A Fabric workspace identity is an automatically managed service principal that can be associated with a Fabric workspace. Fabric workspaces with a workspace identity can securely read or write to firewall-enabled Azure Data Lake Storage Gen2 accounts through trusted workspace access for OneLake shortcuts. Fabric items can use the identity when connecting to resources that support Microsoft Entra authentication. Fabric uses workspace identities to obtain Microsoft Entra tokens without the customer having to manage any credentials.
Workspace identities can be created in the workspace settings of any workspace except My workspaces. A workspace identity is automatically assigned the workspace contributor role and has access to workspace items.
When you create a workspace identity, Fabric creates a service principal in Microsoft Entra ID to represent the identity. An accompanying app registration is also created. Fabric automatically manages the credentials associated with workspace identities, thereby preventing credential leaks and downtime due to improper credential handling.
Note
Fabric workspace identity is generally available. You can create a workspace identity in any workspace except My workspace.
While Fabric workspace identities share some similarities with Azure managed identities, their lifecycle, administration, and governance are different. A workspace identity has an independent lifecycle that is managed entirely in Fabric. A Fabric workspace can optionally be associated with an identity. When the workspace is deleted, the identity gets deleted. The name of the workspace identity is always the same as the name of the workspace it's associated with.
You must be a workspace admin to create and manage a workspace identity. The workspace you're creating the identity for can't be a My workspace.
When the workspace identity has been created, the tab displays the workspace identity details and the list of authorized users.
The workspace identity configuration is described in the following sections.

| Detail | Description |
|---|---|
| Name | Workspace identity name. The workspace identity name is the same as the workspace name. |
| ID | The workspace identity GUID. This is a unique identifier for the identity. |
| Role | The workspace role assigned to the identity. Workspace identities are automatically assigned the contributor role upon creation. |
| State | The state of the workspace. Possible values: Active, Inactive, Deleting, Unusable, Failed, DeleteFailed |
For information, see Access control.
When an identity is deleted, Fabric items relying on the workspace identity for trusted workspace access or authentication will break. Deleted workspace identities cannot be restored.
Note
When a workspace is deleted, its workspace identity is deleted as well. If the workspace is restored after deletion, the workspace identity is not restored. If you want the restored workspace to have a workspace identity, you must create a new one.
Workspace identity can currently be used in two ways:

- For authentication: See Authenticate with workspace identity.
- For trusted workspace access: Shortcuts in a workspace that has a workspace identity can be used for trusted service access. For more information, see trusted workspace access.
The following sections describe who can use the workspace identity, and how you can monitor it in Microsoft Purview and Azure.
Workspace identity can be created and deleted by workspace admins. The workspace identity has the workspace contributor role on the workspace.
Workspace identity is supported for authentication to target resources in connections. Only users with an admin, member, or contributor role in the workspace can configure the workspace identity for authentication in connections.
Application Administrators or users with higher roles can view, modify, and delete the service principal and app registration associated with the workspace identity in Azure.
Warning
Modifying or deleting the service principal or app registration in Azure is not recommended, as it will cause Fabric items relying on workspace identity to stop working.
Fabric administrators can administer the workspace identities created in their tenant on the Fabric identities tab in the admin portal.
Note
Workspace identities cannot be restored after deletion. Be sure to review the consequences of deleting a workspace identity described in Delete a workspace identity.
You can view the audit events generated upon the creation and deletion of a workspace identity in the Purview Audit Log. To access the log
The application associated with the workspace identity can be viewed under both Enterprise applications and App registrations in the Azure portal.
The application associated with the workspace identity can be seen in Enterprise Applications in the Azure portal. The Fabric Identity Management app is its configuration owner.
Warning
Modifications to the application made here will cause the workspace identity to stop working.
To view the audit logs and sign-in logs for this identity:
The application associated with the workspace identity can be seen under App registrations in the Azure portal. No modifications should be made there, as this will cause the workspace identity to stop working.
The following sections describe scenarios involving workspace identities that might occur.
The workspace identity can be deleted in the workspace settings. When an identity is deleted, Fabric items relying on the workspace identity for trusted workspace access or authentication will break. Deleted workspace identities can't be restored.
When a workspace is deleted, its workspace identity is deleted as well. If the workspace is restored after deletion, the workspace identity is not restored. If you want the restored workspace to have a workspace identity, you must create a new one.
When a workspace gets renamed, the workspace identity is also renamed to match the workspace name. However, its Microsoft Entra application and service principal remain the same. Note that there can be multiple application and app registration objects with the same name in a tenant.
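The monitoring guidance and the rename behavior above, as an added example (not Microsoft's code): a filter over exported Microsoft Entra audit records that flags changes to the service principal or app registration behind a workspace identity. The record shape follows Microsoft Graph `directoryAudit` entries; the watched activity names are an assumption to tune, and every GUID, name and UPN is a constructed placeholder.

```python
# Added example. Records are constructed in the shape of Microsoft Graph
# directoryAudit entries; every GUID, name and UPN is a placeholder.
SP_ID = "11111111-1111-1111-1111-111111111111"   # identity's service principal
APP_ID = "22222222-2222-2222-2222-222222222222"  # its app registration
OTHER_ID = "33333333-3333-3333-3333-333333333333"  # unrelated, same name

# Assumed Entra audit activity names to watch; adjust to your tenant's export.
SEVERITY = {
    "Delete service principal": "high",
    "Delete application": "high",
    "Add service principal credentials": "high",
    "Update service principal": "medium",
    "Update application": "medium",
}

def actor_of(record):
    """Return the initiating user or app from initiatedBy."""
    by = record.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def find_identity_changes(records, watched_ids):
    """Flag watched operations by target object ID, never by displayName:
    the identity is renamed with its workspace and names are not unique."""
    findings = []
    for rec in records:
        severity = SEVERITY.get(rec.get("activityDisplayName"))
        if severity is None:
            continue
        for target in rec.get("targetResources") or []:
            if target.get("id") in watched_ids:
                findings.append({"time": rec.get("activityDateTime"),
                                 "activity": rec["activityDisplayName"],
                                 "severity": severity, "actor": actor_of(rec),
                                 "result": rec.get("result"),
                                 "target_id": target["id"]})
    return findings

def _rec(time, activity, upn, target_id, name, result="success"):
    return {"activityDateTime": time, "activityDisplayName": activity,
            "result": result, "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"id": target_id, "displayName": name}]}

SAMPLE = [  # constructed events
    _rec("2025-01-10T09:00:00Z", "Update service principal", "a@example.com", SP_ID, "Sales"),
    _rec("2025-01-10T09:05:00Z", "Delete service principal", "b@example.com", OTHER_ID, "Sales"),
    _rec("2025-01-10T09:10:00Z", "Add service principal credentials", "a@example.com", SP_ID, "Sales-Renamed"),
    _rec("2025-01-10T09:15:00Z", "Delete application", "c@example.com", APP_ID, "Sales-Renamed", "failure"),
]
```

Calling `find_identity_changes(SAMPLE, {SP_ID, APP_ID})` returns three findings: the same-named but unrelated object is skipped, and the failed delete is kept with `result` set to `failure` so attempts are visible too.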
If you can't create a workspace identity because the creation button is disabled, make sure you have the workspace administrator role.
If you run into issues the first time you create a workspace identity in your tenant, try the following steps: