Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! It's time to submit your entry. Live now!

Reply
pranavsabnis
Frequent Visitor

Cross-Tenant Purview Scan of Fabric Lakehouse fails to ingest Sub-items (Delta Tables)

‎12-03-2025 05:40 AM

Environment:

  • Tenant 1 (Consumer): Azure Purview (Microsoft Purview Data Map).
  • Tenant 2 (Provider): Microsoft Fabric (Capacity + Workspaces).
  • Architecture: Purview in Tenant 1 is scanning Fabric in Tenant 2 via the "Fabric" Data Source using Azure Auto-Resolve Integration Runtime.

The Issue: I can successfully scan and see Item-level metadata (e.g., Workspace Name, Lakehouse Name). However, I am getting Zero sub-item visibility. No Delta Tables, no Columns, and no sub-item lineage are being ingested into Purview.

Configuration Verified:

Service Principal (SPN): Created an App Registration in Tenant 2 (Fabric Tenant).

Permissions: The SPN is a Member (and I tested Admin) of the target Fabric Workspace.

Fabric Admin Settings (Tenant 2):

Allow service principals to use read-only admin APIs: Enabled for the SPN's Security Group.

Enhance admin APIs responses with detailed metadata: Enabled.

Enhance admin APIs responses with DAX and mashup expressions: Enabled.

My Specific Questions for the Product Team / MVPs/Members:

  1. Authentication Flow: For sub-item ingestion (Delta Tables) to work cross-tenant, is it sufficient for the SPN to be a standard App Registration in Tenant 2 (Provider), or does Fabric require the "Cross-Tenant Access" (Guest User) flow where a shadow SPN is created via the specific trusted external tenants configuration?
  2. API Limitation: Is the "Enhanced Metadata" API payload (metadata/subartifacts) restricted to Same-Tenant calls only during the current Preview? I suspect the API is returning a standard payload instead of the enhanced one due to the cross-tenant boundary.
  3. Workaround: Has anyone successfully forced ingestion of Delta Tables cross-tenant by using the Apache Atlas REST API to manually inject the schema entities, or is there a specific hidden toggle in the Fabric Admin Portal (perhaps specifically for "External Principals") that I am missing?
Labels:
Message 1 of 4
504 Views
1 ACCEPTED SOLUTION
Ugk161610
Continued Contributor
Continued Contributor

‎12-03-2025 06:09 AM

Hi @pranavsabnis ,

 

You’re not doing anything “wrong” here – what you’re seeing lines up with the current limits of the Fabric ↔ Purview integration, especially in a cross-tenant setup.

 

Right now, the Fabric data source in Purview is still in preview, and for most Fabric items it only brings in item-level metadata and lineage (workspace, lakehouse, warehouse, pipeline, etc.), not the sub-artifacts like individual Delta tables and columns. That behaviour is explicitly called out in the Fabric/Purview integration docs: for non–Power BI items, only the top-level asset is guaranteed; sub-items such as Lakehouse tables and files are not fully supported yet. https://techcommunity.microsoft.com/blog/microsoft-security-blog/scan-microsoft-fabric-items-in-micr...

 

There is work in progress on sub-item metadata for Lakehouse tables and files, but that’s being rolled out in stages and, at the moment, the “nice” experience is focused on same-tenant scenarios. Cross-tenant scans tend to lag a bit in terms of feature parity. So the fact that you can see the Fabric items (workspaces, lakehouses) but get zero Delta tables or column-level entities is very likely due to a product limitation, not your SPN setup or tenant trust configuration. Your current auth flow is clearly good enough for item-level metadata; if auth were the problem, you wouldn’t see the Lakehouse assets at all.

 

On your specific questions:

 

  1. Changing the SPN from “plain app registration in provider tenant” to some special cross-tenant guest/SPN pattern won’t suddenly unlock table-level ingestion. Since item-level metadata already flows, the cross-tenant trust is working as designed; the missing sub-items come from what the Fabric metadata APIs expose to Purview today, not from the auth shape.
  2. The enhanced metadata settings you’ve enabled are necessary, but in preview they don’t fully override the limitation for Fabric items across tenants. Same-tenant scans are where you’ll see the most benefit first.https://learn.microsoft.com/en-us/purview/register-scan-fabric-tenant?utm_source
  3. Manually pushing table entities into Purview via the Atlas API is technically possible, but it’s brittle: you’d be hand-crafting a catalog that won’t stay in sync with Fabric changes, and you’d be outside the supported Fabric→Purview integration path. It’s more of a last-resort experiment than a sustainable solution.

If you want a definitive product answer, I’d raise a support ticket or post this exact scenario in the Purview / Fabric governance channel and reference the cross-tenant Fabric scan docs. But from what we know today, the honest state is:

 

In cross-tenant preview, you can reliably get item-level Fabric metadata; table-level Lakehouse metadata and lineage are still limited, and what you’re seeing (no Delta tables, no columns) is expected rather than a misconfiguration.https://learn.microsoft.com/en-us/purview/register-scan-fabric-tenant-cross-tenant?utm_source

 

So you’re not missing a hidden toggle – you’ve essentially hit the edge of what the preview supports right now.

 

– Gopi Krishna

View solution in original post

Message 2 of 4
488 Views
3 REPLIES 3
Ugk161610
Continued Contributor
Continued Contributor

‎12-03-2025 06:09 AM

Hi @pranavsabnis ,

 

You’re not doing anything “wrong” here – what you’re seeing lines up with the current limits of the Fabric ↔ Purview integration, especially in a cross-tenant setup.

 

Right now, the Fabric data source in Purview is still in preview, and for most Fabric items it only brings in item-level metadata and lineage (workspace, lakehouse, warehouse, pipeline, etc.), not the sub-artifacts like individual Delta tables and columns. That behaviour is explicitly called out in the Fabric/Purview integration docs: for non–Power BI items, only the top-level asset is guaranteed; sub-items such as Lakehouse tables and files are not fully supported yet. https://techcommunity.microsoft.com/blog/microsoft-security-blog/scan-microsoft-fabric-items-in-micr...

 

There is work in progress on sub-item metadata for Lakehouse tables and files, but that’s being rolled out in stages and, at the moment, the “nice” experience is focused on same-tenant scenarios. Cross-tenant scans tend to lag a bit in terms of feature parity. So the fact that you can see the Fabric items (workspaces, lakehouses) but get zero Delta tables or column-level entities is very likely due to a product limitation, not your SPN setup or tenant trust configuration. Your current auth flow is clearly good enough for item-level metadata; if auth were the problem, you wouldn’t see the Lakehouse assets at all.

 

On your specific questions:

 

  1. Changing the SPN from “plain app registration in provider tenant” to some special cross-tenant guest/SPN pattern won’t suddenly unlock table-level ingestion. Since item-level metadata already flows, the cross-tenant trust is working as designed; the missing sub-items come from what the Fabric metadata APIs expose to Purview today, not from the auth shape.
  2. The enhanced metadata settings you’ve enabled are necessary, but in preview they don’t fully override the limitation for Fabric items across tenants. Same-tenant scans are where you’ll see the most benefit first.https://learn.microsoft.com/en-us/purview/register-scan-fabric-tenant?utm_source
  3. Manually pushing table entities into Purview via the Atlas API is technically possible, but it’s brittle: you’d be hand-crafting a catalog that won’t stay in sync with Fabric changes, and you’d be outside the supported Fabric→Purview integration path. It’s more of a last-resort experiment than a sustainable solution.

If you want a definitive product answer, I’d raise a support ticket or post this exact scenario in the Purview / Fabric governance channel and reference the cross-tenant Fabric scan docs. But from what we know today, the honest state is:

 

In cross-tenant preview, you can reliably get item-level Fabric metadata; table-level Lakehouse metadata and lineage are still limited, and what you’re seeing (no Delta tables, no columns) is expected rather than a misconfiguration.https://learn.microsoft.com/en-us/purview/register-scan-fabric-tenant-cross-tenant?utm_source

 

So you’re not missing a hidden toggle – you’ve essentially hit the edge of what the preview supports right now.

 

– Gopi Krishna

Message 2 of 4
489 Views
pranavsabnis
Frequent Visitor
In response to Ugk161610

‎12-03-2025 06:22 AM

@Ugk161610 Thanks Gopi for clarifying.

Message 3 of 4
477 Views
Ugk161610
Continued Contributor
Continued Contributor
In response to pranavsabnis

‎12-03-2025 06:38 AM

@pranavsabnis If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution. 

Message 4 of 4
471 Views

Helpful resources

Announcements
December Fabric Update Carousel

Fabric Monthly Update - December 2025

Check out the December 2025 Fabric Holiday Recap!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All