain as the default domain for specified users and/or security groups, the following happens:
- The system scans the organization's workspaces. When it finds a workspace whose admin is a specified user or member of a specified security group:
- If the workspace already has a domain assignment, it is preserved. The default domain doesn't override the current assignment.
- If the workspace is unassigned, it is assigned to the default domain.
- After this, whenever a specified user or member of a specified security group creates a new workspace, it is assigned to the default domain.
The specified users and/or members of the specified security groups generally automatically become domain contributors of workspaces that are assigned in this manner.
For information about defining a domain as a default domain, see Define the domain as a default domain.
Create a domain
Before you start creating domains for your organization, it is recommended to review Best practices for planning and creating domains in Microsoft Fabric.
To create domain, you must be a Fabric admin.
Open the admin portal and select the Domains tab.
On the Domains tab, select Create new domain.
In the New domain dialog that appears, provide a name (mandatory) and specify domain admins (optional). If you don't specify domain admins, you can do this later in the domain settings.
Select Create. The domain is created, and you can continue configuring the domain as described in the following sections.
Structure your data in the domain
Once you create some domains, you can refine the logic of the way you're structuring your data by creating subdomains for the domains.
You organize your data into the appropriate domains and subdomains by assigning the workspaces the data is located in to the relevant domain or subdomain. When a workspace is assigned to a domain, all the items in the workspace are associated with the domain.
Create subdomains
To create subdomains for a domain, you must be Fabric admin or domain admin.
Open the domain you want to create a subdomain for and select New subdomain.
Provide a name for the subdomain in the New subdomain dialog that appears. When done, select Create.
Note
Subdomains don't have their own domain admins. A subdomain's domain admins are the domain admins of its parent domain.
Assign workspaces to domains and subdomains
To assign workspaces to a domain or subdomain in the admin portal, you must be a Fabric admin or a domain admin.
Go to the domain or subdomain's page and select Assign workspaces.
In the Assign workspaces to this domain side pane, select how to assign the workspaces.
Assign by workspace name
- Some organizations have naming conventions for workspaces that make it easy to identify the data's business context.
- You can search for and select multiple workspaces at once
- If a workspace is already associated with another domain, you'll see an icon next to the specific name. If you chose to continue the action, a warning message pops up, but you'll be able to continue and override the previous association.
Assign by workspace admin
- You can select specific users or security groups as per your business structure. When you confirm the selection, all the workspaces the users and security groups are admins of will be associated to the domain.
- This action excludes "My workspaces".
- If some of the workspaces are already associated with another domain, a warning message will pop up, but you'll be able to continue and override the previous association.
- This action affects existing workspaces only. It won't affect workspaces the selected users create after the action has been performed.
Assign by capacity
- Some organizations have dedicated capacities per department/business unit.
- You can search for and select multiple capacities at once. When you confirm your selection, all the workspaces associated to the selected capacities will be assigned to the domain.
- If some of the workspaces are already associated with another domain, a warning message will pop up, but you'll be able to continue and override the previous association.
- This action excludes "My workspaces".
- This action affects existing workspaces only. It won't affect workspaces that are assigned to the specified capacities after the action has been performed.
Note
Workspace domain assignments by Fabric and domain admins will override existing assignments only if the Allow tenant and domain admins to override workspace assignments (preview) tenant setting is enabled. For more information, see Allow tenant and domain admins to override workspace assignments (preview).
To unassign a workspace from a domain or subdomain, select the checkbox next to the workspace name and then select the Unassign button above the list. You can select several checkboxes to unassign more than one workspace at a time.
Configure domain settings
You configure domain and subdomain settings on the domain or subdomain's Domain settings side pane.
The domain settings side pane has the following tabs:
- General settings: Edit domain name and description
- Image: Specify domain image
- Admins: Specify domain admins
- Contributors: Specify domain contributors
- Default domain: Set up domain as a default domain
- Delegated settings: Override tenant-level settings
Note
Subdomains currently have general settings only.
To open the Domain settings side pane, open the domain or subdomain and select Domain settings (for subdomains, Subdomain settings).
Alternatively, for domains, you can hover over the domain on the Domain tab, select More options (...), and choose Settings.
Edit name and description
Select General settings and then edit the name and description fields as desired.
Note
Domain admins can only edit the description field.
When done, select Apply.
Specify a domain image
Select Image and then select Select an image.
In the photo gallery that pops up you can choose an image or color to represent your domain in the OneLake data hub when your domain is selected.
Specify domain admins
You must be a Fabric admin to specify domain admins.
Select Admins and then specify who can change domain settings and add or remove workspaces. When done, select Apply.
Specify domain contributors
You must be a domain admin of the domain or a Fabric admin to specify domain contributors.
Select Contributors and then specify who can assign workspaces to the domain. You can specify everyone in the organization (default), specific users/groups only, or you can allow only tenant admins and the specific domain admins to assign workspaces to the domain. When done, select Apply.
Note
For domain contributors to be able to associate their workspaces with their domains, they must have an admin role in the workspaces they are trying to associate with the domain.
Define the domain as a default domain
To define a domain as a default domain, you must be a Fabric admin or a domain admin of the domain.
Select Default domain and specify users and/or security groups. When you add people to the default domain list, unassigned workspaces they're admins of, and new workspaces they create, will automatically be assigned to the domain. For a detailed description of the process, see Default domain.
Note
The users and/or members of the security groups specified in the default domain definition generally automatically become domain contributors of the workspaces that get assigned to the domain via the default domain mechanism.
Delegate settings to the domain level
Some tenant-level settings can potentially be overridden at the domain level. To see these settings, select Delegated Settings. The following admin settings can potentially be overridden.
Domain-level default sensitivity label
If the domain-level default sensitivity label feature is enabled in your organization, you can specify a sensitivity label that will be applied by default to items in workspaces that are assigned to the domain.
To specify a default sensitivity label for your domain, you must be a Fabric admin or a domain admin of the domain.
Expand Delegated Settings and choose Information protection. You'll see the option Set a default label for this domain. Select the drop down menu and select the desired sensitivity label. The label will be applied to items in workspaces associated with the domain according to the logic described in Domain-level default sensitivity labels in Microsoft Fabric.
Certification settings
Certification is a way for organizations to label items that it considers to be quality items. For more information about certification, see Endorsement.
Certification settings at the domain level mean you can:
- Enable or disable certification of items that belong to the domain.
- Specify certifiers who are experts in the domain.
- Provide a URL to documentation that is relevant to certification in the domain.
To override the tenant-level certification settings, expand the certification section, select the Override tenant admin selection checkbox, and configure the settings as desired.
For descriptions of the things you need to set, see Set up certification.
Microsoft Fabric REST Admin APIs for domains
Most of the actions available from the UI are available through the Fabric REST Admin APIs for domains. For more information, see Domains API reference.
Track user activity on domains
Whenever a domain is created, edited, or deleted, that activity is recorded in the audit log for Fabric. You can track these activities in the unified audit log or in the Fabric activity log. For information about the information in the Fabric auditing schema that's specific to domains, see Audit schema for domains.