How Atlan connects to Microsoft Fabric
Atlan connects to Microsoft Fabric to extract metadata from your workspaces, reports, dashboards, and other Fabric assets while maintaining network security and compliance. You can choose between Direct connectivity for Fabric tenants reachable from the internet or Self-deployed runtime for environments that must remain behind your firewall.
Connect via direct network connection
Atlan's Microsoft Fabric workflow establishes a direct connection from the Atlan SaaS tenant to Microsoft Fabric APIs. This approach works when outbound access to Microsoft identity and Fabric endpoints from the internet is permitted in your organization.
- Atlan connects to Microsoft Fabric using the Microsoft Graph and Fabric APIs over HTTPS (port 443).
- You configure a service principal (tenant ID, client ID, client secret) when setting up the connector and use those credentials in the crawler workflow.
- The connector uses the service principal to authenticate with Microsoft identity and call Fabric APIs to discover and catalog metadata.
For details on how direct connectivity works, see Direct connectivity.
Connect via self-deployed runtime
A runtime deployed within your network acts as a secure bridge between Atlan Cloud and Microsoft Fabric. This approach works when your network policy requires all access to Microsoft Fabric to originate from inside your perimeter.
- The runtime maintains an outbound HTTPS connection to Atlan Cloud (port 443) and an outbound HTTPS connection to Microsoft identity and Fabric APIs (port 443).
- You store Microsoft Fabric credentials (tenant ID, client ID, client secret) in your enterprise-managed secret store; the runtime retrieves them when running the crawler and never sends them to Atlan Cloud.
- The runtime calls Fabric APIs to execute metadata extraction and returns the results to Atlan Cloud for processing and cataloging.
For details on how Self-Deployed Runtime works, see SDR connectivity.
Security
Atlan extracts only structural and governance metadata from Microsoft Fabric (workspaces, reports, dashboards, datasets, pipelines, dataflows, and their properties). It doesn't extract or store your business data from Fabric.
- Read-only operations: The connector only reads metadata via Fabric APIs. It can't modify workspaces, delete assets, or change any Fabric configuration.
- Credential encryption: Microsoft Fabric credentials are encrypted at rest and in transit. In Direct connectivity, Atlan encrypts credentials before storage. In Self-deployed runtime, credentials never leave your network perimeter; the runtime retrieves them from your secret vaults (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, or HashiCorp Vault) only when needed, and Atlan Cloud never receives or stores them.
- Network isolation with Self-deployed runtime: When using the runtime, all calls to Microsoft Fabric originate from within your network. The runtime only makes outbound HTTPS connections to Atlan Cloud and to Microsoft endpoints, which your network team can control through firewall rules.
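One way a network team could check the runtime's egress policy described above against connection logs from the runtime host, as an added example that is not Atlan's code. The log format is constructed, and the hostnames are assumptions because this page does not list exact endpoints; replace them with the values from your Atlan and Microsoft documentation.

```python
# Added example: audit egress records from a Self-deployed runtime host.
# Hostnames are assumptions; this page does not list exact endpoints.
ALLOWED_HOSTS = {
    "login.microsoftonline.com",  # Microsoft identity (assumed endpoint)
    "api.fabric.microsoft.com",   # Fabric REST API (assumed endpoint)
    "graph.microsoft.com",        # Microsoft Graph (assumed endpoint)
    "tenant.atlan.example",       # placeholder for your Atlan Cloud tenant
}

# Constructed sample records: "<time> <direction> <peer_host> <port>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z OUT login.microsoftonline.com 443
2024-05-01T10:00:02Z OUT api.fabric.microsoft.com 443
2024-05-01T10:00:03Z OUT tenant.atlan.example 443
2024-05-01T10:00:04Z OUT api.fabric.microsoft.com 80
2024-05-01T10:00:05Z OUT login.microsoftonline.com.cdn.example 443
2024-05-01T10:00:06Z IN 10.0.4.17 8443
malformed line
"""


def audit_egress(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (line_number, reason) for every record that breaks the policy:
    outbound only, TCP 443 only, exact allowlisted host only."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            findings.append((n, "unparseable record"))
            continue
        _, direction, host, port = parts
        host = host.lower().rstrip(".")  # normalise case and trailing dot
        if direction != "OUT":
            findings.append((n, "inbound connection to runtime"))
        elif int(port) != 443:
            findings.append((n, f"non-HTTPS port {port}"))
        elif host not in allowed_hosts:  # exact match, never substring/prefix
            findings.append((n, f"destination not allowlisted: {host}"))
    return findings


if __name__ == "__main__":
    for n, reason in audit_egress(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The exact-match comparison matters: a lookalike host such as the constructed `login.microsoftonline.com.cdn.example` would pass a prefix or substring check but is flagged here.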
See also
- Direct connectivity: How Atlan connects directly to data sources
- SDR connectivity: How Self-Deployed Runtime connects to data sources
- Set up Microsoft Fabric: Configure authentication and connection settings
- Install Self-Deployed Runtime: Choose your deployment platform and install the runtime