Hi All,
This setting is currently blocking executing a notebook with a service principal with the notebook then accessing the OneLake to read in a delta table. We want to leave this setting disabled and have notebooks executed via service principal rather than users. Anyone know if there is a way to get this scenario to work?
(a) Tenant Setting - Allow apps running outside of Fabric to access data via OneLake is disabled (config below works fine if this setting is changed to enabled)
(b) I have a data pipeline which is owned by a service principal
(c) It calls a notebook and when submitted it runs the notebook as the service principal
(d) The notebook then tries to load from a delta table using
(e) The service principal as an admin on the workspace
(f) We get error:
Hi @garddolau,
Thanks for reaching out to the Microsoft Fabric community forum.
Based on the behavior you're describing, the issue is related to how Fabric handles authentication contexts when accessing OneLake from a notebook executed via a service principal with the key tenant setting currently disabled.
Even though your notebook is running inside Fabric and the service principal has admin access to the workspace, when the setting "Allow apps running outside of Fabric to access data via OneLake" is disabled, Fabric enforces stricter access control to OneLake storage endpoints even for service principals operating within Fabric boundaries.
This means the service principal needs to authenticate as a “Fabric identity” for OneLake access to work. But with the tenant setting disabled, only identities marked explicitly as Fabric users or runtime identities (like managed identities) are allowed to access OneLake endpoints internally.
To allow this scenario without enabling the tenant setting, you must assign the service principal the “Fabric runtime” identity permissions. You can proceed by:
* Ensuring the service principal has the required OneLake permissions. For this, go to the relevant Lakehouse storage account via Microsoft Purview or the Azure portal. Then assign the “Storage Blob Data Contributor” role to the service principal at the right scope (container or workspace level). Also assign Workspace permissions to the service principal (which you've already done).
* Also ensure the service principal is enabled as a Fabric runtime identity. Go to Fabric Admin Portal -> Access control. Under Runtime Identities, ensure your service principal is explicitly registered here. This step is critical because, with the tenant setting disabled, Fabric treats all other identities as external unless they are in this list.
* If necessary, configure a Lakehouse-level ACL for the service principal. Within the Fabric UI, open the Lakehouse, then go to Manage Access -> Add your service principal and assign the Viewer or Contributor role.
Once these steps are complete, your service principal should be able to read the Delta table from OneLake without needing to enable the tenant setting.
If I misunderstand your needs or you still have problems on it, please feel free to let us know.
Best Regards,
Hammad.
Community Support Team
Hi, thanks for your prompt reply. I can't find the option for "Go to Fabric Admin Portal -> Access control. Under Runtime Identities".
Is it under fabric tenant settings or somewhere else?
Thanks,
Darren
Hi @garddolau,
The “Runtime Identities” setting is not listed under the same section shown in the below image (which is focused on Developer and Admin API settings).
The “Runtime Identities” configuration is managed under Microsoft Fabric Admin Portal → Access Control → Runtime Identities.
Best Regards,
Hammad.
Hi Hammad, I can't still find the Access Control section. Can you provide a screen shot of where it is please?
Thanks
one of these?
Thanks, the service principal is already a member of those and it works fine for all other Fabric activities, just not access to OneLake within the notebook.