Microsoft Fabric Analytics Engineer Associate (DP-600) (DP-600) practice questions

An analytics engineer joins a "Microsoft Fabric" workspace and must be able to create and edit reports, semantic models, and a "Lakehouse", and to publish content into the workspace. The team lead wants this person to have the lowest workspace role that still allows authoring all those items, without the ability to add or remove other users or change workspace settings. Which workspace role should be assigned?

• AAssign the Contributor role, which lets the engineer create, edit, and publish workspace items while withholding the ability to manage workspace access and settings.check_circle Correct
• BAssign the Viewer role, which lets the engineer open and consume the workspace items and refresh any semantic models that back the published reports.
• CAssign the Member role, which lets the engineer author all items and additionally share the workspace and add other users with lower roles.
• DAssign the Admin role, which grants full authoring plus control over workspace settings, user roles, and deletion of the entire workspace.

Why A is correct: Contributor is the lowest role that grants full authoring of items yet excludes adding users and changing settings, matching the least-privilege authoring requirement exactly.

Why B is wrong: Viewer is read-only and cannot create or edit items, so it cannot satisfy a requirement to author reports, semantic models, and a Lakehouse.

Why C is wrong: Member does grant authoring, but it also lets the user add others and reshare, exceeding the stated limit of no access management, so it is not the lowest sufficient role.

Why D is wrong: Admin gives the broadest control including settings and user management, far more than authoring needs, so it breaks the least-privilege constraint the lead set.

A single Power BI report in a "Microsoft Fabric" workspace must be made available to one external auditor who needs to view only that report and nothing else in the workspace. The auditor should not appear in the workspace role list and should not gain access to other reports, the "Lakehouse", or the semantic models stored alongside it. What is the most appropriate way to grant this access?

• AAdd the auditor to the workspace with the Viewer role so the read scope is limited to viewing rather than editing any of the contained items.
• BShare the individual report with the auditor using item-level sharing, granting read access to just that report without adding the auditor to any workspace role.check_circle Correct
• CCreate a OneLake data access role on the underlying "Lakehouse" and map the auditor to it so the report data is reachable through that role.
• DPublish the workspace as an app and add the auditor to the app audience so the single report is delivered through the packaged app instead.

Why A is wrong: Viewer is scoped to the whole workspace, so the auditor would see every report and item there, breaking the requirement to expose only one report.

Why B is correct: Item-level sharing grants access to a single item without workspace membership, so the auditor sees only that report and never appears in the workspace role list.

Why C is wrong: OneLake data access roles govern table and folder access in a Lakehouse, not visibility of a Power BI report, so they cannot scope report viewing.

Why D is wrong: An app can scope content, but building and maintaining an app for one external viewer is heavier than directly sharing the one report the requirement names.

A "Lakehouse" in a "Microsoft Fabric" workspace stores several folders of files, and a group of data scientists who already hold the Viewer workspace role must be allowed to read only one specific folder of those files through OneLake, while remaining blocked from the other folders. Which approach grants that folder-scoped read access most directly?

• APromote the data scientists to the Contributor workspace role so their elevated role lets them reach the single folder they need inside the Lakehouse.
• BApply row-level security filters on the semantic model built over the Lakehouse so the data scientists only see rows sourced from the permitted folder.
• CCreate a OneLake data access role on the Lakehouse that grants read permission scoped to the specific folder and assign the data scientists to that role.check_circle Correct
• DUse item-level sharing to share the whole Lakehouse with the data scientists, relying on the share dialog to limit them to the one folder.

Why A is wrong: Contributor raises rights across the whole workspace and all Lakehouse data, which over-grants access and still does not scope reading to one folder.

Why B is wrong: Row-level security restricts rows returned by a semantic model, not direct OneLake file access to a folder, so it does not control reading the files themselves.

Why C is correct: OneLake data access roles define read permissions scoped to chosen folders or tables, so a role over just that folder grants exactly the targeted file access required.

Why D is wrong: Sharing the Lakehouse item grants access to the item broadly and the share dialog does not carve out individual folders, so it cannot enforce folder-level scoping.