Microsoft Fabric - Send Assets to Lakehouse

Microsoft Fabric - Send Assets to Lakehouse uses Microsoft Fabric to send assets from Axonius to OneLake and from OneLake to Lakehouse for:

Assets returned by the selected query or assets selected on the relevant asset page.

See Creating Enforcement Sets to learn more about adding Enforcement Actions to Enforcement Sets.

Note:

Not all asset types are supported for all Enforcement Actions.
- See Actions supported for Activity Logs, Adapters Fetch History, and Asset Investigation modules.
- See Actions supported for Vulnerabilities.
- See Actions supported for Software.

Before You Begin

To successfully run the Enforcement Set, follow these steps first. Also refer to Required Permissions.

Create a Fabric Capacity in the Azure Portal.
Create a Workspace in the Fabric Capacity.
Under Workspace Settings > License Info, link it to Fabric capacity license.
Under Manage Access, add the name of the app used for the adapter (Microsoft Azure of Entra ID) in Axonius.
In the Microsoft Fabric Admin Portal, navigate to Tenant settings > Developer settings and enable the following option: Service principals can use Fabric APIs.
Define the region of the Fabric Capacity's resource group as one of regions listed in Fabric region availability.
In the Microsoft Fabric Admin Portal, navigate to Tenant settings > OneLake settings and enable the following option: Users can access data stored in OneLake with apps external to Fabric.

Required Permissions

The following permissions are required:

Power BI Permissions

Lakehouse.ReadWrite.All
OneLake.ReadWrite.All

OneLake Permissions

Storage.ReadWrite.All

Permissions1

Permissions2

Troubleshooting

If you get the following error message:

The resource principal named https://onelake.dfs.fabric.microsoft.com was not found in the tenant named <TENANT NAME>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

Follow these steps while trying to get the access token:

In Azure Portal, go to Azure AD Enterprise Applications.
Select All Applications.
In the search box, enter OneLake.
If OneLake does not appear, it is not registered in your tenant. This might be due to the tenant’s region.
If OneLake does appear, create an application with OneLake.

Required Fields

These fields must be configured to run the Enforcement Set.

Action name - The name of this Enforcement Action. The system sets a default name. You can change the name.
Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.

Azure Client ID, Azure Client Secret, and Azure Tenant ID - You can copy these parameters from the app registrations.
Workspace ID - The ID of the Fabric Capacity workspace. The ID can be found in the workspace's URL.
Lakehouse ID - The ID of the Lakehouse that you want to send the data to. The ID can be found in the Lakehouse's URL.
Table Name - The name ot the table to create or overwrite.
Compute Node - The Axonius node to use when connecting to the specified host. For more details, see Connecting Additional Axonius Nodes.

Additional Fields

These fields are optional.

Verify SSL (optional) - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.
Gateway Name - Select the Gateway through which to connect to perform the action.

APIs

Axonius uses the following APIs:
Tables - Load Table
Connecting to Microsoft OneLake

For more details about other Enforcement Actions available, see Action Library.