Connect to your Microsoft Fabric tenant from Microsoft Purview in a different tenant (Preview)

Important

Scanning a Microsoft Fabric tenant will bring in metadata and lineage from Fabric items including Power BI. The experience of registering a Fabric tenant and setting up a scan is similar to Power BI tenant and shared among all Fabric items. The scanning of Fabric items other than Power BI is currently in preview. The Supplemental Terms of Use for Microsoft Azure Previews include additional legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability.

This article outlines how to register a Microsoft Fabric tenant that's in a different tenant from your Microsoft Purview resource, and how to authenticate and interact with the Fabric source in Microsoft Purview. For more information about Microsoft Purview in general, read the introductory article.

Note

For scanning a Power BI tenant, see our Power BI documentation.

Supported capabilities

Metadata Extraction Full Scan Incremental Scan Scoped Scan Classification Labeling Access Policy Lineage Data Sharing Live view
Yes Yes Yes Yes No No No Yes No No
Experiences Fabric items Available in scan Available in live view (same tenant only)
Real-Time Analytics KQL Database Yes Yes
KQL Queryset Yes Yes
Data Science Experiment Yes Yes
ML model Yes Yes
Data Factory Data pipeline Yes Yes
Dataflow Gen2 Yes Yes
Data Engineering Lakehouse Yes Yes
Notebook Yes Yes
Spark Job Definition Yes Yes
SQL analytics endpoint Yes Yes
Data Warehouse Warehouse Yes Yes
Power BI Dashboard Yes Yes
Dataflow Yes Yes
Datamart Yes Yes
Semantic model (Dataset) Yes Yes
Report Yes Yes
Paginated report Yes

Supported scenarios for Fabric scans

Scenarios Microsoft Purview public access allowed/denied Fabric public access allowed /denied Runtime option Authentication option Deployment checklist
Public access with Azure IR Allowed Allowed Azure Runtime Delegated authentication / Service principal Review deployment checklist
Public access with Self-hosted IR Allowed Allowed SHIR or Kubernetes SHIR Service principal Review deployment checklist
Private access Denied Allowed Managed VNet IR (v2 only) Delegated authentication / Service principal Review deployment checklist

Note

The supported scenarios above apply for non-Power BI items in Fabric. See the Power BI documentation for supported scenarios applicable for Power BI items.

Known limitations

  • Currently for all Fabric items besides Power BI, only item level metadata and lineage will be scanned, scanning metadata and lineage of sub level items like Lakehouse tables or files isn't supported.
  • For self-hosted integration runtime, the standard self-hosted integration runtime with minimal version 5.40.8836.1 or Kubernetes supported self-hosted integration runtime is supported.
  • Empty workspaces are skipped.

Prerequisites

Before you start, make sure you have the following:

Authentication options

  • Service Principal
  • Delegated Authentication

Deployment checklist

The deployment checklist is a summary of all the steps you'll need to take to set up a cross-tenant Fabric source. You can use it during setup or for troubleshooting, to confirm you've followed all the necessary steps to connect.

Scan cross-tenant Fabric by using delegated authentication in a public network

  1. Make sure the Fabric tenant ID is entered correctly during the registration. By default, the Fabric tenant ID that exists in the same Microsoft Entra instance as Microsoft Purview will be populated.

  2. Make sure your Fabric metadata model is up to date by enabling metadata scanning.

  3. From the Azure portal, validate if the Microsoft Purview account network is set to public access.

  4. From the Fabric tenant admin portal, make sure the Fabric tenant is configured to allow a public network.

  5. Check your instance of Azure Key Vault to make sure:

    1. There are no typos in the password or secret.
    2. Microsoft Purview managed identity has get and list access to secrets.
  6. Review your credential to validate that the:

    1. Client ID matches the Application (Client) ID of the app registration.
    2. For delegated auth, username includes the user principal name, such as johndoe@contoso.com.
  7. In the Fabric Microsoft Entra tenant, validate the following Fabric admin user settings:

    1. The user is assigned to the Fabric administrator role.
    2. If the user is recently created, sign in with the user at least once, to make sure that the password is reset successfully, and the user can successfully initiate the session.
    3. There are no multifactor authentication or conditional access policies enforced on the user.
  8. In the Fabric Microsoft Entra tenant, validate the following app registration settings:

    1. The app registration exists in your Microsoft Entra tenant where the Fabric tenant is located.
    2. If service principal is used, under API permissions, the following delegated permissions are assigned with read for the following APIs:
      • Microsoft Graph openid
      • Microsoft Graph User.Read
    3. If delegated authentication is used, under API permissions, the following delegated permissions and grant admin consent for the tenant is set up with read for the following APIs:
      • Power BI Service Tenant.Read.All
      • Microsoft Graph openid
      • Microsoft Graph User.Read
    4. Under Authentication:
      1. Supported account types > Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant) is selected.
      2. Implicit grant and hybrid flows > ID tokens (used for implicit and hybrid flows) is selected.
      3. Allow public client flows is enabled.
  9. In Fabric tenant, from Microsoft Entra tenant, make sure Service Principal is member of the new security group.

  10. On the Fabric Tenant Admin portal, validate if Allow service principals to use read-only admin APIs is enabled for the new security group.

Register the Fabric tenant

  1. From the options on the left, select Data Map.

  2. Select Register, and then select Fabric as your data source.

    Screenshot that shows the list of data sources available to choose.

  3. Give your Fabric instance a friendly name. The name must be 3 to 63 characters long, and must contain only letters, numbers, underscores, and hyphens. Spaces aren't allowed.

  4. Edit the Tenant ID field, to replace with the tenant for the cross-tenant Fabric that you want to register and scan. By default, Microsoft Purview's tenant ID is populated.

    Screenshot that shows the registration experience for cross-tenant Fabric.

Authentication to scan

To be able to scan your Microsoft Fabric tenant and review its metadata, you'll first need to create a way to authenticate with the Fabric tenant, and then give Microsoft Purview the authentication information.

Authenticate to Fabric tenant

In Microsoft Entra tenant, where Fabric tenant is located:

  1. In the Azure portal, search for Microsoft Entra ID.

  2. Create a new security group in your Microsoft Entra ID, by following Create a basic group and add members using Microsoft Entra ID.

    Tip

    You can skip this step if you already have a security group you want to use.

  3. Select Security as the Group Type.

    Screenshot of security group type.

  4. Select Members, then select + Add members.

  5. Search for your Microsoft Purview managed identity or service principal and select it.

    Screenshot showing how to add catalog by searching for its name.

    You should see a success notification showing you that it was added.

    Screenshot showing successful addition of  catalog managed identity.

Associate the security group with Fabric tenant

  1. Log into the Fabric admin portal.

  2. Select the Tenant settings page.

    Important

    You need to be a Fabric Admin to see the tenant settings page.

  3. Select Admin API settings > Allow service principals to use read-only admin APIs.

  4. Select Specific security groups.

  5. Select Admin API settings > Enhance admin APIs responses with detailed metadata and Enhance admin APIs responses with DAX and mashup expressions > Enable the toggle to allow Microsoft Purview Data Map automatically discover the detailed metadata of Fabric datasets as part of its scans.

    Important

    After you update the Admin API settings on your Fabric tenant, wait around 15 minutes before registering a scan and test connection.

    Caution

    When you allow the security group you created to use read-only admin APIs, you also allow it to access the metadata (e.g. dashboard and report names, owners, descriptions, etc.) for all of your Fabric artifacts in this tenant. Once the metadata has been pulled into the Microsoft Purview, Microsoft Purview's permissions, not Fabric permissions, determine who can see that metadata.

    Note

    You can remove the security group from your developer settings, but the metadata previously extracted won't be removed from the Microsoft Purview account. You can delete it separately, if you wish.

Configure credentials for scans in Microsoft Purview

Service principal

  1. Create an app registration in your Microsoft Entra tenant where Fabric is located. Provide a web URL in the Redirect URI.

    Screenshot how to create App in Microsoft Entra ID for cross tenant.

  2. Take note of the client ID (app ID).

    Screenshot that shows how to create a service principle.

  3. From the Microsoft Entra dashboard, select the newly created application, and then select App permissions. Assign the application the following delegated permissions:

    • Microsoft Graph openid
    • Microsoft Graph User.Read

    Screenshot of delegated permissions on Microsoft Graph.

  4. From the Microsoft Entra dashboard, select the newly created application, and then select Authentication. Under Supported account types, select Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant).

    Screenshot of account type support multitenant.

  5. Under Implicit grant and hybrid flows, select ID tokens (used for implicit and hybrid flows).

    Screenshot of ID token hybrid flows.

  6. Under Advanced settings, enable Allow Public client flows.

  7. In the tenant where Microsoft Purview is created go to the instance of Azure Key Vault.

  8. Select Settings > Secrets, and then select + Generate/Import.

    Screenshot of the instance of Azure Key Vault.

  9. Enter a name for the secret. For Value, type the newly created secret for the App registration. Select Create to complete.

  10. Under Certificates & secrets, create a new secret and save it securely for next steps.

  11. In Azure portal, navigate to your Azure key vault.

  12. Select Settings > Secrets and select + Generate/Import.

    Screenshot how to navigate to Azure Key Vault.

  13. Enter a name for the secret and for Value, type the newly created secret for the App registration. Select Create to complete.

    Screenshot how to generate an Azure Key Vault secret for SPN.

  14. If your key vault isn't connected to Microsoft Purview yet, you need to create a new key vault connection.

  15. Next, in Microsoft Purview, go to the Credentials page under Management to create a new credential.

    Tip

    Alternatively, you can create a new credential during the scanning process.

  16. Create your new Credential by selecting + New.

  17. Provide required parameters:

    • Name: Provide a unique name for credential
    • Authentication method: Service principal
    • Tenant ID: Your Fabric tenant ID
    • Client ID: Use Service Principal Client ID (App ID) you created earlier
    • Key Vault Connection: the Microsoft Purview connection to the Key Vault where you created your secret earlier.
    • Secret name: the name of the secret you created earlier.

    Screenshot of the new credential menu, showing Fabric credential for SPN with all required values supplied.

  18. Once all the details have been filled in, select Create.

Delegated authentication

  1. Create a user account in the Microsoft Entra tenant where the Fabric tenant is located, and assign the user to this role: Fabric Administrator. Take note of the username and sign in to change the password.

  2. Go to the instance of Azure Key Vault in the tenant where Microsoft Purview is created.

  3. Select Settings > Secrets, and then select + Generate/Import.

    Screenshot of the instance of Azure Key Vault.

  4. Enter a name for the secret. For Value, type the newly created password for the Microsoft Entra user. Select Create to complete.

    Screenshot that shows how to generate a secret in Azure Key Vault.

  5. If your key vault isn't connected to Microsoft Purview yet, you need to create a new key vault connection.

  6. Create an app registration in your Microsoft Entra tenant where Fabric is located. Provide a web URL in the Redirect URI.

    Screenshot how to create App in Microsoft Entra ID for cross tenant.

  7. Take note of the client ID (app ID).

    Screenshot that shows how to create a service principle.

  8. From the Microsoft Entra dashboard, select the newly created application, and then select App permissions. Assign the application the following delegated permissions, and grant admin consent for the tenant:

    • Fabric Service Tenant.Read.All
    • Microsoft Graph openid
    • Microsoft Graph User.Read

    Screenshot of delegated permissions on Fabric and Microsoft Graph.

  9. From the Microsoft Entra dashboard, select the newly created application, and then select Authentication. Under Supported account types, select Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant).

    Screenshot of account type support multitenant.

  10. Under Implicit grant and hybrid flows, select ID tokens (used for implicit and hybrid flows).

    Screenshot of ID token hybrid flows.

  11. Under Advanced settings, enable Allow Public client flows.

  12. Next, in Microsoft Purview, go to the Credentials page under Management to create a new credential.

    Tip

    Alternatively, you can create a new credential during the scanning process.

  13. Create your new Credential by selecting + New.

  14. Provide required parameters:

    • Name: Provide a unique name for credential
    • Authentication method: Delegated auth
    • Client ID: Use Service Principal Client ID (App ID) you created earlier
    • User name: Provide the username of Fabric Administrator you created earlier
    • Key Vault Connection: the Microsoft Purview connection to the Key Vault where you created your secret earlier.
    • Secret name: the name of the secret you created earlier.

    Screenshot of the new credential menu, showing Fabric credential for Delegated Auth with all required values supplied.

  15. Once all the details have been filled in, select Create.

Create scan

  1. In the Microsoft Purview Studio, go to the Data map in the left menu. Go to Sources.

  2. Select the registered Fabric source from cross-tenant.

  3. Select + New scan.

  4. Give your scan a name. Then select the option to include or exclude the personal workspaces.

    Note

    If you switch the configuration of a scan to include or exclude a personal workspace, you trigger a full scan of the Fabric source.

  5. Select Azure AutoResolveIntegrationRuntime from the dropdown list.

  6. For the Credential, select the credential you created for your service principal or delegated authentication.

    Screenshot that shows the Fabric scan setup, using Azure integration runtime for cross-tenant.

  7. Select Test connection before continuing to the next steps.

    If the test fails, select View Report to see the detailed status and troubleshoot the problem:

    1. Access - Failed status means that the user authentication failed. Validate if the username and password are correct. Review if the credential contains the correct client (app) ID from the app registration.
    2. Assets (+ lineage) - Failed status means that the authorization between Microsoft Purview and Fabric has failed. Make sure that the user is added to the Fabric administrator role.
    3. Detailed metadata (Enhanced) - Failed status means that the Fabric admin portal is disabled for the following setting: Enhance admin APIs responses with detailed metadata.

    Tip

    For more troubleshooting, see the deployment checklist to make sure you've covered every step in your scenario.

  8. Set up a scan trigger. Your options are Recurring or Once.

    Screenshot of the Microsoft Purview scan scheduler.

  9. On Review new scan, select Save and run to launch your scan.

View your scans and scan runs

To view existing scans:

  1. Go to the Microsoft Purview portal. On the left pane, select Data map.
  2. Select the data source. You can view a list of existing scans on that data source under Recent scans, or you can view all scans on the Scans tab.
  3. Select the scan that has results you want to view. The pane shows you all the previous scan runs, along with the status and metrics for each scan run.
  4. Select the run ID to check the scan run details.

Manage your scans

To edit, cancel, or delete a scan:

  1. Go to the Microsoft Purview portal. On the left pane, select Data Map.

  2. Select the data source. You can view a list of existing scans on that data source under Recent scans, or you can view all scans on the Scans tab.

  3. Select the scan that you want to manage. You can then:

    • Edit the scan by selecting Edit scan.
    • Cancel an in-progress scan by selecting Cancel scan run.
    • Delete your scan by selecting Delete scan.

Note

  • Deleting your scan does not delete catalog assets created from previous scans.

Next steps

Now that you've registered your source, see the following guides to learn more about Microsoft Purview and your data.