Failed Connection Scanning Fabric Lakehouse Behind Private Endpoint into Purview via Managed VNet IR and Service Principal

Question

Failed Connection Scanning Fabric Lakehouse Behind Private Endpoint into Purview via Managed VNet IR and Service Principal

Abdelrahman Eid 40

Good day

We are setting up a POC and we are trying to scan Fabric Lakehouse metadata into Microsoft Purview.

Fabric is on the same tenant as Purview and is behind a private endpoint (Fabric is only accessible through jumpbox). Even though we followed each step in the deployment checklist (using Managed VNet IR + Service Principal), we are unable to make a successful connection: User's image

We even tried adding Purview's Managed Identity to the security group as the documentation suggested (even though we are using Service Principal as the authentication method), but that did not change the result.

Note that before setting Fabric to private, we were able to scan it successfully through the Managed VNet IR usign the same Service Principal so, the authentication is fine.

Since usually in such cases (i.e., trying to scan sources behind a private endpoint), we would set up a Managed Private Endpoint, we tried to create a Managed Private Endpoint (even though it's not mentioned any where in the deployment checklist). However, when creating a Managed Private Endpoint, there's no option for Fabric even though Managed VNet V2 should support Fabric as per the documentation.

We would appreciate any guidance as to how to accomplish this connection.

Thanks in advance!

Abdelrahman Eid 40 Reputation points

2025-04-28T17:59:18.4766667+00:00

Hi @J N S S Kasyap

Thanks for your answer.

That means this documentation is completely incorrect. Since it explicitly lists Managed VNet IR (and only Managed VNet IR) as the option to scan Fabric in the scenario of private Fabric.

I hope that the documentation pages are edited to reflect the actual requirements since we spent long time trying to make the setup works because we believed it is accurate.

Thanks again. We will try the SHIR method and hope it works.

Edit: We managed to scan the Fabric Lakehouse successfully using the Self-Hosted IR.
J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-04-29T16:25:28.1633333+00:00

@Abdelrahman Eid
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Abdelrahman Eid 40 Reputation points

2025-04-29T17:57:30.5366667+00:00

Hello @J N S S Kasyap

We have tried the Self-Hosted Integration Runtime and were able to successfully scan a Fabric Lakehouse that is behind a private endpoint.

Thank you for your help.

Accepted answer

0 additional answers

Your answer

Abdelrahman Eid 40 Reputation points

2025-04-28T17:59:18.4766667+00:00

Hi @J N S S Kasyap

Thanks for your answer.

That means this documentation is completely incorrect. Since it explicitly lists Managed VNet IR (and only Managed VNet IR) as the option to scan Fabric in the scenario of private Fabric.

I hope that the documentation pages are edited to reflect the actual requirements since we spent long time trying to make the setup works because we believed it is accurate.

Thanks again. We will try the SHIR method and hope it works.

Edit: We managed to scan the Fabric Lakehouse successfully using the Self-Hosted IR.
J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-04-29T16:25:28.1633333+00:00

@Abdelrahman Eid
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Abdelrahman Eid 40 Reputation points

2025-04-29T17:57:30.5366667+00:00

Hello @J N S S Kasyap

We have tried the Self-Hosted Integration Runtime and were able to successfully scan a Fabric Lakehouse that is behind a private endpoint.

Thank you for your help.

Answer 1

Hi @Abdelrahman Eid
To scan your Fabric Lakehouse behind a private endpoint into Microsoft Purview, you should use a Self-hosted Integration Runtime (IR) instead of the Managed VNet IR. Currently, Purview’s Managed VNet IR cannot reach Fabric resources secured behind private endpoints, and Fabric is not yet available as a target for creating Managed Private Endpoints.

Here’s the recommended approach:

Self-hosted Integration Runtime

Install and configure a Self-hosted IR on a VM or jumpbox within the same virtual network as Fabric.

Ensure the IR is updated to version 5.9.7885.3 or higher.

Network Configuration

Verify that the Self-hosted IR can resolve the Fabric Lakehouse’s private DNS name and connect to it.

Ensure firewall and NSG rules allow outbound traffic from the IR to necessary Purview endpoints.

Authentication (Service Principal)

Your Service Principal setup is correct, as it worked before the Fabric workspace was privatized.

Ensure the Service Principal continues to have necessary permissions on Fabric resources.

I hope this information helps. Please do let us know if you have any further queries.

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

Thank you.

J N S S Kasyap 1,715 Reputation points Microsoft External Staff

2025-04-29T18:08:46.22+00:00

@Abdelrahman Eid
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

Failed Connection Scanning Fabric Lakehouse Behind Private Endpoint into Purview via Managed VNet IR and Service Principal

0 additional answers

Your answer