FabianSchut
Solution Sage

Cross tenant trusted workspace

Hi,

I am trying to set up a trusted workspace in ADLS in two different tenants. In Tenant A, I have an ADLS Storage Account and in Tenant B, I have my Fabric capacity and environment running. Is it possible to add a workspace from Tenant B in the Resource instance rule of Tenant A? I am using this article as a reference: https://blog.fabric.microsoft.com/en-us/blog/introducing-trusted-workspace-access-for-onelake-shortc....

And is it always necessary to add a workspace identity too? Or can I use a SAS token with trusted workspace with an identity?

1 ACCEPTED SOLUTION
FabianSchut
Solution Sage

I solved this by using the managed private endpoint in combination with a service principal in the same tenant as the storage account, since the workspaces do not work cross tenant without connecting the two tenants in some way.
With the private endpoint, I was able to connect to the storage account that had network restrictions. 
With a custom Python script I copied the files from the network restricted storage account to Fabric. 
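
A sketch of the copy step described in the accepted solution, added here as an example and not the poster's actual script: it signs in as a service principal homed in the storage account's tenant and copies files into the lakehouse, with the network path left to the managed private endpoint. The environment variable names, the `exports` source folder and the `/lakehouse/default/Files/imported` destination (a Fabric notebook with a default lakehouse attached) are assumptions.

```python
import os
from pathlib import Path, PurePosixPath


def open_source_filesystem(tenant_id, client_id, client_secret, account, container):
    """Sign in as a service principal that lives in the storage account's tenant."""
    # Lazy imports: copy_tree() below can be exercised without the Azure SDK installed.
    from azure.identity import ClientSecretCredential
    from azure.storage.filedatalake import DataLakeServiceClient

    # tenant_id pins the token request to the storage tenant, not the Fabric tenant.
    credential = ClientSecretCredential(tenant_id, client_id, client_secret)
    service = DataLakeServiceClient(
        f"https://{account}.dfs.core.windows.net", credential=credential
    )
    return service.get_file_system_client(container)


def copy_tree(fs, source_dir, dest_root):
    """Copy every file under source_dir into dest_root; return the relative paths."""
    dest_root = Path(dest_root).resolve()
    src = PurePosixPath(source_dir.strip("/"))
    copied = []
    for item in fs.get_paths(path=str(src), recursive=True):
        if item.is_directory:
            continue
        rel = PurePosixPath(item.name).relative_to(src)
        target = (dest_root / Path(*rel.parts)).resolve()
        # Refuse source names that would resolve outside the destination folder.
        if dest_root not in target.parents:
            raise ValueError(f"unsafe path in source: {item.name}")
        target.parent.mkdir(parents=True, exist_ok=True)
        with open(target, "wb") as out:
            fs.get_file_client(item.name).download_file().readinto(out)
        copied.append(str(rel))
    return copied


if __name__ == "__main__":
    # Assumed variable names; load the secret from a vault, never hard-code it.
    fs = open_source_filesystem(
        os.environ["SOURCE_TENANT_ID"],
        os.environ["SOURCE_CLIENT_ID"],
        os.environ["SOURCE_CLIENT_SECRET"],
        os.environ["SOURCE_STORAGE_ACCOUNT"],
        os.environ["SOURCE_CONTAINER"],
    )
    # Assumed destination: default lakehouse mount of a Fabric notebook.
    print(copy_tree(fs, "exports", "/lakehouse/default/Files/imported"))
```

Granting the service principal only a read role on the source container keeps the credential useless for anything beyond this copy.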


4 REPLIES 4
v-kongfanf-msft
Community Support

Hi @FabianSchut ,

 

Yes, you can add tenant B's workspace to tenant A's resource instance rule.

  • The article you referenced mentions that Microsoft Fabric will soon support Fabric Workspace Identity (FWI) to improve authentication security in the connector. You will be able to add the Fabric Workspace Identifier (FWI) as a trusted identifier for ADLS Gen2 storage accounts. This means that you can use the workspace identifier for secure connections without having to add the workspace identifier each time.
  • You can use SAS tokens in conjunction with a trusted workspace that has an identity. SAS tokens are a common authentication method that can be used in conjunction with a trusted workspace to ensure secure access.

Best Regards,
Adamk Kong

 

If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

Hi @v-kongfanf-msft,

 

Unfortunately, I did not get this setup working. I've added the workspace from tenant A in the network settings from tenant B. When I try to set up the connection in tenant A with a SAS token, I get an invalid credentials error. I've tried all different access rights with the SAS token.
What I think goes wrong in this case is that a connection is not set on workspace level, but on Fabric tenant level. When I add a workspace as trusted, the connection does not use that trusted workspace. It may only work if I use Workspace Identity as an authorization method. However, I cannot add the Workspace Identity from tenant A in tenant B as a Blob Data Reader, for example.
What is the best way to add the Workspace Identity from tenant A in tenant B?

Hi @FabianSchut ,

 

You can try to manage user identity and control user access to resources with the help of IAM.

 

Refer to below document:

Configure the Grit IAM B2B2C solution with Azure Active Directory B2C - Azure AD B2C | Microsoft Lea...

Azure identity & access security best practices | Microsoft Learn

 

Best Regards,
Adamk Kong

 

If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

 
