Synapse Workspace Linked Service Microsoft Office inside a Managed Virtual Network or REST API

Stephen Connell 21 Reputation points
2022-02-04T14:05:09.26+00:00

Hopefully someone will have some experience of trying similar things and can offer some help.

Background


I have an Azure Synapse Analytics Workspace inside a Managed Virtual Network with Data Exfiltration Protection enabled. Public network access has been disabled. I have a customer VNET too, with Private endpoints and a Virtual Machine to connect to the workspace. This works fine and I can connect to and configure a range of services, e.g.:

  • Azure SQL
  • On-premises SQL using a Self Hosted IR
  • Azure Key Safe

So I'm comfortable with the concepts in general.

I have questions about connecting to other sources.

Connections

Connections to Microsoft Office for the collection of Graph data.

I have a POC on another Synapse Workspace that collects BasicDataSet_v0.Message_v0 and BasicDataSet_v0.User_v0. However, when I attempt to connect to the Microsoft Office Connection as a linked service from within the Managed Virtual Network I cannot connect.

{
    "name": "Office3651",
    "type": "Microsoft.Synapse/workspaces/linkedservices",
    "properties": {
        "annotations": [],
        "type": "Office365",
        "typeProperties": {
            "office365TenantId": "[TENANT GUID]",
            "servicePrincipalTenantId": "[TENANT GUID]",
            "servicePrincipalId": "[SERVICE PRINCIPAL GUID]",
            "encryptedCredential": "ew0KICAiVmVyc2lvbiI6ICIyMDE3LTExLTMwIiwNCiAgIlByb3RlY3Rpb25Nb2RlIjogIktleSIsDQogICJTZWNyZXRDb250ZW50VHlwZSI6ICJQbGFpbnRleHQiLA0KICAiQ3JlZGVudGlhbElkIjogIlNZTkFQU0VAQUJFNEVBODktM0E5MS00RjExLTgzOTItMjcyOURFNTY2NDk3XzhhMGViNzIyLTRmNTAtNGQ4Zi1iYTVhLTYwYWNiNzQyYjMzMiINCn0="
        },
        "connectVia": {
            "referenceName": "AutoResolveIntegrationRuntime",
            "type": "IntegrationRuntimeReference"
        }
    }
}

The error I get attempting to validate the connection is:

One or more errors occurred.
An error occurred while sending the request.
Unable to connect to the remote server
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 51.105.5.65:443
Activity ID: 218a9020-6de9-4436-b61b-0e62c6b9c147.

As indicated I can get this to work without a Managed VNET.

I get similar experiences for REST API connections; these are connections which I have used outside of a Managed VNET.

The connection to the REST service failed. Endpoint=https://***URL***/, Reason=.
A task was canceled.
Activity ID: 7bc36bd7-d135-4636-8303-89acc84ef711.

Request


If anyone has tried similar or has found documentation for a more detailed exploration of how to create linked services I would be very grateful. It becomes harder to justify the use of the Managed VNET if these are hard limitations.

Azure Synapse Analytics
An Azure analytics service that brings together data integration, enterprise data warehousing, and big data analytics. Previously known as Azure SQL Data Warehouse.

2 answers

  1. KranthiPakala-MSFT 46,422 Reputation points Microsoft Employee
    2022-02-23T23:14:58.57+00:00

    Hello @Stephen Connell ,

    Thanks for sharing the update from the support request. As it turns out, at this time the product feature you are looking for is not supported. May I request you to please log your feedback in the IDEAS forum here: IDEAS forum.

    The product group does monitor the requests and they can plan for the implementation in future. Once you log the feature request you will also be notified on the status of the request. Please do share the link once the feedback is posted, as it would help others up-vote and comment on it to increase the priority.

    Thanks
    Kranthi

    2 people found this answer helpful.

  2. Stephen Connell 21 Reputation points
    2022-02-21T13:12:03.593+00:00

    I have, with support from the team here, managed to get a partial working solution.
    For REST API, OData, and a lot of other services too numerous to mention here, the solution is to set up a Self Hosted Integration Runtime (SHIR). This SHIR has a node on a virtual machine which sits in a Custom VNET with Data Link and Private Endpoints. This then allows the connection of these services using the SHIR rather than an Azure Auto Resolve Integration Runtime.

    While this allows for many services to connect, it does not allow Office 365 connections as this will not permit connections using SHIR. The only workaround is to not use Microsoft Graph Data Connect but use the API and SHIR, or not deploy Data Exfiltration Protection. I am informed it is in the plan to fix this but don't have details on the time frame for this resolution.
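
Added example, not part of the thread and not Microsoft's code: a pre-deployment check that applies the findings reported above to exported linked service definitions, for a workspace assumed to have a Managed VNET with Data Exfiltration Protection. The connector type strings, the runtime name `SelfHostedIR1` and the sample definitions are assumptions constructed for illustration.

```python
import json

# ARM "type" values assumed for the connectors the thread names.
NEEDS_SHIR = {"RestService", "OData"}   # reported to work once moved to a SHIR
NO_SHIR_SUPPORT = {"Office365"}         # reported not to accept a SHIR


def classify(linked_service, runtimes):
    """Return a verdict for one linked service definition.

    runtimes maps integration runtime name -> "Managed" or "SelfHosted".
    """
    props = linked_service["properties"]
    # Without connectVia the service runs on the default Azure IR.
    ir_name = props.get("connectVia", {}).get(
        "referenceName", "AutoResolveIntegrationRuntime")
    # Runtimes missing from the map are treated as Azure-managed.
    ir_type = runtimes.get(ir_name, "Managed")
    kind = props["type"]
    if kind in NO_SHIR_SUPPORT:
        return "blocked: connector cannot use a SHIR"
    if kind in NEEDS_SHIR and ir_type != "SelfHosted":
        return "move to SHIR: currently on " + ir_name
    return "not flagged"


def audit(linked_services, runtimes):
    """Map linked service name -> verdict."""
    return {ls["name"]: classify(ls, runtimes) for ls in linked_services}


# Constructed sample definitions, trimmed to the fields the check reads.
SAMPLE_RUNTIMES = {"SelfHostedIR1": "SelfHosted"}  # hypothetical SHIR name
SAMPLE_SERVICES = json.loads("""[
  {"name": "Office3651", "properties": {"type": "Office365",
    "connectVia": {"referenceName": "AutoResolveIntegrationRuntime"}}},
  {"name": "RestDirect", "properties": {"type": "RestService"}},
  {"name": "RestViaShir", "properties": {"type": "RestService",
    "connectVia": {"referenceName": "SelfHostedIR1"}}},
  {"name": "AzureSql1", "properties": {"type": "AzureSqlDatabase"}}
]""")

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_SERVICES, SAMPLE_RUNTIMES).items():
        print(f"{name}: {verdict}")
```

"not flagged" means only that the thread reports no problem for that combination, not that connectivity has been verified.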