COPY INTO: support for firewall-enabled Storage & EntraID Authentication
We are excited to announce not one but two new enhancements to the COPY INTO feature for Fabric Warehouse: COPY INTO support for EntraID Authentication and firewall-enabled Storage!
In todays data-driven world, prioritizing both the security and accessibility of data is crucial. With EntraID authentication support, businesses can now implement granular access controls tied to organizational accounts when importing data from storage accounts like ADLS Gen2 and Blob into Fabric Warehouse.
This integration brings peace of mind to customers by guaranteeing that only authorized users have access to their stored data. Moreover, the extension of COPY INTO functionality to encompass firewall-enabled storage accounts allows for the seamless loading of data from firewall-protected storage. This not only enhances the security of the Fabric environment but also ensures a smoother and more secure data management experience for users.
Entra ID Authentication
When authenticating storage accounts in your environment, from now on by default the executing’s user EntraID will be used. This ensures that you can now leverage ACL and RBAC controls for your storage accounts when using COPY INTO. Currently only Organizational accounts are supported.
How to use EntraID Authentication
- Ensure your EntraID Organizational Account has access to the underlying storage & can execute the COPY INTO statement on your Fabric Warehouse.
- Run your COPY INTO statement without specifying any credential, the EntraID Organization Account will be used as a default authentication mechanism.
COPY INTO support for firewall-enabled storage using trusted workspace access
The COPY INTO for secure storage leverages the Workspace identity to establish a secure and seamless connection between Fabric and your storage accounts that are protected by a firewall.
Access to firewall-enabled storage is supported for both blob and ADLS Gen2 storage accounts, secure access with COPY INTO is available for warehouses in workspaces with Fabric Capacities.
How to use COPY INTO with trusted workspace access
- Create a workspace identity for your Fabric workspace. You can follow the guidelines provided in Workspace identity – Microsoft Fabric | Microsoft Learn. Please note that Workspace identity is only available for capacities of F64 and above.
- Configure resource instance rules for the Storage account that you want to access from your Fabric workspace. Resource instance rules for Fabric workspaces can only be created through ARM templates. Follow the guidelines for configuring resource instance rules for Fabric workspaces Trusted workspace access in Microsoft Fabric (preview) – Microsoft Fabric | Microsoft Learn. This functionality is currently still in public preview.
- Run a COPY INTO statement against files/folders from the firewall-enabled blob or ADLS gen2 storage account in a Fabric Warehouse
To learn more about COPY INTO, please refer to COPY INTO (Transact-SQL) – Azure Synapse Analytics and Microsoft Fabric | Microsoft Learn !