Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now! Learn more

Reply
JAnder
Helper II
Helper II

Workspace Identity with Azure SQL Databases

‎12-12-2025 06:25 AM

I am currently mirroring an Azure SQL Database in a workspace using a Service Principal. There have been a few issues but it mostly works ok. However it was suggested trying a Workspace Identity so we dont need to manage the Service Principal secret.

 

So I have setup the Workspace Identity, it provided a name and it created an Enterprise Application (principal) in Entra. So according to this document

 https://learn.microsoft.com/en-gb/fabric/mirroring/azure-sql-database-tutorial#use-a-login-and-mappe...

I should go to the database and create a login and a user

 

CREATE LOGIN [Workspace Identity Name] FROM EXTERNAL PROVIDER;
CREATE USER [Workspace Identity Name] FOR LOGIN [workspace identity Name];
GRANT SELECT, ALTER ANY EXTERNAL MIRROR, VIEW DATABASE PERFORMANCE STATE, VIEW DATABASE SECURITY STATE TO [Workspace Identity Name];

This should provide the Workspace Identity access to handle mirroring. Very similar to how it was previously set up with a Service Principal.

However I now get the error 

This principal type is not supported in Azure SQL Database

 

I also tried setting it up with the command

CREATE USER [<Name>] FROM EXTERNAL PROVIDER
WITH OBJECT_ID = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX';

and this also fails. 

So I tried creating a group in Entra. Adding the Workspace Identity Service Principal into that group and then applying the permissions to the group. There was no error when applying permissions but the mirror does not work with an error indication it does not have permission.

 

Can anyone clarify how to set up the Workspace Identity with Azure SQL Server? Is there a logical reason why its different to setting up other Service Principals?

 

Labels:
Message 1 of 4
653 Views
0
1 ACCEPTED SOLUTION
JAnder
Helper II
Helper II

‎12-15-2025 05:23 AM

@Zanqueta Thanks for the reply, appreciate you taking the time to do that.

 

I have managed to get the mirroring working. Having the Workspace Identity as part of a group, with the group created as a user on the db with relevant permissions

CREATE USER [Workspace Identity Name] FOR LOGIN [workspace identity Name];
GRANT SELECT, ALTER ANY EXTERNAL MIRROR, VIEW DATABASE PERFORMANCE STATE, VIEW DATABASE SECURITY STATE TO [Workspace Identity Name];

 

This failed for me initially, I expect there may have been a delay getting it all to work.

I set up a connection using the workspace identity and assigned that to a report to see if it would refresh and it did. I then retried assigning the connection to a mirror and it worked as well. 

View solution in original post

Message 3 of 4
482 Views
3 REPLIES 3
JAnder
Helper II
Helper II

‎12-15-2025 05:23 AM

@Zanqueta Thanks for the reply, appreciate you taking the time to do that.

 

I have managed to get the mirroring working. Having the Workspace Identity as part of a group, with the group created as a user on the db with relevant permissions

CREATE USER [Workspace Identity Name] FOR LOGIN [workspace identity Name];
GRANT SELECT, ALTER ANY EXTERNAL MIRROR, VIEW DATABASE PERFORMANCE STATE, VIEW DATABASE SECURITY STATE TO [Workspace Identity Name];

 

This failed for me initially, I expect there may have been a delay getting it all to work.

I set up a connection using the workspace identity and assigned that to a report to see if it would refresh and it did. I then retried assigning the connection to a mirror and it worked as well. 

Message 3 of 4
483 Views
Zanqueta
Solution Sage
Solution Sage
In response to JAnder

‎12-15-2025 08:09 AM

Hi @JAnder , thank you for sharing this information. Please consider marking the answer as the accepted solution so that other community members can easily follow it.

Message 4 of 4
471 Views
0
Zanqueta
Solution Sage
Solution Sage

‎12-12-2025 07:03 AM

Hi @JAnder,

 

Azure SQL Database currently supports Azure AD users and groups, but does not support Enterprise Applications (Service Principals) directly as logins. When you create a Workspace Identity, Fabric registers an Enterprise Application in Microsoft Entra ID, which is essentially a Service Principal. The error:
This principal type is not supported in Azure SQL Database
is expected because Azure SQL does not allow creating logins for Service Principals in the same way as for users or groups.

Logical Difference

  • Service Principal approach: You can use it for token-based authentication in many Azure services, but Azure SQL Database does not allow direct login creation for Service Principals.
  • Workspace Identity: It is an Enterprise Application, so it falls under the same limitation.

Supported Approach

The recommended way is to use an Entra ID group and assign permissions to that group, then add the Workspace Identity to the group. However, for Azure SQL Database to recognise the group, you must:
  1. Ensure Azure AD authentication is enabled on the SQL Server.
  2. Use CREATE USER [GroupName] FROM EXTERNAL PROVIDER; in the database.
  3. Grant the required permissions to that group.
This works because Azure SQL supports Azure AD groups, not Enterprise Applications directly.

Why Your Attempt Failed

You created the group and added the Workspace Identity, but the mirror still failed because:
  • The Workspace Identity might not be using the group token when connecting.
  • Fabric currently does not support group-based token delegation for Workspace Identity in mirroring scenarios (as of current documentation).

Current Limitation

At this time, Workspace Identity cannot authenticate directly to Azure SQL Database for mirroring because Azure SQL does not support Enterprise Applications as principals. The official guidance still recommends using a Service Principal with a managed secret or Managed Identity (for other services), but Managed Identity is not yet supported for Fabric mirroring.

What You Can Do

 

If this response was helpful in any way, I’d gladly accept a 👍much like the joy of seeing a DAX measure work first time without needing another FILTER.

Please mark it as the correct solution. It helps other community members find their way faster (and saves them from another endless loop 🌀.

 

Message 2 of 4
633 Views
0

Helpful resources

Announcements
Power BI DataViz World Championships

Power BI Dataviz World Championships

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now!

December 2025 Power BI Update Carousel

Power BI Monthly Update - December 2025

Check out the December 2025 Power BI Holiday Recap!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All