Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

We've captured the moments from FabCon & SQLCon that everyone is talking about, and we are bringing them to the community, live and on-demand. Starts on April 14th. Register now

Reply
Anonymous
Not applicable

Connect to Azure App Configuration from Notebook using Workspace Identity

‎01-21-2026 02:35 PM

Hi,

 

I want to connect to Azure App Configuration from Notebook. Am using defautazurecredential to get token ,also passed Workspace Identity in parameter like below but unable to get token.

 

%pip install azure-appconfiguration azure-identity
from azure.appconfiguration import AzureAppConfigurationClient
from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential(
    CLIENT_ID="xx-xx" 
) #passing here workspace identity

client = AzureAppConfigurationClient(endpoint, credential)
setting = client.get_configuration_setting(
    key="xyz"
)
Getting below error
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured. Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue. ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
Labels:
Message 1 of 12
1,200 Views
0
1 ACCEPTED SOLUTION
v-karpurapud
Community Support
Community Support

‎01-26-2026 09:51 PM

Hi @Anonymous 

Thank you for contacting the Microsoft Fabric community forum.

 

This issue occurs because Microsoft Fabric notebooks do not provide access to the IMDS endpoint. As a result, ManagedIdentityCredential does not function, and any credential chain that depends on IMDS—including DefaultAzureCredential, even with a client_id—will fail.

Fabric workspace identity is different from Managed Identity. It uses OIDC workload identity, so you need to use WorkloadIdentityCredential instead.

 

The main issue here is this line: os.environ.get("AZURE_FEDERATED_TOKEN_FILE", "xx")
 

When the notebook session uses workspace identity, Fabric automatically sets AZURE_FEDERATED_TOKEN_FILE. By specifying a default value like "xx", you replace the correct value with an invalid path, causing the error:

token_file_path must be passed in or set AZURE_FEDERATED_TOKEN_FILE

 

To resolve this, first enable workspace identity in the Fabric workspace settings and restart the notebook session to ensure environment variables are set.

 

Next, set up the necessary permissions on the App Configuration resource by assigning the Fabric workspace identity the App Configuration Data Reader role or higher.

 

Then, use WorkloadIdentityCredential without passing any manual parameters. Fabric will automatically set AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_FEDERATED_TOKEN_FILE, so you do not need to set them yourself.

 

Here is an example of how the code should look in a Fabric notebook:

 

from azure.appconfiguration import AzureAppConfigurationClient

from azure.identity import WorkloadIdentityCredential

endpoint = " https://<your-app-config-name>.azconfig.io "

credential = WorkloadIdentityCredential()

client = AzureAppConfigurationClient(endpoint, credential)

setting = client.get_configuration_setting(key="test1")

print(setting.value)

 

With workspace identity enabled and the correct RBAC permissions, this code will authenticate and retrieve values from Azure App Configuration successfully.

 

If you have any further questions, please let us know and we’ll be happy to help.
 

Best Regards,

Microsoft Fabric Community Support Team.

View solution in original post

Message 10 of 12
1,070 Views
11 REPLIES 11
v-karpurapud
Community Support
Community Support

‎02-02-2026 10:45 PM

Hi @Anonymous 

We have not received a response from you regarding the query and were following up to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions.

 

Thank You.

Message 12 of 12
915 Views
0
v-karpurapud
Community Support
Community Support

‎01-30-2026 02:41 AM

Hi @Anonymous 

I wanted to check if you’ve had a chance to review the information provided. If you have any further questions, please let us know. Has your issue been resolved? If not, please share more details so we can assist you further.

Thank You.

Message 11 of 12
1,010 Views
0
v-karpurapud
Community Support
Community Support

‎01-26-2026 09:51 PM

Hi @Anonymous 

Thank you for contacting the Microsoft Fabric community forum.

 

This issue occurs because Microsoft Fabric notebooks do not provide access to the IMDS endpoint. As a result, ManagedIdentityCredential does not function, and any credential chain that depends on IMDS—including DefaultAzureCredential, even with a client_id—will fail.

Fabric workspace identity is different from Managed Identity. It uses OIDC workload identity, so you need to use WorkloadIdentityCredential instead.

 

The main issue here is this line: os.environ.get("AZURE_FEDERATED_TOKEN_FILE", "xx")
 

When the notebook session uses workspace identity, Fabric automatically sets AZURE_FEDERATED_TOKEN_FILE. By specifying a default value like "xx", you replace the correct value with an invalid path, causing the error:

token_file_path must be passed in or set AZURE_FEDERATED_TOKEN_FILE

 

To resolve this, first enable workspace identity in the Fabric workspace settings and restart the notebook session to ensure environment variables are set.

 

Next, set up the necessary permissions on the App Configuration resource by assigning the Fabric workspace identity the App Configuration Data Reader role or higher.

 

Then, use WorkloadIdentityCredential without passing any manual parameters. Fabric will automatically set AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_FEDERATED_TOKEN_FILE, so you do not need to set them yourself.

 

Here is an example of how the code should look in a Fabric notebook:

 

from azure.appconfiguration import AzureAppConfigurationClient

from azure.identity import WorkloadIdentityCredential

endpoint = " https://<your-app-config-name>.azconfig.io "

credential = WorkloadIdentityCredential()

client = AzureAppConfigurationClient(endpoint, credential)

setting = client.get_configuration_setting(key="test1")

print(setting.value)

 

With workspace identity enabled and the correct RBAC permissions, this code will authenticate and retrieve values from Azure App Configuration successfully.

 

If you have any further questions, please let us know and we’ll be happy to help.
 

Best Regards,

Microsoft Fabric Community Support Team.

Message 10 of 12
1,071 Views
Anonymous
Not applicable

‎01-22-2026 02:10 PM
from azure.appconfiguration import AzureAppConfigurationClient
from azure.identity import WorkloadIdentityCredential
import os

tenant_id = os.environ.get("AZURE_TENANT_ID","xx")
client_id = os.environ.get("AZURE_CLIENT_ID", "xx")
token_file = os.environ.get("AZURE_FEDERATED_TOKEN_FILE")

print("Tenant ID:", tenant_id)
print("Client ID:", client_id)
print("Token file:", token_file)

credential = WorkloadIdentityCredential(
    tenant_id=tenant_id ,
    client_id=client_id,
    token_file_path=token_file
)

endpoint = "test"
client = AzureAppConfigurationClient(endpoint, credential)
setting = client.get_configuration_setting(key="test1") Tried above solution and also by passing values , getting error as  'token_file_path' is required. Please pass it in or set the AZURE_FEDERATED_TOKEN_FILE environment variable. Expecting a token file path. Can you suggest on this
Message 9 of 12
1,136 Views
0
Vinodh247
Super User
Super User

‎01-21-2026 04:35 PM

DefaultAzureCredential + ManagedIdentity does not work in Fabric Notebooks. Use WorkloadIdentityCredential.

 

This fails because Fabric workspace identity does not expose the IMDS endpoint, so ManagedIdentityCredential will never work in a Notebook. Passing CLIENT_ID to DefaultAzureCredential does not switch it to workspace identity; it still tries Environment -> IMDS and fails, exactly as your error shows. In Fabric, workspace identity is implemented using OIDC workload identity, not MI. Use WorkloadIdentityCredential explicitly and do not rely on IMDS.

 

Correct approach should be as below:

from azure.appconfiguration import AzureAppConfigurationClient
from azure.identity import WorkloadIdentityCredential

credential = WorkloadIdentityCredential()

client = AzureAppConfigurationClient(endpoint, credential)
setting = client.get_configuration_setting(key="xyz")

 

Prerequisites:

  • Workspace identity must be enabled in Fabric.

  • That identity must have App Configuration Data Reader (or higher) on the App Configuration resource.

  • Do not pass client id manually unless you have multiple identities.

 

Please 'Kudos' and 'Accept as Solution' if this answered your query.

Regards,
Vinodh
Microsoft MVP [Fabric]
LI: https://www.linkedin.com/in/vinodh-kumar-173582132
Blog: vinsdata.in
Message 2 of 12
1,168 Views
0
Anonymous
Not applicable
In response to Vinodh247

‎01-22-2026 02:16 PM

Tried above solution and also by passing values , getting error as  'token_file_path' is required. Please pass it in or set the AZURE_FEDERATED_TOKEN_FILE environment variable. Expecting a token file path. Can you suggest on this?

Message 3 of 12
1,135 Views
0
KimTutein
Advocate III
Advocate III
In response to Anonymous

‎02-02-2026 03:56 AM

I have the same problem and would allso appreciate guidance on setting and getting the Azure_FEDERATED_TOKEN_FILE. It is not availeble in the notebook even though the workspace has a workspace identy:

 

KimTutein_0-1770033375319.png

 

Message 4 of 12
944 Views
0
v-karpurapud
Community Support
Community Support
In response to KimTutein

‎02-02-2026 10:57 PM

Hi @KimTutein 

This usually means that the notebook session is not running with workspace identity, even if it is enabled at the workspace level. Please review the steps I shared earlier, especially the notebook-level configuration. In the notebook Run settings, make sure Workspace identity is selected, then restart the notebook session so the environment variables are set. After restarting, check for AZURE_FEDERATED_TOKEN_FILE in a regular Python cell (not a %pip cell). If it's still None, the session isn't using workspace identity. This variable is set by Fabric only when the session starts and can't be set manually.

If you have any further questions, please let us know and we’ll be happy to help.
 

Best Regards,

Microsoft Fabric Community Support Team.



Message 5 of 12
910 Views
0
KimTutein
Advocate III
Advocate III
In response to v-karpurapud

‎02-02-2026 11:10 PM

Hi @v-karpurapud 

 

Thank you very much for your reply - it is highly appreciated.

 

I am unsure of how I change the "notebook run session". Could you please explain me the steps with perhaps a screendump or two?

What I have done:

- added workspace identety to the workspace

- (as I want to try to use the workspace identety towards a Microsoft Foundry endpoint I have added the identry as an AI user in the Foundry project)

 

Any guidance would be highly appreciated

Message 6 of 12
908 Views
0
v-karpurapud
Community Support
Community Support
In response to KimTutein

‎02-09-2026 02:54 AM

Hi @KimTutein 

 

To clarify the reference to “notebook run session,” the steps I mentioned earlier apply only to Python (non-Spark) notebooks in Microsoft Fabric. In Spark / PySpark notebooks, there is currently no option to change the run session or select an identity, which is why you are not seeing any related setting or UI option.

 

Because Spark notebooks do not support Workspace Identity, identity-related environment variables such as AZURE_FEDERATED_TOKEN_FILE are not injected, and restarting the session will not change this behavior. If Workspace Identity is required (for example, to use WorkloadIdentityCredential with Azure App Configuration or Microsoft Foundry), the supported approach is to use a Python (non-Spark) notebook, where the run session identity can be configured and the variables are provided automatically.

 

Best Regards,

Microsoft Fabric Community Support Team.

 

 

Message 7 of 12
686 Views
KimTutein
Advocate III
Advocate III
In response to v-karpurapud

‎02-09-2026 05:23 AM

Thank you @v-karpurapud. That clearyfied it for me. 

Recards

Kim

Message 8 of 12
649 Views

Helpful resources

Announcements
New to Fabric survey Carousel

New to Fabric Survey

If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.

Join our Fabric User Panel

Join our Fabric User Panel

Share feedback directly with Fabric product managers, participate in targeted research studies and influence the Fabric roadmap.

March Fabric Update Carousel

Fabric Monthly Update - March 2026

Check out the March 2026 Fabric update to learn about new features.

View All