Purview Internal Server Errors when trying to scan Fabric OneLake

global 5 Reputation points
2025-06-11T13:31:26.97+00:00

We have set up a scan in Purview to scan a small number of folders and files in Fabric OneLake. But we always get an Internal Server Error. This has always worked fine in the past when scanning a file share in regular ADLS Gen2 storage. But with a Fabric OneLake data source we simply cannot get it to work.

We followed the prerequisite setup steps: authentication, Service Principal, security groups, permissions, tenants, Entra ID, Fabric API enabling, checked firewall, etc., but whatever we try we consistently get the same single error in the Ingestion Stage log:

Ingestion.InternalServerError,https://app.fabric.microsoft.com/groups/xxxxxxxxxxxx/lakehouses/yyyyyyyyyyyyyyyy/files,"Failed to ingest asset with type fabric_lakehouse and qualified name 'https://app.fabric.microsoft.com/groups/xxxxxxxxxxx/lakehouses/ff6fecc9-f446-4076-85cf-ad4d5f0b5e7a/yyyyyyyyyyyyyy/files' due to invalid data payload to data map. Please contact support for help."

There's also a Scan Monitor Error log with 1 line - error msg "Forbidden":

Timestamp,ErrorCode,OperationName,OperationItem,Message
2025-06-11T13:02:11.617Z, AuthenticationFailed,Enumerate,https://app.fabric.microsoft.com/groups/xxxxxxxxxxxxxx/lakehouses/yyyyyyyyyyyyyyyyy/files,"ADLS Gen2 operation failed for: Storage operation '' on container 'xxxxxxxxxxxxxxxxxx' and path 'yyyyyyyyyyyyyyyy/Files' get failed with 'Operation returned an invalid status code 'Forbidden''. Possible root causes: (1). It's possible because the service principal or managed identity don't have enough permission to access the data. (2). It's possible because some IP address ranges of Purview are not allowed by your Azure Storage firewall settings. Purview IP ranges please refer https://docs.microsoft.com/en-us/azure/data-factory/azure-integration-runtime-ip-addresses. If you allow trusted Microsoft services to access this storage account option in firewall, you must use https://docs.microsoft.com/en-us/azure/data-factory/connector-azure-blob-storage?tabs=data-factory#managed-identity. For more information on Azure Storage firewalls settings, see https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal.. Account: 'onelake'. FileSystem: 'xxxxxxxxxxxxxxxx'. Path: 'yyyyyyyyyyyyyy/Files'. ErrorCode: 'Forbidden'. Message: 'Forbidden'. RequestId: 'zzzzzzzzzzzzzzz'. TimeStamp: 'Wed, 11 Jun 2025 13:02:10 GMT'.."

No expired or rotated credentials. There's no Azure Policy preventing access to Storage accounts. We're not using a self-hosted integration runtime. We're not using IP range restrictions, or Firewall.

We've wasted hours and hours on this! Please help!

Microsoft Security Microsoft Purview
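
An added example, not part of the original post: a small Python parser for the Scan Monitor Error log layout quoted in the question, which splits the storage details embedded in the Message column (account, filesystem, path, storage error, request ID) into fields so failures can be grouped per path. The sample row is constructed with placeholder identifiers, and the function names are hypothetical.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the Scan Monitor Error log layout quoted in the question;
# identifiers are placeholders and the message text is shortened.
SAMPLE_LOG = (
    "Timestamp,ErrorCode,OperationName,OperationItem,Message\n"
    "2025-06-11T13:02:11.617Z, AuthenticationFailed,Enumerate,"
    "https://app.fabric.microsoft.com/groups/WORKSPACE-ID/lakehouses/LAKEHOUSE-ID/files,"
    "\"ADLS Gen2 operation failed for: Storage operation '' on container 'WORKSPACE-ID' "
    "and path 'LAKEHOUSE-ID/Files' get failed with 'Operation returned an invalid status "
    "code 'Forbidden''. Account: 'onelake'. FileSystem: 'WORKSPACE-ID'. "
    "Path: 'LAKEHOUSE-ID/Files'. ErrorCode: 'Forbidden'. Message: 'Forbidden'. "
    "RequestId: 'REQUEST-ID'. TimeStamp: 'Wed, 11 Jun 2025 13:02:10 GMT'..\"\n"
)

# "Key: 'value'" pairs that the storage layer appends to the Message column.
DETAIL = re.compile(r"\b(Account|FileSystem|Path|ErrorCode|RequestId): '([^']*)'")


def parse_scan_errors(text):
    """Return one dict per log row, with the embedded storage details split out."""
    rows = []
    # skipinitialspace drops the blank that follows the comma before ErrorCode.
    for row in csv.DictReader(io.StringIO(text), skipinitialspace=True):
        details = dict(DETAIL.findall(row.get("Message") or ""))
        rows.append({
            "timestamp": row["Timestamp"],
            "scan_error": row["ErrorCode"].strip(),
            "operation": row["OperationName"].strip(),
            "item": row["OperationItem"].strip(),
            "account": details.get("Account"),
            "filesystem": details.get("FileSystem"),
            "path": details.get("Path"),
            "storage_error": details.get("ErrorCode"),
            "request_id": details.get("RequestId"),
        })
    return rows


def summarize(rows):
    """Count failures per (operation, scan error, storage error, storage location)."""
    return Counter(
        (r["operation"], r["scan_error"], r["storage_error"],
         f'{r["account"]}/{r["filesystem"]}/{r["path"]}')
        for r in rows
    )
```

The `request_id` and `timestamp` fields are the values to quote when opening a support case, as the log message itself suggests contacting support.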

1 answer

  1. J N S S Kasyap 3,625 Reputation points Microsoft External Staff Moderator
    2025-06-11T14:48:17.17+00:00

    Hi @global
    Mount the Fabric OneLake folder as a shortcut inside a regular ADLS Gen2 container, and scan that container with Purview instead. This bypasses the Fabric schema ingestion issue. 

    I hope this information helps. Please do let us know if you have any further queries.


    Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

    1 person found this answer helpful.
