Fabric items historically depend on an item's owner to access connections and enable certain item experiences. For example, SQL Analytics Endpoint delegated mode uses the Lakehouse item owner. This dependency causes items to stop working when the owner leaves the organization or when their credentials expire.
The Fabric UI provides a straightforward way to transfer ownership when remediation is needed. However, it does not remove the underlying dependency on a user principal, so the item can still be affected by future changes to that user principal.
To address this gap, Microsoft Fabric introduces identities associated with an item. Instead of depending on the owner, items in scope now use these associated identities.
- If an item was previously owned by a user, you can now update the associated identity to a Service Principal or Managed Identity.
- To automate identity updates for an item, users can now use APIs.
Items that support associated identities
Items listed below will use the associated identity for all purposes that the owner was previously used for, such as access to connections and more.
- Lakehouse
- Eventstream (except those using Azure or Fabric Events as a source)
These items now rely on an associated identity instead of the owner.
Benefits of associated identities
Using associated identities provides several improvements:
- You can assign a service principal or managed identity to an item that previously depended on a user identity.
- You can automate identity updates by using APIs instead of relying on manual ownership takeover.
Associate an identity with an item
You can associate an identity with an item during creation or after creation.
During item creation
- When you create an item, Fabric automatically assigns the calling identity as the item's associated identity.
- You can continue to use the existing Create Item API for this process.
After item creation
If an item was originally created by a user, you can update its associated identity to a service principal or a managed identity.
Use the following API to set the identity:
POST https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/items/{itemId}/identities/default/assign?beta=true
This would set the identity of the item and all its child items to the calling user.
Note
The calling identity must have Write permissions on the item and all its child items.
- Additional API documentation can be found here.
Sample Request
POST https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/items/{itemId}/identities/default/assign?beta=true
Content-Type: application/json
Sample Request body
{
"assignmentType": "Caller"
}
Response (202 Accepted). The operation is processed asynchronously. Check the operation status using the long‑running operation URL returned in the Location header.
Sample headers
The API starts a long-running operation. The response includes headers such as:
Location: https://api.fabric.microsoft.com/v1/operations/{operationId}
x-ms-operation-id: {operationId}
Retry-After: 5
Poll the Location URL to track progress.
Response (200 OK from long-running operation)
{
"assignmentStatus": [
{
"itemId": "db1b0-3af8-4b17-8e7e-663e61e3257",
"status": "Succeeded"
},
{
"itemId": "8eedb1b0-3af8-4b17-8e7e-663e61e12211",
"parentItemId": "db1b0-3af8-4b17-8e7e-663e61e3257",
"status": "Succeeded"
}
]
}
Important
When a child identity assignment fails, the operation stops. The response includes error details in the errorInfo property.
View the identity associated with an item
To view the identity associated with an item, you can do the following:
- As a user, you can use the Get and List Item APIs to view the identity associated with one or more items.
Sample GET
The following example uses the GET item API.
Request
GET https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/items/{itemId}?include=defaultIdentity
Sample response
{
"id": "bbbbbbbb-1111-2222-3333-aaaaaaaaaaaa",
"displayName": "Item 1",
"type": "Lakehouse",
"defaultIdentity": {
"id": "aaaabbbb-1111-2222-3333-aaaaaabbbbbb",
"type": "ServicePrincipal",
"displayName": "DefaultIdentityTest",
"servicePrincipalDetails": {
"aadAppId": "bbbbaaaa-1111-2222-3333-bbbbbbaaaaaa"
}
}
}
Sample LIST
- Use this API to retrieve all items in a workspace. When you specify include=defaultIdentity, each item includes its default identity.
Request
GET https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/items?include=defaultIdentity
Sample response
{
"value": [
{
"id": "cccccccc-1111-3333-2222-bbbbbbbbbbbb",
"displayName": "Lakehouse",
"description": "A lakehouse used by the analytics team.",
"type": "Lakehouse",
"workspaceId": "ccccbbbb-1111-2222-3333-ccccccbbbbbb",
"defaultIdentity": {
"id": "bbbbcccc-3333-2222-1111-bbbbbbcccccc",
"type": "User",
"displayName": "Jane Doe",
"userDetails": {
"userPrincipalName": "jane.doe@contoso.com"
}
}
}
]
}
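As an added example (not part of the original documentation), the following Python sketch audits a List Items response requested with include=defaultIdentity: it groups items by identity type and reports the items still bound to a user principal, which are the ones that stop working when that user leaves. The sample data, the leaver list, and the handling of items returned without a defaultIdentity object are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample in the shape of the List Items response above
# (ids, names and UPNs are invented for this example).
SAMPLE = {"value": [
    {"id": "item-1", "displayName": "SalesLakehouse", "type": "Lakehouse",
     "defaultIdentity": {"id": "u-1", "type": "User", "displayName": "Jane Doe",
                         "userDetails": {"userPrincipalName": "Jane.Doe@contoso.com"}}},
    {"id": "item-2", "displayName": "OpsLakehouse", "type": "Lakehouse",
     "defaultIdentity": {"id": "sp-1", "type": "ServicePrincipal",
                         "displayName": "fabric-automation",
                         "servicePrincipalDetails": {"aadAppId": "app-1"}}},
    {"id": "item-3", "displayName": "Clickstream", "type": "Eventstream",
     "defaultIdentity": {"id": "u-2", "type": "User", "displayName": "Sam Lee",
                         "userDetails": {"userPrincipalName": "sam.lee@contoso.com"}}},
    {"id": "item-4", "displayName": "Report", "type": "Report"},  # no identity returned
]}


def audit_identities(list_response):
    """Return (item ids grouped by identity type, details of user-bound items)."""
    by_type, user_bound = defaultdict(list), []
    for item in list_response.get("value", []):
        ident = item.get("defaultIdentity")
        # Assumption: items without a defaultIdentity object are bucketed as "None".
        kind = ident.get("type", "Unknown") if ident else "None"
        by_type[kind].append(item["id"])
        if kind == "User":
            upn = ident.get("userDetails", {}).get("userPrincipalName", "")
            user_bound.append({"itemId": item["id"], "name": item.get("displayName"),
                               "itemType": item.get("type"), "upn": upn})
    return dict(by_type), user_bound


def affected_by_leavers(user_bound, leaver_upns):
    """Item ids whose identity is a user on the leaver list (case-insensitive UPN match)."""
    leavers = {u.lower() for u in leaver_upns}
    return [i["itemId"] for i in user_bound if i["upn"].lower() in leavers]


if __name__ == "__main__":
    groups, users = audit_identities(SAMPLE)
    print("by identity type:", groups)
    for entry in users:
        print("user-bound:", entry)
    print("break on offboarding:", affected_by_leavers(users, ["jane.doe@contoso.com"]))
```

The user-bound list is the set of candidates for reassignment to a service principal or managed identity through the assign API described earlier.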
Admin GET API
The Admin Get item API can also be used to inventory identity assignments across workspaces.
GET https://api.fabric.microsoft.com/v1/admin/workspaces/{workspaceId}/items/{itemId}
Limitations
- Items associated with an Azure Managed Identity rely on the identity’s authentication tokens. Changes to token validity (such as when credentials are updated) may require the identity to be re-associated.
Known issues
- Attempting to call APIs to associate identities using the following URL, which includes the item type, may currently result in an error.
POST https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/lakehouses/{lakehouseId}/identities/default/assign?beta={beta}
FAQ
What are the different types of identities I can associate with an Item?
Currently, user principals, service principals, and managed identities are supported.
How many identities can I associate with an Item?
You can associate one identity with each item.
What will I see in the UI?
The identity that you set will appear as the owner of the item in item settings.