Hi All,
This setting is currently blocking executing a notebook with a service principal with the notebook then accessing the OneLake to read in a delta table. We want to leave this setting disabled and have notebooks executed via service principal rather than users. Anyone know if there is a way to get this scenario to work?
(a) Tenant Setting - Allow apps running outside of Fabric to access data via OneLake is disabled (Config below works fine if this setting is changed to enabled)
(b) I have a data pipeline which is owned by a service principal
(c) It calls a notebook and when submitted it runs the notebook as the service principal
(d) The notebook then tries to load from a delta table using
(e) The service principal is an admin on the workspace
(f) We get error:
Hi @garddolau,
Thanks for reaching out to the Microsoft Fabric community forum.
Based on the behavior you're describing, the issue is related to how Fabric handles authentication contexts when accessing OneLake from a notebook executed via a service principal with the key tenant setting currently disabled.
Even though your notebook is running inside Fabric and the service principal has admin access to the workspace, when the setting "Allow apps running outside of Fabric to access data via OneLake" is disabled, Fabric enforces stricter access control to OneLake storage endpoints even for service principals operating within Fabric boundaries.
This means the service principal needs to authenticate as a “Fabric identity” for OneLake access to work. But with the tenant setting disabled, only identities marked explicitly as Fabric users or runtime identities (like managed identities) are allowed to access OneLake endpoints internally.
To allow this scenario without enabling the tenant setting, you must assign the service principal the “Fabric runtime” identity permissions. You can proceed by:
* Ensuring the service principal has the required OneLake permissions. For this, go to the relevant Lakehouse storage account via Microsoft Purview or Azure portal. Then assign “Storage Blob Data Contributor” role to the service principal at the right scope (container or workspace level). Also assign Workspace permissions to the service principal (which you've already done).
* Also ensure the service principal is enabled as a Fabric runtime identity. Go to Fabric Admin Portal -> Access control. Under Runtime Identities, ensure your service principal is explicitly registered here. This step is critical because, with the tenant setting disabled, Fabric treats all other identities as external unless they are in this list.
* If necessary, configure a Lakehouse-level ACL for the service principal. Within the Fabric UI, open the Lakehouse, then go to Manage Access -> Add your service principal and assign the Viewer or Contributor role.
Once these steps are complete, your service principal should be able to read the Delta table from OneLake without needing to enable the tenant setting.
If I misunderstand your needs or you still have problems on it, please feel free to let us know.
Best Regards,
Hammad.
Community Support Team
Hi, thanks for your prompt reply. I can't find the option for Go to Fabric Admin Portal -> Access control. Under Runtime Identities
Is it under fabric tenant settings or somewhere else?
Thanks,
Darren
Hi @garddolau,
The “Runtime Identities” setting is not listed under the same section shown in the below image (which is focused on Developer and Admin API settings).
The “Runtime Identities” configuration is managed under Microsoft Fabric Admin Portal → Access Control → Runtime Identities.
Best Regards,
Hammad.
Hi Hammad, I still can't find the Access Control section. Can you provide a screenshot of where it is please?
Thanks
Hi @garddolau,
As we went through the steps to access "Runtime Configuration", we were also unable to find the Access Control section.
As none of the above helps, at this point it may be worth opening a support ticket with Microsoft. You can reach out to Microsoft Support by raising a ticket with Microsoft Support. Please refer to the link below on how to contact support or raise a support ticket.
How to create a Fabric and Power BI Support ticket - Power BI | Microsoft Learn
Best Regards,
Hammad.
Hi @garddolau,
As we haven’t heard back from you, we are just following up on our previous message. I'd like to confirm, has your issue been resolved or were you able to raise a support ticket with Microsoft Fabric Support?
If yes, you are welcome to share your workaround so that other users can benefit as well. And if you're still looking for guidance, feel free to give us an update, we’re here for you.
Best Regards,
Hammad.
one of these?
Thanks, the service principal is already a member of those and it works fine for all other Fabric activities just not access on OneLake within the notebook