Microsoft 365 Message Center Archive

MC1102778 - Microsoft Fabric: Removing default contributor access for Workspace Identity

Message ID

MC1102778

View in Message Center

Service

Power BI

Published

Jun 25, 2025

Tag

Major change
Feature update
User impact
Admin impact

Summary

Microsoft Fabric is removing default Contributor access for Workspace Identities to enhance security. This change will be rolled out from mid-July to early August 2025. Admins can still manually assign roles using RBAC. Review and update your configurations and notify relevant personnel. Learn more [here](https://learn.microsoft.com/fabric/security/workspace-identity).

More information

To strengthen security and align with customer feedback, Microsoft Fabric is updating how Workspace Identity permissions are handled. This change removes default Contributor access from Workspace Identities, reducing the risk of unintended access or misuse. This change will be on by default.

When this will happen:

General Availability (Worldwide): We will begin rolling out mid-July 2025 and expect to complete by early August 2025.

How this will affect your organization:

After this rollout, new Workspace Identities will no longer be granted default Contributor permissions.

We will also remove the default Contributor access from existing Workspace Identities.

Important: Modifying the application associated with a Workspace Identity is not supported and may cause the identity to stop functioning.

You can still manually assign Workspace Identity service principals to any workspace role (such as Contributor, Member) using role-based access control (RBAC). However, be aware that anyone with access to the identity can assume it.

To access this change:

  1. Navigate to the Fabric Workspace where you want to add RBAC role.
  2. Select Manage Access.
  3. Select Add people or groups.
  4. Enter the name of the Workspace identity (same as Workspace Name).
  5. Assign roles as appropriate.

NOTE: After this rollout, admins can still add Workspace identity service principles to any workspace RBAC role if needed. Consider the implications if you plan on doing so, as any individual given access to the identity—example through workspace roles such as member or contributor—is allowed to assume the identity. Learn more: Workspace identity - Microsoft Fabric | Microsoft Learn

What you need to do to prepare:

This rollout will happen automatically by the specified dates with no admin action required before the rollout. Review your current Workspace Identity configurations and evaluate whether any existing workflows rely on default Contributor access. You may want to notify your admins and/or users about this change and update internal documentation.