Introducing Workspace Identity Authentication for OneLake Shortcuts and Data Pipelines
We are excited to announce the launch of authentication with workspace identity for OneLake external shortcuts and data pipelines. Previously, we announced workspace identity for trusted access in OneLake shortcuts, data pipelines, and the DW Copy statement. Now you can also use workspace identity as the authentication method for the Azure Data Lake Storage Gen2 (ADLS Gen2) connector in OneLake shortcuts and data pipelines.
Benefits of authentication with workspace identity
Workspace identity is an automatically managed service principal that can be associated with workspaces in any capacity (except My Workspaces). When you create a workspace identity, Fabric creates a service principal in Microsoft Entra ID to represent the identity. Workspace identity is a secure authentication method because there are no keys, secrets, or certificates to manage. When you grant the workspace identity permissions on target resources such as ADLS Gen2, Fabric uses the identity to obtain Microsoft Entra tokens to access the resource.
Trusted access to storage accounts and authentication with workspace identity can be combined, so you can use workspace identity to authenticate to storage accounts whose public access is restricted to selected virtual networks and IP addresses.
Getting started
Here’s a quick guide on how to set up and use this feature:
Step 1: Create the Workspace Identity
As a workspace admin, navigate to your workspace settings, select the Workspace identity tab, and create a new workspace identity by clicking the + Workspace identity button. Once created, the tab will display the workspace identity details.
Step 2: Grant Permissions to the Storage Account
Log in to the Azure portal, navigate to the storage account you wish to access, and assign the necessary role to the workspace identity. This can be done via the Access control (IAM) tab, where you can add a new role assignment and select the appropriate role (e.g., Storage Blob Data Reader or Storage Blob Data Contributor).
Step 3: Create the Fabric Item
When creating OneLake shortcuts and data pipelines, select the workspace identity as the authentication method.
To create an external ADLS Gen2 shortcut, follow the steps listed in Create an Azure Data Lake Storage Gen2 shortcut and select workspace identity as the authentication method (supported only for ADLS Gen2).
To create a data pipeline, follow the steps listed in Module 1 – Create a pipeline with Data Factory and select workspace identity as the authentication method (supported only for ADLS Gen2 and for the Copy, Lookup, and GetMetadata activities).
The user creating the shortcut or data pipeline with workspace identity must have the Admin, Member, or Contributor role in the workspace.
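Step 2 above is done in the Azure portal; the same grant can be scripted so that the role and scope are reviewable. The following is an added example (not Fabric documentation code) that picks the narrower built-in role for the way the identity will be used, scopes the assignment to a single container instead of the whole storage account, and builds the Azure CLI call. It assumes the identity's object ID was copied from the Workspace identity tab, that `az` is installed and signed in when `apply=True`, and that the subscription, resource group, account and container names are placeholders.

```python
"""Grant the workspace identity least-privilege access to ADLS Gen2 (Step 2).

Added example, not Fabric documentation code. Assumes the identity's object ID
was copied from the Workspace identity tab and that the Azure CLI ('az') is
installed and signed in when apply=True. Resource names are placeholders.
"""
import subprocess
import uuid
from typing import List

# Well-known built-in Azure role definition IDs (identical in every tenant).
ROLE_IDS = {
    "Storage Blob Data Reader": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
    "Storage Blob Data Contributor": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
}


def role_for_usage(writes_to_storage: bool) -> str:
    """Role choice made by this example: a shortcut, or a pipeline that only
    reads from ADLS Gen2, gets Reader; Contributor only when the pipeline
    writes into the account."""
    return "Storage Blob Data Contributor" if writes_to_storage else "Storage Blob Data Reader"


def container_scope(subscription_id: str, resource_group: str,
                    storage_account: str, container: str) -> str:
    """Scope the assignment to one container rather than the whole account."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{storage_account}"
            f"/blobServices/default/containers/{container}")


def role_assignment_command(identity_object_id: str, role: str, scope: str) -> List[str]:
    """Build the az CLI call. The principal type is passed explicitly because the
    workspace identity is a service principal, not a user or group."""
    uuid.UUID(identity_object_id)  # raises ValueError if the ID is not a GUID
    if role not in ROLE_IDS:
        raise ValueError(f"unsupported role {role!r}")
    return ["az", "role", "assignment", "create",
            "--assignee-object-id", identity_object_id,
            "--assignee-principal-type", "ServicePrincipal",
            "--role", ROLE_IDS[role],
            "--scope", scope]


def grant(identity_object_id: str, writes_to_storage: bool, scope: str,
          apply: bool = False) -> List[str]:
    """Return the command, and run it only when apply=True."""
    cmd = role_assignment_command(identity_object_id, role_for_usage(writes_to_storage), scope)
    if apply:
        subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    # Placeholder values; replace with your own before running with apply=True.
    scope = container_scope("00000000-0000-0000-0000-000000000000",
                            "rg-fabric", "stfabriclake", "lakehouse")
    print(" ".join(grant("11111111-2222-3333-4444-555555555555", False, scope)))
```

Keeping the scope at container level means a compromised or over-shared workspace can only reach the data the shortcut or pipeline actually needs; widen it to the account only when several containers are genuinely in use.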
Administering the workspace identity
Fabric administrators can administer the workspace identities created in their tenant on the Fabric identities tab in the admin portal. You can also view the audit events generated when a workspace identity is created or deleted in the Purview audit log. The following activities related to workspace identities are emitted in the audit log:
- Created Fabric Identity for Workspace
- Retrieved Fabric Identity for Workspace
- Deleted Fabric Identity for Workspace
- Retrieved Fabric Identity Token for Workspace
In addition, the application associated with the workspace identity appears under Enterprise applications, and its app registration under App registrations, in the Azure portal. The Fabric Identity Management app is its configuration owner. Learn more about security, administration, and governance of the workspace identity here.
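Because the four activities above are emitted to the audit log, they can be triaged automatically. The following is an added example (not Microsoft code) that reads a constructed JSON Lines export of those events and flags identity deletions, a create-then-delete pair inside a short window, lifecycle changes made by someone outside the expected admin set, and an unusual volume of token retrievals for one workspace. The record layout (`CreationTime`, `Operation`, `UserId`, `WorkspaceId`, `ClientIP`) and all values are constructed for the example; the `Operation` strings are the activity names listed in this post, but the field names in a real export may differ and should be mapped first.

```python
"""Triage Purview audit events for Fabric workspace identities.

Added example, not Microsoft code. The record layout and sample values below
are constructed; the Operation strings are the activity names from the post,
but field names in an actual audit log export may differ.
"""
import json
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

CREATE_OP = "Created Fabric Identity for Workspace"
RETRIEVE_OP = "Retrieved Fabric Identity for Workspace"
DELETE_OP = "Deleted Fabric Identity for Workspace"
TOKEN_OP = "Retrieved Fabric Identity Token for Workspace"

# Constructed sample export (JSON Lines), one event per line.
SAMPLE_AUDIT_JSONL = """\
{"CreationTime": "2024-06-03T08:00:12", "Operation": "Created Fabric Identity for Workspace", "UserId": "admin@contoso.example", "WorkspaceId": "ws-sales", "ClientIP": "203.0.113.10"}
{"CreationTime": "2024-06-03T09:00:05", "Operation": "Retrieved Fabric Identity Token for Workspace", "UserId": "fabric-service", "WorkspaceId": "ws-sales", "ClientIP": "198.51.100.7"}
{"CreationTime": "2024-06-03T09:10:41", "Operation": "Retrieved Fabric Identity for Workspace", "UserId": "analyst@contoso.example", "WorkspaceId": "ws-sales", "ClientIP": "203.0.113.22"}
{"CreationTime": "2024-06-03T10:00:00", "Operation": "Created Fabric Identity for Workspace", "UserId": "contractor@partner.example", "WorkspaceId": "ws-temp", "ClientIP": "192.0.2.55"}
{"CreationTime": "2024-06-03T10:20:30", "Operation": "Deleted Fabric Identity for Workspace", "UserId": "contractor@partner.example", "WorkspaceId": "ws-temp", "ClientIP": "192.0.2.55"}
"""

Finding = Tuple[str, str, str]  # (rule, workspace, detail)


def parse_records(text: str) -> List[dict]:
    """Parse a JSON Lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records: Iterable[dict], expected_admins: Set[str],
           churn_window: timedelta = timedelta(hours=1),
           token_threshold: int = 100) -> List[Finding]:
    """Return findings worth a human look; RETRIEVE_OP is informational only."""
    findings: List[Finding] = []
    created_at: Dict[str, datetime] = {}
    token_counts: Counter = Counter()
    # ISO timestamps sort correctly as strings, so events are processed in order.
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        ts = datetime.fromisoformat(rec["CreationTime"])
        op, ws, user = rec["Operation"], rec["WorkspaceId"], rec["UserId"]
        if op in (CREATE_OP, DELETE_OP) and user not in expected_admins:
            findings.append(("lifecycle-by-unexpected-user", ws, user))
        if op == CREATE_OP:
            created_at[ws] = ts
        elif op == DELETE_OP:
            # Deleting the identity breaks every shortcut and pipeline that uses it.
            findings.append(("identity-deleted", ws, user))
            if ws in created_at and ts - created_at[ws] <= churn_window:
                findings.append(("create-delete-churn", ws, user))
        elif op == TOKEN_OP:
            token_counts[ws] += 1
    for ws, n in token_counts.items():
        if n > token_threshold:
            findings.append(("token-retrieval-spike", ws, f"{n} token retrievals"))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_records(SAMPLE_AUDIT_JSONL), {"admin@contoso.example"}):
        print(*finding, sep="\t")
```

Tune `expected_admins` to the workspace admins who are allowed to manage identities and `token_threshold` to the baseline for your busiest pipelines; the `create-delete-churn` rule is there because a short-lived identity that was granted storage access and then removed leaves nothing behind except these audit events.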
Looking ahead
We will add support for workspace identity authentication in additional Fabric items such as semantic models, along with more connectors such as SQL, Cosmos DB, and more. Stay tuned for product announcements and updates.
We invite you to try out the new workspace identity authentication feature and provide your feedback through comments on this post or Fabric Ideas. To learn more about this feature, see workspace identity authentication.