Microsoft Fabric Updates Blog

Introducing Trusted Workspace Access for OneLake Shortcuts 

A new feature that enables secure and seamless access to ADLS Gen2 storage accounts from OneLake shortcuts in Fabric 

We are excited to announce Trusted workspace access, a new feature in Fabric that allows you to securely access firewall-enabled Storage accounts. With Trusted workspace access, you can create OneLake shortcuts to Storage accounts, and then use the shortcuts in various Fabric items, such as Spark notebooks, SQL analytics endpoints, semantic models, reports, data pipelines, and dataflows Gen2.  

Trusted workspace access is designed to help you securely and easily access data stored in Storage accounts from Fabric workspaces, without compromising on performance or functionality. You can leverage the power and flexibility of Fabric and OneLake to work with data in place without compromising on security. 

How does Trusted workspace access work?

Trusted workspace access is based on the concept of workspace identity, which is a unique identity that can be associated with workspaces that are in Fabric capacities. When you create a workspace identity, Fabric creates a service principal in Microsoft Entra ID to represent the identity.  

A workspace identity enables OneLake shortcuts in Fabric to access Storage accounts that have resource instance rules configured. Resource instance rules are a way to grant access to specific resources based on the workspace identity or managed identity. You can create resource instance rules by deploying an ARM template with the resource instance rule details. 

To leverage Trusted workspace access in Fabric workspaces, you can create a OneLake shortcut in a Lakehouse, and provide the URL of the Storage account that has been configured with a resource instance rule. While creating the shortcut, you need to select organizational account or service principal for authentication, and ensure that the principal used for authenticating to Storage has the appropriate Azure RBAC roles on the Storage account. Once the shortcut is created, you can use it in various Fabric items. 
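The resource instance rules described in this section are worth reviewing before the ARM template is deployed. The following is an added example, not code from the original post or from Microsoft: a small audit that checks a template keeps the firewall enabled and grants access only to approved workspaces. The Fabric workspace resource ID shape, the `audit_template` helper and every GUID and name in the sample are assumptions or constructed placeholders.

```python
import re

# Assumed shape of a Fabric workspace resource ID (not stated on this page);
# the trailing GUID is the workspace ID.
WORKSPACE_RE = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}/resourcegroups/fabric/providers/"
    r"microsoft\.fabric/workspaces/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$")

def audit_template(template, tenant_id, allowed_workspaces):
    """Return findings for every storage account in an ARM template (hypothetical helper)."""
    allowed = {w.lower() for w in allowed_workspaces}
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.storage/storageaccounts":
            continue
        name = res.get("name", "<unnamed>")
        acls = res.get("properties", {}).get("networkAcls", {})
        # The rules only matter if the firewall denies traffic by default.
        if str(acls.get("defaultAction", "")).lower() != "deny":
            findings.append(f"{name}: defaultAction is not Deny, firewall is not enforced")
        for rule in acls.get("resourceAccessRules", []):
            rid = str(rule.get("resourceId", ""))
            m = WORKSPACE_RE.match(rid.lower())
            if not m:
                findings.append(f"{name}: rule is not pinned to one Fabric workspace: {rid}")
            elif m.group(1) not in allowed:
                findings.append(f"{name}: workspace {m.group(1)} is not on the allowlist")
            if str(rule.get("tenantId", "")).lower() != tenant_id.lower():
                findings.append(f"{name}: rule for {rid} names an unexpected tenant")
    return findings

# Constructed sample input: all GUIDs and names are placeholders.
TENANT = "11111111-1111-1111-1111-111111111111"
WS_OK = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/Fabric"
          "/providers/Microsoft.Fabric/workspaces/")
SAMPLE = {"resources": [{
    "type": "Microsoft.Storage/storageAccounts",
    "name": "examplestorage",
    "properties": {"networkAcls": {
        "defaultAction": "Deny",
        "resourceAccessRules": [
            {"tenantId": TENANT, "resourceId": PREFIX + WS_OK},
            {"tenantId": TENANT, "resourceId": PREFIX + "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"},
            {"tenantId": "22222222-2222-2222-2222-222222222222", "resourceId": PREFIX + WS_OK},
            {"tenantId": TENANT, "resourceId": PREFIX + "*"},  # constructed: not one workspace
        ]}}}]}

if __name__ == "__main__":
    for finding in audit_template(SAMPLE, TENANT, [WS_OK]):
        print(finding)
```
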

What are the benefits and use cases of Trusted workspace access? 

Trusted workspace access offers several benefits and use cases for Fabric users, such as: 

  • Secure access to firewall-enabled Storage accounts from OneLake shortcuts in Fabric workspaces, without the need to open the Storage account to public access.
  • Seamless access to firewall-enabled Storage accounts without complicated network setup.
  • Ability to configure specific Fabric workspaces to access a Storage account.
  • Improved performance and scalability without the need to copy or move data.
  • Ability to leverage Trusted workspace access across different experiences, such as SQL analytics endpoints, semantic models, and reports (through OneLake shortcuts).

How to get started with Trusted workspace access?

Trusted workspace access is available for workspaces in Fabric capacities (F64 or higher). To get started with Trusted workspace access, complete the following steps:

1. Create a workspace identity for your Fabric workspace, if you don’t have one already. If you face issues with creation of the workspace identity, follow the troubleshooting guidelines provided here.

Create a workspace identity

2. Configure resource instance rules for the Storage account that you want to access from your Fabric workspace. Follow the guidelines for configuring resource instance rules for Fabric workspaces here.

Resource instance rules in a Storage account

3. Create a OneLake shortcut to the Storage account in a Lakehouse, and select the organizational account or service principal option for authentication.  

Create an ADLS g2 shortcut in a Lakehouse

4. Use the OneLake shortcut in various Fabric items, such as Spark notebooks, SQL analytics endpoints, semantic models, reports, data pipelines, and dataflows Gen2.  

Access data stored in firewall-enabled Storage accounts through OneLake shortcuts

For more details and guidance on how to use Trusted workspace access, please refer to the documentation links below. 

We hope you use Trusted workspace access, and we would love to hear your feedback and suggestions.  Have any questions or feedback? Leave a comment below! 
