Imagine you’re standing in front of a massive digital lake: clear, calm, and endless. Beneath its surface lies every drop of your organization’s data — from structured tables and unstructured files to real-time streams. This lake is Microsoft Fabric’s OneLake, a unified data lake designed to bring all your data together in one place, accessible to everyone who needs it, securely and efficiently.
Now, imagine needing to give someone access to just a small section of this lake (perhaps a folder, a dataset, or a single file) without handing over the keys to the entire lake. How do you do that safely?
That’s where a OneLake Shared Access Signature (SAS) comes in.
What is a OneLake Shared Access Signature (SAS)?
A Shared Access Signature (SAS) in OneLake is a secure, time-bound access token that grants limited access to specific data or resources stored in OneLake.
Think of it as a temporary digital pass that allows someone to fetch or upload certain data without needing full permissions to the entire workspace or tenant.
In other words, a OneLake SAS lets you share data safely and precisely — giving the right people the right access, at the right time, with the least amount of risk.
Why SAS is Important in OneLake
OneLake acts as the data foundation of Microsoft Fabric, integrating all data from Lakehouses, Warehouses, Real-Time Hubs, and more. While this centralized model simplifies governance and management, it also increases the need for controlled access mechanisms.
A SAS provides exactly that — controlled, auditable, and revocable access. Whether you’re enabling an external partner to analyze a dataset or letting a Power BI developer connect temporarily, SAS tokens give flexibility without compromising security.
How a OneLake SAS Works
When you create a OneLake SAS, you define:
The resource: e.g., a specific Lakehouse file, folder, or container path.
The permissions: read, write, list, delete, etc.
The time frame: start and expiry time for the token’s validity.
The access scope: whether the access applies to the entire container or just a subdirectory.
Once generated, the SAS token is appended to the OneLake URL, forming a link like:
https://onelake.dfs.fabric.microsoft.com/{workspace}/{lakehouse}?sv=2023-11-01&ss=bfqt&srt=sco&sp=rl&se=2025-11-07T12:00Z&sig=XYZ123...
Anyone with this URL can access the defined data within the allowed time and permissions, with no extra login required. The URL is therefore itself a credential and should be stored and shared as one.
Security and Governance Considerations
While SAS tokens offer convenience, they also come with responsibility.
A few best practices to keep in mind:
Use the shortest possible expiry time
The less time the token is active, the lower the exposure risk.
Grant minimal permissions
Only allow what’s needed — for example, read-only access instead of full control.
Revoke SAS if compromised
Administrators can revoke access at any time from the Fabric or Azure portal.
Monitor usage
Audit logs help track how and when SAS tokens are used.
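The expiry, permission, and scope practices above can be checked mechanically before a SAS URL is handed out. The Python below is an added example, not code from Microsoft or from the original post; the one-hour lifetime limit, the read/list allow-list, the function names, and the sample URLs used with it are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Assumed local policy, not values taken from the article or from Microsoft.
MAX_LIFETIME = timedelta(hours=1)
ALLOWED_PERMS = set("rl")  # read + list only
_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

def _parse_time(value):
    """Parse the UTC timestamp forms used in the SAS 'st' and 'se' fields."""
    for fmt in _TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")

def audit_sas_url(url, now):
    """Return a list of policy findings for one SAS URL (empty list = OK)."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in q:
        return ["no signature: not a SAS URL"]
    findings = []
    extra = set(q.get("sp", "")) - ALLOWED_PERMS
    if extra:
        findings.append("excess permissions: " + "".join(sorted(extra)))
    if "se" not in q:
        findings.append("no expiry")
    else:
        expiry = _parse_time(q["se"])
        start = _parse_time(q["st"]) if "st" in q else now
        if expiry <= now:
            findings.append("already expired")
        # Remaining exposure is counted from now, or from a future start time.
        elif expiry - max(start, now) > MAX_LIFETIME:
            findings.append("lifetime exceeds policy")
    # Two path segments or fewer = whole item, as in the article's sample URL.
    if len([s for s in parts.path.split("/") if s]) <= 2:
        findings.append("scope is the whole item, not a subfolder")
    return findings

def redact(url):
    """Drop the query string (which carries sig) so the URL is safe to log."""
    return urlsplit(url)._replace(query="", fragment="").geturl()
```

Running `audit_sas_url` in the step that issues or forwards a link, and logging only `redact(url)`, keeps the signature out of tickets, chat, and log files.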
Common Use Cases for OneLake SAS
External Data Sharing: Share specific data with vendors, partners, or consultants.
Data Integration: Allow external ETL tools or applications to read/write data directly into OneLake.
Ad-hoc Analysis: Let data scientists download datasets for temporary local analysis.
Automation and APIs: Grant service-based access to pipelines or scripts without hardcoding credentials.
Conclusion
OneLake Shared Access Signature (SAS) brings balance to data access: flexibility without fragility, sharing without oversharing. It empowers organizations to collaborate and integrate across boundaries while keeping governance intact.