A change to the Lakehouse security. · Learn Microsoft Fabric

A change to the Lakehouse security.

Hi all, came across a challenge in Fabric in my organization and curious if others are seeing the same thing.

Lakehouses created in autumn 2024 or later seem to behave differently when it comes to access control. Previously, we were able to grant users either Read or ReadAll permissions on the Lakehouse and its SQL endpoint, which allowed them to access the SQL endpoint, the default semantic model, and query the data via Power BI Desktop. This setup worked well and allowed us to give access at the Lakehouse level without exposing the whole workspace.

However, for newer Lakehouses, this no longer seems to work. Users with the same permissions can no longer access the SQL endpoint or the default semantic model from Power BI Desktop. The only workaround we’ve found is giving them Viewer access to the entire workspace, which also gives access to all other lakehouses/items in the workspace, not ideal from a security and governance standpoint.

We also experimented with enabling RBAC on the Lakehouse and assigning access that way, but it didn’t help in this case since it doesn't apply to the SQL endpoint today. Our assumption was that this might be related to the gradual rollout of Microsoft’s broader OneLake security model, and possibly tied to the private preview functionality around more granular access control. With Monday's announcements on User identity mode / Delegated identity mode (link: Fabric March 2025 Feature Summary | Microsoft Fabric Blog | Microsoft Fabric) I'm convinced our first lakehouse is in "Delegated Identity" and our newer is in "User's identity" mode and there's no option to change it today and the functionality that User's identity mode is supposed to bring just isn't there today so it's not any good.

I guess I'm just curious if anyone has the same issue or not, I don't see any discussions about this not working online and I'm wondering if we're the only ones using a lakehouse this way? Feels like Microsoft rolled this change out randomly multiple months before it was done...

Thanks!

1 comment