Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Get Fabric Certified for FREE during Fabric Data Days. Don't miss your chance! Request now

Reply
EduardD
Helper IV
Helper IV

Dataverse shortcut from Fabric

‎11-20-2025 07:46 AM

Hi there, 

I wonder if anyone knows why this tenant setting is mandatory to enable Fabric Shortcut for Dataverse, are there any workaround not to use the settings (it represent security risk for the whole tenant):  
Tenant settings > oneLake settings > Users can access data stored in OneLake with apps external to Fabric.

Thank you. 
source : Configure your environment and link to Microsoft Fabric - Power Apps | Microsoft Learn 

Labels:
Message 1 of 7
336 Views
0
6 REPLIES 6
DaleT
Resolver II
Resolver II

Friday

Hi, 

I have some ideas that aren't from the documentation. First, Fabric is a relatively independent platform. This setting provides an option to lock everything in. Second, The setting just provides some flexibililty. That's all. Even without it, that doesn't mean the external apps can access Fabric directly.

Message 4 of 7
237 Views
0
v-dineshya
Community Support
Community Support
In response to DaleT

Monday

Hi @DaleT ,

Fabric is designed as a relatively self-contained ecosystem, and this setting doesn’t open the floodgates for external apps to access everything. It simply permits the possibility for external apps to interact with OneLake data through approved APIs or connectors. Without it, those external integrations like Dataverse shortcuts fail because Fabric assumes a “closed garden” by default.

 

Your interpretation that it’s about flexibility rather than exposure is spot-on. The risk only materializes if:

 

1.External apps are granted permissions to OneLake items.

2.RBAC and workspace security are misconfigured.

 

So enabling the setting doesn’t bypass security it just removes the hard block. The actual access still depends on AAD roles, workspace permissions, and OneLake RBAC.

 

Regards,

Dinesh

Message 5 of 7
179 Views
EduardD
Helper IV
Helper IV
In response to v-dineshya

Monday

Dinesh, thank you. it is not secure by design,
1.  this enable option should be very granular and must be availalbe for specific worspace or lakehouse not for the whole tenant.

2. more secure setting would assume both services to be part of the same vnet to have secure communications. 

 

Message 6 of 7
142 Views
0
v-dineshya
Community Support
Community Support
In response to EduardD

Tuesday

Hi @EduardD ,

Thank you for the update. We would recommend submitting your detailed feedback and ideas through Microsoft's official feedback channels, such as Microsoft Fabric Ideas. Feedback submitted through these channels is frequently reviewed by the product teams and can contribute to meaningful improvements.

https://ideas.fabric.microsoft.com/ideas/search-ideas/ 

 

Thank you for being a valued member in Microsoft Fabric Community Forum

Regards,

Dinesh

Message 7 of 7
100 Views
0
v-dineshya
Community Support
Community Support

Friday

Hi @EduardD ,

Thank you for reaching out to the Microsoft Community Forum.

 

Fabric natively allows internal access via Spark, Lakehouse, etc, but external tools—like Dataverse links, ADLS API, Databricks require this setting enabled. It acts as a master switch authorizing external apps to access OneLake.

 

PowerShell, REST, SDK or Power Automate advises enabling it to allow non-Fabric identity access (service principals and external applications).

 

Dataverse “Link to Fabric” fails without Premium capacity, Fabric Admin rights and this OneLake external-access setting enabled.

 

Please try below workarounds.

 

1. Configure tenant setting to only selected AAD groups, limiting exposure. Denied users within groups get blocked.

 

2. Enable Workspace outbound access protection (preview), blocks external shortcuts unless a Managed Private Endpoint is defined. Ensures fine-grained control.

 

3. Apply per-item/folder RBAC (OneLake security preview) to restrict what external apps can see. DefaultReader vs restricted roles.

 

4. Keep data in ADLS Gen2 with ADLS-specific auth, and use a shortcut into OneLake. Avoids enabling external-access toggle.

 

5. Grant internal-only API access under Fabric capacity without external toggle. For some features, SP can operate via internal APIs without changing global setting.

 

Please refer below links.

OneLake tenant settings - Microsoft Fabric | Microsoft Learn

Secure and manage OneLake shortcuts - Microsoft Fabric | Microsoft Learn

About tenant settings - Microsoft Fabric | Microsoft Learn

Workspace outbound access protection for OneLake - Microsoft Fabric | Microsoft Learn

Get started with OneLake security (preview) - Microsoft Fabric | Microsoft Learn

 

I hope this information helps. Please do let us know if you have any further queries.

 

Regards,

Dinesh

 

Message 2 of 7
271 Views
0
v-dineshya
Community Support
Community Support
In response to v-dineshya

Monday

Hi @EduardD ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. And, if you have any further query do let us know.

 

Regards,

Dinesh

Message 3 of 7
150 Views
0

Helpful resources

Announcements
November Fabric Update Carousel

Fabric Monthly Update - November 2025

Check out the November 2025 Fabric update to learn about new features.

Fabric Data Days Carousel

Fabric Data Days

Advance your Data & AI career with 50 days of live learning, contests, hands-on challenges, study groups & certifications and more!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All