Lakewarden

Governance, access, and operations for Microsoft Fabric — in one place.

Access review, refresh health, capacity consumption, connections, audit, scorecards, and one-click accelerators. No agents to install, no data to export — it runs on your own Entra identity.

14 days free · No credit card to start · Secure delegated sign-in · Your data never leaves your tenant

Access Review & Management

See who can touch every workspace, spot risky access, and assign roles by dragging users and groups — with preview before save.

Refresh & Capacity Health

Catch failing refreshes, schedule collisions, throttling pressure, and CU overage before they hit your users.

One-click Accelerators

Deploy production-ready medallion, MLOps, CDC, and BI patterns into your tenant in seconds — fully wired and bound.

Governance Scorecards

Per-workspace governance grades and a tenant-wide health score that turns sprawl into an action list.

One price. Your whole tenant.

A single subscription covers every user in your organization. Start free, no card required.

Lakewarden
$499 / month
  • Unlimited users in your tenant
  • All governance, ops, and capacity tooling
  • Unlimited accelerator deployments
  • Access review & visual role assignment
  • 14-day free trial — cancel anytime

See full pricing & FAQ →

© Lakewarden. Not affiliated with Microsoft.

Product overview

Everything a Fabric admin needs to govern, secure, and operate the tenant.

Lakewarden connects to Microsoft Fabric with your own Entra identity and turns workspace sprawl, access risk, refresh failures, and capacity pressure into a single, actionable console. No agents, no data export — every call runs through your sign-in against Microsoft's own APIs.

What Lakewarden does

Six jobs, one place — so you stop stitching together the admin portal, capacity metrics app, PowerShell, and spreadsheets.

🛡️

Govern access

See exactly who can reach every workspace and item, flag guests and broad sharing, and assign roles visually with a preview before anything is written.

📈

Operate with confidence

Surface failing refreshes, schedule collisions, and stalled jobs across the tenant before users report them.

⚡

Watch capacity & cost

Track CU consumption per item across every capacity, catch throttling and overage early, and attribute spend back to workspaces and owners.

🧹

Cut the clutter

Find unused reports, datasets, and dashboards — with their owners — so you can retire what nobody opens.

🎯

Score & trend

Per-workspace governance grades, a tenant health score, and day-over-day history so you can prove things are getting better.

🚀

Ship faster

Deploy production-ready medallion, MLOps, CDC, and BI patterns into your tenant in seconds — fully wired and bound.

Inside the console

Lakewarden is organized into focused pages. Each one has a step-by-step how-to guide.

How it connects — and why it's safe

🔑

Your identity, your permissions

Sign-in uses delegated Entra auth. Lakewarden can only ever do what the signed-in admin is already allowed to do.

🏠

Data stays in your tenant

Calls go straight to Microsoft's Fabric, Power BI, and Graph APIs. Lakewarden stores only lightweight governance metadata to power trends and history.

🧩

Nothing to install

No agents, gateways, or VMs. Open the app, sign in, and the first full-tenant scan runs automatically.

📷

Optional daily snapshots

An optional service principal captures a daily snapshot so the History tab can show exactly what changed, even while you're away.

Multi-tenant by design. One admin from each organization consents once; after that everyone in that tenant signs in seamlessly. See the Setup guide.

Try it on your own tenant

14 days free. No credit card. The first scan runs the moment you sign in.

Setup & sign-in guide

Get set up right the first time — and stay signed in for the long run.

Most organizations are live in a few minutes. This guide covers the very first sign-in, the one-time admin consent, the optional daily collector, and how to keep everything healthy month after month.

Before you start

👤

A work or school account

Any Microsoft Entra (Azure AD) account in your organization. Personal Microsoft accounts aren't supported.

🛡️

One admin to consent

The first person from your tenant needs to be able to grant admin consent (Global Administrator or Privileged Role Administrator). After that, everyone else signs in normally.

🗂️

Fabric workspace roles

You'll see whatever your account can see. To review or change access in a workspace, you need Admin or Member on it — exactly as you would in Fabric.

Initial setup — first sign-in

  1. Open Lakewarden and choose “Sign in with Microsoft.” You'll be redirected to your organization's standard Microsoft sign-in page. Allow pop-ups/redirects for the site if prompted.
  2. Grant consent (first admin only). The very first user from your tenant is asked to approve the permissions Lakewarden needs (read workspaces, items, capacities, datasets, and directory info; and write access only for the actions you explicitly take). Tick “Consent on behalf of your organization,” then Accept. Everyone after you skips this step.
  3. Watch the first full-tenant scan. Right after sign-in, Lakewarden runs an animated scan of your workspaces, items, access, and refresh health, showing progress and an ETA. When it finishes, the Command Center (Dashboard) opens.
  4. Confirm your free trial. Your 14-day trial starts automatically on first sign-in — no card required. The trial countdown shows in the top banner and on the Account page.
  5. Take a quick lap. Open Workspaces, expand a row to see items and roles, then run Access Review and Ops Health. Each page has a “?” Help button that opens its how-to guide.

If sign-in shows a consent or AADSTS error: an Entra administrator hasn't approved Lakewarden for your tenant yet. Ask a Global Administrator to sign in once and accept on the organization's behalf, or share the consent link your IT team was given.

Optional: turn on daily snapshots (collector)

Lakewarden works fully on demand. If you also want the History tab to show day-over-day changes — even while nobody is signed in — enable the daily collector. It uses a dedicated service principal to take one snapshot per day. Two tenant settings, set once by a Fabric administrator, make it work:

  1. Admin portal → Tenant settings → Developer settings → enable “Service principals can use Fabric APIs,” scoped to a security group that contains the Lakewarden service principal.
  2. Admin portal → Tenant settings → Admin API settings → enable “Service principals can access read-only admin APIs,” scoped to the same group.

Don't need history? Skip this entirely. Every other page works without it — only the History tab depends on the collector.

Staying set up for the long run

🔁

Re-consent after new features

When Lakewarden adds a capability that needs a new permission, an admin may be prompted to approve it once. If a page reports “insufficient scopes,” sign out and back in, or have an admin re-consent.

🔒

Keep roles current

Lakewarden always reflects live permissions. If you lose Admin/Member on a workspace, write actions there will stop — that's expected and matches Fabric.

💳

Manage the subscription

Before the trial ends, subscribe from the banner or the Account page. Billing is per-tenant and self-serve — update cards, invoices, or cancel anytime from the billing portal.

🔑

Rotate the collector secret

If you enabled daily snapshots, have IT rotate the service-principal secret periodically and keep the two tenant settings scoped to a dedicated group.

Troubleshooting sign-in

The sign-in window is blocked or nothing happens

Allow pop-ups and redirects for the Lakewarden site, then try again. Corporate browsers sometimes block the Microsoft redirect on the first attempt.

“Need admin approval” / AADSTS65001

Admin consent hasn't been granted for your tenant. A Global Administrator signs in once and accepts on behalf of the organization; everyone else then signs in normally.

A page says “insufficient scopes” or 401/403

Your token is missing a permission, or you lack the workspace role for that action. Sign out and back in to refresh the token; if it persists, an admin re-consents the new permission.
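
A diagnostic sketch for the two causes named above, added here as an example and not Lakewarden's own code: it decodes an access token's payload (without verifying the signature, so for troubleshooting only) and separates a missing delegated scope from a workspace-role problem. The sample tokens and the choice of required scope are constructed assumptions; `scp` is the claim Entra uses for delegated scopes.

```python
import base64
import json


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT so the example runs offline."""
    return ".".join([_b64url({"alg": "none"}), _b64url(claims), "constructed"])


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it: for diagnosis, never authz."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, needed: set) -> str:
    """Separate 'token lacks a scope' from 'scope present, role missing'."""
    claims = jwt_claims(token)
    if "scp" not in claims:
        # Entra app-only tokens carry 'roles' rather than delegated 'scp'.
        return "no delegated scopes in token (app-only or wrong token type)"
    missing = needed - set(claims["scp"].split())
    if missing:
        return "missing scopes: " + ", ".join(sorted(missing))
    return "scopes present: check your workspace role"


# Constructed tokens. Item.ReadWrite.All and Tenant.Read.All are the scope
# names this page mentions; pairing them with an action is an assumption.
STALE = make_sample_token({"scp": "Tenant.Read.All"})
FRESH = make_sample_token({"scp": "Item.ReadWrite.All Tenant.Read.All"})

if __name__ == "__main__":
    for name, tok in (("stale", STALE), ("fresh", FRESH)):
        print(name, "->", diagnose(tok, {"Item.ReadWrite.All"}))
```

A "missing scopes" result points to signing in again or admin re-consent; a "scopes present" result points to the Admin or Member role on the workspace.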

History tab says the collector isn't configured

The daily snapshot is optional and off by default. Enable it with the two tenant settings above, or ignore it if you don't need historical change tracking.

I changed something but don't see it

Hard-refresh the page (Ctrl/Cmd + Shift + R). Lakewarden caches scan results in memory for speed; re-running a scan or refreshing pulls the latest.

Ready when you are

Sign in and the first scan runs automatically — usually under a minute.

How-to guides

Step-by-step for every page in Lakewarden.

Pick a page to learn what it shows, how to use it, and the tips that make it faster. The same guides are one tap away inside the app.

Pricing

One simple price for your entire organization.

No per-seat math, no usage meters. One subscription covers every user in your tenant, with a 14-day free trial to start.

Lakewarden
$499 / month
  • Unlimited users in your tenant
  • Governance, access review & visual role assignment
  • Ops health, capacity & CU tracking
  • Cost showback & chargeback
  • Unused-item cleanup, scorecards & history
  • Unlimited accelerator deployments
  • Daily snapshots (optional) & alerting
  • 14-day free trial — cancel anytime

Pricing FAQ

Do I pay per user?

No. One flat subscription covers every user in your Microsoft tenant — admins and viewers alike.

Is a credit card required to try it?

No. The 14-day trial starts on first sign-in with no card. You only enter billing details if you decide to subscribe.

What happens when the trial ends?

Access pauses until you subscribe. Subscribe from the in-app banner or the Account page and you're back instantly — your settings and history are preserved.

Can I cancel anytime?

Yes. Manage your card, invoices, or cancellation from the self-serve billing portal on the Account page. Cancelling stops future charges.

Where does my data live?

Lakewarden calls Microsoft's APIs with your identity; your Fabric content never leaves your tenant. Only lightweight governance metadata is stored to power trends and history.


    Command Center

    The governance pulse of your Fabric tenant. Panels light up as scans run — or run everything at once.

    Needs attention

    Recent tenant activity

    Workspace Inventory

    Workspaces

    Explore, filter, and manage every workspace. Click one for items, access, and creation actions.

    Items

    Every Fabric item across your tenant — reports, semantic models, lakehouses, notebooks, pipelines and more. Search, filter by type or workspace, and jump straight to any workspace.

    Access Review & Management

    Scan workspace roles, explore your Entra ID people & groups, and visually assign access by dragging users onto workspaces.

    Access graph

    Interactive network: workspaces (green boxes) connected to principals. Guests red, groups orange squares, service principals purple. Thick dark edges = Admin.

    Users

    Click Load from Entra ID to populate.

    Security Groups

    Click a group to pin it — pinned groups appear in the Workspace Access tab

    Load users first.

    Drag a user bubble or group chip onto a workspace row to stage an assignment. Review staged changes before applying.

    Workspaces

    Drop users or groups here to stage assignments

    People

    Pinned Groups

    Best-practice templates

    Common Fabric governance group patterns — click to create or use as naming guide.

    Operations Health

    Refresh failures, recent job runs, and schedule collisions across all workspaces.

    Capacity Health & Utilization

    Queries the Capacity Metrics app's Usage Summary tables: per-capacity health, CU utilization over time, throttling pressure, and overage — with an optimization advisor. Requires the Capacity Metrics app installed and access to its workspace.

    Connections

    Every connection your account can see: duplicates, access models, owners, and cleanup candidates. The API doesn't expose live status or last-used dates (yet), so analysis focuses on inventory and access hygiene.

    Accelerators

    One-click deployment of linked, convention-named Fabric architectures. Pick a blueprint, a target workspace, and a project prefix — items are created wired together.

    Items are created as you (Item.ReadWrite.All). The workspace must be on a Fabric capacity. Notebooks are pre-bound to their lakehouses by ID — open one after deploy and the default lakehouse is already attached.

    Governance Scorecard

    Per-workspace governance grade with the full reason for every penalty and one-click fixes. Built automatically from your sign-in scan.

    History (automated)

    Tenant snapshots collected automatically by the service principal (no user sign-in needed). Compare any two days to see exactly what changed.

    Compare two snapshots

    Audit (admin)

    Tenant activity log — every recorded action across Fabric. Requires the Fabric administrator role (the Tenant.Read.All permission is already on the app registration).

    Global Search

    Search all workspace and item names. First search runs a full scan.

    OneLake Explorer

    Browse the full OneLake file hierarchy — workspaces, lakehouses, tables, Delta files, and Delta logs. Expands on demand. Requires OneLake storage access (storage.azure.com/user_impersonation).

    Cost / Chargeback

    Estimated cost from per-item CU usage, rolled up by workspace, item type, and owner. Set your $/CU-hour rate for your region & SKU. Based on the most recent collected CU window.

    Account

    Your profile, organization details, subscription, and team.

    Your profile

    Organization & billing details

    Subscription & billing

    Alerts & notifications

    Get a daily digest and warnings (failed refreshes, risky access) posted to Microsoft Teams or Slack. Paste an incoming-webhook URL from your channel.

    Posts fire when the daily collector runs, plus on-demand via Send test. Teams: channel → Workflows / Incoming Webhook. Slack: Incoming Webhooks app.

    Team members
