A new Data Days event is coming soon!
This time we’re going bigger than ever. Fabric, Power BI, SQL, AI and more. We're covering it all. You won't want to miss it.
Learn moreDid you hear? There's a new SQL AI Developer certification (DP-800). Start preparing now and be one of the first to get certified. Register now
- Microsoft Fabric Community
- Fabric Updates Blog
- Fabric Workspace Identity: Removing Default Contri...
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Fabric Workspace Identity: Removing Default Contributor Access for Workspace Identity
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
A Fabric workspace identity is an automatically managed service principal that can be associated with a Fabric workspace. Fabric workspaces with a workspace identity can securely read or write to firewall-enabled Azure Data Lake Storage Gen2 accounts through trusted workspace access for OneLake shortcuts. Fabric items can use the identity when connecting to resources that support Microsoft Entra authentication. Fabric uses workspace identities to obtain Microsoft Entra tokens without the customer having to manage any credentials.
Previously, a workspace identity was automatically assigned the workspace contributor role and had access to workspace items.
As part of our ongoing security hardening efforts and in response to enterprise customer feedback, Workspace identities will no longer have the workspace contributor role by default. This change is designed to make it easier to adhere to the principle of least privilege.
What's Changing?
Effective July 27, 2025, Microsoft Fabric will remove the default 'Contributor' role assignment from Workspace Identities; this affects both:
- New Workspace Identities will no longer be granted Contributor role automatically.
- Existing Workspace Identities will no longer have the Contributor role.
Why the change?
Removing the workspace contributor role granted by default to workspace identities will reduce accidental, unintended, or unauthorized modifications to Fabric items and data. This may be possible if the workspace identity token is retrieved and then directly used to create or modify Fabric items.
If your workload depends on Workspace Identity, for automating tasks such as refreshing datasets or reports and assumes default Contributor permissions, you must now explicitly assign RBAC roles to these identities.
Important: Modifying the application associated with a Workspace Identity (e.g., changing app registration, permissions, or tenant) is not a supported scenario and may make the identity inoperative.
Admin Responsibilities and Best Practices
As a Fabric Admin, you should proactively:
- Review all active Workspace identities:
- Go to Admin Portal > Fabric identities and audit identities in use.
- Validate usage scenarios
- Determine if the identity is used for:
- Authentication, trusted access, or a combination of both capabilities in shortcuts and data pipelines, or Fabric warehouse T-SQL COPY: No RBAC role is needed.
- Automation: Assign roles explicitly to the workspace identity (see below).
- Determine if the identity is used for:
- Enforce least privilege
- Use roles like Viewer instead of Contributor or Member, unless write access is strictly necessary.
Assigning role to workspace identity explicitly
As admins or developer, you can still assign a role to the workspace identity explicitly by following these steps:
- Navigate to the Workspace.
- Go to Settings > Manage Access > Add people or groups.
- Add the Workspace Identity explicitly to the Contributor or custom role.
| Role | Action Required |
| Fabric Developers | Review all scripts, apps, or tools using Workspace Identity for automation. Add explicit role assignments if needed. |
| Fabric Admins | Audit all workspace identities via the Admin Portal. Update RBAC assignments according to the organization's access control policies. |
| Security Teams | Reassess any existing role assumptions or threat models related to automated workloads in Fabric. |
Rollout Timeline
This update will be rolled out incrementally starting July 27, 2025, and will affect all tenants globally. Fabric admins should also have received targeted notifications in the M365 admin center.
This change is a security-forward step in reinforcing explicit access management in Microsoft Fabric. We recommend that admins and developers begin reviewing current configurations immediately to ensure uninterrupted workflows and improved compliance.
We appreciate your partnership and feedback as we continue to enhance the Fabric security model.
Learn More
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
-
Fabric Platform
581 -
Announcements
444 -
Microsoft Fabric
443 -
Data Factory
282 -
Data Engineering
229 -
OneLake
196 -
Data Warehouse
194 -
Real-Time Intelligence
168 -
Data Science
142 -
Community
123 -
Lakehouse
117 -
Apache Spark
100 -
AI
91 -
Databases
87 -
Fabric Public APIs
64 -
Monthly Update
47 -
Data Lake
42 -
Roadmap
37 -
Activator
34 -
Semantic Model
10 -
Community Challenge
10 -
Fabric IQ
8 -
Power BI
7 -
Apache Iceberg
6 -
Fabric Workload
6 -
Security and Compliance
4 -
Developer
3 -
Admin
3 -
Data Loss Prevention
3 -
Warehouse
3 -
Fabric ML
2 -
Information Protection
2 -
Power BI Reports
1 -
Web Modeling
1 -
OneLake Catalog
1 -
One Lake
1 -
Pipelines
1 -
How To
1 -
Capacities
1 -
Machine Learning
1 -
Security
1 -
Governance
1 -
Events
1