Microsoft Fabric introduces new settings for short-lived user-delegated SAS tokens, enhancing security for applications using Microsoft OneLake. Public Preview begins late September 2024, with settings available in late August. Admins can control token generation and workspace admins manage token acceptance. Tokens have a one-hour lifetime and require an Entra ID. Preparation involves reviewing settings and deciding on enabling features.
MC873746 – Coming soon for Microsoft Fabric: Two new settings in the Fabric Admin portal that are designed to enhance security and flexibility for applications interacting with Microsoft OneLake.
When this will happen:
Public Preview: Microsoft will begin rolling out late September 2024 and expect to complete by late September 2024. You can start saving your settings in late August 2024.
When the General Availability release timeline is known, Microsoft will update you.
How this will affect your organization:
Before this rollout: Users could not generate SAS tokens in OneLake.
After this rollout: Admins will have support for short-lived user-delegated OneLake shared access signature (SAS) tokens in public preview. This functionality allows applications to request a user delegation key backed by a Microsoft Entra ID, which can then be used to build a OneLake SAS token. This token can be handed off to provide delegated access to another tool, node, or user, ensuring secure and controlled access. OneLake SAS tokens are constructed and used similarly to Azure Storage SAS tokens, with a few key differences:
The usage of OneLake SAS in a Fabric tenant is controlled by two tenant switches:
Both switches must be turned on to allow the use of OneLake SAS in a workspace.
Scenarios supported by SAS
Delegated access with SAS tokens allows applications without native support for Microsoft Entra to gain temporary access to specific folders or files in OneLake. SAS tokens are commonly used for data integration workloads by granting external engines temporary permissions to write data to a staging location. Many ISVs also use SAS tokens to grant their users temporary scoped-down access to their data.
New tenant settings
1. Use Short-lived user-delegated SAS tokens (Preview):
2. Authenticate with OneLake user-delegated SAS tokens (Preview):
What you need to do to prepare:
1. Review and decide on settings:
2. Action for tenant admins:
If you have any questions or need further assistance, please do not hesitate to contact our support team.
This rollout will happen automatically by the specified dates with no admin action required before the rollout. You may want to notify your admins about this change and update any relevant documentation.
Explore Microsoft Fabric documentation. Before rollout, Microsoft will update this post with links to new documentation.
Previous Power BI Changelog Messages
Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.