rjmsft
New Member


Hello,
I'm working with an Azure Fabric workspace and need to connect to various data sources (e.g., Azure Storage, SQL Databases, etc.) using a Service Principal (SPN) for authentication. However, I cannot use Managed Identities (MI) or secrets (due to organizational restrictions), and I’m not allowed to store credentials or manage secrets directly.

I’ve heard that Federated Identity Credentials (FIC) can allow SPNs to authenticate via Managed Identity (MI), but I am unsure how to configure it properly in Azure Fabric to connect to the data sources without relying on secrets.

Specific requirements:
Use SPN for authentication (Managed Identity is not an option, as data owners allow access only to SPNs, not WSIs/MIs).

No secrets should be used for authentication or storage.

Access data sources in Azure Fabric workspace securely using the SPN.

Ideally, I want to leverage Federated Identity Credential (FIC) to authenticate using Managed Identity while bypassing secrets.

Has anyone implemented this setup in Azure Fabric or can you guide me on how to:

Set up Federated Identity Credentials for an SPN.

Grant the SPN access to Azure data sources.

Connect to these data sources from Azure Fabric using the SPN without requiring secrets.

Thanks for your help!

1 ACCEPTED SOLUTION

Hi @rjmsft,

 

The certificate used for Service Principal + certificate authentication does not have to be created by a specific AME or PME account. The certificate is linked to the App Registration (SPN) itself, not to the user who creates it. From Azure’s perspective, the key points are:

The certificate must be uploaded to SPN - Certificates & secrets - Certificates, and

The authentication process uses the matching private key for that certificate.

This means either AME or PME can generate the certificate, as successful authentication only requires the certificate to be stored on the SPN.

If there are conditional-access or governance policies in your organization about who can manage App Registrations, those are internal policies, not requirements from Fabric or Azure. Use whichever account type your security team allows for managing the SPN.


I understand that when you said you cannot use MI, you meant the Fabric Workspace Identity, not that MI is generally blocked. In this case, the SPN + certificate method is the supported secret-less approach currently, since Fabric does not yet allow using Federated Identity Credentials (FIC) to assume SPNs.

Microsoft identity platform certificate credentials - Microsoft identity platform | Microsoft Learn
Create a self-signed public certificate to authenticate your application - Microsoft identity platfo...
Embed Power BI content in a Power BI embedded analytics application with service principal and a cer...
Microsoft Entra Authentication in Fabric Data Warehouse - Microsoft Fabric | Microsoft Learn
Service principal support in Data Factory - Microsoft Fabric | Microsoft Learn

Thank you.


7 REPLIES
v-sgandrathi
Community Support

Hi @rjmsft,

Just looping back one last time to check if everything's good on your end. Let me know if you need any final support; happy to assist if anything’s still open.

 

Thank you.

v-sgandrathi
Community Support

Hi @rjmsft,

Just wanted to follow up and confirm that everything has been going well on this. Please let me know if there’s anything you need from our end.
Please feel free to reach out to the Microsoft Fabric community forum.

 

Thank you
Sahasra.

v-sgandrathi
Community Support

Hi @rjmsft,

 

Thanks for your question. To clarify the current platform behavior, Azure Fabric does not support using Federated Identity Credentials (FIC) for Service Principals. Fabric runtimes cannot perform the OIDC token-exchange required for FIC, so an SPN cannot be assumed through FIC inside Notebooks, Pipelines, or Lakehouse engines.

Given your restrictions (no Managed Identities and no secrets), the only supported “secret-less” option today is certificate-based authentication for the SPN. You can upload a certificate to the SPN in Entra ID and use it in Fabric through the Azure Identity SDK. This method is supported in Notebooks, custom code, and partially in Dataflows Gen2.

You can then assign RBAC roles to the SPN on Storage, SQL, or other sources as usual. The certificate simply replaces secrets and enables the SPN to authenticate securely without storing credentials in plain text.

At this time, Fabric does not support FIC-based authentication, so SPN + certificate is the recommended approach for secure, secret-less access.

 

Thank you.

Hi @v-sgandrathi, thanks for your response! Do you have any documentation that could help with the SPN + certificate approach? Is the certificate required to be created with an AME account, or does it need a PME account? It seems the data owners have a conditional policy enabled and they check this. Anyway, I can check with both of them if I have any documentation to try it out with. Also, when I said I can't use MI, I meant Fabric's Workspace Identity.


Hi @rjmsft,

 

As we have not received a response from you yet, I would like to confirm whether you have successfully resolved the issue or if you require further assistance.

 

Thank you.

Vinodh247
Solution Sage

 

You cannot configure a Federated Identity Credential on your SPN and expect Fabric Notebooks, Pipelines, or Lakehouse engines to automatically exchange tokens on behalf of your SPN. The runtime does not support this flow today.

 

Current workarounds...

  1. Use a MI on supporting components (like Data Pipeline Copy Activity via Data Gateway + MI) and ask data owners to grant that MI access. ---> You said this is not allowed.

  2. Use certificate based authentication for the SPN: This avoids secrets. Certificates are allowed in strict orgs.
    Fabric supports SPN + certificate in Notebook (via Azure Identity SDK), in Dataflows Gen2 (limited), and in custom code.

  3. Use Key Vault with the Key Vault MI --> but you said secrets are not allowed for storage.

  4. Use external compute (ADF, synapse, func app) that supports federated identity and hand over data to Fabric via ingestion endpoints.

 

So the bottom line guidance is...

• Federated Identity Credential cannot be used directly in Fabric today.
• Fabric cannot assume an SPN via FIC.
• Your only secretless SPN option today is certificate-based authentication.
• Configure the SPN with a certificate, assign RBAC to Storage / SQL, and use the Azure Identity SDK inside Fabric Notebooks or Spark to authenticate.
Example: ClientCertificateCredential(tenant_id, client_id, cert_path)


Please 'Kudos' and 'Accept as Solution' if this answered your query.

Regards,
Vinodh
Microsoft MVP [Fabric]
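The SPN + certificate flow from the accepted solution ("the certificate must be uploaded to the SPN, and authentication uses the matching private key") and the ClientCertificateCredential example above, as an added Python example that is not from this thread, Microsoft, or the Azure SDK: it pre-checks a PEM bundle before use by comparing the local certificate's SHA-1 thumbprint with the one listed on the app registration, and only then builds the credential. The PEM content is constructed (the certificate body is arbitrary bytes, not real DER), and tenant id, client id, path and thumbprint are placeholders you supply.

```python
import base64
import hashlib
import re

# Constructed PEM bundle for this example: the "certificate" body is arbitrary
# bytes standing in for DER, so the thumbprint only demonstrates the check.
_FAKE_DER = b"constructed-bytes-not-a-real-certificate-" * 3
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\ncGxhY2Vob2xkZXIta2V5\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

def _pem_block(pem: str, label: str) -> bytes:
    """Return the DER bytes of the first PEM block carrying the given label."""
    m = re.search(rf"-----BEGIN {label}-----(.*?)-----END {label}-----", pem, re.S)
    if not m:
        raise ValueError(f"PEM bundle has no {label} block")
    return base64.b64decode("".join(m.group(1).split()))

def cert_thumbprint(pem: str) -> str:
    """SHA-1 thumbprint of the certificate, in the uppercase hex form Entra
    lists under the app registration's Certificates & secrets blade."""
    return hashlib.sha1(_pem_block(pem, "CERTIFICATE")).hexdigest().upper()

def check_bundle(pem: str, expected_thumbprint: str) -> bool:
    """Pre-flight check before handing the file to ClientCertificateCredential.
    Entra stores only the public certificate, so the local bundle must hold the
    private key, and its certificate must be the one uploaded to the SPN."""
    if not re.search(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----", pem):
        raise ValueError("bundle has no private key; token requests would fail")
    wanted = re.sub(r"[^0-9A-Fa-f]", "", expected_thumbprint).upper()
    return cert_thumbprint(pem) == wanted

def make_credential(tenant_id: str, client_id: str, cert_path: str,
                    expected_thumbprint: str):
    """Build the secret-less SPN credential after the checks above pass.
    azure-identity is imported lazily so the checks run without it installed;
    hand the returned credential to any Azure SDK client, e.g.
    BlobServiceClient(account_url, credential=cred)."""
    with open(cert_path, encoding="utf-8") as f:
        pem = f.read()
    if not check_bundle(pem, expected_thumbprint):
        raise ValueError("local certificate is not the one registered on the SPN")
    from azure.identity import ClientCertificateCredential
    return ClientCertificateCredential(tenant_id, client_id, certificate_path=cert_path)
```

In a Fabric Notebook the bundle would typically be read from a Lakehouse file path, and RBAC on the target Storage or SQL resource is still granted to the SPN exactly as with a secret.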
