Microsoft Fabric Updates Blog

Introducing Workspace Identity Authentication for OneLake Shortcuts and Data Pipelines 

We are excited to announce the launch of authentication with workspace identity for OneLake external shortcuts and data pipelines. Previously, we announced workspace identity for trusted access in OneLake shortcuts, data pipelines, and DW Copy statement. Now, you can also use workspace identity as an authentication method for the Azure Data Lake Storage Gen2 (ADLS Gen2) connector in OneLake shortcuts and data pipelines.

Benefits of authentication with workspace identity

Workspace identity is an automatically managed service principal that can be associated with workspaces in any capacity (except My Workspaces). When you create a workspace identity, Fabric creates a service principal in Microsoft Entra ID to represent the identity. Workspace identity is a secure authentication method because there are no keys, secrets, or certificates to manage. When you grant the workspace identity permissions on target resources such as ADLS Gen2, Fabric can use the identity to obtain Microsoft Entra tokens to access the resource.

Trusted access to Storage accounts and authentication with workspace identity can be combined, enabling you to use workspace identity as the authentication method to access storage accounts that have public access restricted to selected virtual networks and IP addresses. 

Getting started

Here’s a quick guide on how to set up and use this feature: 

Step 1: Create the Workspace Identity 

As a workspace admin, navigate to your workspace settings, select the Workspace identity tab, and create a new workspace identity by clicking the + Workspace identity button. Once created, the tab will display the workspace identity details. 

Step 2: Grant Permissions to the Storage Account 

Log in to the Azure portal, navigate to the storage account you wish to access, and assign the necessary role to the workspace identity. This can be done via the Access control (IAM) tab, where you can add a new role assignment and select the appropriate role (e.g., Storage Blob Data Reader or Storage Blob Data Contributor). 

Step 3: Create the Fabric Item 

When creating OneLake shortcuts and data pipelines, select the workspace identity as the authentication method.  

To create an external ADLS Gen2 shortcut, follow the steps listed in Create an Azure Data Lake Storage Gen2 shortcut. Select workspace identity as the authentication method (supported only for ADLS Gen2).

To create a data pipeline, follow the steps listed in Module 1 – Create a pipeline with Data Factory. Select workspace identity as the authentication method (supported only for ADLS Gen2 and for Copy, Lookup, and GetMetadata activities). 

The user creating the shortcut or data pipeline with workspace identity must have an admin, member or contributor role in the workspace.
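As an added example (not from the original post or from Microsoft), the following Python check reviews the Step 2 role assignments for least privilege: it flags any role held by the workspace identity that is not one of the two roles the post names, and any assignment scoped above the intended storage account. It assumes the input is the JSON array produced by `az role assignment list --all -o json` (fields `principalId`, `roleDefinitionName`, `scope`); all IDs and resource names are constructed placeholders.

```python
# Roles the post gives as examples in Step 2; extend to match your own policy.
EXPECTED_ROLES = {"Storage Blob Data Reader", "Storage Blob Data Contributor"}

# Constructed placeholders, not real identifiers.
WORKSPACE_IDENTITY = "11111111-1111-1111-1111-111111111111"  # service principal object ID
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"
ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/lakeprod"

# Constructed sample using the principalId / roleDefinitionName / scope fields
# of `az role assignment list --all -o json` output.
SAMPLE = [
    {"principalId": WORKSPACE_IDENTITY, "roleDefinitionName": "Storage Blob Data Reader",
     "scope": ACCOUNT + "/blobServices/default/containers/raw"},
    {"principalId": WORKSPACE_IDENTITY, "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": RG},
    {"principalId": WORKSPACE_IDENTITY, "roleDefinitionName": "Owner", "scope": ACCOUNT},
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Contributor", "scope": RG},
]


def review_assignments(assignments, principal_id, account_scope):
    """Return (role, scope, issues) for every assignment held by principal_id."""
    account = account_scope.rstrip("/").lower()  # ARM scopes compare case-insensitively
    findings = []
    for a in assignments:
        if a["principalId"].lower() != principal_id.lower():
            continue  # assignment belongs to a different principal
        scope = a["scope"].rstrip("/").lower()
        issues = []
        if a["roleDefinitionName"] not in EXPECTED_ROLES:
            issues.append("unexpected-role")
        if scope == account or scope.startswith(account + "/"):
            pass  # at the storage account or narrower (for example one container)
        elif account.startswith(scope + "/"):
            issues.append("scope-too-broad")  # resource group, subscription or root
        else:
            issues.append("other-resource")  # access outside the intended account
        findings.append((a["roleDefinitionName"], a["scope"], issues))
    return findings


if __name__ == "__main__":
    for role, scope, issues in review_assignments(SAMPLE, WORKSPACE_IDENTITY, ACCOUNT):
        print("REVIEW" if issues else "ok", role, scope, ", ".join(issues))
```

An empty issue list means the assignment matches the role and scope described in Step 2; anything else is worth a manual look before the identity is used in a shortcut or pipeline.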

Administering the workspace identity 

Fabric administrators can administer the workspace identities created in their tenant on the Fabric identities tab in the admin portal. In the Purview Audit Log, you can also view the audit events generated when a workspace identity is created or deleted. The following activities related to workspace identities are emitted in the audit log:

  • Created Fabric Identity for Workspace 
  • Retrieved Fabric Identity for Workspace 
  • Deleted Fabric Identity for Workspace 
  • Retrieved Fabric Identity Token for Workspace 

In addition, the application associated with the workspace identity can be seen in Enterprise Applications, and the app registration can be seen under App registrations in the Azure portal. The Fabric Identity Management app is its configuration owner. Learn more about security, administration, and governance of the workspace identity here.

Looking ahead

We will add support for workspace identity authentication in additional Fabric items such as semantic models, along with more connectors such as SQL, Cosmos DB, and more. Stay tuned for product announcements and updates.

We invite you to try out the new workspace identity authentication feature and provide your feedback through comments on this post or Fabric Ideas. To learn more about this feature, see workspace identity authentication.
