Securing Microsoft Fabric: Implementing Outbound Access Protection for Semantic Models

Outbound Access Protection for semantic models

Microsoft has introduced a preview of Outbound Access Protection for semantic models within Fabric. This feature blocks outbound public access by default at the workspace level, requiring explicit allow-lists for destinations.

Why This Matters

Traditional BI security focuses on report-level permissions and RLS, but fails to address the semantic model as a data movement boundary. In composite models, sensitive values from one source can be pushed into queries against another endpoint or logged externally, creating a security gap where the semantic layer becomes an unintended path between disparate data sources.

Key Insights

• Enforcement occurs on the model’s bound data connection (2026 Preview), ensuring that M expressions and Power Query transformations cannot route around policy.
• Workspace network security is managed via a specific configuration path: Workspace settings > Network security > Outbound access protection > Block outbound public access.
• Local workspace connections, such as those using SQL analytics endpoints or OneLake ADLS Gen2 paths, may still require explicit exceptions despite appearing internal.

Practical Applications

References:

• https://dev.to/shai_karmani_2521c2f8e837/the-power-bi-setting-that-makes-semantic-models-safer-4hh8
• https://shai-kr.github.io/data-ninja-ai-lab/blog/2026-05-19-outbound-access-protection-semantic-models.html