fabric git with vs code

safrasmusthafa

I have the Fabric and Data Engineering extensions in VS Code, which allow me to add Fabric items like notebooks and warehouses and push them directly to a Fabric workspace. Instead, I want to restrict users so they can only push to Git or Azure DevOps. Is there a way to prevent users from pushing changes to Fabric directly while still allowing them to create new items?

deborshi_nag

Hi @safrasmusthafa

Unfortunately there isn’t a VS Code–specific switch to “force Git-only” publishing. The Fabric VS Code extensions can create/update items and also push directly to a Fabric workspace whenever the signed-in user has sufficient Fabric permissions. To block direct publishes, you need to enforce this at the Fabric workspace / tenant governance layer, not in VS Code.

You have the following workarounds:

1) Use Workspace roles to block direct publishing

Give developers Viewer access on target workspaces (e.g., DEV/UAT/PROD) and reserve Contributor/Member/Admin for your CI/CD service principal or release managers only. Viewers can’t create/modify items or publish; they can still see items for reference. This forces changes to flow through Git + pipelines.

2) Enforce tenant admin settings for Git integration and item creation

In the Admin portal → Tenant settings, you can:

Enable Git integration (Azure DevOps or GitHub) for specific groups.
Disable or scope “Users can create Fabric items” for production-facing capacities/workspaces, so only CI/CD identities can create there. (This doesn’t stop item creation in sandboxes you allow.)

3) Connect workspaces to Git and funnel changes via CI/CD

Use Fabric’s Git integration (Workspace settings → Git integration) to sync with Azure DevOps/GitHub. Restrict the connect/disconnect/switch-branch actions to Workspace Admins, and allow Contributors only to commit to Git (not publish to workspace). Combine with deployment pipelines so only pipeline runs publish into controlled workspaces.

4) Service principal–based publishing

Publish to Fabric through service principals in pipelines. Assign the SP Contributor/Member on target workspaces; end users remain Viewer there. SPs can call the Fabric REST APIs or deployment pipelines to create/update items as part of releases, while users cannot.

Hope this helps - please appreciate leaving a Kudos or accepting as a Solution!

svenchio

@safrasmusthafa if you are looking for an ON/OFF switch wthin your VS Code extension titled "Only push to code" or in Fabric, sorry to inform, there's No such thing, fruthermore, the “publish” action from VS Code is just a call to the same Fabric APIs the web UI uses. If a user has edit rights on the workspace, they can write from any client (portal, VS Code, REST, etc.) and Git integration tenant settings only control whether users can sync workspace ↔ Git, not whether they can edit the workspace itself.

There's however, another similar solution ... use Git-enabled sanboxes for your developers to interact with Fabric freely (Creating items and pushing the final version to feature branches) and have one Integration workspace RESTRICTED to be able to create items from long-live branches (e.g. main) and automate the UpdateFromGit with code using a service principal, so, this way, you funnel your developement and prevent unaccounted/unexpected changes on the workspace you're trying to have close control off and at the same time allowing developers to do their job! How's that sound as an alternative? I can share a bit more on this if interested... meanwhile, hope you find this info useful and would appreciate a thumbs-up. Best of lucks!

safrasmusthafa

hi thanks for reply, yes please share more details.

suparnababu8

Hi @safrasmusthafa

Currenlty, there is no a built in Fabric settings as of today that blocks direct pushes from VS Code while still allowing item creation. In fabric permissions are workspace level, not extension specific. Your users are pusing directly to MS Fabric workspaces bcz, they have contributor access.

So, there is no buitl in toggle system in MS Fabric as on today to distable the work items to push from VS code extensiopn. This may come from workspace settings. I would recommend you please submit your diea here Fabric Ideas - Microsoft Fabric CommunityIf your idea got enough votes, Microsoft may conder this and bring this ready made feature in up coming releases.

Hope this helps you

Thank you!!

Did I answer your question? Mark my post as a solution!

Proud to be a Super User!