Linked Service from Azure Data Factory (ADF) to a Microsoft Fabric Lakehouse

Marcin Landowski 0 Reputation points
2026-03-27T21:49:08.3833333+00:00

We are attempting to configure a Linked Service from Azure Data Factory (ADF) to a Microsoft Fabric Lakehouse. However, the connection consistently fails with the following error:

“Lakehouse operation failed… ErrorCode: BadRequest, IncomingOperationUntrusted”

What we have already configured:

• Created a new Fabric Workspace and Lakehouse

• Verified workspace and lakehouse accessibility via UI

• Configured Service Principal (App Registration) with:

  • Power BI API permissions:

    • Workspace.ReadWrite.All

    • Tenant.Read.All

  • Admin consent granted

• Added Service Principal to Fabric Workspace with Admin role

• Enabled tenant setting:

  • “Service principals can use Fabric APIs”

• Verified Client ID, Tenant ID, and Client Secret are valid

Additional troubleshooting performed:

• Created a new Lakehouse to rule out resource-level issues

• Retested Linked Service configuration multiple times

• Attempted alternative authentication using Managed Identity, which also failed

Expected behavior:

ADF Linked Service should successfully connect to Fabric Lakehouse and allow data operations.

Actual behavior:

Connection fails consistently with “IncomingOperationUntrusted” error, indicating the request is not trusted by the Fabric backend.

Request:

• Confirm whether ADF → Fabric Lakehouse integration via Service Principal / Managed Identity is fully supported

• Identify if any additional backend configuration, tenant setting, or regional limitation is required

• Validate if this is a known issue or limitation with Fabric Lakehouse connectors

I have again validated all configurations including RBAC, identity, and correct IDs from scratch. The issue is due to the ADF Fabric Lakehouse connector failing at trust validation, likely because of token audience mismatch. This does not affect Warehouse connectivity, which uses the same things. It successfully gets connected. Hoping to raise a support ticket to take a closer look if possible.


1 answer

  1. Q&A Assist
    2026-03-27T21:49:34.43+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    ADF → Microsoft Fabric Lakehouse via the Microsoft Fabric Lakehouse connector is supported with both service principal and managed identity, but it requires very specific Fabric and Power BI admin settings and workspace permissions. The “IncomingOperationUntrusted”/BadRequest behavior is consistent with the Fabric backend not trusting the calling principal or token, not with a generic ADF issue.

    Based on the documented requirements, validate the following end to end:

    1. Confirm supported and required authentication model
    • The Microsoft Fabric Lakehouse connector for ADF requires a service principal/app registration for authentication.
    • Managed identity is supported, but only when that identity is explicitly granted access in Fabric.
    • The connector’s linked service must be configured with:
      • workspaceId = Fabric workspace ID
      • artifactId = Lakehouse object ID
      • type = Lakehouse
      • Appropriate credential object (service principal or managed identity)

    See the linked service properties and example configuration:

    • type must be Lakehouse.
    • workspaceId and artifactId must match the Fabric workspace and Lakehouse IDs.
    • The identity used must be supplied as credentials (for user-assigned MI) or via the SPN fields in the UI.
    2. Verify Fabric / Power BI tenant-level trust for service principals

    Even if the app registration has Power BI API permissions and admin consent, Fabric will reject calls unless tenant settings are correctly configured:

    • From the Power BI/Fabric admin portal, the tenant admin must enable Allow service principals to use Power BI APIs.
    • If the organization uses a security group allowlist, the service principal used by the Lakehouse connector must be a member of that security group.
    • This is explicitly required for the ADF Lakehouse connector; Power BI delegated API permissions are not needed.

    If a security group is used:

    • Ensure the SPN is in the group that is configured under Allow service principals to use Power BI APIs.
    • Be aware of permission caching: after assigning the security group to the workspace, there can be a delay before the SPN is effective. A forced refresh via PowerShell (RefreshUserPermissions) can be used if immediate access is required.
    3. Confirm workspace-level RBAC in Fabric

    The identity (service principal or managed identity) must be granted at least Contributor on the Fabric workspace that hosts the Lakehouse:

    • In the Fabric workspace, select Manage access > Add people or groups.
    • Add the service principal or managed identity.
    • Assign Contributor, Member, or Admin (Viewer is not sufficient).
    • Confirm the identity appears in the Manage access pane.

    This is required for:

    • Service principal authentication.
    • System-assigned managed identity.
    • User-assigned managed identity.
    4. Validate ADF linked service configuration details

    For service principal auth (ADF or Synapse):

    • In the linked service UI, select Microsoft Fabric Lakehouse.
    • Choose Enter manually and set:
      • Fabric workspace ID = workspaceId from the Fabric URL.
      • Lakehouse object ID = artifactId from the Lakehouse URL.
      • Tenant = Tenant ID from Entra ID.
      • Service principal ID = Application (client) ID (not the display name).
      • Service principal key = client secret value.
    • Test the connection and then create the linked service.

    For managed identity auth:

    • Use the Lakehouse linked service with credentials pointing to the user-assigned managed identity (if used).
    • Ensure that identity is added to the Fabric workspace with Contributor or higher.
    5. Known behavior and troubleshooting patterns

    From the documented guidance and troubleshooting content:

    • Fabric Lakehouse operations and data copy errors often relate to:
      • Workspace role not being Contributor/Member/Admin.
      • Service principal not being enabled or not added to the workspace.
      • Incorrect tenant ID, client ID, or secret in the data source settings.
    • For service principal authentication, the recommended checks are:
      1. Verify the service principal is enabled in the Fabric Admin Portal tenant settings.
      2. Ensure the service principal is added to the workspace with Contributor or higher.
      3. Update credentials with correct tenant ID, client ID, and secret.
      4. Test the connection.

    These align with the symptoms of an “untrusted” incoming operation: the token is valid in Entra ID but not accepted by Fabric because the principal is not allowed to use Fabric/Power BI APIs or not granted workspace access.

    6. Supportability and limitations

    From the available documentation:

    • ADF → Fabric Lakehouse via the Microsoft Fabric Lakehouse connector is supported with service principal and managed identity, provided:
      • Tenant setting Allow service principals to use Power BI APIs is enabled and (if applicable) the SPN is in the allowed security group.
      • The SPN or managed identity has Contributor/Member/Admin on the Fabric workspace.
      • The linked service is configured with correct workspaceId, artifactId, tenant ID, client ID, and secret.
    • There is no documented regional limitation or explicit statement that this scenario is unsupported.

    If all of the above are confirmed and the “IncomingOperationUntrusted” error persists only for Lakehouse (while Warehouse works with the same principal), the next step is to open a Microsoft support ticket so the Fabric backend logs and token audience/claims can be inspected. The documentation explicitly notes that SPN access can be scoped via security groups and that caching may delay permission propagation, both of which can cause trust-related failures until fully resolved.
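
A pre-flight check for the configuration and token points raised in this thread, as an added example that is not part of the original question or answer and is not Microsoft's code. It lints a linked service definition (the `tenant` and `servicePrincipalId` keys follow ADF's linked service JSON) and cross-checks it against the claims of an access token obtained for the same principal, so the `aud`, `tid` and `appid` values can be compared or attached to a support ticket. The expected audience is a caller-supplied placeholder, and all GUIDs, URLs and names in the sample are constructed.

```python
import base64, json, re, time

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight(linked_service, token, expected_aud, now=None):
    """Cross-check linked service JSON against token claims; return findings."""
    props = linked_service.get("properties", {})
    tp = props.get("typeProperties", {})
    claims = jwt_claims(token)
    findings = []
    if props.get("type") != "Lakehouse":
        findings.append("type must be Lakehouse")
    for key in ("workspaceId", "artifactId", "servicePrincipalId"):
        if not GUID.match(str(tp.get(key, ""))):
            findings.append(f"{key} is not a GUID")
    app = claims.get("appid") or claims.get("azp")  # v1 / v2 token claim names
    if str(app).lower() != str(tp.get("servicePrincipalId")).lower():
        findings.append("token was issued to a different application")
    if str(claims.get("tid")).lower() != str(tp.get("tenant")).lower():
        findings.append("token tenant (tid) differs from linked service tenant")
    if claims.get("aud") != expected_aud:
        findings.append(f"token audience is {claims.get('aud')!r}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        findings.append("token is expired")
    return findings

# Constructed sample data (made-up GUIDs, URLs, names) and an unsigned token.
TENANT = "11111111-1111-1111-1111-111111111111"
APP = "22222222-2222-2222-2222-222222222222"
SAMPLE_LS = {"properties": {"type": "Lakehouse", "typeProperties": {
    "workspaceId": "33333333-3333-3333-3333-333333333333",
    "artifactId": "44444444-4444-4444-4444-444444444444",
    "tenant": TENANT,
    "servicePrincipalId": "my-adf-app"}}}  # display name instead of client ID

def make_token(claims):
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
SAMPLE_TOKEN = make_token({"aud": "https://other.example/", "tid": TENANT,
                           "appid": APP, "exp": 2000000000})

if __name__ == "__main__":
    for finding in preflight(SAMPLE_LS, SAMPLE_TOKEN, "https://expected.example/"):
        print("FINDING:", finding)
```

The decode step skips signature verification on purpose, so use it only to read claims from a token you acquired yourself, and keep the token out of tickets and logs (share the decoded claims instead).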

