
What is Workspace identity in Microsoft Fabric?

In simple terms, a Fabric workspace identity is like a special account that is automatically created and managed by Fabric. This account is linked to a Fabric workspace.

Workspaces with a workspace identity can securely access data stored in Azure Data Lake Storage Gen2 accounts, even if they have strict security settings enabled.

In the future, Fabric will also use workspace identities to connect to other resources that support Microsoft Entra authentication.

To create a workspace identity, open the settings of your workspace. Once created, the workspace identity is automatically assigned the workspace Contributor role, which gives it access to items in the workspace.

When Fabric creates a workspace identity, it also creates a special account in Microsoft Entra ID to represent that identity. This account is managed by Fabric, so you don’t have to worry about managing passwords or credentials.

Overall, workspace identities make it easier and more secure for Fabric workspaces to access data and other resources without the risk of credential leaks or downtime.

When the workspace is deleted, the identity gets deleted. The name of the workspace identity is always the same as the name of the workspace it’s associated with.

In summary:

  1. What is a Fabric Workspace Identity?
    • A Fabric workspace identity is like a special account managed by Fabric itself. It’s automatically created and used for certain tasks within a Fabric workspace.
  2. What Does it Do?
    • This identity helps Fabric workspaces securely interact with Azure Data Lake Storage Gen2 accounts, even if they have strict security settings. It can also be used in the future for connecting to other Microsoft services.
  3. How is it Managed?
    • Fabric takes care of creating and managing these identities, so users don’t have to worry about handling any passwords or credentials themselves.
  4. How to Create One?
    • You can create a workspace identity in the settings of your Fabric workspace. Once created, it’s automatically given access to workspace items.
  5. How Fabric Handles Credentials?
    • Fabric creates an account (a service principal and app registration) in Microsoft Entra ID to represent the workspace identity and manages all the credentials associated with it. This prevents the security issues and downtime that mishandled credentials cause.

How to Create and manage a workspace identity?

You must be a workspace admin to be able to create and manage a workspace identity. The workspace you’re creating the identity for must be associated with a Fabric F64 capacity or higher.

  1. Navigate to the workspace and open the workspace settings.
  2. Select the Workspace identity tab.
  3. Select the + Workspace identity button.

Identity details

Detail | Description
Name | Workspace identity name. The workspace identity name is the same as the workspace name.
ID | The workspace identity GUID, a unique identifier for the identity.
Role | The workspace role assigned to the identity. Workspace identities are automatically assigned the Contributor role upon creation.
State | The state of the workspace identity. Possible values: Active, Inactive, Deleting, Unusable, Failed, DeleteFailed.

Workspace identity Access control

  1. Creation and Deletion by Workspace Admins:
    • Workspace admins have the ability to create and delete workspace identities. These identities are like special accounts used within the workspace.
  2. Role of Workspace Identity:
    • The workspace identity is automatically assigned the “workspace contributor” role within the workspace. This means it has certain permissions to interact with workspace items.
  3. Current Limitations:
    • Currently, workspace identity cannot be used for authentication when connecting to other resources.
    • However, this functionality is expected to be available in the future.
  4. Future Authentication Support:
    • In the future, admins, members, and contributors will be able to use workspace identity for authentication when connecting to resources.
    • This feature will enhance security and streamline authentication processes.
  5. Enabling Workspace Identity in Connections:
    • Workspace admins will have the ability to enable the use of workspace identity in connections within custom code, such as Spark notebooks and data pipelines.
    • This includes scenarios like data pipelines with web activity or webhook activity.
  6. Management of Service Principal and App Registration:
    • Application administrators or users with higher roles can view, modify, and delete the service principal and app registration associated with the workspace identity in Azure.
    • This allows for better control and management of these identities within the Azure environment.

Delete a workspace identity

When an identity is deleted, Fabric items relying on the workspace identity for trusted workspace access or authentication will break. Deleted workspace identities cannot be restored.

How to use workspace identity

Shortcuts in a workspace that has a workspace identity can be used for trusted service access.

Trusted workspace access is currently in preview; Azure is expected to release it generally soon.

  • Fabric provides secure access to firewall-enabled Azure Data Lake Gen 2 accounts.
  • Workspaces with a workspace identity can securely access these accounts from selected virtual networks and IP addresses.
  • Access to Azure Data Lake Gen 2 accounts can be limited to specific Fabric workspaces.
  • Proper authorization, using Microsoft Entra credentials for organizational accounts or service principals, is required when accessing a storage account with trusted workspace access.
  • Resource instance rules can be set up to control access to firewall-enabled storage accounts from specific Fabric workspaces. These rules allow access only from the designated workspaces.
Note - Trusted workspace access is currently in Public preview. Fabric workspace identity can only be created in workspaces associated with a Fabric capacity (F64 or higher). 

Two steps are needed before shortcuts in a workspace that has a workspace identity can use trusted workspace access:

  1. Configure trusted workspace access in ADLS Gen2
  2. How to use trusted workspace access in Fabric

Configure trusted workspace access in ADLS Gen2

Resource instance rule

You can configure specific Fabric workspaces to access your storage account based on their workspace identity. You can create a resource instance rule by deploying an ARM template with a resource instance rule.

Note

* Resource instance rules for Fabric workspaces can only be created through ARM templates. Creation through the Azure portal is not supported.
* The subscriptionId "00000000-0000-0000-0000-000000000000" must be used for the Fabric workspace resourceId.
* You can get the workspace id for a Fabric workspace through its address bar URL.
* A Contributor on the storage account (an Azure RBAC role) can configure resource instance rules or trusted service exception.
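The ARM-only requirement above is easy to get subtly wrong: a rule deployed with a real subscriptionId, a non-GUID workspace id pasted from the URL, or a storage account whose defaultAction is still Allow will deploy without error and silently do nothing useful. The following script is an added example for this post (not code from Microsoft or from the original page) that builds the networkAcls block with a resource instance rule per Fabric workspace, wraps it in a complete ARM template, and audits an existing networkAcls object for those mistakes. It assumes the Fabric workspace resourceId layout `/subscriptions/<all-zero GUID>/resourcegroups/Fabric/providers/Microsoft.Fabric/workspaces/<workspace id>` as published in Microsoft's template; the tenant and workspace GUIDs are constructed placeholders.

```python
"""Build and sanity-check the ARM template that grants Fabric workspaces trusted
access to a firewall-enabled ADLS Gen2 account through resource instance rules.

Added example, not code from Microsoft or the original post. ASSUMPTIONS: the
Fabric workspace resourceId layout in FABRIC_WORKSPACE_RESOURCE_ID follows
Microsoft's published template; the GUIDs below are constructed placeholders.
"""
import json
import re

# The subscriptionId that must be used for every Fabric workspace resourceId.
FABRIC_SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
# Resource ID layout of a Fabric workspace inside a resource instance rule (assumed).
FABRIC_WORKSPACE_RESOURCE_ID = (
    "/subscriptions/{sub}/resourcegroups/Fabric/providers/Microsoft.Fabric/workspaces/{ws}"
)
_GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
_FABRIC_RULE_RE = re.compile(
    r"^/subscriptions/([^/]+)/resourcegroups/([^/]+)/providers/Microsoft\.Fabric/workspaces/([^/]+)$",
    re.I,
)
# Constructed placeholder GUIDs (not a real tenant or workspace).
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_WORKSPACE_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

def _require_guid(value, what):
    """Reject anything that is not a GUID; the workspace id is copied from the
    address-bar URL, so a pasted path fragment is a common mistake."""
    if not isinstance(value, str) or not _GUID_RE.match(value):
        raise ValueError(f"{what} must be a GUID, got {value!r}")
    return value.lower()

def workspace_resource_id(workspace_id):
    """Resource ID of a Fabric workspace as written in a resource instance rule."""
    return FABRIC_WORKSPACE_RESOURCE_ID.format(
        sub=FABRIC_SUBSCRIPTION_ID, ws=_require_guid(workspace_id, "workspace id")
    )

def build_network_acls(tenant_id, workspace_ids):
    """networkAcls that denies public access by default and admits only the listed
    Fabric workspaces. bypass=AzureServices is the portal's trusted-services
    exception; resourceAccessRules are the per-workspace instance rules."""
    tenant = _require_guid(tenant_id, "tenant id")
    return {
        "bypass": "AzureServices",
        "defaultAction": "Deny",
        "virtualNetworkRules": [],
        "ipRules": [],
        "resourceAccessRules": [
            {"tenantId": tenant, "resourceId": workspace_resource_id(ws)}
            for ws in workspace_ids
        ],
    }

def build_arm_template(storage_account_name, location, tenant_id, workspace_ids):
    """Complete ARM template for an HNS-enabled (ADLS Gen2) storage account
    with the resource instance rules attached."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [{
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2023-01-01",
            "name": storage_account_name,
            "location": location,
            "sku": {"name": "Standard_LRS"},
            "kind": "StorageV2",
            "properties": {
                "isHnsEnabled": True,  # ADLS Gen2 = hierarchical namespace on
                "networkAcls": build_network_acls(tenant_id, workspace_ids),
            },
        }],
    }

def audit_network_acls(acls):
    """Findings for mistakes that leave the firewall open or make a rule inert:
    defaultAction not Deny, a real subscriptionId in a Fabric rule, a resource
    group other than 'Fabric', or a workspace id / tenantId that is not a GUID."""
    findings = []
    if acls.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny; instance rules add nothing while public access is allowed")
    for rule in acls.get("resourceAccessRules", []):
        rid = str(rule.get("resourceId", ""))
        m = _FABRIC_RULE_RE.match(rid)
        if not m:
            continue  # rule for some other Azure service; out of scope here
        sub, rg, ws = m.groups()
        if sub.lower() != FABRIC_SUBSCRIPTION_ID:
            findings.append(f"{rid}: Fabric workspace rules must use subscriptionId {FABRIC_SUBSCRIPTION_ID}")
        if rg.lower() != "fabric":
            findings.append(f"{rid}: resource group segment should be 'Fabric'")
        if not _GUID_RE.match(ws):
            findings.append(f"{rid}: workspace id {ws!r} is not a GUID")
        if not _GUID_RE.match(str(rule.get("tenantId", ""))):
            findings.append(f"{rid}: tenantId is missing or not a GUID")
    return findings

if __name__ == "__main__":
    template = build_arm_template("stfabricdemo", "eastus", SAMPLE_TENANT_ID, [SAMPLE_WORKSPACE_ID])
    print(json.dumps(template, indent=2))
    print("findings:", audit_network_acls(template["resources"][0]["properties"]["networkAcls"]))
```

Write the printed template to a file and deploy it with `az deployment group create -g <resource group> --template-file <file>`; run `audit_network_acls` over the `networkAcls` object returned by `az storage account show` afterwards to confirm the deployed state matches what you intended.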

How to use trusted workspace access in Fabric

Create a OneLake shortcut to storage account with trusted workspace access

With the workspace identity configured in Fabric and trusted access enabled in your ADLS Gen2 storage account, you can create OneLake shortcuts to access your data from Fabric. You just create a new ADLS shortcut in a Fabric Lakehouse and you can start analyzing your data with Spark, SQL, and Power BI. The prerequisites are:

  • A Fabric workspace associated with a Fabric capacity.
  • Create a workspace identity associated with the Fabric workspace.
  • The user account or service principal used for creating the shortcut should have Azure RBAC roles on the storage account. The principal must have a Storage Blob Data Contributor, Storage Blob Data owner, or Storage Blob Data Reader role at the storage account scope, or a Storage Blob Delegator role at the storage account scope in addition to a Storage Blob Data Reader role at the container scope.
  • Configure a resource instance rule for the storage account.
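The RBAC prerequisite has two acceptable shapes, and the second only works when both roles are present at the right scopes. The following pre-check is an added example for this post (not code from the original page or from Microsoft): it models role assignments as (principal, role, scope) triples in the Azure resource ID layout and decides whether a principal qualifies. It assumes, as Azure RBAC does, that a role assigned at a parent scope (resource group or subscription) covers the storage account beneath it; all identifiers are constructed sample data.

```python
"""Pre-check: do a principal's Azure RBAC assignments on the storage account
satisfy the requirement for creating a trusted-workspace-access shortcut?

Added example, not code from the original post or from Microsoft. ASSUMPTIONS:
assignments are (principal, role, scope) triples in Azure resource ID layout;
a role at a parent scope is inherited by the account, as in Azure RBAC.
All identifiers are constructed sample data.
"""
from dataclasses import dataclass

# Path 1: any of these covering the whole storage account is enough.
ACCOUNT_LEVEL_ROLES = {
    "Storage Blob Data Owner",
    "Storage Blob Data Contributor",
    "Storage Blob Data Reader",
}

@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # object id or UPN of the user / service principal
    role: str       # Azure RBAC role name
    scope: str      # Azure resource ID the role is assigned at

def _covers(assigned_scope, target_scope):
    """True if a role assigned at assigned_scope applies to target_scope
    (same scope, or target nested under it)."""
    a = assigned_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def container_scope(account_scope, container):
    return f"{account_scope}/blobServices/default/containers/{container}"

def can_create_shortcut(assignments, principal, account_scope, container):
    """Return (ok, reason). Path 1: Blob Data Owner/Contributor/Reader covering
    the account. Path 2: Storage Blob Delegator covering the account plus
    Storage Blob Data Reader covering the target container."""
    mine = [a for a in assignments if a.principal == principal]
    roles_on_account = {a.role for a in mine if _covers(a.scope, account_scope)}
    hit = roles_on_account & ACCOUNT_LEVEL_ROLES
    if hit:
        return True, f"{sorted(hit)[0]} at account scope or above"
    c_scope = container_scope(account_scope, container)
    reader_on_container = any(
        a.role == "Storage Blob Data Reader" and _covers(a.scope, c_scope) for a in mine
    )
    if "Storage Blob Delegator" in roles_on_account and reader_on_container:
        return True, "Storage Blob Delegator on account + Storage Blob Data Reader on container"
    if "Storage Blob Delegator" in roles_on_account:
        return False, f"Storage Blob Delegator present but no Storage Blob Data Reader on container {container!r}"
    return False, "no qualifying Storage Blob data-plane role on the account"

# Constructed sample data (not real identifiers).
ACCOUNT = ("/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-data"
           "/providers/Microsoft.Storage/storageAccounts/stfabricdemo")
SAMPLE_ASSIGNMENTS = [
    RoleAssignment("alice@contoso.example", "Storage Blob Data Reader", ACCOUNT),
    RoleAssignment("bob@contoso.example", "Storage Blob Delegator", ACCOUNT),
    RoleAssignment("bob@contoso.example", "Storage Blob Data Reader", container_scope(ACCOUNT, "raw")),
    # Contributor is a control-plane role: it grants no blob data-plane access.
    RoleAssignment("carol@contoso.example", "Contributor", ACCOUNT),
]

if __name__ == "__main__":
    for who, c in [("alice@contoso.example", "raw"), ("bob@contoso.example", "raw"),
                   ("bob@contoso.example", "curated"), ("carol@contoso.example", "raw")]:
        print(who, c, can_create_shortcut(SAMPLE_ASSIGNMENTS, who, ACCOUNT, c))
```

Feed it the output of `az role assignment list --scope <storage account id> --include-inherited` (mapped to `RoleAssignment`) to check a creator before the shortcut wizard fails with a less informative error; note that Bob qualifies for the `raw` container only, and that Carol's control-plane Contributor role does not count.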

What a shortcut is and how to create one will be explained in another blog post.

Some Considerations and limitations

  • A workspace identity can only be created in workspaces associated with a Fabric F64+ capacity.
  • If a workspace with a workspace identity is migrated to a non-Fabric capacity or to a Fabric capacity lower than F64, the identity is not disabled or deleted, but Fabric items relying on the workspace identity stop working.
  • A maximum of 1,000 workspace identities can be created in a tenant. Once this limit is reached, workspace identities must be deleted to enable newer ones to be created.
  • Azure Data Lake Storage Gen2 shortcuts in a workspace that has a workspace identity will be capable of trusted service access.

Troubleshooting issues when creating a workspace identity

  • Creating Workspace Identity:
    • If you’re unable to create a workspace identity because the creation button is disabled, there are a couple of things to check.
    • First, ensure that you have the workspace administrator role.
    • Secondly, confirm that the workspace is associated with a Fabric F64+ capacity.
  • Troubleshooting Steps:
    • If you encounter issues during the initial creation of the workspace identity, follow these steps:
    • If the workspace identity shows a “failed” status, wait for an hour and then delete the identity.
    • After deleting the identity, wait for 5 minutes, and then try creating the identity again.