Microsoft Fabric Updates Blog

Fabric Workspace Identity: Removing Default Contributor Access for Workspace Identity

A Fabric workspace identity is an automatically managed service principal that can be associated with a Fabric workspace. Fabric workspaces with a workspace identity can securely read or write to firewall-enabled Azure Data Lake Storage Gen2 accounts through trusted workspace access for OneLake shortcuts. Fabric items can use the identity when connecting to resources that support Microsoft Entra authentication. Fabric uses workspace identities to obtain Microsoft Entra tokens without the customer having to manage any credentials. 

Previously, a workspace identity was automatically assigned the workspace contributor role and had access to workspace items.  

As part of our ongoing security hardening efforts and in response to enterprise customer feedback, workspace identities will no longer have the workspace contributor role by default. This change is designed to make it easier to adhere to the principle of least privilege.

What’s Changing? 

Effective July 27, 2025, Microsoft Fabric will remove the default ‘Contributor’ role assignment from Workspace Identities; this affects both: 

  1. New Workspace Identities will no longer be granted Contributor role automatically.
  2. Existing Workspace Identities will no longer have the Contributor role.

Why the change? 

Removing the workspace contributor role granted by default to workspace identities will reduce accidental, unintended, or unauthorized modifications to Fabric items and data. Such modifications may be possible if the workspace identity token is retrieved and then used directly to create or modify Fabric items.

If your workload depends on a workspace identity for automating tasks, such as refreshing datasets or reports, and assumes default Contributor permissions, you must now explicitly assign RBAC roles to these identities.

Important: Modifying the application associated with a Workspace Identity (e.g., changing app registration, permissions, or tenant) is not a supported scenario and may make the identity inoperative.  

Admin Responsibilities and Best Practices 

As a Fabric Admin, you should proactively: 

  1. Review all active Workspace identities:
    • Go to Admin Portal > Fabric identities and audit identities in use.
  2. Validate usage scenarios
    • Determine if the identity is used for:
      • Authentication, trusted access, or a combination of both capabilities in shortcuts and data pipelines, or Fabric warehouse T-SQL COPY: No RBAC role is needed.
      • Automation: Assign roles explicitly to the workspace identity (see below).
  3. Enforce least privilege
    • Use roles like Viewer instead of Contributor or Member, unless write access is strictly necessary.

Assigning a role to a workspace identity explicitly

As an admin or developer, you can still assign a role to the workspace identity explicitly by following these steps:

  • Navigate to the Workspace.
  • Go to Settings > Manage Access > Add people or groups.
  • Add the Workspace Identity explicitly to the Contributor or custom role.

| Role | Action Required |
| --- | --- |
| Fabric Developers | Review all scripts, apps, or tools using Workspace Identity for automation. Add explicit role assignments if needed. |
| Fabric Admins | Audit all workspace identities via the Admin Portal. Update RBAC assignments according to the organization’s access control policies. |
| Security Teams | Reassess any existing role assumptions or threat models related to automated workloads in Fabric. |
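
The review described under Admin Responsibilities can be scripted once role assignments have been exported. The following is an added example, not code from Microsoft or from this post: it classifies each workspace identity by usage and compares its current role with the least-privilege target. The function names, usage labels and all IDs are hypothetical, and the record shape is assumed to follow the Fabric REST "List Workspace Role Assignments" response.

```python
# Added example: least-privilege review of workspace identity role assignments.
# Assumption: assignment records follow the shape of the Fabric REST
# "List Workspace Role Assignments" response; every ID below is constructed.
ROLE_RANK = {"Viewer": 1, "Contributor": 2, "Member": 3, "Admin": 4}

def review_identity(identity_sp_id, usage, needs_write, assignments):
    """Return (finding, recommended_role); a role of None means "no role".
    usage: "trusted_access" (shortcuts, pipelines, T-SQL COPY) or "automation"."""
    current = None
    for a in assignments:
        p = a["principal"]
        if p["type"] == "ServicePrincipal" and p["id"] == identity_sp_id:
            current = a["role"]
    if usage == "trusted_access":
        target = None                      # no RBAC role is needed
    else:
        target = "Contributor" if needs_write else "Viewer"
    if current == target:
        return "ok", target
    if current is None:
        return "missing-role", target      # automation relied on the old default
    if target is None:
        return "unneeded-role", target
    if ROLE_RANK[current] > ROLE_RANK[target]:
        return "over-privileged", target
    return "under-privileged", target

def rec(pid, ptype, role):                 # build one constructed record
    return {"principal": {"id": pid, "type": ptype}, "role": role}

SAMPLE_ASSIGNMENTS = {                     # constructed sample data
    "ws-sales": [rec("sp-1111", "ServicePrincipal", "Contributor"),
                 rec("user-aaaa", "User", "Admin")],
    "ws-ingest": [rec("sp-2222", "ServicePrincipal", "Contributor")],
    "ws-refresh": [rec("user-bbbb", "User", "Member")],
}
INVENTORY = [  # (workspace, identity SP id, usage, needs_write), constructed
    ("ws-sales", "sp-1111", "automation", False),
    ("ws-ingest", "sp-2222", "trusted_access", False),
    ("ws-refresh", "sp-3333", "automation", True),
]

def review_all():
    return {ws: review_identity(sp, usage, write, SAMPLE_ASSIGNMENTS[ws])
            for ws, sp, usage, write in INVENTORY}

if __name__ == "__main__":
    for ws, (finding, role) in review_all().items():
        print(f"{ws}: {finding} -> recommended role: {role}")
```

A "missing-role" finding marks an automation workload that depended on the old default and needs an explicit assignment; "unneeded-role" and "over-privileged" mark assignments to remove or reduce.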

Rollout Timeline 

This update will be rolled out incrementally starting July 27, 2025, and will affect all tenants globally. Fabric admins should also have received targeted notifications in the M365 admin center.  

This change is a security-forward step in reinforcing explicit access management in Microsoft Fabric. We recommend that admins and developers begin reviewing current configurations immediately to ensure uninterrupted workflows and improved compliance. 

We appreciate your partnership and feedback as we continue to enhance the Fabric security model. 
