fix: Improve RBAC setup reliability using FabricWorkspaceId for OneLake indexing (BYO support & enhanced logging)#141
Merged
Roopan-Microsoft merged 5 commits intomicrosoft:devfrom Apr 28, 2026
Conversation
- Add scripts/validate-prerequisites.ps1 to check tool versions, git submodules, Azure auth, azd environment config, subscription alignment, and Fabric/Purview feature readiness before deployment - Add .env.example as a documented reference of all environment variables used by azd and infra/main.bicepparam (not auto-loaded by azd) - Add docs/local_development.md with step-by-step local setup guide, deployment instructions, troubleshooting, and recommended first-run config - Update .devcontainer/devcontainer.json with postCreateCommand to auto-init submodules and run prerequisite validation on container creation - Update README.md to reference the new local development guide Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The RBAC script resolved workspace name from desiredFabricWorkspaceName before FABRIC_WORKSPACE_NAME. In BYO mode these differ, causing the Fabric API lookup to fail silently and skip the Contributor role grant. The OneLake indexer then fails with 'access to the workspace was denied'. Changes: - 01_setup_rbac.ps1: Prefer FABRIC_WORKSPACE_NAME over desiredFabricWorkspaceName. Resolve FABRIC_WORKSPACE_ID and pass it. - setup_ai_services_rbac.ps1: Accept -FabricWorkspaceId parameter. Use it directly for role assignment, skip displayName lookup. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…elopment.md to origin/dev state Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Harmanpreet-Microsoft
requested review from
Avijit-Microsoft,
Prajwal-Microsoft,
Roopan-Microsoft,
Vinay-Microsoft,
aniaroramsft,
dgp10801 and
toherman-msft
as code owners
Harmanpreet-Microsoft
changed the title
Roopan-Microsoft
approved these changes
Apr 28, 2026
|
🎉 This PR is included in version 1.4.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Purpose
This pull request improves the reliability of RBAC (Role-Based Access Control) setup for OneLake indexing by supporting direct use of the Fabric workspace ID, which is especially important for "bring your own" (BYO) workspace scenarios where the display name may not be unique or reliable. The changes ensure that the workspace ID is preferred and passed through all relevant scripts, reducing the risk of misconfiguration due to display name mismatches. Additionally, the logging and error messages have been enhanced to provide better diagnostics.
Fabric workspace identification and RBAC setup improvements:
FabricWorkspaceId(if available) over the display name for RBAC assignment, supporting more robust and less error-prone workspace identification, especially in BYO scenarios. (01_setup_rbac.ps1,setup_ai_services_rbac.ps1) [1] [2] [3]FabricWorkspaceIdis passed as a parameter tosetup_ai_services_rbac.ps1and used directly for role assignment, bypassing the need for a potentially fragile display name lookup. (01_setup_rbac.ps1,setup_ai_services_rbac.ps1) [1] [2] [3]01_setup_rbac.ps1,setup_ai_services_rbac.ps1) [1] [2] [3]setup_ai_services_rbac.ps1) [1] [2]01_setup_rbac.ps1)These changes make the RBAC setup process more reliable and transparent, especially in complex or BYO workspace environments.
Does this introduce a breaking change?
Golden Path Validation
Deployment Validation
What to Check
Verify that the following are valid
Other Information