carlton7372
Helper I

Operation failed: "Forbidden", 403 When attempting to access LakeHouse files

When attempting to access files from one of my applications I get the following ExecutionError:

ExecutionError: An error occurred while calling o539.ls. : Operation failed: "Forbidden", 403, GET, https://onelake.dfs.fabric.microsoft.com/DataEngineeringWKSP?upn=false&resource=filesystem&m..., Forbidden, "User is not authorized to perform current operation for workspace '0963db25-ad19-489b-944e-82d6fc013b87', artifact 'b8f5e9cd-3c39-44b8-8982-ddecef9e829c'."

 

The application has successfully registered ok. 

 

To resolve this, it has been suggested that I log into the Microsoft Fabric portal, navigate to the lakehouse’s “Manage Access” settings, and add the required identity with an appropriate role (such as Storage Blob Data Contributor or the equivalent Fabric data access role), ensuring that its OAuth token is issued and includes a valid UPN claim; once these permissions are set, the GET operation should succeed without a 403 error.

 

However, when I access the LakeHouse settings I don't see the option to add an identity, see image. Can someone please provide some guidance.

 

carlton7372_0-1744038242791.png

 

I also can't see anywhere to modify Workspace Setting to permit access
 
carlton7372_0-1744039768998.png

 

 
 
1 ACCEPTED SOLUTION
v-menakakota
Community Support

Hi @carlton7372 ,

Thank you for reaching out to us on the Microsoft Fabric Community Forum.


The suggestion to use "Manage Access" and add a role like "Storage Blob Data Contributor" is a bit off; Fabric doesn’t use that exact role. Instead, permissions come from either the workspace level or a special OneLake data access setting (which might be why you’re stuck).

You’re looking in the wrong spot—there’s a workspace-level "Manage Access" and a Lakehouse-level "Manage OneLake data access (preview)" that might not be turned on yet.

 Go to your workspace. Click Manage Access (top-right corner or settings gear). See if you’re an Admin, Member, or Contributor. If you’re just a Viewer, you’ll need someone with more rights to help.


vmenakakota_2-1744094629843.png

 


Open the Lakehouse inside the workspace. Check for a button like "Manage OneLake data access (preview)" in the ribbon. If you see it, enable it and add your app’s identity with a role (e.g., read access to all folders).

vmenakakota_3-1744094779869.png

Here is the documentation link for more understanding:

Get started with OneLake data access roles (preview) - Microsoft Fabric | Microsoft Learn


If this post was helpful, please give us Kudos and consider marking Accept as solution to assist other members in finding it more easily.






8 REPLIES 8
carlton7372
Helper I

Thanks again for getting in touch.

 

Did you mean something like this

 

carlton7372_0-1744106274661.png

 

Yes

 

carlton7372
Helper I

By way of an update, I'm also getting the error:

{"error":{"code":"Unauthorized","message":"Authentication Failed with Bearer token is not present in the request"}}

Hi V-menakakota,

 

Thanks for getting in touch.

 

I should have mentioned that I have created a service principal to access the OneLake via Databricks using the following code:

 

url = "abfss://DataEngineeringWKSP@onelake.dfs.fabric.microsoft.com/sqlite_lakehouse.Lakehouse"
mount_folder = "/mnt/lake"

# OAuth configuration settings for OneLake
configs = {
    "fs.azure.account.auth.type": "OAuth",
    "fs.azure.account.oauth.provider.type": "org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider",
    "fs.azure.account.oauth2.client.id": "ac8db0b1-a061-4899-994b-81253d864bc8",
    "fs.azure.account.oauth2.client.secret": "fNi8Q~1Q.B-Ey12zs066D_G3.E6bslnE_LqY-aFs",
}

mounted_list = dbutils.fs.mounts()
mounted_exist = False

for item in mounted_list:
    if mount_folder in item.mountPoint:
        mounted_exist = True
        break

if not mounted_exist:
    dbutils.fs.mount(source=url, mount_point=mount_folder, extra_configs=configs)
 
As a result I need to add the Service Principal, but unfortunately it's not possible to add the service principal where you suggested - you can only add People or Email addresses
 
carlton7372_0-1744097782979.png
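
A check of the mount options against what the ABFS ClientCredsTokenProvider expects, as an added example that is not part of the original posts: the dictionary posted above has no fs.azure.account.oauth2.client.endpoint entry, and the sketch also takes the client secret as a parameter so that it can come from a Databricks secret scope instead of a literal. The function names, tenant ID, scope and key names and all sample values are constructed placeholders, and the endpoint pattern assumes the public Entra ID cloud.

```python
import re

P = "fs.azure.account."
# Options the ABFS ClientCredsTokenProvider needs for the client-credentials flow.
REQUIRED = (
    P + "auth.type",
    P + "oauth.provider.type",
    P + "oauth2.client.id",
    P + "oauth2.client.secret",
    P + "oauth2.client.endpoint",
)
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# Assumption: public-cloud Entra ID token endpoint (v1 or v2.0 path).
ENDPOINT = re.compile(r"https://login\.microsoftonline\.com/[^/\s]+/oauth2/(v2\.0/)?token")


def build_configs(client_id, client_secret, tenant_id):
    """Full extra_configs for dbutils.fs.mount(); the secret is passed in, never inlined."""
    return {
        P + "auth.type": "OAuth",
        P + "oauth.provider.type": "org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider",
        P + "oauth2.client.id": client_id,
        P + "oauth2.client.secret": client_secret,
        P + "oauth2.client.endpoint": f"https://login.microsoftonline.com/{tenant_id}/oauth2/token",
    }


def audit_configs(configs):
    """Return findings; an empty list means every required option is present and well formed."""
    findings = [f"missing {key}" for key in REQUIRED if not configs.get(key)]
    client_id = configs.get(P + "oauth2.client.id", "")
    if client_id and not GUID.fullmatch(client_id):
        findings.append("client.id is not a GUID")
    endpoint = configs.get(P + "oauth2.client.endpoint", "")
    if endpoint and not ENDPOINT.fullmatch(endpoint):
        findings.append("client.endpoint is not a tenant token URL")
    return findings


def redacted(configs):
    """Copy that is safe to print or paste: the client secret is masked."""
    return {k: "***" if k.endswith("client.secret") else v for k, v in configs.items()}


# Constructed sample with the same four keys as the dictionary in the post.
POSTED_SHAPE = {k: v for k, v in build_configs(
    "00000000-0000-0000-0000-000000000000", "constructed-secret",
    "11111111-1111-1111-1111-111111111111").items() if not k.endswith("client.endpoint")}

# In a notebook: build_configs(app_id, dbutils.secrets.get(scope="<scope>", key="<key>"), tenant_id)
if __name__ == "__main__":
    print(audit_configs(POSTED_SHAPE))
    print(redacted(POSTED_SHAPE))
```

A complete dictionary only lets the driver request a token; whether the request is then authorized still depends on the access granted to the service principal in Fabric.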

 

Hi @carlton7372 ,

We really apologize for the inconvenience. As you mentioned, it's not possible to add the service principal; we can add only email. Paste in the Application ID of your Service Principal as a guest user (appid@tenant.onmicrosoft.com). Assign it the Member or Contributor role.
If it doesn’t recognize your app ID or gives an error, it’s because Service Principals must be first granted directory access in Entra ID.
Go to Entra ID (Azure Active Directory). Find your app under App registration. Under API permissions, grant it Microsoft Graph. Then in Enterprise Applications, ensure it’s allowed to access Microsoft Fabric.



If this post was helpful, please give us Kudos and consider marking Accept as solution to assist other members in finding it more easily.

 

Hi V,

 

I have added it here, but I'm still getting the Forbidden error

 

carlton7372_0-1744107803080.png

 

Hi! Did you ever find a solution? I am facing the same issue
