M365 Changelog: Microsoft Fabric: New tenant settings for short-lived user-delegated SAS tokens (Preview) – Aug 26, 2024

Summary

Microsoft Fabric introduces new settings for short-lived user-delegated SAS tokens, enhancing security for applications using Microsoft OneLake. Public Preview begins late September 2024, with settings available in late August. Admins can control token generation and workspace admins manage token acceptance. Tokens have a one-hour lifetime and require an Entra ID. Preparation involves reviewing settings and deciding on enabling features.

MC873746 – Coming soon for Microsoft Fabric: Two new settings in the Fabric Admin portal that are designed to enhance security and flexibility for applications interacting with Microsoft OneLake.

When this will happen:

Public Preview: Microsoft will begin rolling out late September 2024 and expect to complete by late September 2024. You can start saving your settings in late August 2024.

When the General Availability release timeline is known, Microsoft will update you.

How this will affect your organization:

Before this rollout: Users could not generate SAS tokens in OneLake.

After this rollout: Admins will have support for short-lived user-delegated OneLake shared access signature (SAS) tokens in public preview. This functionality allows applications to request a user delegation key backed by a Microsoft Entra ID, which can then be used to build a OneLake SAS token. This token can be handed off to provide delegated access to another tool, node, or user, ensuring secure and controlled access. OneLake SAS tokens are constructed and used similarly to Azure Storage SAS tokens, with a few key differences:

  • OneLake user delegation keys and SAS tokens cannot exceed a lifetime of one hour.
  • OneLake SAS tokens are always user delegated and must be backed by an Entra ID.
  • OneLake SAS can only grant access to data items in Fabric.

The usage of OneLake SAS in a Fabric tenant is controlled by two tenant switches:

  1. A switch managed by tenant admins that controls the generation of OneLake SAS tokens
  2. A switch automatically delegated to workspace admins that controls the acceptance of OneLake SAS tokens

Both switches must be turned on to allow the use of OneLake SAS in a workspace.

Scenarios supported by SAS

Delegated access with SAS tokens allows applications without native support for Microsoft Entra to gain temporary access to specific folders or files in OneLake. SAS tokens are commonly used for data integration workloads by granting external engines temporary permissions to write data to a staging location. Many ISVs also use SAS tokens to grant their users temporary scoped-down access to their data.

New tenant settings

1. Use Short-lived user-delegated SAS tokens (Preview):

  • Default Status: ON
  • This setting allows the creation of short-lived user-delegated SAS tokens by turning on the user delegation key API for the entire tenant.

2. Authenticate with OneLake user-delegated SAS tokens (Preview):

  • Default Status: OFF
  • This setting enables authentication using OneLake user-delegated SAS tokens. This setting is automatically delegated to workspace admins, allowing them to decide whether their workspace will accept OneLake SAS as a valid authentication method.

What you need to do to prepare:

1. Review and decide on settings:

  • Use short-lived user-delegated SAS tokens: As this setting is turned ON by default, please review its implications and decide if it should remain enabled for your organization.
  • Authenticate with OneLake user-delegated SAS tokens: This setting is OFF by default, and workspace admins will be able to enable this feature. Evaluate its potential benefits and determine if you would like to enable it automatically for all workspaces.

2. Action for tenant admins:

  • In late September 2024, OneLake SAS will be available in public preview. If no actions are taken on the tenant setting, workspace admins will be able to turn ON OneLake SAS authentication for their workspace. Note that Authenticate with OneLake user-delegated SAS tokens is automatically delegated to workspace admins. If you prefer not to have these features available for your organization, please turn OFF the Use short-lived user-delegated SAS tokens setting in Fabric before late September 2024. This will disable OneLake SAS generation for your tenant, ensuring OneLake SAS cannot be used, regardless of the workspace admins setting.
  • Workspace admins will be able to enable authentication with SAS tokens for their workspaces if no action is taken by tenant admins.
  • Microsoft encourages you to assess these new settings and make any necessary changes to align with your organization’s security and access control policies.

If you have any questions or need further assistance, please do not hesitate to contact our support team.

This rollout will happen automatically by the specified dates with no admin action required before the rollout. You may want to notify your admins about this change and update any relevant documentation.

Explore Microsoft Fabric documentation. Before rollout, Microsoft will update this post with links to new documentation.