Connect to your Microsoft Fabric tenant in the same tenant as Microsoft Purview (Preview)

Important

Scanning a Microsoft Fabric tenant will bring in metadata and lineage from Fabric items including Power BI. The experience of registering a Fabric tenant and setting up a scan is similar to Power BI tenant and shared among all Fabric items. The scanning of Fabric items other than Power BI is currently in preview. The Supplemental Terms of Use for Microsoft Azure Previews include additional legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability.

This article outlines how to register a Microsoft Fabric tenant that's in the same tenant as your Microsoft Purview resource, and how to authenticate and interact with the Fabric source in Microsoft Purview. For more information about Microsoft Purview in general, read the introductory article.

Note

Starting from December 13th 2023, scanning Fabric tenants registered with the Fabric data source in Microsoft Purview will capture metadata and lineage from Fabric items including Power BI. The new feature will become available in all Microsoft Purview public cloud regions in the following days.

For scanning a Power BI tenant, see our Power BI documentation.

Supported capabilities

Metadata Extraction	Full Scan	Incremental Scan	Scoped Scan	Classification	Labeling	Access Policy	Lineage	Data Sharing	Live view
Yes	Yes	Yes	No	No	No	No	Yes	No	Yes

Experiences	Fabric items	Available in scan	Available in live view (same tenant only)
Real-Time Analytics	KQL Database	Yes	Yes
	KQL Queryset	Yes	Yes
Data Science	Experiment	Yes	Yes
	ML model	Yes	Yes
Data Factory	Data pipeline	Yes	Yes
	Dataflow Gen2	Yes	Yes
Data Engineering	Lakehouse	Yes	Yes
	Notebook	Yes	Yes
	Spark Job Definition	Yes	Yes
	SQL analytics endpoint	Yes	Yes
Data Warehouse	Warehouse	Yes	Yes
Power BI	Dashboard	Yes	Yes
	Dataflow	Yes	Yes
	Datamart	Yes	Yes
	Semantic model (Dataset)	Yes	Yes
	Report	Yes	Yes
	Paginated report	Yes

Supported scenarios for Fabric scans

Scenarios	Microsoft Purview public access allowed/denied	Fabric public access allowed /denied	Runtime option	Authentication option	Deployment checklist
Public access with Azure IR	Allowed	Allowed	Azure Runtime	Managed Identity / Delegated authentication / Service principal	Review deployment checklist
Private access	Denied	Allowed	Managed VNet IR (v2 only)	Managed Identity / Delegated authentication / Service principal	Review deployment checklist

Known limitations

• Currently scanning with a self-hosted integration runtime isn't supported.
• Currently for all Fabric items besides Power BI, only item level metadata and lineage will be scanned, scanning metadata and lineage of sub level items like Lakehouse tables or files isn't supported.
• Empty workspaces are skipped.

Prerequisites

Before you start, make sure you have the following prerequisites:

• An Azure account with an active subscription. Create an account for free.

• An active Microsoft Purview account.

Authentication options

• Managed Identity
• Service Principal
• Delegated Authentication

Deployment checklist

Use any of the following deployment checklists during the setup or for troubleshooting purposes, based on your scenario:

Public access with Azure IR

Scan same-tenant Fabric using Azure IR and Managed Identity in public network

1. Make sure Fabric and Microsoft Purview accounts are in the same tenant.

2. Make sure Fabric tenant ID is entered correctly during the registration.

3. Make sure your Fabric Metadata model is up to date by enabling metadata scanning.

4. From Azure portal, validate if Microsoft Purview account Network is set to public access.

5. From Fabric tenant Admin Portal, make sure Fabric tenant is configured to allow public network.

6. In Microsoft Entra tenant, create a security group.

7. From Microsoft Entra tenant, make sure Microsoft Purview account MSI is member of the new security group.

8. On the Fabric Tenant Admin portal, validate if Allow service principals to use read-only admin APIs is enabled for the new security group.

Private access with Managed VNet IR (v2 only)

Scan same-tenant Fabric using Managed VNet IR (v2 only) with Managed Identity, Delegated Authentication or Service Principal in a private network

1. Make sure Fabric and Microsoft Purview accounts are in the same tenant.

2. Make sure Fabric tenant ID is entered correctly during the registration.

3. Make sure your Fabric Metadata model is up to date by enabling metadata scanning.

4. Check your Azure Key Vault to make sure:

   1. There are no typos in the password.
   2. Microsoft Purview Managed Identity has get/list access to secrets.

5. Review your credential to validate:

   1. Client ID matches Application (Client) ID of the app registration.
   2. Username includes the user principal name such as johndoe@contoso.com.

6. If Delegated Authentication is used, validate Fabric admin user settings to make sure:

   1. User is assigned to Fabric Administrator role.
   2. If user is recently created, sign in with the user at least once to make sure password is reset successfully and user can successfully initiate the session.
   3. There's no MFA or Conditional Access Policies are enforced on the user.

7. Validate App registration settings to make sure:

   1. App registration exists in your Microsoft Entra tenant.

   2. If service principal is used, under API permissions, the following delegated permissions are assigned with read for the following APIs:

      • Microsoft Graph openid
      • Microsoft Graph User.Read

   3. If delegated authentication is used, under API permissions, the following delegated permissions and grant admin consent for the tenant is set up with read for the following APIs:

      • Power BI Service Tenant.Read.All
      • Microsoft Graph openid
      • Microsoft Graph User.Read

   4. Under Authentication, Allow public client flows is enabled.

8. In Microsoft Entra tenant, create a security group.

9. From Microsoft Entra tenant, make sure Service Principal is member of the new security group.

10. On the Fabric Tenant Admin portal, validate if Allow service principals to use read-only admin APIs is enabled for the new security group.

Register Fabric tenant

This section describes how to register a Fabric tenant in Microsoft Purview for same-tenant scenario.

1. Select the Data Map on the left navigation.

2. Then select Register.

   Select Fabric as your data source.

   

3. Give your Fabric instance a friendly name and select a collection.

   The name must be between 3-63 characters long and must contain only letters, numbers, underscores, and hyphens. Spaces aren't allowed.

   By default, the system will find the Fabric tenant that exists in the same Microsoft Entra tenant.

Authentication to scan

To be able to scan your Microsoft Fabric tenant and review its metadata, you'll first need to create a way to authenticate with the Fabric tenant, and then give Microsoft Purview the authentication information.

Authenticate to Fabric tenant

In Microsoft Entra tenant, where Fabric tenant is located:

1. In the Azure portal, search for Microsoft Entra ID.

2. Create a new security group in your Microsoft Entra ID, by following Create a basic group and add members using Microsoft Entra ID.

   Tip

   You can skip this step if you already have a security group you want to use.

3. Select Security as the Group Type.

   

4. Add any relevant users to the security group:

   • If you're using Managed Identity as authentication method, add your Microsoft Purview managed identity to this security group. Select Members, then select + Add members.

     

   • If you're using delegated authentication or service principal as authentication method, add your service principal to this security group. Select Members, then select + Add members.

5. Search for your Microsoft Purview managed identity or service principal and select it.

   

   You should see a success notification showing you that it was added.

   

Associate the security group with Fabric tenant

1. Log into the Fabric admin portal.

2. Select the Tenant settings page.

   Important

   You need to be a Fabric Admin to see the tenant settings page.

3. Select Admin API settings > Allow service principals to use read-only admin APIs.

4. Select Specific security groups.

5. Select Admin API settings > Enhance admin APIs responses with detailed metadata and Enhance admin APIs responses with DAX and mashup expressions > Enable the toggle to allow Microsoft Purview Data Map automatically discover the detailed metadata of Fabric datasets as part of its scans.

   Important

   After you update the Admin API settings on your Fabric tenant, wait around 15 minutes before registering a scan and test connection.

   Caution

   When you allow the security group you created (that has your Microsoft Purview managed identity as a member) to use read-only admin APIs, you also allow it to access the metadata (e.g. dashboard and report names, owners, descriptions, etc.) for all of your Fabric artifacts in this tenant. Once the metadata has been pulled into the Microsoft Purview, Microsoft Purview's permissions, not Fabric permissions, determine who can see that metadata.

   Note

   You can remove the security group from your developer settings, but the metadata previously extracted won't be removed from the Microsoft Purview account. You can delete it separately, if you wish.

Configure credentials for scans in Microsoft Purview

Managed identity

If you've followed all the steps to authenticate Microsoft Purview to Fabric, no other authentication steps are needed for Managed Identities.

Service principal

1. In the Azure portal, select Microsoft Entra ID and create an App Registration in the tenant. Provide a web URL in the Redirect URI. For information about the Redirect URI see this documentation from Microsoft Entra ID.

   

2. Take note of Client ID(App ID).

   

3. From Microsoft Entra dashboard, select newly created application and then select App registration. From API Permissions, assign the application the following delegated permissions:

   • Microsoft Graph openid
   • Microsoft Graph User.Read

   

4. Under Advanced settings, enable Allow Public client flows.

5. Under Certificates & secrets, create a new secret and save it securely for next steps.

6. In Azure portal, navigate to your Azure key vault.

7. Select Settings > Secrets and select + Generate/Import.

   

8. Enter a name for the secret and for Value, type the newly created secret for the App registration. Select Create to complete.

   

9. If your key vault isn't connected to Microsoft Purview yet, you'll need to create a new key vault connection.

10. Now that your secret is created, in Microsoft Purview, go to the Credentials page under Management.

    Tip

    Alternatively, you can create a new credential during the scanning process.

11. Create your new Credential by selecting + New.

12. Provide required parameters:

    • Name: Provide a unique name for credential
    • Authentication method: Service principal
    • Tenant ID: Your Fabric tenant ID
    • Client ID: Use Service Principal Client ID (App ID) you created earlier
    • Key Vault Connection: the Microsoft Purview connection to the Key Vault where you created your secret earlier.
    • Secret name: the name of the secret you created earlier.

    

13. Once all the details have been filled in, select Create.

Delegated authentication

1. Create a user account in Microsoft Entra tenant and assign the user to Microsoft Entra role, Fabric Administrator. Take note of username and sign in to change the password.

2. Navigate to your Azure key vault.

3. Select Settings > Secrets and select + Generate/Import.

   

4. Enter a name for the secret and for Value, type the newly created password for the Microsoft Entra user. Select Create to complete.

   

5. If your key vault isn't connected to Microsoft Purview yet, you'll need to create a new key vault connection

6. Create an App Registration in your Microsoft Entra tenant. Provide a web URL in the Redirect URI.

   

7. Take note of Client ID(App ID).

   

8. From Microsoft Entra dashboard, select newly created application and then select API permissions. Assign the application the following delegated permissions, and grant admin consent for the tenant:

   • Fabric Service Tenant.Read.All
   • Microsoft Graph openid
   • Microsoft Graph User.Read

   

9. Under Advanced settings, enable Allow Public client flows.

10. Next, in Microsoft Purview, go to the Credentials page under Management to create a new credential.

    Tip

    Alternatively, you can create a new credential during the scanning process.

11. Create your new Credential by selecting + New.

12. Provide required parameters:

    • Name: Provide a unique name for credential
    • Authentication method: Delegated auth
    • Client ID: Use Service Principal Client ID (App ID) you created earlier
    • User name: Provide the username of Fabric Administrator you created earlier
    • Key Vault Connection: the Microsoft Purview connection to the Key Vault where you created your secret earlier.
    • Secret name: the name of the secret you created earlier.

    

13. Once all the details have been filled in, select Create.

Create scan

1. In the Microsoft Purview Studio, navigate to the Data map in the left menu.

2. Navigate to Sources.

3. Select the registered Fabric source.

4. Select + New scan.

5. Give your scan a name.

6. Select either your managed identity credential, or the credential you created for your service principal or delegated authentication.

   

7. Select Test Connection before continuing to next steps. If Test Connection failed, select View Report to see the detailed status and troubleshoot the problem.

   1. Access - Failed status means the user authentication failed. Scans using managed identity will always pass because no user authentication required. If using service principal or delegated authentication, make sure your Key Vault credential was correctly set up and that Microsoft Purview has access to the key vault.
   2. Assets (+ lineage) - Failed status means the Microsoft Purview - Fabric authorization has failed. Make sure the Microsoft Purview managed identity is added to the security group associated in Fabric admin portal.
   3. Detailed metadata (Enhanced) - Failed status means the Fabric admin portal is disabled for the following setting - Enhance admin APIs responses with detailed metadata

   Tip

   For more troubleshooting, see the deployment checklist to make sure you've covered every step in your scenario.

8. Set up a scan trigger. Your options are Recurring, and Once.

   

9. On Review new scan, select Save and run to launch your scan.

View your scans and scan runs

To view existing scans:

1. Go to the Microsoft Purview portal. On the left pane, select Data map.
2. Select the data source. You can view a list of existing scans on that data source under Recent scans, or you can view all scans on the Scans tab.
3. Select the scan that has results you want to view. The pane shows you all the previous scan runs, along with the status and metrics for each scan run.
4. Select the run ID to check the scan run details.

Manage your scans

To edit, cancel, or delete a scan:

1. Go to the Microsoft Purview portal. On the left pane, select Data Map.

2. Select the data source. You can view a list of existing scans on that data source under Recent scans, or you can view all scans on the Scans tab.

3. Select the scan that you want to manage. You can then:

   • Edit the scan by selecting Edit scan.
   • Cancel an in-progress scan by selecting Cancel scan run.
   • Delete your scan by selecting Delete scan.

Note

• Deleting your scan does not delete catalog assets created from previous scans.

Next steps

Now that you've registered your source, follow the below guides to learn more about Microsoft Purview and your data.

• Data Estate Insights in Microsoft Purview
• Search Data Catalog