Microsoft Fabric Updates Blog

Introducing Trusted Workspace Access for OneLake Shortcuts 

A new feature that enables secure and seamless access to ADLS Gen2 storage accounts from OneLake shortcuts in Fabric 

We are excited to announce Trusted workspace access, a new feature in Fabric that allows you to securely access firewall-enabled Storage accounts. With Trusted workspace access, you can create OneLake shortcuts to Storage accounts, and then use the shortcuts in various Fabric items, such as Spark notebooks, SQL analytics endpoints, semantic models, reports, data pipelines, and dataflows Gen2.  

Trusted workspace access is designed to help you securely and easily access data stored in Storage accounts from Fabric workspaces, without compromising on performance or functionality. You can leverage the power and flexibility of Fabric and OneLake to work with data in place without compromising on security. 

How does Trusted workspace access work?

Trusted workspace access is based on the concept of workspace identity, which is a unique identity that can be associated with workspaces that are in Fabric capacities. When you create a workspace identity, Fabric creates a service principal in Microsoft Entra ID to represent the identity.  

A workspace identity enables OneLake shortcuts in Fabric to access Storage accounts that have resource instance rules configured. Resource instance rules are a way to grant access to specific resources based on the workspace identity or managed identity. You can create resource instance rules by deploying an ARM template with the resource instance rule details. 

To leverage Trusted workspace access in Fabric workspaces, you can create a OneLake shortcut in a Lakehouse, and provide the URL of the Storage account that has been configured with a resource instance rule. While creating the shortcut, you need to select organizational account or service principal for authentication, and ensure that the principal used for authenticating to Storage has the appropriate Azure RBAC roles on the Storage account. Once the shortcut is created, you can use it in various Fabric items. 

What are the benefits and use cases of Trusted workspace access? 

Trusted workspace access offers several benefits and use cases for Fabric users, such as: 

  • Secure access to firewall-enabled Storage accounts from OneLake shortcuts  in Fabric workspaces, without the need to open the Storage account to public access. 
  • Seamlessly access firewall-enabled Storage accounts without complicated network setup. 
  • Ability to configure specific Fabric workspaces to access Storage account.  
  • Improved performance and scalability without the need to copy or move data. 
  • Ability to leverage trusted workspace access across different experiences like SQL analytics endpoints, and semantic models and reports (through OneLake shortcuts).

How to get started with Trusted workspace access?

Trusted workspace access is available for workspaces in Fabric capacities (F64 or higher). To get started with Trusted workspace access, you need to do the following steps: 

  1. Create a workspace identity for your Fabric workspace, if you don’t have one already. If you face issues with creation of the workspace identity, follow the troubleshooting guidelines provided here.
Create a workspace identity

2. Configure resource instance rules for the Storage account that you want to access from your Fabric workspace. Follow the guidelines for configuring resource instance rules for Fabric workspaces here.

Resource instance rules in a Storage account

3. Create a OneLake shortcut to the Storage account in a Lakehouse, and select the organizational account or service principal option for authentication.  

Create an ADLS g2 shortcut in a Lakehouse
Create an ADLS g2 shortcut in a Lakehouse

4. Use the OneLake shortcut in various Fabric items, such as Spark notebooks, SQL analytics endpoints, semantic models, reports, data pipelines, and dataflows Gen2.  

Access data stored in firewall-enabled Storage accounts through OneLake shortcuts

For more details and guidance on how to use Trusted workspace access, please refer to the documentation links below. 

We hope you use Trusted workspace access, and we would love to hear your feedback and suggestions.  Have any questions or feedback? Leave a comment below! 

Entradas de blog relacionadas

Introducing Trusted Workspace Access for OneLake Shortcuts 

octubre 29, 2024 por Dandan Zhang

Managed private endpoints allow Fabric experiences to securely access data sources without exposing them to the public network or requiring complex network configurations. We announced General Availability for Managed Private Endpoint in Fabric in May of this year. Learn more here: Announcing General Availability of Fabric Private Links, Trusted Workspace Access, and Managed Private Endpoints. … Continue reading “APIs for Managed Private Endpoint are now available”

octubre 28, 2024 por Gali Reznick

The Data Activator team has rolled out usage reporting to help you better understand your capacity consumption and future charges. When you look at the Capacity Metrics App you’ll now see operations for the reflex items included. Our usage reporting is based on the following four meters: Rule uptime per hour: This is a flat … Continue reading “Usage reporting for Data Activator is now live”