Fabric Analytics Engineer Associate · 27% of the exam

Maintain a data analytics solution: free practice questions

5 sample questions from our 68-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real Microsoft exam.

1. A Fabric administrator at Southridge Video is implementing security for a warehouse. The requirement is that members of the 'Finance' role should not be able to see the 'SalaryAmount' and 'BonusAmount' columns in the 'EmployeeCompensation' table, but should be able to query all other columns in that table. Which security mechanism should be implemented directly on the Fabric Warehouse to satisfy this requirement?

  • A. Row-level security (RLS) with a DAX filter that excludes salary rows
  • B. Column-level security (CLS) using T-SQL GRANT and DENY permissions on the specific columns✓ Correct
  • C. Object-level security (OLS) configured on the semantic model built on top of the warehouse
  • D. A workspace role assignment that restricts Viewer access to the Finance group
Explanation

Column-level security on a Fabric Warehouse is implemented using T-SQL GRANT/DENY statements on specific columns (e.g., DENY SELECT ON EmployeeCompensation (SalaryAmount, BonusAmount) TO [FinanceRole]). This restricts column access at the warehouse engine level. Row-level security (Option A) restricts which rows are visible based on a predicate, not which columns — it does not address column visibility. Object-level security (Option C) is a semantic model–layer feature that hides tables or columns from the model perspective; it does not enforce security at the warehouse storage/query engine level, so users with direct warehouse access would bypass it. Workspace role assignment (Option D) controls whether users can access the workspace and its items, but does not restrict specific columns within a table.

2. Tailspin Toys has a Microsoft Fabric lakehouse containing a Delta table called SalesTransactions. Analysts must be prevented from viewing the CreditCardNumber and SSN columns. Other columns in the same table must remain fully accessible. The solution must apply to all query paths against the lakehouse, including the SQL analytics endpoint and direct Spark queries. Which TWO actions should be taken to implement this requirement? (Select TWO.)

  • A. Enable column-level security in the SQL analytics endpoint by revoking SELECT permission on the restricted columns for the analyst role✓ Correct
  • B. Create a OneLake data access role and define a column mask or column restriction on the CreditCardNumber and SSN columns within the lakehouse✓ Correct
  • C. Apply a sensitivity label with 'Highly Confidential' classification to the SalesTransactions table
  • D. Define column-level security (CLS) on a shared semantic model built on top of the lakehouse and instruct all analysts to use only that model
  • E. Remove the CreditCardNumber and SSN columns from the lakehouse and store them in a separate, restricted lakehouse
  • F. Use object-level security on the SQL analytics endpoint to hide the entire SalesTransactions table from analysts
Explanation

To restrict specific columns across all query paths, two complementary controls are needed. First, revoking SELECT permission on CreditCardNumber and SSN columns via the SQL analytics endpoint enforces column-level security for SQL-based queries. Second, defining column restrictions within a OneLake data access role applies the restriction at the OneLake storage layer, covering Spark and other non-SQL query paths. Together, these two controls enforce the requirement across all access methods. A sensitivity label classifies and potentially encrypts the item for export/sharing purposes but does not prevent analysts from reading column values during a live query. Defining CLS on a shared semantic model only protects access through that specific model; analysts querying the lakehouse directly via Spark or SQL would bypass it. Removing and relocating columns is a data architecture change that is destructive and operationally complex—not an access control mechanism. Hiding the entire table via object-level security would deny access to all columns, violating the requirement that other columns remain accessible.

3. A Fabric workspace is connected to a Git branch in GitHub. Two developers — Alice and Bob — are each working on different reports in their own feature branches. Alice merges her branch into the main branch. Bob then wants to merge his branch but is told there is a merge conflict on the workspace.json file. What is the MOST appropriate next step for Bob to resolve this?

  • A. Bob should disconnect the Fabric workspace from Git, delete the conflicting items, and reconnect to the main branch.
  • B. Bob should resolve the conflict in the GitHub repository (e.g., using a pull request merge conflict editor or locally via Git), then update the Fabric workspace from the resolved main branch.✓ Correct
  • C. Bob should use the Fabric deployment pipeline to overwrite the main branch with his feature branch content.
  • D. Bob should republish all his reports from Power BI Desktop to force-overwrite the workspace, then commit.
Explanation

Git merge conflicts must be resolved in the Git repository itself using standard Git workflows (pull request conflict resolution, local merge, etc.). Once the conflict is resolved and the main branch is updated, Bob can pull the changes into the Fabric workspace using the Source control 'Update' function. Disconnecting and reconnecting Git is destructive and unnecessary for a merge conflict. Deployment pipelines move content between pipeline stages; they cannot resolve Git branch conflicts. Republishing from Desktop would push uncommitted changes and could overwrite Alice's already-merged work, creating data loss and further conflict.

4. A Fabric administrator at Northwind Traders runs an impact analysis on a semantic model and discovers that 14 reports across 6 workspaces depend on it. The team is planning to rename two tables in the model as part of a schema refactoring effort. What does the impact analysis view directly enable the administrator to do with the identified downstream reports?

  • A. Automatically update all 14 downstream reports to use the new table names after the rename is applied.
  • B. View the list of dependent items and contact their owners directly from the impact analysis panel to notify them of the planned change.✓ Correct
  • C. Revert the semantic model to a previous version to avoid breaking the downstream reports.
  • D. Promote all 14 downstream reports to Certified status so they are tracked before the change is made.
Explanation

The impact analysis view in Microsoft Fabric provides a list of all downstream dependent items and allows the administrator or model owner to send notifications to the owners of those items directly from the panel — this is a key feature designed to facilitate communication before making breaking changes. Impact analysis does not automatically update downstream reports (Option A) — that would require manual rework or republishing by report authors after the schema change. Impact analysis does not provide version rollback functionality (Option C) — that capability is related to Git integration or backup/restore, not impact analysis. Promoting items to Certified (Option D) is an endorsement action unrelated to impact analysis; impact analysis is a read and notification tool, not an endorsement workflow.

5. A data engineer at Lakeview Analytics stores raw CSV files in the Files section of a Microsoft Fabric lakehouse. A requirement states that users in the 'ExternalAuditors' Azure AD group should be able to read only the files in the '/audit-reports/' folder and must have no access to any other folder in the lakehouse. What is the correct approach to implement this file-level access control in Fabric?

  • A. Assign the ExternalAuditors group the Viewer workspace role, which automatically restricts their access to the /audit-reports/ folder only.
  • B. Use OneLake data access roles to define a custom role that scopes read permissions to the specific /audit-reports/ folder path in the lakehouse, and assign the ExternalAuditors group to that role.✓ Correct
  • C. Apply a Microsoft Purview sensitivity label named 'Audit-Only' to the /audit-reports/ folder and configure an access policy in Purview to allow only ExternalAuditors.
  • D. Create a row-level security rule on the lakehouse Delta tables that filters rows tagged with 'audit-report' metadata for the ExternalAuditors group.
Explanation

OneLake data access roles (formerly OneLake security) allow administrators to define custom roles that grant read access to specific folders or paths within a lakehouse, enabling fine-grained file-level access control. Assigning the ExternalAuditors group to a role scoped to /audit-reports/ ensures they can only access that folder. The Viewer workspace role (Option A) grants access to all items in the workspace at the item level — it does not provide folder-level granularity within a lakehouse's Files section. Sensitivity labels (Option C) classify and protect data for compliance purposes; they do not function as access control mechanisms for folder-level permissions within OneLake. Row-level security (Option D) applies to structured Delta table data, not to unstructured files in the Files section of a lakehouse.

63 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free