RohanM13323
Regular Visitor

How does Trusted Workspace Access work in Fabric behind the scenes?

So I was searching for a way to access an ADLS storage account that is behind a firewall from Fabric. Initially I tried MPE (managed private endpoint) in Fabric, but it didn't work. Later I came across this ray of hope, the Trusted Workspace Access documentation

 

And problem solved, this works really well. But my question is: how is the traffic flow happening behind the scenes in Trusted Workspace Access? How is it different from a private endpoint?

4 REPLIES
deborshi_nag
Community Champion

Hi @RohanM13323 

 

Glad that Trusted Workspace Access (TWA) worked for you. I have seen other enterprises use TWA as well. It lets Fabric access firewall-enabled ADLS Gen2 storage accounts. It is basically a whitelisting process on the storage account.

In the storage firewall, when you add "Allow access from Azure resource instances" and point it at that exact Fabric workspace, this whitelists the Fabric workspace as an allowed Azure resource instance.

The process can use the workspace identity or a service principal that you assign, which is used to obtain the Microsoft Entra token for authenticating to ADLS Gen2. Hence you need to assign Contributor/Storage Blob Data Reader to this identity on the storage account.

When your Fabric item calls the ADLS endpoint:
- The request is authenticated first using the workspace identity
- The firewall checks that it is coming from the specified Fabric workspace
- The network traffic takes the Azure backbone path
 
Hope this helps - please appreciate leaving a Kudos or accepting as a Solution
 
 
 
I trust this will be helpful. If you found this guidance useful, you are welcome to acknowledge with a Kudos or by marking it as a Solution.
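The reply above describes two controls that together make TWA work: a resource instance rule on the storage firewall that names one Fabric workspace, and an RBAC assignment for the identity that presents the Entra token. The script below is an added example, not code from the original posts or from Microsoft: it builds the workspace resource ID, prints the corresponding Azure CLI command, and audits a storage account's `networkRuleSet` (the object returned by `az storage account show --query networkRuleSet`) for the least-privilege shape a reviewer would want: default action Deny, exactly the intended workspace and tenant allowed, no extra workspaces and no catch-all IP rules. The resource ID layout (`/subscriptions/.../resourcegroups/.../providers/Microsoft.Fabric/workspaces/<workspace-id>`), the `--resource-id`/`--tenant-id` flags, the workspace and tenant GUIDs, and the JSON samples are all assumptions or constructed data; check the segments against the current Trusted Workspace Access documentation before relying on them.

```python
import json
import re

# Assumed shape of the Fabric workspace resource ID used in resource access rules.
# Verify the subscription and resource-group segments against the TWA docs.
FABRIC_WS_RE = re.compile(
    r"^/subscriptions/([0-9a-f-]{36})/resourcegroups/([^/]+)/providers/"
    r"microsoft\.fabric/workspaces/([0-9a-f-]{36})$",
    re.IGNORECASE,
)


def fabric_workspace_resource_id(subscription_id, resource_group, workspace_id):
    """Build the ARM resource ID that the storage firewall's resource access rule names."""
    return (f"/subscriptions/{subscription_id}/resourcegroups/{resource_group}"
            f"/providers/Microsoft.Fabric/workspaces/{workspace_id}")


def az_add_rule_command(account, resource_group, resource_id, tenant_id):
    """Azure CLI call that adds the rule (flags --resource-id/--tenant-id are assumed)."""
    return (f"az storage account network-rule add --account-name {account} "
            f"--resource-group {resource_group} --resource-id {resource_id} "
            f"--tenant-id {tenant_id}")


def audit_network_rule_set(rule_set, expected_workspace_id, expected_tenant_id):
    """Return a list of findings for a storage account networkRuleSet.

    An empty list means: defaultAction is Deny (otherwise the allow-list does
    nothing), the expected Fabric workspace is allowed for the expected tenant,
    no other Fabric workspace is allowed, and no catch-all IP rule exists.
    """
    findings = []
    if str(rule_set.get("defaultAction", "")).lower() != "deny":
        findings.append("defaultAction is not Deny; the resource rule restricts nothing")

    allowed = {}  # workspace id -> tenant id, both lower-cased
    for rule in rule_set.get("resourceAccessRules") or []:
        rid = rule.get("resourceId", "")
        m = FABRIC_WS_RE.match(rid)
        if m:
            allowed[m.group(3).lower()] = (rule.get("tenantId") or "").lower()
        else:
            findings.append(f"resource instance outside Microsoft.Fabric allowed (review): {rid}")

    want = expected_workspace_id.lower()
    if want not in allowed:
        findings.append(f"expected Fabric workspace {expected_workspace_id} is not allowed")
    elif allowed[want] != expected_tenant_id.lower():
        findings.append("Fabric workspace rule is bound to a different tenant ID")
    for ws in sorted(allowed):
        if ws != want:
            findings.append(f"additional Fabric workspace allowed: {ws}")

    for ip_rule in rule_set.get("ipRules") or []:
        value = ip_rule.get("value") or ip_rule.get("ipAddressOrRange") or ""
        if value in ("0.0.0.0/0", "0.0.0.0"):
            findings.append("catch-all IP rule present; the firewall is effectively open")
    return findings


# Constructed placeholders, not real identifiers.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
WORKSPACE_ID = "11111111-2222-3333-4444-555555555555"
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
EXPECTED_RID = fabric_workspace_resource_id(SUBSCRIPTION_ID, "Fabric", WORKSPACE_ID)

# Constructed sample shaped like `az storage account show --query networkRuleSet -o json`.
SAMPLE_GOOD = json.loads(json.dumps({
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [],
    "resourceAccessRules": [{"resourceId": EXPECTED_RID, "tenantId": TENANT_ID}],
    "virtualNetworkRules": [],
}))

# Constructed sample of a misconfigured account: open default action, a second
# workspace on the allow-list, and a catch-all IP rule.
SAMPLE_BAD = json.loads(json.dumps({
    "bypass": "AzureServices",
    "defaultAction": "Allow",
    "ipRules": [{"action": "Allow", "value": "0.0.0.0/0"}],
    "resourceAccessRules": [
        {"resourceId": EXPECTED_RID, "tenantId": TENANT_ID},
        {"resourceId": fabric_workspace_resource_id(
            SUBSCRIPTION_ID, "Fabric", "99999999-8888-7777-6666-555555555555"),
         "tenantId": TENANT_ID},
    ],
    "virtualNetworkRules": [],
}))

if __name__ == "__main__":
    print(az_add_rule_command("mydatalake", "rg-data", EXPECTED_RID, TENANT_ID))
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, audit_network_rule_set(sample, WORKSPACE_ID, TENANT_ID) or "OK")
```

Run the audit against the live rule set by piping `az storage account show --query networkRuleSet -o json` into `json.load` and passing the result to `audit_network_rule_set`. The defaultAction check is the one that matters most: a resource instance rule on an account whose default action is still Allow gives the appearance of an allow-list without any of its effect.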

@deborshi_nag Thanks for the detailed reply.

One doubt: when you said "it takes the Azure backbone path", do you mean the traffic does not go through the public internet, but rather through the Azure network? Is this correct? Sorry, I don't have much expertise in networking 😅

Hi @RohanM13323 

 

The key thing to understand is that the "Azure backbone" is a physical network infrastructure. Traffic is routed over it based on Microsoft's internal routing tables. 

 

Check this link

Microsoft global network - Azure | Microsoft Learn

 

 

Let me give you an analogy to explain the difference between Internet traffic and traffic over the Microsoft backbone. Imagine the public Internet as a commercial airport where you fly on planes shared by everyone, whereas the Microsoft backbone is a private corporate jet and hangar, where Microsoft owns the planes, pilots and runways.

 

Hope that makes sense, please appreciate leaving a Kudos or accepting as a Solution!  


Thanks @deborshi_nag, the analogy helped me understand it better 😊
