Enable Azure Resource Manager (ARM) API Authentication Using Fabric Workspace Identity

Problem Statement

Microsoft Fabric Workspace Identity is positioned as a secure, secretless authentication mechanism for Fabric workloads. However, Fabric Notebooks currently cannot acquire Azure Resource Manager (ARM) access tokens (https://management.azure.com) using Workspace Identity via notebookutils.credentials.getToken().

This limitation prevents Fabric notebooks—whether executed interactively or via pipelines—from calling ARM APIs for essential operations such as:

  • Azure subscription discovery
  • Resource group and resource enumeration
  • Governance, metadata, and automation use cases

The behavior is consistent across execution modes and identity contexts and appears to be a by-design restriction, as ARM is not a supported token audience today.

Current State / Workaround

The only functional workaround is to:

  • Create a client secret for the Fabric Workspace Identity (Entra app registration),
  • Store it in Azure Key Vault, and
  • Use ClientSecretCredential in notebook code to acquire ARM tokens.

While technically viable, this approach:

  • Reintroduces secret management and rotation
  • Is functionally equivalent to using a traditional Service Principal
  • Undermines the core value of Workspace Identity as a managed, secretless identity

Why This Matters (Customer Impact)

This limitation significantly restricts real-world enterprise scenarios, including:

  • Centralized Azure governance and inventory solutions built on Fabric
  • Automated metadata-driven pipelines
  • Secure cross-subscription orchestration without secrets
  • Compliance-driven environments where secret-based authentication is discouraged or prohibited

Customers adopting Fabric as a unified analytics and orchestration platform expect parity with Azure managed identity patterns, including secure ARM access without client secrets.

Proposed Enhancement

Enable native ARM token acquisition using Fabric Workspace Identity, for example:

This would align Fabric Workspace Identity with Azure Managed Identity capabilities and unlock critical governance and automation scenarios.

Expected Benefits

  • True end-to-end secretless authentication for Fabric workloads
  • Improved security posture (no secrets, no rotation overhead)
  • Greater adoption of Fabric for enterprise-scale governance and automation
  • Reduced need for custom authentication patterns and workarounds
Status: New
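
The workaround described under Current State / Workaround, as an added example (not part of the original post and not Microsoft's code). It assumes `notebookutils.credentials.getSecret` and the `azure-identity` package are available in the notebook; the tenant, client, vault and secret names are caller-supplied, and `check_arm_token` is a hypothetical helper that confirms the token's audience and client id before it is used.

```python
import base64
import json
import time

ARM_SCOPE = "https://management.azure.com/.default"
# Audience values ARM tokens commonly carry (assumption; confirm in your tenant).
ARM_AUDIENCES = {"https://management.azure.com", "https://management.azure.com/",
                 "https://management.core.windows.net/"}

def token_claims(jwt):
    """Decode the JWT payload for diagnostics only; the signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_arm_token(jwt, expected_client_id, now=None):
    """Return a list of problems; an empty list means the token looks as intended."""
    claims = token_claims(jwt)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") not in ARM_AUDIENCES:
        problems.append(f"unexpected audience: {claims.get('aud')!r}")
    if expected_client_id not in (claims.get("appid"), claims.get("azp")):
        problems.append("token was not issued to the expected client id")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems

def acquire_arm_token(tenant_id, client_id, vault_url, secret_name):
    """Workaround flow; runs only inside a Fabric notebook with azure-identity present."""
    import notebookutils  # Fabric runtime module (assumed importable by name)
    from azure.identity import ClientSecretCredential
    # Keep the secret in memory only: never print it or leave it in cell output.
    secret = notebookutils.credentials.getSecret(vault_url, secret_name)
    credential = ClientSecretCredential(tenant_id, client_id, secret)
    token = credential.get_token(ARM_SCOPE).token
    problems = check_arm_token(token, client_id)
    if problems:
        raise RuntimeError("; ".join(problems))
    return token

if __name__ == "__main__":
    # Constructed, unsigned sample token (not a real credential).
    body = base64.urlsafe_b64encode(json.dumps(
        {"aud": "https://storage.azure.com/", "appid": "constructed-id", "exp": 0}).encode()).decode()
    print(check_arm_token(f"x.{body}.x", "constructed-id"))
```

The returned token goes in the `Authorization: Bearer` header of ARM requests; the secret behind it still needs an expiry date and a rotation schedule in Key Vault.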