Bicep resource definition
The workspaces resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.Synapse/workspaces resource, add the following Bicep to your template.
// Schema outline for Microsoft.Synapse/workspaces at API version 2021-06-01.
// 'string', bool and any(...) are type placeholders, not values to deploy as written.
resource symbolicname 'Microsoft.Synapse/workspaces@2021-06-01' = {
scope: resourceSymbolicName or scope
identity: {
// Allowed values per the ManagedIdentity table: 'None', 'SystemAssigned', 'SystemAssigned,UserAssigned'.
type: 'string'
userAssignedIdentities: {
{customized property}: {}
}
}
// location and name are the only properties marked required in the table on this page.
location: 'string'
name: 'string'
properties: {
// Enables or disables AzureADOnlyAuthentication on all workspace sub-resources.
// NOTE(review): set this explicitly; the default when omitted is not stated on this page.
azureADOnlyAuthentication: bool
cspWorkspaceAdminProperties: {
// AAD object ID of the initial workspace admin (CSP subscriptions); review which principal this names.
initialWorkspaceAdminObjectId: 'string'
}
defaultDataLakeStorage: {
accountUrl: 'string'
// Whether to create a managed private endpoint to this storage account.
createManagedPrivateEndpoint: bool
filesystem: 'string'
resourceId: 'string'
}
// Workspace encryption details; cmk is typed CustomerManagedKeyDetails on this page.
encryption: {
cmk: {
// kekIdentity selects a user-assigned identity (by resource Id) or the system-assigned one.
kekIdentity: {
userAssignedIdentity: 'string'
useSystemAssignedIdentity: any(...)
}
// Key vault URL and name of the workspace key sub-resource.
key: {
keyVaultUrl: 'string'
name: 'string'
}
}
}
// At most 90 characters; alphanumerics plus '-', '_', '(', ')' and '.', and must not end with '.'.
managedResourceGroupName: 'string'
// 'default' places all workspace compute in a virtual network managed on behalf of the user.
managedVirtualNetwork: 'string'
// NOTE(review): presumably these settings only apply when managedVirtualNetwork is 'default' — confirm.
managedVirtualNetworkSettings: {
allowedAadTenantIdsForLinking: [
'string'
]
linkedAccessCheckOnTargetResource: bool
preventDataExfiltration: bool
}
privateEndpointConnections: [
{
properties: {
privateEndpoint: {}
privateLinkServiceConnectionState: {
description: 'string'
status: 'string'
}
}
}
]
// Allowed values per the WorkspaceProperties table: 'Disabled', 'Enabled'.
publicNetworkAccess: 'string'
purviewConfiguration: {
purviewResourceId: 'string'
}
sqlAdministratorLogin: 'string'
// Secret value: pass it in through a parameter decorated with @secure() instead of a literal,
// so the password is not committed with the template.
sqlAdministratorLoginPassword: 'string'
// NOTE(review): the page only restates the property name; confirm which services the bypass covers before enabling.
trustedServiceBypassEnabled: bool
virtualNetworkProfile: {
// Subnet ID used for computes in the workspace.
computeSubnetId: 'string'
}
// Git integration settings.
workspaceRepositoryConfiguration: {
accountName: 'string'
collaborationBranch: 'string'
// GitHub Enterprise host name, e.g. https://github.mydomain.com.
hostName: 'string'
lastCommitId: 'string'
projectName: 'string'
repositoryName: 'string'
rootFolder: 'string'
// Exactly 36 characters, matching ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$.
tenantId: 'string'
// Examples given on this page: WorkspaceVSTSConfiguration, WorkspaceGitHubConfiguration.
type: 'string'
}
}
tags: {
{customized property}: 'string'
}
}
Property Values
Microsoft.Synapse/workspaces
| Name |
Description |
Value |
| identity |
Identity of the workspace |
ManagedIdentity |
| location |
The geo-location where the resource lives |
string (required) |
| name |
The resource name |
string (required) |
| properties |
Workspace resource properties |
WorkspaceProperties |
| scope |
Use when creating a resource at a scope that is different than the deployment scope. |
Set this property to the symbolic name of a resource to apply the extension resource. |
| tags |
Resource tags |
Dictionary of tag names and values. See Tags in templates |
CspWorkspaceAdminProperties
| Name |
Description |
Value |
| initialWorkspaceAdminObjectId |
AAD object ID of initial workspace admin |
string |
CustomerManagedKeyDetails
DataLakeStorageAccountDetails
| Name |
Description |
Value |
| accountUrl |
Account URL |
string |
| createManagedPrivateEndpoint |
Create managed private endpoint to this storage account or not |
bool |
| filesystem |
Filesystem name |
string |
| resourceId |
ARM resource Id of this storage account |
string |
EncryptionDetails
KekIdentityProperties
| Name |
Description |
Value |
| userAssignedIdentity |
User assigned identity resource Id |
string |
| useSystemAssignedIdentity |
Boolean specifying whether to use system assigned identity or not |
any |
ManagedIdentity
| Name |
Description |
Value |
| type |
The type of managed identity for the workspace |
'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' |
| userAssignedIdentities |
The user assigned managed identities. |
UserAssignedManagedIdentities |
ManagedVirtualNetworkSettings
| Name |
Description |
Value |
| allowedAadTenantIdsForLinking |
Allowed Aad Tenant Ids For Linking |
string[] |
| linkedAccessCheckOnTargetResource |
Linked Access Check On Target Resource |
bool |
| preventDataExfiltration |
Prevent Data Exfiltration |
bool |
PrivateEndpoint
PrivateEndpointConnection
PrivateEndpointConnectionProperties
PrivateLinkServiceConnectionState
| Name |
Description |
Value |
| description |
The private link service connection description. |
string |
| status |
The private link service connection status. |
string |
PurviewConfiguration
| Name |
Description |
Value |
| purviewResourceId |
Purview Resource ID |
string |
UserAssignedManagedIdentities
UserAssignedManagedIdentity
VirtualNetworkProfile
| Name |
Description |
Value |
| computeSubnetId |
Subnet ID used for computes in workspace |
string |
WorkspaceKeyDetails
| Name |
Description |
Value |
| keyVaultUrl |
Workspace Key sub-resource key vault url |
string |
| name |
Workspace Key sub-resource name |
string |
WorkspaceProperties
| Name |
Description |
Value |
| azureADOnlyAuthentication |
Enable or disable AzureADOnlyAuthentication on all workspace sub-resources |
bool |
| cspWorkspaceAdminProperties |
Initial workspace AAD admin properties for a CSP subscription |
CspWorkspaceAdminProperties |
| defaultDataLakeStorage |
Workspace default data lake storage account details |
DataLakeStorageAccountDetails |
| encryption |
The encryption details of the workspace |
EncryptionDetails |
| managedResourceGroupName |
Workspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters and may contain only alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and '.'. Note that the name cannot end with '.'. |
string |
| managedVirtualNetwork |
Setting this to 'default' will ensure that all compute for this workspace is in a virtual network managed on behalf of the user. |
string |
| managedVirtualNetworkSettings |
Managed Virtual Network Settings |
ManagedVirtualNetworkSettings |
| privateEndpointConnections |
Private endpoint connections to the workspace |
PrivateEndpointConnection[] |
| publicNetworkAccess |
Enable or Disable public network access to workspace |
'Disabled' 'Enabled' |
| purviewConfiguration |
Purview Configuration |
PurviewConfiguration |
| sqlAdministratorLogin |
Login for workspace SQL active directory administrator |
string |
| sqlAdministratorLoginPassword |
SQL administrator login password |
string |
| trustedServiceBypassEnabled |
Is trustedServiceBypassEnabled for the workspace |
bool |
| virtualNetworkProfile |
Virtual Network profile |
VirtualNetworkProfile |
| workspaceRepositoryConfiguration |
Git integration settings |
WorkspaceRepositoryConfiguration |
WorkspaceRepositoryConfiguration
| Name |
Description |
Value |
| accountName |
Account name |
string |
| collaborationBranch |
Collaboration branch |
string |
| hostName |
GitHub Enterprise host name. For example: https://github.mydomain.com |
string |
| lastCommitId |
The last commit ID |
string |
| projectName |
VSTS project name |
string |
| repositoryName |
Repository name |
string |
| rootFolder |
Root folder to use in the repository |
string |
| tenantId |
The VSTS tenant ID |
string
Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
| type |
Type of workspace repositoryID configuration. Example WorkspaceVSTSConfiguration, WorkspaceGitHubConfiguration |
string |
Usage Examples
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
ARM template resource definition
The workspaces resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.Synapse/workspaces resource, add the following JSON to your template.
{
"type": "Microsoft.Synapse/workspaces",
"apiVersion": "2021-06-01",
"name": "string",
"identity": {
"type": "string",
"userAssignedIdentities": {
"{customized property}": {
}
}
},
"location": "string",
"properties": {
"azureADOnlyAuthentication": "bool",
"cspWorkspaceAdminProperties": {
"initialWorkspaceAdminObjectId": "string"
},
"defaultDataLakeStorage": {
"accountUrl": "string",
"createManagedPrivateEndpoint": "bool",
"filesystem": "string",
"resourceId": "string"
},
"encryption": {
"cmk": {
"kekIdentity": {
"userAssignedIdentity": "string",
"useSystemAssignedIdentity": {}
},
"key": {
"keyVaultUrl": "string",
"name": "string"
}
}
},
"managedResourceGroupName": "string",
"managedVirtualNetwork": "string",
"managedVirtualNetworkSettings": {
"allowedAadTenantIdsForLinking": [ "string" ],
"linkedAccessCheckOnTargetResource": "bool",
"preventDataExfiltration": "bool"
},
"privateEndpointConnections": [
{
"properties": {
"privateEndpoint": {
},
"privateLinkServiceConnectionState": {
"description": "string",
"status": "string"
}
}
}
],
"publicNetworkAccess": "string",
"purviewConfiguration": {
"purviewResourceId": "string"
},
"sqlAdministratorLogin": "string",
"sqlAdministratorLoginPassword": "string",
"trustedServiceBypassEnabled": "bool",
"virtualNetworkProfile": {
"computeSubnetId": "string"
},
"workspaceRepositoryConfiguration": {
"accountName": "string",
"collaborationBranch": "string",
"hostName": "string",
"lastCommitId": "string",
"projectName": "string",
"repositoryName": "string",
"rootFolder": "string",
"tenantId": "string",
"type": "string"
}
},
"tags": {
"{customized property}": "string"
}
}
Property Values
Microsoft.Synapse/workspaces
| Name |
Description |
Value |
| apiVersion |
The api version |
'2021-06-01' |
| identity |
Identity of the workspace |
ManagedIdentity |
| location |
The geo-location where the resource lives |
string (required) |
| name |
The resource name |
string (required) |
| properties |
Workspace resource properties |
WorkspaceProperties |
| tags |
Resource tags |
Dictionary of tag names and values. See Tags in templates |
| type |
The resource type |
'Microsoft.Synapse/workspaces' |
CspWorkspaceAdminProperties
| Name |
Description |
Value |
| initialWorkspaceAdminObjectId |
AAD object ID of initial workspace admin |
string |
CustomerManagedKeyDetails
DataLakeStorageAccountDetails
| Name |
Description |
Value |
| accountUrl |
Account URL |
string |
| createManagedPrivateEndpoint |
Create managed private endpoint to this storage account or not |
bool |
| filesystem |
Filesystem name |
string |
| resourceId |
ARM resource Id of this storage account |
string |
EncryptionDetails
KekIdentityProperties
| Name |
Description |
Value |
| userAssignedIdentity |
User assigned identity resource Id |
string |
| useSystemAssignedIdentity |
Boolean specifying whether to use system assigned identity or not |
any |
ManagedIdentity
| Name |
Description |
Value |
| type |
The type of managed identity for the workspace |
'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' |
| userAssignedIdentities |
The user assigned managed identities. |
UserAssignedManagedIdentities |
ManagedVirtualNetworkSettings
| Name |
Description |
Value |
| allowedAadTenantIdsForLinking |
Allowed Aad Tenant Ids For Linking |
string[] |
| linkedAccessCheckOnTargetResource |
Linked Access Check On Target Resource |
bool |
| preventDataExfiltration |
Prevent Data Exfiltration |
bool |
PrivateEndpoint
PrivateEndpointConnection
PrivateEndpointConnectionProperties
PrivateLinkServiceConnectionState
| Name |
Description |
Value |
| description |
The private link service connection description. |
string |
| status |
The private link service connection status. |
string |
PurviewConfiguration
| Name |
Description |
Value |
| purviewResourceId |
Purview Resource ID |
string |
UserAssignedManagedIdentities
UserAssignedManagedIdentity
VirtualNetworkProfile
| Name |
Description |
Value |
| computeSubnetId |
Subnet ID used for computes in workspace |
string |
WorkspaceKeyDetails
| Name |
Description |
Value |
| keyVaultUrl |
Workspace Key sub-resource key vault url |
string |
| name |
Workspace Key sub-resource name |
string |
WorkspaceProperties
| Name |
Description |
Value |
| azureADOnlyAuthentication |
Enable or disable AzureADOnlyAuthentication on all workspace sub-resources |
bool |
| cspWorkspaceAdminProperties |
Initial workspace AAD admin properties for a CSP subscription |
CspWorkspaceAdminProperties |
| defaultDataLakeStorage |
Workspace default data lake storage account details |
DataLakeStorageAccountDetails |
| encryption |
The encryption details of the workspace |
EncryptionDetails |
| managedResourceGroupName |
Workspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters and may contain only alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and '.'. Note that the name cannot end with '.'. |
string |
| managedVirtualNetwork |
Setting this to 'default' will ensure that all compute for this workspace is in a virtual network managed on behalf of the user. |
string |
| managedVirtualNetworkSettings |
Managed Virtual Network Settings |
ManagedVirtualNetworkSettings |
| privateEndpointConnections |
Private endpoint connections to the workspace |
PrivateEndpointConnection[] |
| publicNetworkAccess |
Enable or Disable public network access to workspace |
'Disabled' 'Enabled' |
| purviewConfiguration |
Purview Configuration |
PurviewConfiguration |
| sqlAdministratorLogin |
Login for workspace SQL active directory administrator |
string |
| sqlAdministratorLoginPassword |
SQL administrator login password |
string |
| trustedServiceBypassEnabled |
Is trustedServiceBypassEnabled for the workspace |
bool |
| virtualNetworkProfile |
Virtual Network profile |
VirtualNetworkProfile |
| workspaceRepositoryConfiguration |
Git integration settings |
WorkspaceRepositoryConfiguration |
WorkspaceRepositoryConfiguration
| Name |
Description |
Value |
| accountName |
Account name |
string |
| collaborationBranch |
Collaboration branch |
string |
| hostName |
GitHub Enterprise host name. For example: https://github.mydomain.com |
string |
| lastCommitId |
The last commit ID |
string |
| projectName |
VSTS project name |
string |
| repositoryName |
Repository name |
string |
| rootFolder |
Root folder to use in the repository |
string |
| tenantId |
The VSTS tenant ID |
string
Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
| type |
Type of workspace repositoryID configuration. Example WorkspaceVSTSConfiguration, WorkspaceGitHubConfiguration |
string |
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template |
Description |
Azure Synapse Proof-of-Concept
 |
This template creates a proof of concept environment for Azure Synapse, including SQL Pools and optional Apache Spark Pools |
The workspaces resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.Synapse/workspaces resource, add the following Terraform to your template.
# Schema outline for Microsoft.Synapse/workspaces (API version 2021-06-01) through the azapi provider.
# "string", bool and ? are type placeholders, not values to apply as written.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Synapse/workspaces@2021-06-01"
name = "string"
# ID of the resource this one is applied to (required per the table on this page).
parent_id = "string"
identity {
# Allowed values per the ManagedIdentity table: 'None', 'SystemAssigned', 'SystemAssigned,UserAssigned'.
type = "string"
identity_ids = [
"string"
]
}
location = "string"
tags = {
{customized property} = "string"
}
body = {
properties = {
# Enables or disables AzureADOnlyAuthentication on all workspace sub-resources.
# NOTE(review): set this explicitly; the default when omitted is not stated on this page.
azureADOnlyAuthentication = bool
cspWorkspaceAdminProperties = {
# AAD object ID of the initial workspace admin (CSP subscriptions); review which principal this names.
initialWorkspaceAdminObjectId = "string"
}
defaultDataLakeStorage = {
accountUrl = "string"
# Whether to create a managed private endpoint to this storage account.
createManagedPrivateEndpoint = bool
filesystem = "string"
resourceId = "string"
}
# Workspace encryption details; cmk is typed CustomerManagedKeyDetails on this page.
encryption = {
cmk = {
# kekIdentity selects a user-assigned identity (by resource Id) or the system-assigned one.
kekIdentity = {
userAssignedIdentity = "string"
useSystemAssignedIdentity = ?
}
# Key vault URL and name of the workspace key sub-resource.
key = {
keyVaultUrl = "string"
name = "string"
}
}
}
# At most 90 characters; alphanumerics plus '-', '_', '(', ')' and '.', and must not end with '.'.
managedResourceGroupName = "string"
# 'default' places all workspace compute in a virtual network managed on behalf of the user.
managedVirtualNetwork = "string"
# NOTE(review): presumably these settings only apply when managedVirtualNetwork is 'default' — confirm.
managedVirtualNetworkSettings = {
allowedAadTenantIdsForLinking = [
"string"
]
linkedAccessCheckOnTargetResource = bool
preventDataExfiltration = bool
}
privateEndpointConnections = [
{
properties = {
privateEndpoint = {
}
privateLinkServiceConnectionState = {
description = "string"
status = "string"
}
}
}
]
# Allowed values per the WorkspaceProperties table: 'Disabled', 'Enabled'.
publicNetworkAccess = "string"
purviewConfiguration = {
purviewResourceId = "string"
}
sqlAdministratorLogin = "string"
# Secret value: feed it from a variable declared with sensitive = true, never a literal.
# sensitive only redacts CLI output; the value is still written to Terraform state,
# so the state backend needs encryption and access control.
sqlAdministratorLoginPassword = "string"
# NOTE(review): the page only restates the property name; confirm which services the bypass covers before enabling.
trustedServiceBypassEnabled = bool
virtualNetworkProfile = {
# Subnet ID used for computes in the workspace.
computeSubnetId = "string"
}
# Git integration settings.
workspaceRepositoryConfiguration = {
accountName = "string"
collaborationBranch = "string"
# GitHub Enterprise host name, e.g. https://github.mydomain.com.
hostName = "string"
lastCommitId = "string"
projectName = "string"
repositoryName = "string"
rootFolder = "string"
# Exactly 36 characters, matching ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$.
tenantId = "string"
# Examples given on this page: WorkspaceVSTSConfiguration, WorkspaceGitHubConfiguration.
type = "string"
}
}
}
}
Property Values
Microsoft.Synapse/workspaces
| Name |
Description |
Value |
| identity |
Identity of the workspace |
ManagedIdentity |
| location |
The geo-location where the resource lives |
string (required) |
| name |
The resource name |
string (required) |
| parent_id |
The ID of the resource to apply this extension resource to. |
string (required) |
| properties |
Workspace resource properties |
WorkspaceProperties |
| tags |
Resource tags |
Dictionary of tag names and values. |
| type |
The resource type |
"Microsoft.Synapse/workspaces@2021-06-01" |
CspWorkspaceAdminProperties
| Name |
Description |
Value |
| initialWorkspaceAdminObjectId |
AAD object ID of initial workspace admin |
string |
CustomerManagedKeyDetails
DataLakeStorageAccountDetails
| Name |
Description |
Value |
| accountUrl |
Account URL |
string |
| createManagedPrivateEndpoint |
Create managed private endpoint to this storage account or not |
bool |
| filesystem |
Filesystem name |
string |
| resourceId |
ARM resource Id of this storage account |
string |
EncryptionDetails
KekIdentityProperties
| Name |
Description |
Value |
| userAssignedIdentity |
User assigned identity resource Id |
string |
| useSystemAssignedIdentity |
Boolean specifying whether to use system assigned identity or not |
any |
ManagedIdentity
| Name |
Description |
Value |
| type |
The type of managed identity for the workspace |
'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' |
| userAssignedIdentities |
The user assigned managed identities. |
UserAssignedManagedIdentities |
ManagedVirtualNetworkSettings
| Name |
Description |
Value |
| allowedAadTenantIdsForLinking |
Allowed Aad Tenant Ids For Linking |
string[] |
| linkedAccessCheckOnTargetResource |
Linked Access Check On Target Resource |
bool |
| preventDataExfiltration |
Prevent Data Exfiltration |
bool |
PrivateEndpoint
PrivateEndpointConnection
PrivateEndpointConnectionProperties
PrivateLinkServiceConnectionState
| Name |
Description |
Value |
| description |
The private link service connection description. |
string |
| status |
The private link service connection status. |
string |
PurviewConfiguration
| Name |
Description |
Value |
| purviewResourceId |
Purview Resource ID |
string |
UserAssignedManagedIdentities
UserAssignedManagedIdentity
VirtualNetworkProfile
| Name |
Description |
Value |
| computeSubnetId |
Subnet ID used for computes in workspace |
string |
WorkspaceKeyDetails
| Name |
Description |
Value |
| keyVaultUrl |
Workspace Key sub-resource key vault url |
string |
| name |
Workspace Key sub-resource name |
string |
WorkspaceProperties
| Name |
Description |
Value |
| azureADOnlyAuthentication |
Enable or disable AzureADOnlyAuthentication on all workspace sub-resources |
bool |
| cspWorkspaceAdminProperties |
Initial workspace AAD admin properties for a CSP subscription |
CspWorkspaceAdminProperties |
| defaultDataLakeStorage |
Workspace default data lake storage account details |
DataLakeStorageAccountDetails |
| encryption |
The encryption details of the workspace |
EncryptionDetails |
| managedResourceGroupName |
Workspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters and may contain only alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and '.'. Note that the name cannot end with '.'. |
string |
| managedVirtualNetwork |
Setting this to 'default' will ensure that all compute for this workspace is in a virtual network managed on behalf of the user. |
string |
| managedVirtualNetworkSettings |
Managed Virtual Network Settings |
ManagedVirtualNetworkSettings |
| privateEndpointConnections |
Private endpoint connections to the workspace |
PrivateEndpointConnection[] |
| publicNetworkAccess |
Enable or Disable public network access to workspace |
'Disabled' 'Enabled' |
| purviewConfiguration |
Purview Configuration |
PurviewConfiguration |
| sqlAdministratorLogin |
Login for workspace SQL active directory administrator |
string |
| sqlAdministratorLoginPassword |
SQL administrator login password |
string |
| trustedServiceBypassEnabled |
Is trustedServiceBypassEnabled for the workspace |
bool |
| virtualNetworkProfile |
Virtual Network profile |
VirtualNetworkProfile |
| workspaceRepositoryConfiguration |
Git integration settings |
WorkspaceRepositoryConfiguration |
WorkspaceRepositoryConfiguration
| Name |
Description |
Value |
| accountName |
Account name |
string |
| collaborationBranch |
Collaboration branch |
string |
| hostName |
GitHub Enterprise host name. For example: https://github.mydomain.com |
string |
| lastCommitId |
The last commit ID |
string |
| projectName |
VSTS project name |
string |
| repositoryName |
Repository name |
string |
| rootFolder |
Root folder to use in the repository |
string |
| tenantId |
The VSTS tenant ID |
string
Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
| type |
Type of workspace repositoryID configuration. Example WorkspaceVSTSConfiguration, WorkspaceGitHubConfiguration |
string |
Usage Examples
A basic example of deploying Synapse Workspace.
# Provider requirements: this example depends only on the Azure/azapi provider.
# No version constraint is given, so `terraform init` resolves whichever release is current;
# real configurations should add a `version` constraint here and commit the dependency lock file.
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}

provider "azapi" {
  skip_provider_registration = false
}

# Shared name for the resource group, storage account, container and workspace below.
variable "resource_name" {
  default = "acctest0001"
  type    = string
}

# Azure region used for every resource in this example.
variable "location" {
  default = "westeurope"
  type    = string
}

# No default: the SQL administrator login must be supplied by the caller.
variable "sql_administrator_login" {
  description = "The SQL administrator login name for the Synapse workspace"
  type        = string
}

# No default, and marked sensitive so Terraform redacts it in plan/apply output.
# The value is still persisted in state once it is passed to the workspace resource.
variable "sql_administrator_login_password" {
  description = "The SQL administrator login password for the Synapse workspace"
  sensitive   = true
  type        = string
}
# Resource group that parents the storage account and the Synapse workspace in this example.
resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  location = var.location
  name     = var.resource_name
}
# Storage account backing the workspace's default data lake.
resource "azapi_resource" "storageAccount" {
  type      = "Microsoft.Storage/storageAccounts@2021-09-01"
  name      = var.resource_name
  location  = var.location
  parent_id = azapi_resource.resourceGroup.id

  body = {
    kind = "StorageV2"
    sku = {
      name = "Standard_LRS"
    }
    # Empty on purpose in this basic example: every storage security setting is left at the
    # service default. NOTE(review): outside a demo, set supportsHttpsTrafficOnly,
    # minimumTlsVersion and allowBlobPublicAccess explicitly rather than relying on defaults.
    properties = {
    }
  }

  # Turns off azapi's validation of `body` against the resource schema.
  schema_validation_enabled = false

  # Exports the full API response into this resource's output (and therefore into state).
  # The workspace below only reads output.properties.primaryEndpoints.dfs.
  response_export_values = ["*"]
}
# Invokes the storage account's listKeys action and exports the entire response.
# That response carries the account access keys, so they end up in Terraform state.
# Nothing else in this example references data.azapi_resource_action.listKeys;
# NOTE(review): drop this data source unless something actually consumes the keys, and
# treat the state file as a secret wherever it is kept.
data "azapi_resource_action" "listKeys" {
  type                   = "Microsoft.Storage/storageAccounts@2022-09-01"
  action                 = "listKeys"
  resource_id            = azapi_resource.storageAccount.id
  response_export_values = ["*"]
}
# Looks up the storage account's "default" blob service so the container can be parented to it.
data "azapi_resource" "blobService" {
  type      = "Microsoft.Storage/storageAccounts/blobServices@2022-09-01"
  name      = "default"
  parent_id = azapi_resource.storageAccount.id
}
# Container whose name the workspace uses as its default data lake filesystem.
resource "azapi_resource" "container" {
  type      = "Microsoft.Storage/storageAccounts/blobServices/containers@2022-09-01"
  parent_id = data.azapi_resource.blobService.id
  name      = var.resource_name

  # Only placeholder metadata is set; no access level is specified for the container here.
  body = {
    properties = {
      metadata = {
        key = "value"
      }
    }
  }

  # Exports the full API response into output/state.
  response_export_values = ["*"]
}
# Basic Synapse workspace: system-assigned identity, default data lake on the storage
# account above, SQL administrator credentials taken from input variables.
resource "azapi_resource" "workspace" {
  type      = "Microsoft.Synapse/workspaces@2021-06-01"
  name      = var.resource_name
  location  = var.location
  parent_id = azapi_resource.resourceGroup.id

  identity {
    type         = "SystemAssigned"
    identity_ids = []
  }

  body = {
    properties = {
      defaultDataLakeStorage = {
        accountUrl = azapi_resource.storageAccount.output.properties.primaryEndpoints.dfs
        filesystem = azapi_resource.container.name
      }

      # Network posture of this example is open: public network access is enabled, and
      # managedVirtualNetwork is not "default", the value this page documents as placing all
      # compute in a managed virtual network. Revisit both for anything beyond a demo.
      managedVirtualNetwork = ""
      publicNetworkAccess   = "Enabled"

      # azureADOnlyAuthentication and encryption are not set in this example.
      # The password comes from a sensitive variable but is still stored in state.
      sqlAdministratorLogin         = var.sql_administrator_login
      sqlAdministratorLoginPassword = var.sql_administrator_login_password
    }
  }

  # Turns off azapi's validation of `body` against the resource schema.
  schema_validation_enabled = false

  # Exports the full API response into output/state.
  response_export_values = ["*"]
}