Integrating with OneLake

teolachev · ‎05-29-2023

1. Can an ADF pipeline outside Fabric (a pipeline created in Azure ADF Service) reference OneLake as a linked service?

2. Can an external app use non-AAD authentication, such as Shared Key authorization or SAS, to access OneLake folders using a SDK, such as Python or Ruby on Falls SDK?

3. To my undestanding, OneLake is married to Power BI workspace security. Please confirm that given that Power BI workspace don't support subfolders, more granular folder-based security is not an option? I understand that tools, such as ADF pipeline, can create subfolders, but I don't see how security can be overwritten from the containing workspace.

4. The launch presentation mentions that OneLake can be georgraphically dispersed to comply with international regulations. Please confirm that the only way this to happen would to buy Power BI capacities, assign capacities to data regions, and allocate workspaces accordingly.

burakkaragoz

Hi @teolachev ,

Hello!!! You have asked very pertinent and detailed questions about integration with OneLake. I have tried to answer each one separately below:

1. OneLake Connection with ADF Pipeline
Currently, Azure Data Factory (ADF) does not directly recognize OneLake as a Linked Service. However, since OneLake is actually an ADLS Gen2 compliant fabric, it can be accessed indirectly through ADLS Gen2 connectivity. In this case, the endpoint and authorization information required for access must be carefully configured.

2. Non-AAD Authentication (Shared Key / SAS / SDK)
OneLake currently only supports Azure Active Directory (AAD) based authentication.
Alternative authentication methods such as Shared Key or SAS Token are not supported.
On the SDK side, the Azure SDK for Python (for example azure-storage-file-datalake) is available. However, these SDKs also rely on AAD authentication.

3. Power BI Workspace Security and Folder Based Authorization
Yes, that's right: OneLake security is integrated with Power BI Workspace security. Because Workspaces do not offer folder-based security, more granular folder-based access control is not available. This is a limitation in terms of flexibility, especially in multi-user environments.

4. Security Settings in Subfolders
You can create subfolders within OneLake, but security settings are inherited from the root directory and overriding them requires manual intervention. No automated or policy-managed folder-based security is currently deployed.

5. Geo-Distribution and Replication
Yes, OneLake can be geographically distributed. However, this cannot be done directly in the OneLake settings. For this you need to purchase

You need to purchase Power BI Premium capacity.
You must position this capacity as a regional tenant and
You should allocate workspaces according to the relevant regions.
This way, data access and replication delays can be optimized.

andrewsommer · ‎04-19-2025

ADF pipelines external to Fabric cannot natively access OneLake. This is a current product limitation.
Non-AAD authentication methods are not supported. You’ll need to authenticate using a Fabric-enrolled identity (user or service principal) with proper workspace permissions.
Folder-based security is not currently supported. Access is governed at the workspace level, and subfolders cannot override or partition permissions independently. However, with OneLake security currently in private preview and coming out later this year security in Fabric will change A LOT.
Yes, the only supported way to control geographic data residency in OneLake is to purchase Power BI (Fabric) capacity, assign that capacity to a specific Azure data region, and create workspaces bound to those capacities.

Please mark this post as solution if it helps you. Appreciate Kudos.