...
| Version | Date | Description | Contributor |
|---|---|---|---|
| V0.1 | | Initial document | COLOMBANI Théo |
| V0.2 | | Added to the wiki | COLOMBANI Théo |
| V0.3 | | Added Shortcut-specific guidelines (section 4); added the authentication part to be set up (section 5) | COLOMBANI Théo |
Table of Contents
...
- API-based approaches require:
  - token management
  - permission configuration (e.g. Sites.Read.All; prefer the site-scoped Sites.Selected, see section 5)
...
4. Matrices
Synthesis

| Data type | Load target | Options |
|---|---|---|
| Files | Files | Shortcut / API (Notebook or Pipeline) |
| Files | Tables | Shortcut + transformation / API (Notebook or Pipeline) |
| SharePoint Lists | Tables | Mirroring / API (Notebook or Pipeline) |

Criteria

| Criteria | Shortcut (Files) | Shortcut + Transform (Tables) | Mirroring (Lists) | API via Notebook | API via Pipeline (Web / Copy) |
|---|---|---|---|---|---|
| Data movement | No copy (virtual access) | No copy (virtual + projection) | Physical copy (replication) | Physical copy | Physical copy |
| Latency / freshness | Near real-time (source-driven) | Near real-time | Near real-time sync (incremental) | Depends on orchestration | Depends on orchestration |
| Transformation capabilities | None | Limited | Limited | Full (Spark / code) | Limited (mapping / chaining) |
| Incremental / CDC logic | Not supported | Limited / implicit | Built-in incremental sync | Fully customizable | Manual implementation required |
| Handling complex structures | Limited (folder-based only) | Limited | Not applicable (structured only) | Strong capability | Moderate (complex via chaining) |
| Control over ingestion logic | None | Low | Low | Full | Medium |
| Operational complexity | Very low | Low | Low | High | Medium |
| Dependency on source availability | High | High | Low | Low (after ingestion) | Low (after ingestion) |
| Schema control / evolution | None | Limited | Limited | Full control | Medium control |
| Cost (compute / storage) | Low | Low | Free | Higher (compute + dev) | Medium (pipeline runs) |
| Supported data types | Files only | Files (JSON, CSV, PARQUET, EXCEL) (structured) | SharePoint Lists only | All (files + lists) | All (files + lists via API) |
...
4. Technical solutions (
...
recommended - SharePoint Shortcuts)
- P1 : SharePoint Shortcuts
  - Triggers on OneLake events? -> Trigger events do not work for shortcuts.
  - Either directly into the Silver Tables Lakehouse with automatic transformation to Delta (see Reference) -> .xlsx to Delta table newly working (previously only CSV worked)
  - or into the Files zone of the Lakehouse (CSV shortcut), then transformation to Silver tables
  - Prerequisites: a folder hierarchy for the files and a Service Principal (or Workspace Identity). One shortcut = one folder.
  - See also Limitations: https://learn.microsoft.com/en-us/fabric/onelake/create-onedrive-sharepoint-shortcut#limitations
- P2 : PowerQuery code through notebooks
- P3 : DataflowGen2
- P4 : Pipelines via API (doable in Azure)
Limitations
The following limitations apply to SharePoint shortcuts:
- OneLake doesn't support shortcuts to personal or on-premises SharePoint sites. Shortcuts can only connect to enterprise SharePoint sites and OneDrive for Business.
- Because of the Azure ACS retirement, Service Principal authentication will not work for SharePoint tenants created after Nov 1st, 2024. For such tenants only the other two shortcut authentication methods remain (Workspace Identity or organizational account), so check the tenant creation date before choosing the Service Principal pattern in section 5.
- SharePoint and OneDrive shortcuts are supported only at folder level, not at file level.
...
5. Security & Authentication Guide
SharePoint ↔ Microsoft Fabric (Shortcuts)
...
1. Authentication Overview
SharePoint / OneDrive shortcuts in Fabric support three authentication methods:
- Organizational account
- Workspace Identity
- Service Principal
This guide focuses on the two recommended enterprise (non-interactive) patterns:
- Workspace Identity: to use workspace identity authentication for OneDrive or SharePoint shortcuts, you need to grant your workspace identity access to the OneDrive or SharePoint site.
- Service Principal: to use service principal authentication, register an application in Microsoft Entra ID and create a client secret (or certificate). Then grant the service principal access to your SharePoint site using Microsoft Graph. The service principal needs at least read permission on the SharePoint site; read is also the most it should be given for a shortcut, which only reads the source.
...
2. Summary — Workspace Identity vs Service Principal

| Criteria | Workspace Identity | Service Principal |
|---|---|---|
| Definition | Fabric-managed identity (auto-created service principal) | Entra ID application identity |
| Credential management | Fully managed (no secrets) | Requires secret or certificate |
| Setup complexity | Low | Medium |
| Governance control | Limited to Fabric scope | Full control via Entra ID |
| SharePoint authorization | Requires explicit site access | Requires explicit site access |
| Security risk | Low (no credential exposure) | Medium (secret lifecycle) |
| Cross-platform usage | Limited | Strong (usable across services) |
| Lifecycle | Tied to workspace | Independent lifecycle |
| Recommended usage | Simplicity / low ops | Enterprise governance / control |
...
3. Workspace Identity
3.1 Description
A Workspace Identity is a Fabric-managed service principal automatically created and maintained by the platform.
It allows Fabric to authenticate to external systems (including SharePoint) without managing credentials.
...
3.2 Configuration Steps (Shortcut context)
- Create a Workspace Identity in Fabric
  - Workspace settings → Workspace Identity
  - Requires the workspace admin role
- Retrieve the identity in Entra ID
  - Same name as the workspace
  - Copy the Application ID
- Grant access to the SharePoint site
  - Add the identity to the site permissions
  - Minimum: read access
- Create the Shortcut
  - Select Workspace Identity as the authentication method
...
3.3 Best Practices
- Use Workspace Identity when supported by the connector
- Restrict access to specific SharePoint sites (least privilege); grant read only, since a shortcut never writes to the source
- Limit who can manage the workspace identity (admin role only)
- Monitor identity usage via Entra sign-in and audit logs
...
3.4 Limitations (important for design)
- Not supported in all connectors or scenarios
- Not compatible with cross-tenant access
- Lifecycle tied to workspace (deletion = identity loss)
- Limited governance outside Fabric
- Must be excluded from certain Conditional Access policies to function properly
...
4. Service Principal
4.1 Description
A Service Principal is a non-interactive identity registered in Microsoft Entra ID, used for application-to-application authentication.
It provides full control over permissions and lifecycle, making it suitable for enterprise scenarios.
...
4.2 Configuration Steps (Shortcut context)
- Create an App Registration in Entra ID
  - Generate:
    - Client ID
    - Client Secret or Certificate
- Assign API permissions
  - SharePoint / Graph permissions
  - Prefer Sites.Selected
- Grant access to the SharePoint site
  - Explicitly authorize the Service Principal
  - Required in addition to the API permissions
- Configure authentication in Fabric
  - Select Service Principal in the Shortcut
  - Provide the credentials
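The site-level grant is the step both procedures above share: the Workspace Identity steps in 3.2 (copy the Application ID, add it to the site permissions with read access) and the Service Principal steps in 4.2 (Sites.Selected plus explicit site authorization) both end with an application id being granted a role on one SharePoint site through Microsoft Graph (`POST /sites/{site-id}/permissions`). The script below is an added example written for this page, not code from the original document or from Microsoft; it uses only the Python standard library. It assumes a separate, hypothetical admin app (`admin` dict) that performs the grant and holds the Sites.FullControl.All application permission that the Graph "create permission" call requires; the tenant id, client id, secret, site name, application ids and the canned Graph responses in `RecordingTransport` are all constructed for the example. It also shows the check a practitioner wants afterwards: listing the site's permissions and flagging any role beyond `read` for the shortcut identity.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"

# A shortcut only reads the source: anything beyond "read" is over-privileged.
LEAST_PRIVILEGE_ROLES = {"read"}


def http_json(method, url, data=None, headers=None):
    """Default transport: live HTTP call, JSON response parsed into a dict."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials request for an app-only Graph token (form-encoded body)."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body, {"Content-Type": "application/x-www-form-urlencoded"}


def site_grant_body(app_id, app_display_name, roles=("read",)):
    """Body for POST /sites/{site-id}/permissions: the SharePoint-side authorization
    that Sites.Selected (or a workspace identity) needs on top of the Entra permission."""
    return {
        "roles": list(roles),
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": app_display_name}}
        ],
    }


def grant_site_access(admin, hostname, site_path, target_app_id, target_app_name,
                      roles=("read",), transport=http_json):
    """Grant target_app_id (workspace identity or service principal application id)
    the given roles on one site. `admin` describes the hypothetical admin app doing
    the grant (assumed to hold Sites.FullControl.All). Returns (site_id, permission)."""
    url, body, hdrs = token_request(admin["tenant_id"], admin["client_id"],
                                    admin["client_secret"])
    token = transport("POST", url, body, hdrs)["access_token"]
    auth = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

    # Resolve the site id from hostname + site path (e.g. contoso.sharepoint.com, finance).
    site = transport("GET", f"{GRAPH}/sites/{hostname}:/sites/{site_path}", None, auth)
    site_id = site["id"]

    grant = site_grant_body(target_app_id, target_app_name, roles)
    created = transport("POST", f"{GRAPH}/sites/{site_id}/permissions",
                        json.dumps(grant).encode(), auth)
    return site_id, created


def audit_site_permissions(permissions_page, app_id):
    """From a GET /sites/{site-id}/permissions page, return (roles held by app_id,
    roles beyond least privilege). Run this after granting, before trusting the grant."""
    roles = set()
    for perm in permissions_page.get("value", []):
        for ident in perm.get("grantedToIdentities", []):
            if ident.get("application", {}).get("id") == app_id:
                roles.update(perm.get("roles", []))
    return roles, roles - LEAST_PRIVILEGE_ROLES


class RecordingTransport:
    """Offline stand-in for http_json: returns constructed Graph responses (not captured
    from a real tenant) and records each request so the calls can be inspected."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, data=None, headers=None):
        self.calls.append((method, url, data, headers))
        if url.endswith("/oauth2/v2.0/token"):
            return {"access_token": "constructed-token", "token_type": "Bearer"}
        if method == "GET" and ":/sites/" in url:
            return {"id": "contoso.sharepoint.com,site-guid-constructed,web-guid-constructed"}
        if method == "POST" and url.endswith("/permissions"):
            return {"id": "perm-constructed", **json.loads(data)}
        raise ValueError(f"unexpected request {method} {url}")


if __name__ == "__main__":
    admin = {"tenant_id": "tenant-constructed", "client_id": "admin-app-constructed",
             "client_secret": "secret-constructed"}  # hypothetical admin app
    transport = RecordingTransport()
    site_id, created = grant_site_access(admin, "contoso.sharepoint.com", "finance",
                                         "fabric-ws-app-constructed", "fabric-ws",
                                         transport=transport)
    print("granted", created["roles"], "on", site_id)
    # Constructed permissions page with a stale extra "write" grant to the same app.
    page = {"value": [created, {"roles": ["write"], "grantedToIdentities":
                                [{"application": {"id": "fabric-ws-app-constructed"}}]}]}
    print("roles / excess:", audit_site_permissions(page, "fabric-ws-app-constructed"))
```

Swap `RecordingTransport` for the default `http_json` to run it against a tenant. The same `grant_site_access` call serves a Workspace Identity (pass the Application ID copied in step 3.2) and a Service Principal (pass the app registration's client id); in both cases keep `roles` at `read`, and treat a non-empty excess set from `audit_site_permissions` as a finding to fix before the shortcut goes live.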
...
4.3 Best Practices
- Use Sites.Selected instead of tenant-wide permissions
- Prefer certificate-based authentication over client secrets
- Store credentials in Azure Key Vault
- Rotate secrets regularly
- Use dedicated Service Principals per environment (Dev / Prod)
...
4.4 Limitations (important for design)
- Requires credential lifecycle management
- Higher setup complexity
- Risk of misconfiguration (permissions or secrets)
- Requires dual configuration:
- Entra ID permissions
- SharePoint site-level authorization
- SharePoint has its own authorization layer → API permission alone is not sufficient
...
5. Key Design Considerations
5.1 Authentication vs Authorization
- Authentication = identity (Workspace Identity / Service Principal)
- Authorization = access granted in SharePoint
Both must be configured correctly.
...
5.2 Choosing between Workspace Identity and Service Principal
Key decision drivers:
- Need for centralized governance → Service Principal
- Need for low operational overhead → Workspace Identity
- Need for cross-platform reuse → Service Principal
- Need for simplified setup → Workspace Identity
- SharePoint tenant created after Nov 1st, 2024 (Azure ACS retired) → Workspace Identity, since Service Principal authentication is not available for shortcuts on such tenants (see the Limitations in section 4)