A new Data Days event is coming soon!
This time we’re going bigger than ever. Fabric, Power BI, SQL, AI and more. We're covering it all. You won't want to miss it.
Learn moreDid you hear? There's a new SQL AI Developer certification (DP-800). Start preparing now and be one of the first to get certified. Register now
- Microsoft Fabric Community
- Fabric updates blogs
- Fabric Updates Blog
- Support for Workspace Identity Authentication and ...
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Support for Workspace Identity Authentication and Trusted Access to ADLS Gen2 in Semantic Models
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
We are excited to announce support for workspace identity authentication to Azure Data Lake Storage Gen2 in semantic models. Semantic models in import mode can now leverage secure credential free authentication and trusted access to ADLS Gen2 storage accounts.
What is workspace identity?
Workspace identity in Fabric is an automatically managed service principal associated with workspaces (excluding My Workspaces). When you create a workspace identity, Fabric generates a service principal in Microsoft Entra ID, enabling seamless authentication and trusted access to firewall-enabled storage accounts.
Previously, workspace identity facilitated authentication and trusted access in OneLake shortcuts, data pipelines, and DW Copy scenarios. Now, we're extending its capability to semantic models. Workspace identity support streamlines the authentication process, eliminates the need for managing secrets or certificates, and enhances security and credential management efficiency.
Using workspace identity in semantic models
Here are the steps to use workspace identity in semantic models for authentication and trusted access.
Step 1: Create the Workspace Identity
Creating a workspace identity is straightforward and can be done in the workspace settings of any workspace except personal workspaces (My Workspace):
- Navigate to your workspace and open the workspace settings.
- Select the Workspace identity tab.
- Click on the + Workspace identity button.
You can also create the workspace identity using the Workspaces – Provision Identity REST API. Workspace admins can create and delete the workspace identity. Admins, members, and contributors can configure workspace identity as an authentication method in supported items, such as semantic models.
Step 2: Grant Permissions to the Storage Account
To enable the workspace identity to access ADLS Gen2 storage accounts:
- Sign in to the Azure portal and navigate to the storage account.
- Select the Access control (IAM) tab and click on Role assignments.
- Click the Add button and choose Add role assignment.
- Select the appropriate role (e.g., Storage Blob Data Reader) and assign it to the workspace identity.
Complete the assignment by selecting Review + assign.
Step 3: Create and configure a data connection with workspace identity authentication method
- Navigate to the Manage connections and gateways experience
- Click on the + New button
- Select Cloud connections and provide the connection name and type Azure data lake storage Gen 2
- Provide the Server and full path to the storage data
- Select workspace identity as the authentication method
- Click on Create to create the connection.
If the storage account is firewall-enabled, then you can only configure workspace identity as the authentication method in Manage connections and gateways experience. To use other authentication methods such as service principal and organizational account in connections to a firewall-enabled storage account, you can use shortcut or pipeline creation experiences to create the connection. Later, you can bind this connection to semantic models.
Step 4: Create a semantic model and bind it to the data connection
To create semantic models using workspace identity authentication:
- Create the semantic model in Power BI Desktop that connects to the ADLS Gen2 storage account using the steps listed in Analyze data in Azure Data Lake Storage Gen2 by using Power BI. You can use organizational account to connect to Azure Data Lake Storage Gen2 in PBI Desktop.
- Import the model to the workspace configured with the Workspace Identity.
- Navigate to the model settings and expand the Gateway and cloud connections section.
- Under Cloud connections, select the data connection created in the previous step for the ADLS Gen2 storage account.
- Click Apply and then refresh the model to finalize the configuration.
Workspace identity can be created in any type of workspace such as Pro, Premium, and Fabric capacity, except for personal workspaces (My workspace). However, trusted access is only supported in workspaces associated with Fabric capacities.
Next steps
We believe this enhancement will provide a seamless and secure authentication experience. You can learn more about this feature by reading about workspace identity authentication and trusted workspace access.
Stay tuned for more updates and innovations in Microsoft Fabric.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
-
Fabric Platform
580 -
Announcements
440 -
Microsoft Fabric
436 -
Data Factory
279 -
Data Engineering
226 -
OneLake
194 -
Data Warehouse
193 -
Real-Time Intelligence
166 -
Data Science
142 -
Community
122 -
Lakehouse
117 -
Apache Spark
99 -
AI
91 -
Databases
87 -
Fabric Public APIs
64 -
Monthly Update
47 -
Data Lake
41 -
Roadmap
37 -
Activator
34 -
Community Challenge
10 -
Semantic Model
9 -
Fabric IQ
8 -
Apache Iceberg
6 -
Power BI
5 -
Fabric Workload
4 -
Security and Compliance
3 -
Warehouse
3 -
Developer
3 -
Admin
3 -
Data Loss Prevention
2 -
Information Protection
2 -
Fabric ML
2 -
One Lake
1 -
Pipelines
1 -
How To
1 -
Capacities
1 -
Machine Learning
1 -
Security
1 -
Governance
1 -
Events
1 -
Power BI Reports
1 -
OneLake Catalog
1