Create a workspace with data exfiltration protection enabled

This article describes how to create a workspace with data exfiltration protection enabled and how to manage the approved Azure AD tenants for this workspace.


You cannot change the workspace configuration for managed virtual network and data exfiltration protection after the workspace is created.


  • Permissions to create a workspace resource in Azure.
  • Synapse workspace permissions to create managed private endpoints.
  • Subscriptions registered for the Networking resource provider. Learn more.

Follow the steps listed in Quickstart: Create a Synapse workspace to get started with creating your workspace. Before creating your workspace, use the information below to add data exfiltration protection to your workspace.

Add data exfiltration protection when creating your workspace

  1. On the Networking tab, select the “Enable managed virtual network” checkbox.
  2. Select “Yes” for the “Allow outbound data traffic only to approved targets” option.
  3. Choose the approved Azure AD tenants for this workspace.
  4. Review the configuration and create the workspace. Screenshot that shows a Create Synapse workspace with 'Enable manage virtual network' selected.

Manage approved Azure Active Directory tenants for the workspace

  1. From the workspace’s Azure portal, navigate to “Approved Azure AD tenants”. The list of approved Azure AD tenants for the workspace will be listed here. The workspace’s tenant is included by default and is not listed.
  2. Use “+Add” to include new tenants to the approved list.
  3. To remove an Azure AD tenant from the approved list, select the tenant and select on “Delete” and then “Save”. Create a workspace with data exfiltration protection

Connecting to Azure resources in approved Azure AD tenants

You can create managed private endpoints to connect to Azure resources that reside in Azure AD tenants, which are approved for a workspace. Follow the steps listed in the guide for creating managed private endpoints.


Resources in tenants other than the workspace's tenant must not have blocking firewall rules in place for the SQL pools to connect to them. Resources within the workspace’s managed virtual network, such as Spark clusters, can connect over managed private links to firewall-protected resources.

Known limitations

Users can provide an environment configuration file to install Python packages from public repositories like PyPI. In data exfiltration protected workspaces, connections to outbound repositories are blocked. As a result, Python libraries installed from public repositories like PyPI are not supported.

As an alternative, users can upload workspace packages or create a private channel within their primary Azure Data Lake Storage account. For more information, visit Package management in Azure Synapse Analytics

Ingesting data from an Event Hub into Data Explorer pools will not work if your Synapse workspace uses a managed virtual network with data exfiltration protection enabled.

Next steps