Microsoft Fabric Updates Blog

Introducing Trusted Workspace Access for OneLake Shortcuts 

A new feature that enables secure and seamless access to ADLS Gen2 storage accounts from OneLake shortcuts in Fabric 

We are excited to announce Trusted workspace access, a new feature in Fabric that allows you to securely access firewall-enabled Storage accounts. With Trusted workspace access, you can create OneLake shortcuts to Storage accounts, and then use the shortcuts in various Fabric items, such as Spark notebooks, SQL analytics endpoints, semantic models, reports, data pipelines, and dataflows Gen2.  

Trusted workspace access is designed to help you securely and easily access data stored in Storage accounts from Fabric workspaces, without compromising on performance or functionality. You can leverage the power and flexibility of Fabric and OneLake to work with data in place without compromising on security. 

How does Trusted workspace access work?

Trusted workspace access is based on the concept of workspace identity, which is a unique identity that can be associated with workspaces that are in Fabric capacities. When you create a workspace identity, Fabric creates a service principal in Microsoft Entra ID to represent the identity.  

A workspace identity enables OneLake shortcuts in Fabric to access Storage accounts that have resource instance rules configured. Resource instance rules are a way to grant access to specific resources based on the workspace identity or managed identity. You can create resource instance rules by deploying an ARM template with the resource instance rule details. 

To leverage Trusted workspace access in Fabric workspaces, you can create a OneLake shortcut in a Lakehouse, and provide the URL of the Storage account that has been configured with a resource instance rule. While creating the shortcut, you need to select organizational account or service principal for authentication, and ensure that the principal used for authenticating to Storage has the appropriate Azure RBAC roles on the Storage account. Once the shortcut is created, you can use it in various Fabric items. 

What are the benefits and use cases of Trusted workspace access? 

Trusted workspace access offers several benefits and use cases for Fabric users, such as: 

  • Secure access to firewall-enabled Storage accounts from OneLake shortcuts  in Fabric workspaces, without the need to open the Storage account to public access. 
  • Seamlessly access firewall-enabled Storage accounts without complicated network setup. 
  • Ability to configure specific Fabric workspaces to access Storage account.  
  • Improved performance and scalability without the need to copy or move data. 
  • Ability to leverage trusted workspace access across different experiences like SQL analytics endpoints, and semantic models and reports (through OneLake shortcuts).

How to get started with Trusted workspace access?

Trusted workspace access is available for workspaces in Fabric capacities (F64 or higher). To get started with Trusted workspace access, you need to do the following steps: 

  1. Create a workspace identity for your Fabric workspace, if you don’t have one already. If you face issues with creation of the workspace identity, follow the troubleshooting guidelines provided here.
Create a workspace identity

2. Configure resource instance rules for the Storage account that you want to access from your Fabric workspace. Follow the guidelines for configuring resource instance rules for Fabric workspaces here.

Resource instance rules in a Storage account

3. Create a OneLake shortcut to the Storage account in a Lakehouse, and select the organizational account or service principal option for authentication.  

Create an ADLS g2 shortcut in a Lakehouse
Create an ADLS g2 shortcut in a Lakehouse

4. Use the OneLake shortcut in various Fabric items, such as Spark notebooks, SQL analytics endpoints, semantic models, reports, data pipelines, and dataflows Gen2.  

Access data stored in firewall-enabled Storage accounts through OneLake shortcuts

For more details and guidance on how to use Trusted workspace access, please refer to the documentation links below. 

We hope you use Trusted workspace access, and we would love to hear your feedback and suggestions.  Have any questions or feedback? Leave a comment below! 

Related blog posts

Introducing Trusted Workspace Access for OneLake Shortcuts 

April 16, 2024 by Ruixin Xu

We are pleased to share a set of key updates regarding the Copilot in Microsoft Fabric experiences. The information in this blog post has also been shared with Fabric tenant administrators. Below are the highlights of the changes. This change is an important milestone to eventually allow Copilot to reach GA within this year. See … Continue reading “Copilot in MS Fabric: Soon available to more users in your organization“

April 15, 2024 by Santhosh Kumar Ravindran

Users orchestrate their data engineering or data science processes using notebooks and in most of the enterprise scenarios pipelines and job schedulers are used as a primary option to schedule and trigger these Spark jobs. We are thrilled to announce a new feature Job Queueing for Notebook Jobs in Microsoft Fabric. This feature aims to … Continue reading “Introducing Job Queueing for Notebook in Microsoft Fabric”