Microsoft Fabric Updates Blog

Introducing Workspace Identity Authentication for OneLake Shortcuts and Data Pipelines 

We are excited to announce the launch of authentication with workspace identity for OneLake external shortcuts and data pipelines. Previously, we announced workspace identity for trusted access in OneLake shortcuts, data pipelines, and the DW Copy statement. Now, you can also use workspace identity as an authentication method for the Azure Data Lake Storage Gen2 (ADLS Gen2) connector in OneLake shortcuts and data pipelines.

Benefits of authentication with workspace identity

Workspace identity is an automatically managed service principal that can be associated with workspaces in any capacity (except My Workspaces). When you create a workspace identity, Fabric creates a service principal in Microsoft Entra ID to represent the identity. Workspace identity is a secure authentication method because there are no keys, secrets, or certificates to manage. When you grant the workspace identity permissions on target resources such as ADLS Gen2, Fabric can use the identity to obtain Microsoft Entra tokens to access the resource.

Trusted access to Storage accounts and authentication with workspace identity can be combined, enabling you to use workspace identity as the authentication method to access storage accounts that have public access restricted to selected virtual networks and IP addresses. 

Getting started

Here’s a quick guide on how to set up and use this feature: 

Step 1: Create the Workspace Identity 

As a workspace admin, navigate to your workspace settings, select the Workspace identity tab, and create a new workspace identity by clicking the + Workspace identity button. Once created, the tab will display the workspace identity details. 

Step 2: Grant Permissions to the Storage Account 

Log in to the Azure portal, navigate to the storage account you wish to access, and assign the necessary role to the workspace identity. This can be done via the Access control (IAM) tab, where you can add a new role assignment and select the appropriate role (e.g., Storage Blob Data Reader or Storage Blob Data Contributor). 

Step 3: Create the Fabric Item 

When creating OneLake shortcuts and data pipelines, select the workspace identity as the authentication method.  

To create an external ADLS Gen2 shortcut, follow the steps listed in Create an Azure Data Lake Storage Gen2 shortcut. Select workspace identity as the authentication method (supported only for ADLS Gen2).

To create a data pipeline, follow the steps listed in Module 1 – Create a pipeline with Data Factory. Select workspace identity as the authentication method (supported only for ADLS Gen2 and for Copy, Lookup, and GetMetadata activities). 

The user creating the shortcut or data pipeline with workspace identity must have an admin, member or contributor role in the workspace.
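A least-privilege check for the role assignment made in Step 2, as an added example that is not from the original post: it reviews records in the shape returned by `az role assignment list --assignee <object-id> --all -o json` and flags grants to the workspace identity that use a role other than the two the post names, or a scope that is not a storage account or container. All IDs, resource names and sample records are constructed.

```python
import re

# Data-plane roles the post names in Step 2.
EXPECTED_ROLES = {"Storage Blob Data Reader", "Storage Blob Data Contributor"}

# Scope of one storage account, optionally narrowed to one blob container.
STORAGE_SCOPE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Storage/storageAccounts/[^/]+"
    r"(/blobServices/default/containers/[^/]+)?$",
    re.IGNORECASE,
)


def review_assignments(assignments, principal_id):
    """Return (scope, role, issue) for each grant to principal_id that needs review."""
    findings = []
    for a in assignments:
        if a.get("principalId", "").lower() != principal_id.lower():
            continue  # grant belongs to some other principal
        role, scope = a.get("roleDefinitionName", ""), a.get("scope", "")
        if role not in EXPECTED_ROLES:
            findings.append((scope, role, "role is not one of the expected blob data roles"))
        if not STORAGE_SCOPE.match(scope):
            findings.append((scope, role, "scope is not a storage account or container"))
    return findings


# Constructed sample records (hypothetical IDs and resource names).
WORKSPACE_IDENTITY = "00000000-0000-0000-0000-000000000001"
OTHER_PRINCIPAL = "00000000-0000-0000-0000-000000000002"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG = SUB + "/resourceGroups/rg-data"
ACCT = RG + "/providers/Microsoft.Storage/storageAccounts/contosolake"


def grant(principal, role, scope):
    return {"principalId": principal, "roleDefinitionName": role, "scope": scope}


SAMPLE = [
    grant(WORKSPACE_IDENTITY, "Storage Blob Data Reader", ACCT + "/blobServices/default/containers/raw"),
    grant(WORKSPACE_IDENTITY, "Storage Blob Data Contributor", ACCT),
    grant(WORKSPACE_IDENTITY, "Storage Blob Data Reader", RG),
    grant(WORKSPACE_IDENTITY, "Owner", ACCT),
    grant(OTHER_PRINCIPAL, "Owner", SUB),
]

if __name__ == "__main__":
    for scope, role, issue in review_assignments(SAMPLE, WORKSPACE_IDENTITY):
        print(f"{role} @ {scope}: {issue}")
```

The object ID to pass as `--assignee` is the one shown for the service principal that Fabric creates in Microsoft Entra ID for the workspace identity.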

Administering the workspace identity 

Fabric administrators can administer the workspace identities created in their tenant on the Fabric identities tab in the admin portal. You can also view the audit events generated upon the creation and deletion of a workspace identity in the Purview Audit Log. The following activities related to workspace identities are emitted in the audit log:

  • Created Fabric Identity for Workspace 
  • Retrieved Fabric Identity for Workspace 
  • Deleted Fabric Identity for Workspace 
  • Retrieved Fabric Identity Token for Workspace 

In addition, the application associated with the workspace identity can be seen in Enterprise Applications, and the app registration can be seen under App registrations in the Azure portal. The Fabric Identity Management app is its configuration owner. Learn more about security, administration, and governance of the workspace identity here.

Looking ahead

We will add support for workspace identity authentication in additional Fabric items such as semantic models, along with more connectors such as SQL, Cosmos DB, and more. Stay tuned for product announcements and updates.

We invite you to try out the new workspace identity authentication feature and provide your feedback through comments on this post or Fabric Ideas. To learn more about this feature, see workspace identity authentication.
