Microsoft 365 Message Center Archive

MC1102778 - Microsoft Fabric: Removing default contributor access for Workspace Identity

Message ID

MC1102778

View in Message Center

Service

Power BI

Last Updated

Jul 23, 2025

Published Jun 25, 2025

Tag

Major change
Updated message
Feature update
User impact
Admin impact

Summary

Microsoft Fabric will remove default Contributor access from Workspace Identities starting late July 2025 to enhance security. Existing and new Workspace Identities will no longer have this access by default. Admins can manually assign roles via RBAC. No action is required before rollout, but review current configurations.

More information

Updated July 23, 2025: We have updated the timeline. Thank you for your patience.

To strengthen security and align with customer feedback, Microsoft Fabric is updating how Workspace Identity permissions are handled. This change removes default Contributor access from Workspace Identities, reducing the risk of unintended access or misuse. This change will be on by default.

When this will happen:

General Availability (Worldwide): We will begin rolling out late July 2025 (previously mid-July) and expect to complete by early August 2025.

How this will affect your organization:

After this rollout, new Workspace Identities will no longer be granted default Contributor permissions.

We will also remove the default Contributor access from existing Workspace Identities.

Important: Modifying the application associated with a Workspace Identity is not supported and may cause the identity to stop functioning.

You can still manually assign Workspace Identity service principals to any workspace role (such as Contributor, Member) using role-based access control (RBAC). However, be aware that anyone with access to the identity can assume it.

To access this change:

  1. Navigate to the Fabric Workspace where you want to add RBAC role.
  2. Select Manage Access.
  3. Select Add people or groups.
  4. Enter the name of the Workspace identity (same as Workspace Name).
  5. Assign roles as appropriate.

NOTE: After this rollout, admins can still add Workspace identity service principles to any workspace RBAC role if needed. Consider the implications if you plan on doing so, as any individual given access to the identity—example through workspace roles such as member or contributor—is allowed to assume the identity. Learn more: Workspace identity - Microsoft Fabric | Microsoft Learn

What you need to do to prepare:

This rollout will happen automatically by the specified dates with no admin action required before the rollout. Review your current Workspace Identity configurations and evaluate whether any existing workflows rely on default Contributor access. You may want to notify your admins and/or users about this change and update internal documentation.