Linked Service in Azure Data Factory to Microsoft Fabric Lakehouse - SPN is Unauthorized

Question

Linked Service in Azure Data Factory to Microsoft Fabric Lakehouse - SPN is Unauthorized

Tim Knight 45

Jan 30, 2024, 8:39 PM

I am trying to extract data from an on-prem SQL Server and import into a Microsoft Fabric Lakehouse. I am using an Azure Data Factory pipeline instead of the Data Flow or Data Pipeline in Fabric because Fabric doesn't allow the use of Self-Hosted Integration Runtimes, plus I already have Linked Services set up in ADF for on-prem SQL Server. Using the instructions found here, https://learn.microsoft.com/en-us/azure/data-factory/connector-microsoft-fabric-lakehouse?tabs=data-factory, I have created an SPN, added it to Security Group, added the Security Group to the Workspace in Fabric, and allowed SPNs to use Power BI APIs.

User's image

When creating the Linked Service in ADF, I am getting an error of "Unauthorized" for an ADLS Gen2 operation. User's image

ADLS Gen2 operation failed for: Operation returned an invalid status code 'Unauthorized'. Account: ''. FileSystem: 'c40d7397-d326-4a03-b246-773dee1589be'. Path: '153dce78-b89b-4ccd-b778-02087d13456d'. ErrorCode: 'Unauthorized'. Message: 'Unauthorized'. TimeStamp: 'Tue, 30 Jan 2024 20:03:51 GMT'.. Operation returned an invalid status code 'Unauthorized' The ADLS Gen2 file system is not accessible in Fabric, though. It is automatically created and managed by Fabric. How do I grant access to the Lakehouse (and the underlying ADLS Gen2 file System) for the SPN in Fabric? The Workspace is in an F2 Pay-As-You-Go Fabric Capacity, as opposed to a Capacity from a Power BI License, is that a problem?

Accepted answer

1 additional answer

Your answer

Answer 1

PRADEEPCHEEKATLA 90,586

Jan 31, 2024, 3:28 AM

@Tim Knight - Thanks for the question and using MS Q&A platform.It seems like the SPN you created does not have the necessary permissions to access the ADLS Gen2 file system in your Fabric Lakehouse.

Before granting the necessary permission to the SPN experiencing the same error as shown above:

User's image

To grant access to the Lakehouse and the underlying ADLS Gen2 file system for the SPN, you can follow these steps:

Step1: Register an application with the Microsoft Identity platform and add a client secret. Afterwards, make note of these values, which you use to define the linked service: I had created a SPN named: chepra-fabric and note the Application (client) ID, and Client secret value.

User's image

Step2: Grant the service principal necessary permission in Microsoft Fabric workspace.

Find the name of the Microsoft Fabric Lakehouse which you want to connect: Sample_lakehouse_188 then click on Manage permissions and then click on Add user search for necessary SPN: chepra-fabric and click on necessary permissions required and click on Grant as shown below:

Three

Step3: After granting the necessary permission to the SPN, goback to the linked service and Test connection and it will successfully connects without any issue.

Note: In case, if you are experiencing the same issue - please do wait for 5-10mins and retry to test the connection.

Four

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Tim Knight 45 Reputation points

Jan 31, 2024, 4:38 PM
Thank you for your response, but unfortunately, it did not solve the issue.I added the Security Group to the Lakehouse in Fabric.

But the error is still occurring in the ADF Linked Service.

A couple of things I did notice, not sure if they matter.

You are in the Power BI service, I am in Fabric.

Fabric will not allow me to add the SPN, only the Security Group it belongs to.
PRADEEPCHEEKATLA 90,586 Reputation points

Feb 1, 2024, 1:58 AM
@Tim Knight - Can you please help me understand are you using Service Principal on registered application or the Security group?

To answer the follow-up questions.

Power BI & Fabric are from the same page and everything located on the same fabric workspace.

You need to add the service principal registered application to grant the permission and access from the ADF linked service.

Hope this helps.
Tim Knight 45 Reputation points

Feb 1, 2024, 6:26 AM

I am adding the Security Group because Fabric will not allow me to add just the SPN. (The SPN is a member of the Security Group though.
PRADEEPCHEEKATLA 90,586 Reputation points

Feb 7, 2024, 3:41 AM

@Tim Knight - Have you resolved the issue or still experiencing the same?
Tim Knight 45 Reputation points

Feb 7, 2024, 8:19 AM

Not resolved. Fabric will not allow for adding individual SPNs, only Security Groups. See screenshot in previous comment.
Tim Knight 45 Reputation points

Feb 7, 2024, 8:20 AM

Not resolved. Fabric will not allow adding an individual SPN, only Security Group.
PRADEEPCHEEKATLA 90,586 Reputation points

Feb 7, 2024, 9:29 AM

@Tim Knight - I agree that this issue looks strange and I wasn't able to reproduce this issue. If you have a support plan could you please file a support ticket for deeper investigation and do share the SR# with us?
PRADEEPCHEEKATLA 90,586 Reputation points

Feb 8, 2024, 5:25 AM

@Tim Knight - Did you get a chance to open a support ticket?
Tim Knight 45 Reputation points

Feb 8, 2024, 4:53 PM

I do not have the ability to open a support ticket. Our org is non-profit and didn't purchase a support plan.
Connor Beames 0 Reputation points

Feb 21, 2024, 12:20 AM

Not sure if you resolved this, but I was able to get it working by following these instructions and "allowing service principals to access powerbi apis" and "allow apps outside fabric to access data using onelake", waited a bit and was able to grant my spn permissions on the workspace and lakehouse: https://learn.microsoft.com/en-us/fabric/data-factory/how-to-ingest-data-into-fabric-from-azure-data-factory#power-bi-admin-portal
Tim Knight 45 Reputation points

Feb 21, 2024, 12:35 AM

Yes, this is solved using the documentation and guidance provided by Microsoft and @PRADEEPCHEEKATLA . The actual issue was Fabric wasn't synced with Entra, so it couldn't validate the SPN. For some reason it took 4-5 days to synchronize.

Answer 2

Tim Knight 45

Feb 21, 2024, 12:38 AM

This is resolved using the documentation referenced . This issue was Fabric not synchronized with Entra so it was unable to validate the SPN. It took 4-5 to sync up. https://learn.microsoft.com/en-us/azure/data-factory/connector-microsoft-fabric-lakehouse?tabs=data-factory https://learn.microsoft.com/en-us/fabric/data-factory/how-to-ingest-data-into-fabric-from-azure-data-factory#power-bi-admin-portal

PRADEEPCHEEKATLA 90,586 Reputation points

Feb 21, 2024, 3:25 AM

@Tim Knight - Glad to know that your issue has been resolved. And thanks for sharing the solution, which might be beneficial to other community members reading this thread.
Joy SM 0 Reputation points

May 24, 2024, 1:48 PM

Thank you Tim for sharing! This helped me with my issue.

AI Skills Fest

Share via

Linked Service in Azure Data Factory to Microsoft Fabric Lakehouse - SPN is Unauthorized

1 additional answer

Your answer