Fabric external data sharing
Fabric external data sharing
External data sharing
External data sharing in Fabric refers to sharing data across organizational boundaries (cross-tenant), or enabling internal users or systems to consume data without relying on Microsoft Entra-based authentication. Both approaches are designed to support secure, scalable, and flexible data exchange — whether across tenants or within environments that require non-interactive access.
Consume data without Entra authentication
Non-Entra-based authentication is often needed for systems that operate outside the interactive user model. These systems typically require credential-based or token-based access that can be embedded in scripts or automation pipelines. Using service principals or API keys allows secure, programmatic access.
Service Principals to get data from Lakehouse
Service Principals (SPNs) are used to facilitate data access for internal users who require non-Entra-based authentication, as well as for external applications or consumers. By using SPN credentials, authorised systems can programmatically access data from designated Lakehouses. Since this method bypasses interactive sign-in, it is well-suited for automation, third-party tools, and cross-tenant scenarios.
Setting up SPN — step by step
🔧 Step 1 — Register the Service Principal in Microsoft Entra ID
- Go to the Microsoft Entra admin centre (formerly Azure AD portal).
- Navigate to App registrations → New registration.
- Provide a name for the SPN (e.g., LakehouseDataConsumer-SPN).
- Set the Supported account type to "Accounts in this organisational directory only".
🔧 Step 2 — Use the credentials
A user or client tool can authenticate with a Lakehouse using a Service Principal by providing the client ID, tenant ID, and client secret. Once authenticated, data can be consumed programmatically. In Python, this is commonly done using the pyodbc library along with the appropriate ODBC driver for SQL Server.
SPNs used for external sharing
| SPN | Used for |
|---|---|
| Fabric Odoo Reader | Used by the service provider to get data from Lakehouse into Odoo. |
| Fabric AI Reader | Used for providing data for AI use cases internally. |
Additional levels of security
- No workspace access — SPNs do not have a workspace role. They cannot view items in the workspace.
- Access restricted to Lakehouse — SPN can access only shared_data_lh Lakehouse, which is dedicated for external sharing.
- Access restricted using security role — Security roles further restrict which schemas/objects the SPN can read.
API for GraphQL
The API for GraphQL in Microsoft Fabric is a native item type that lets us expose structured data from Fabric sources — Lakehouses, Warehouses, Mirrored Databases — through a GraphQL endpoint. It provides a flexible, schema-aware way to query only the fields needed, ideal for client applications.
How it works
In an API for GraphQL item, you configure which tables to expose — such as those from the shared_data_lh Lakehouse. These tables can then be queried using GraphQL syntax through the API's endpoint. To access the endpoint programmatically, the query must be authenticated using Service Principal (SPN) credentials.
Disadvantages of API for GraphQL
- Not for bulk extraction — GraphQL is designed for precision querying, not bulk extraction. Large result sets can lead to performance bottlenecks, timeouts, or throttling.
- Pagination is supported but inefficient for high-throughput data pipelines.
- Microsoft's GraphQL implementation does not yet offer the full GraphQL feature set used in other platforms.
API for GraphQL items in telefabric
| Item | Purpose |
|---|---|
| api_odoo_sharing | Provides data from the sdminvoice table to Odoo. |
| api_sharing_dev | Used for testing internally. Hosted in the Fabric_Dev workspace. |
Additional levels of security
- No Lakehouse access — SPNs do not have direct access to a Lakehouse.
- Access restricted to endpoint — SPN can access only the endpoint of the API for GraphQL item.
- Access restricted using security role — API-for-GraphQL items can be restricted to query from specific schemas and objects only.
Comparison: SPN vs. API for GraphQL
| Aspect | Service Principal (direct Lakehouse) | API for GraphQL |
|---|---|---|
| Access target | Full Lakehouse (Tables / SQL endpoint) | Single GraphQL endpoint |
| Authentication | SPN credentials + ODBC driver | SPN credentials via HTTP |
| Best for | Programmatic / bulk reads | Precision queries from client apps |
| Granularity | Schema- and table-level | Field-level via GraphQL schema |
| Drawback | Requires direct Lakehouse permission | Not suited for bulk extraction |
| Used in SPL by | Fabric Odoo Reader, Fabric AI Reader | api_odoo_sharing, api_sharing_dev |
flowchart LR
EXT[External system
Odoo / AI consumer]
SPN[Service Principal
SPN credentials]
EXT -->|"Approach A:
SPN + ODBC"| LH[(shared_data_lh
Lakehouse)]
EXT -->|"Approach B:
GraphQL endpoint"| GQL[API for GraphQL]
GQL -.->|"reads from"| LH
SPN -.->|grants access| LH
SPN -.->|grants access| GQL
classDef ext fill:#e3f2fd,stroke:#1976d2,stroke-width:1px
classDef spn fill:#fff3cd,stroke:#b85c00,stroke-width:1px
classDef lh fill:#f4a261,stroke:#b85c00,stroke-width:1px,color:#000
classDef gql fill:#c8e6c9,stroke:#2e7d32,stroke-width:1px
class EXT ext
class SPN spn
class LH lh
class GQL gql
Related pages
- Fabric (Hub)
- Fabric security for admins
- Fabric Gold Lakehouse — no shortcuts; tighter access control
Verwandte Themen
Automatisch vorgeschlagen über gemeinsame Tags (fabric, anleitung):
- Fabric Data Pipelines
- Fabric Dataflows
- Fabric Excel Ingestion
- FAQ
- List of notebooks in use
- Fabric Notebooks
Status: Migriert — Team-Review ausstehend · Owner: (festlegen) · Letzter Review: 2026-06-11