Microsoft Fabric Updates Blog

Introducing Workspace Identity Authentication for OneLake Shortcuts and Data Pipelines 

We are excited to announce the launch of authentication with workspace identity for OneLake external shortcuts and data pipelines. Previously, we announced workspace identity for trusted access in OneLake shortcuts, data pipelines, and DW Copy statement.  Now, you can also use workspace identity as an authentication method for the Azure Data Lake Storage gen 2 (ADLS gen 2) connector in OneLake shortcuts and data pipelines.   

Benefits of authentication with workspace identity

Workspace identity is an automatically managed service principal that can be associated with workspaces in any capacity (except My Workspaces). When you create a workspace identity, Fabric creates a service principal in Microsoft Entra ID to represent the identity.  Workspace identity is a secure authentication method as there is no need to manage keys, secrets, and certificates.  When you grant the workspace identity with permissions on target resources such as ADLS gen 2, Fabric can use the identity to obtain Microsoft Entra tokens to access the resource.  

Trusted access to Storage accounts and authentication with workspace identity can be combined, enabling you to use workspace identity as the authentication method to access storage accounts that have public access restricted to selected virtual networks and IP addresses. 

Getting started

Here’s a quick guide on how to set up and use this feature: 

Step 1: Create the Workspace Identity 

As a workspace admin, navigate to your workspace settings, select the Workspace identity tab, and create a new workspace identity by clicking the + Workspace identity button. Once created, the tab will display the workspace identity details. 

Step 2: Grant Permissions to the Storage Account 

Log in to the Azure portal, navigate to the storage account you wish to access, and assign the necessary role to the workspace identity. This can be done via the Access control (IAM) tab, where you can add a new role assignment and select the appropriate role (e.g., Storage Blob Data Reader or Storage Blob Data Contributor). 

Step 3: Create the Fabric Item 

When creating OneLake shortcuts and data pipelines, select the workspace identity as the authentication method.  

To create an external ADLS gen 2 shortcut follow the steps listed in Create an Azure Data Lake Storage Gen2 shortcut. Select workspace identity as the authentication method (supported only for ADLS Gen2). 

To create a data pipeline, follow the steps listed in Module 1 – Create a pipeline with Data Factory. Select workspace identity as the authentication method (supported only for ADLS Gen2 and for Copy, Lookup, and GetMetadata activities). 

The user creating the shortcut or data pipeline with workspace identity must have an admin, member or contributor role in the workspace.

Administering the workspace identity 

Fabric administrators can administer the workspace identities created in their tenant on the Fabric identities tab in the admin portal. You can also view the audit events generated upon the creation and deletion of workspace identity in Purview Audit Log. The following activities related to workspace identities are emitted in the audit log: 

  • Created Fabric Identity for Workspace 
  • Retrieved Fabric Identity for Workspace 
  • Deleted Fabric Identity for Workspace 
  • Retrieved Fabric Identity Token for Workspace 

In addition to this, the application associated with the workspace identity can be seen in Enterprise Applications, and the app registration can be seen under App registrations in the Azure portal. Fabric Identity Management app is its configuration owner. Learn more about security, administration, and governance of the workspace identity here

Looking ahead

We will add support for workspace identity authentication in additional Fabric items such as semantic models, along with more connectors such as SQL , Cosmos DB, and more. Stay tuned for product announcements and updates. 

We invite you to try out the new workspace identity authentication feature and provide your feedback through comments on this post or Fabric Ideas. To learn more about this feature, see workspace identity authentication.

Powiązane wpisy w blogu

Introducing Workspace Identity Authentication for OneLake Shortcuts and Data Pipelines 

października 31, 2024 autor: Jovan Popovic

Fabric Data Warehouse is a modern data warehouse optimized for analytical data models, primarily focused on the smaller numeric, datetime, and string types that are suitable for analytics. For the textual data, Fabric DW supports the VARCHAR type that can store up to 8KB of text, which is suitable for most of the textual values … Continue reading “Announcing public preview of VARCHAR(MAX) and VARBINARY(MAX) types in Fabric Data Warehouse”

października 29, 2024 autor: Dandan Zhang

Managed private endpoints allow Fabric experiences to securely access data sources without exposing them to the public network or requiring complex network configurations. We announced General Availability for Managed Private Endpoint in Fabric in May of this year. Learn more here: Announcing General Availability of Fabric Private Links, Trusted Workspace Access, and Managed Private Endpoints. … Continue reading “APIs for Managed Private Endpoint are now available”