The OneLake catalog in Fabric: Explore, Govern, Secure

Once your Fabric tenant grows past a few workspaces, data discovery gets weird fast. Duplicates multiply. People stop trusting what they find. And security teams start hearing things like, “I think only the right people have access” (which is never a comforting sentence).

The OneLake catalog is Fabric’s centralized place to find and explore items, and to govern and secure the data you own. Over the past year, the OneLake catalog has seen a tremendous wave of new capabilities added across discovery, governance, and security—and the pace of innovation hasn’t slowed. Microsoft continues to expand it rapidly, with many more features expected as the catalog becomes the central experience for understanding and managing your Fabric data estate.

This blog is a practical walkthrough of the three tabs in the catalog: Explore (find and validate), Govern (see what’s missing and fix it), and Secure (audit and manage access). 

Setting the stage

Let’s use a realistic (generic) setup. Your company has domains like Finance and Sales. Each domain has Bronze, Silver, and Gold workspaces, plus at least one Sandbox workspace where “temporary” assets go to live forever. Domains matter because all users can see the domains defined in the tenant, and the catalog’s domain selector lets people scope what they’re browsing (and what admins are assessing) to a specific domain or subdomain. 

| Catalog tab | Key features | Typical users | Daily tasks |
|---|---|---|---|
| Explore | Item list + filters + item details (metadata, lineage, permissions) | Analysts, report creators | Find trusted items, preview data |
| Govern | Insights + recommended actions + deeper reports | Fabric admins, data owners | Improve labels, descriptions, endorsements, freshness |
| Secure | Workspace roles + OneLake security roles in one view | Security/compliance, admins | Audit access, manage roles, support investigations |

Explore

Here’s the bottom line: Explore is where analysts go to find data, evaluate it, and decide if they trust it before building anything on top of it.

The Explore tab gives you a single place to search and browse across your Fabric items. You get filters, domains, and an item details pane—all without losing your place. And more importantly, you get signals that help you decide if something is worth using: owner, last refresh, endorsements, and sensitivity labels.

It’s important to understand that the OneLake catalog Explore tab is primarily permission-scoped. In general, it shows only the data assets you already have permission to access, meaning what you see is not the full picture of your organization’s data estate—it’s just your slice of it.

There is one important exception: semantic models that are explicitly configured as discoverable can appear in Explore even if you don’t yet have access to them, allowing you to manually request access through your organization’s standard approval process. Outside of these discoverable semantic models, other Fabric items that you don’t have permission to see are not visible. As a result, users may be unaware that similar data already exists elsewhere in the organization and may unintentionally recreate data in a new lakehouse simply because the existing data isn’t visible to them.

If you’ve used Microsoft Purview before, think of Explore as the in-product, day-to-day experience for discovery inside Fabric. It gives you what you need right where you are working—fast search, filtering, metadata, and limited lineage—all without leaving Fabric.

This is where the Microsoft Purview Unified Catalog comes in. Purview is designed to provide organization-wide visibility, ownership, and governed discovery—helping users understand what data already exists, who owns it, and how it should be reused. It plays a key role in preventing unnecessary duplication by making data discoverable even when you don’t yet have access to it.

You might be wondering how Explore compares to Microsoft Purview—and it’s a fair question. Explore gives you the core capabilities you need inside Fabric: basic lineage, search, filtering, metadata visibility, and access requests. It’s designed for speed and usability so you can get in, find what you need, and move on.

Purview goes quite a bit further. It offers deeper lineage across multiple systems, more advanced search and filtering across the entire data estate, richer metadata management (including the ability to curate and extend it), governance constructs like domains and data products at a broader level, and more comprehensive reporting on your data landscape.

Think of Purview as the “Catalog of Catalogs”.

So don’t think of this as one replacing the other. Think of it as layers. Explore helps you get your work done right now. Purview helps your organization understand and manage data at scale.

Now, if I were sitting next to you and you asked, “What should I actually do in here?”, I’d keep it simple:

  • Filter by domain first, then workspace. This alone saves you from digging through sandbox chaos.
  • Open item details and actually read the description (you’d be surprised how often this is skipped).
  • Look for endorsements—certified or promoted items are your safest starting point.
  • Check lineage if what you’re building matters downstream.

Govern

Let’s define what Govern is: it turns governance from a quarterly initiative into a daily backlog of fixes. The Govern tab provides insights plus recommended actions to improve governance posture. Fabric admins see tenant-wide insights based on tenant metadata (items, workspaces, capacities, domains). Data owners can focus on their own inventory using My items. 

One important point that often surprises people: you do not need Microsoft Purview to use the governance capabilities in the OneLake catalog. The governance features in the Govern tab work natively inside Fabric. You can manage domains, endorsements, ownership metadata, and many governance insights without deploying Purview at all.

However, if your organization is using Microsoft Purview together with Fabric, the experience becomes much richer. Purview extends what Fabric can already do by adding enterprise-wide capabilities like cross-platform data discovery, advanced classification, broader data loss prevention policies, and deeper compliance and auditing features. Fabric governance works on its own, but Purview expands the reach across your entire data estate.

Two practical details matter. First, admin insights are driven by Admin Monitoring Storage in the Admin Monitoring workspace and refresh daily (so expect some lag). Second, the data-owner report refreshes when owners open the Govern tab (with a manual refresh option). 

When you hit View more, you get expanded insights, including security insights that were previously available in the Microsoft Purview hub within Fabric. The expanded views cover: “Manage your data estate” (inventory, capacities/domains, feature usage), “Protect, secure & comply” (sensitivity label coverage and DLP evaluation coverage), and “Discover, trust, and reuse” (freshness, description/endorsement coverage, and sharing). You also get access to the “Item explorer” view, which lets you drill into the actual items behind the metrics—so instead of just seeing that something is missing (like labels or descriptions), you can immediately identify and take action on the specific items that need attention.

How I’d use this in the real world (without making it a second job): pick a domain, then pick one improvement loop. Start with sensitivity labels, move to descriptions, then endorsements. Do it domain by domain, not tenant-wide all at once. Domains are designed for distributed governance, with clear roles (Fabric admin, domain admin, domain contributor/workspace admin) and the ability to delegate certain settings down to domain admins. 

Pair Govern with operational evidence. If an insight points to stale or failing data, jump into the item’s Monitor history (from item details) or use the monitoring hub to review recent activity and error details. 

And don’t forget the “settings side” of governance. Certification and master data endorsement exist, but they’re controlled by tenant settings and reviewer groups. Item certification can be delegated so domain admins manage certification rules for their domain. Domains can also support delegated settings like a domain-level default sensitivity label (if your organization enables that feature), which is one of the easiest ways to make “born labeled” the default. 

Secure

Here’s the bottom line: Secure is where you answer “who can access what” with evidence. The Secure tab centralizes security management by showing workspace roles/permissions and OneLake security roles across items, and it supports auditing and role management from one place. 

Day-to-day, there are two views to know. “View users” shows each user, group, or application with roles across selected workspaces, with filters and search to verify access quickly. “View security roles” shows OneLake security roles across items and workspaces (role name, permission, location, data owner), and lets admins create, edit, delete, or duplicate roles. 
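
The same per-principal pivot that "View users" presents can be reproduced offline for a periodic access review. The following is an added example, not code from this post or from Microsoft: the rows are constructed, and the field names, the "<Domain>-<Tier>" workspace naming, and the two review rules are assumptions to adapt to your own export and policy.

```python
from collections import defaultdict

# Constructed sample rows, not real tenant data. Field names and the
# "<Domain>-<Tier>" workspace naming are assumptions made for this example.
ASSIGNMENTS = [
    {"principal": "grp-finance-eng", "type": "Group", "workspace": "Finance-Gold", "role": "Contributor"},
    {"principal": "grp-finance-analysts", "type": "Group", "workspace": "Finance-Gold", "role": "Viewer"},
    {"principal": "alice@contoso.example", "type": "User", "workspace": "Finance-Gold", "role": "Admin"},
    {"principal": "alice@contoso.example", "type": "User", "workspace": "Finance-Sandbox", "role": "Admin"},
    {"principal": "bob@contoso.example", "type": "User", "workspace": "Sales-Gold", "role": "Viewer"},
    {"principal": "spn-ingest", "type": "ServicePrincipal", "workspace": "Sales-Bronze", "role": "Contributor"},
    {"principal": "spn-ingest", "type": "ServicePrincipal", "workspace": "Sales-Gold", "role": "Member"},
]

# Fabric workspace roles that can change content (Viewer is read-only).
WRITE_ROLES = {"Admin", "Member", "Contributor"}


def pivot_by_principal(rows):
    """Principal -> {workspace: role}, the same shape as the 'View users' grid."""
    view = defaultdict(dict)
    for row in rows:
        view[(row["principal"], row["type"])][row["workspace"]] = row["role"]
    return dict(view)


def audit(rows):
    """Return (principal, workspace, reason) tuples for assignments worth a review."""
    findings = []
    for (name, ptype), roles in sorted(pivot_by_principal(rows).items()):
        for workspace, role in sorted(roles.items()):
            tier = workspace.rsplit("-", 1)[-1]  # assumed naming: tier is the suffix
            if ptype == "User" and role == "Admin":
                # Assumed rule: Admin should be held through a group, not a person.
                findings.append((name, workspace, "Admin granted to an individual, not a group"))
            elif ptype != "Group" and tier == "Gold" and role in WRITE_ROLES:
                # Assumed rule: curated (Gold) data is written only via reviewed groups.
                findings.append((name, workspace, "direct write access to a Gold workspace"))
    return findings


if __name__ == "__main__":
    for name, workspace, reason in audit(ASSIGNMENTS):
        print(f"{name:24} {workspace:16} {reason}")
```

Running the review on a schedule and diffing the findings against the previous run shows access drift between audits.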

OneLake security is now generally available, and this is a big deal. It gives you data-level security directly in Fabric, where you can define roles that control access down to folders, tables, and even rows or columns. And the key advantage is consistency—you define security once in OneLake, and it is enforced across all Fabric experiences, including Power BI (Direct Lake and semantic models), SQL analytics endpoints and Warehouses, Spark notebooks and Data Engineering workloads, and Real-Time Intelligence (KQL databases and Eventhouse).

Now add policies, because that’s how security teams scale. Sensitivity labels can be applied to Fabric items (from the item header or in item settings). These policies are not created in Fabric—they are defined in Microsoft Purview and then enforced in Fabric. Protection policies can then use those labels to restrict access: allowed users/groups retain access while everyone else is blocked, and the catalog’s item Permissions tab can show who has access (including restrictions).

At this point, it helps to separate what you do in Fabric versus what you do in Purview. Inside Fabric, the Secure tab is your operational control center. This is where you assign roles, review access, apply labels, and manage OneLake security. It’s built for day-to-day access management and quick answers when someone asks, “who has access to this?”

Purview, on the other hand, extends this into enterprise-wide security and compliance. It gives you capabilities like centralized auditing across multiple systems, advanced data loss prevention policies, richer classification of sensitive data, and broader compliance reporting. Fabric handles the “how is access enforced right now,” while Purview helps answer “are we meeting our organization’s security and compliance requirements everywhere.”

DLP policies can detect sensitive data uploaded into OneLake-supported items and generate policy tips and alerts. And Fabric activities are available through Purview Audit, which is the evidence trail you want when questions get serious (and they always do). 

So think of it this way: Fabric gives you strong, built-in security that works immediately and consistently within your data platform. Purview builds on top of that foundation and gives you more advanced capabilities across your entire data estate. You don’t need Purview to secure your data in Fabric—but if you have it, you significantly expand what’s possible.

Bringing it all together

One of the most important things to understand about the OneLake catalog in Fabric is what it is—and what it isn’t. It’s a lightweight, in-product discovery experience designed to help analysts find and evaluate data they already have access to. It does that job well. But it is not a full enterprise data governance solution, and that distinction becomes clear when you compare it to Microsoft Purview.

You don’t need Microsoft Purview to get started. Fabric gives you a lot out of the box—enough to organize, discover, and secure your data in a very practical way. For many teams early on, that’s exactly what they need. But as your environment grows, and as governance becomes more than just “keeping things organized,” you start to need more.

Purview operates at an entirely different level. It provides organization-wide visibility into data assets—even those you don’t yet have access to—along with the ability to request access through built-in approval workflows that can automatically provision permissions. It also introduces a business glossary, allowing organizations to define common terms and map them to technical assets, creating a shared language between business and IT. On top of that, Purview adds structure through governance domains and data products, enabling clear ownership, stewardship, and accountability across the enterprise.

To make this more concrete, here are some of the key capabilities that exist in Purview but are missing or very limited in the OneLake catalog today:

  • Business glossary and shared definitions – No native way in Fabric to define business terms and map them to data assets
  • Access request workflows – No built-in way to request, approve, and track access to data you don’t already have
  • Data quality framework – No support for defining rules, scoring data quality, or monitoring trends over time
  • Organization-wide discovery – Fabric only shows data you already have access to, and only within Fabric. That means you can’t see assets outside of Fabric, and you also won’t see Fabric items you don’t have permission to access. As a result, users often lack visibility into what already exists across the organization, which can lead to missed reuse opportunities and unnecessary duplication of data.
  • Governance domains and data products – No formal structure for organizing data ownership and accountability
  • Automated scanning of external systems – Fabric catalog is limited to Fabric; Purview scans across hybrid and multi-cloud sources
  • End-to-end lineage across platforms – Fabric lineage is mostly scoped within Fabric, not across the full data estate
  • Rich metadata and classification – Limited extensibility compared to Purview’s custom metadata and classification capabilities
  • Policy management and enforcement – No centralized governance policy engine in Fabric
  • Audit and compliance reporting – Limited governance reporting compared to Purview’s enterprise capabilities

The bottom line: the OneLake catalog helps you discover and trust data within your current permissions, while Purview helps your organization understand, govern, and manage all of its data. Fabric gets you started quickly—but Purview is what you bring in when governance needs to scale across the enterprise.

Here’s a simple way to think about the relationship between Fabric and Purview—this visual makes it click (graphic courtesy of Prashant Atri):

Wrap-up

Explore is where people discover and validate. Govern is where you find the trust gaps and fix them. Secure is where you prove and manage access. If you want a simple operating rhythm: analysts live in Explore, data owners spend a small weekly block in Govern, and admins/security teams check Govern and Secure to keep posture and access from drifting. 

If you want to go deeper on how Fabric and Purview fit into a broader enterprise strategy, Microsoft’s Cloud Adoption Framework provides guidance on building a unified data governance foundation across your entire data estate: Data governance and security baselines with Microsoft Purview.

More info:

Explore Fabric Security insights in the OneLake catalog – Govern tab | Microsoft Fabric Blog | Microsoft Fabric

OneLake catalog overview – Microsoft Fabric | Microsoft Learn

What’s New? – Microsoft Fabric | Microsoft Learn

OneLake catalog: The trusted catalog for organizations worldwide | Microsoft Fabric Blog | Microsoft Fabric

The post The OneLake catalog in Fabric: Explore, Govern, Secure first appeared on James Serra's Blog.
