Microsoft Fabric Updates Blog

Introducing Trusted Workspace Access for OneLake Shortcuts 

A new feature that enables secure and seamless access to ADLS Gen2 storage accounts from OneLake shortcuts in Fabric 

We are excited to announce Trusted workspace access, a new feature in Fabric that allows you to securely access firewall-enabled Storage accounts. With Trusted workspace access, you can create OneLake shortcuts to Storage accounts, and then use the shortcuts in various Fabric items, such as Spark notebooks, SQL analytics endpoints, semantic models, reports, data pipelines, and dataflows Gen2.  

Trusted workspace access is designed to help you securely and easily access data stored in Storage accounts from Fabric workspaces, without compromising on performance or functionality. You can leverage the power and flexibility of Fabric and OneLake to work with data in place without compromising on security. 

How does Trusted workspace access work?

Trusted workspace access is based on the concept of workspace identity, which is a unique identity that can be associated with workspaces that are in Fabric capacities. When you create a workspace identity, Fabric creates a service principal in Microsoft Entra ID to represent the identity.  

A workspace identity enables OneLake shortcuts in Fabric to access Storage accounts that have resource instance rules configured. Resource instance rules are a way to grant access to specific resources based on the workspace identity or managed identity. You can create resource instance rules by deploying an ARM template with the resource instance rule details. 

To leverage Trusted workspace access in Fabric workspaces, you can create a OneLake shortcut in a Lakehouse, and provide the URL of the Storage account that has been configured with a resource instance rule. While creating the shortcut, you need to select organizational account or service principal for authentication, and ensure that the principal used for authenticating to Storage has the appropriate Azure RBAC roles on the Storage account. Once the shortcut is created, you can use it in various Fabric items. 

What are the benefits and use cases of Trusted workspace access? 

Trusted workspace access offers several benefits and use cases for Fabric users, such as: 

  • Secure access to firewall-enabled Storage accounts from OneLake shortcuts  in Fabric workspaces, without the need to open the Storage account to public access. 
  • Seamlessly access firewall-enabled Storage accounts without complicated network setup. 
  • Ability to configure specific Fabric workspaces to access Storage account.  
  • Improved performance and scalability without the need to copy or move data. 
  • Ability to leverage trusted workspace access across different experiences like SQL analytics endpoints, and semantic models and reports (through OneLake shortcuts).

How to get started with Trusted workspace access?

Trusted workspace access is available for workspaces in Fabric capacities (F64 or higher). To get started with Trusted workspace access, you need to do the following steps: 

  1. Create a workspace identity for your Fabric workspace, if you don’t have one already. If you face issues with creation of the workspace identity, follow the troubleshooting guidelines provided here.
Create a workspace identity

2. Configure resource instance rules for the Storage account that you want to access from your Fabric workspace. Follow the guidelines for configuring resource instance rules for Fabric workspaces here.

Resource instance rules in a Storage account

3. Create a OneLake shortcut to the Storage account in a Lakehouse, and select the organizational account or service principal option for authentication.  

Create an ADLS g2 shortcut in a Lakehouse
Create an ADLS g2 shortcut in a Lakehouse

4. Use the OneLake shortcut in various Fabric items, such as Spark notebooks, SQL analytics endpoints, semantic models, reports, data pipelines, and dataflows Gen2.  

Access data stored in firewall-enabled Storage accounts through OneLake shortcuts

For more details and guidance on how to use Trusted workspace access, please refer to the documentation links below. 

We hope you use Trusted workspace access, and we would love to hear your feedback and suggestions.  Have any questions or feedback? Leave a comment below! 

相關部落格文章

Introducing Trusted Workspace Access for OneLake Shortcuts 

10月 7, 2024 作者: Alex Lin

Introducing Managed VNet Support for Fabric Eventstream! By creating a Fabric’s Managed Private Endpoint, you can now securely connect Eventstream to your Azure services, such as Azure Event Hubs or IoT Hub, within a private network or behind a firewall. This integration ensures your data is securely transmitted over a private network, enabling you to … Continue reading “Secure Data Streaming with Managed Private Endpoints in Eventstream (Preview)”

10月 4, 2024 作者: Jason Himmelstein

We had an incredible time in our host city of Stockholm for FabCon Europe! 3,300 attendees joined us from our international community, and it was wonderful to meet so many of you in person. Throughout the week of FabCon Europe, our teams published a wealth of valuable content, and we want to ensure you have … Continue reading “Fabric Community Conference Europe Recap”