Workspaces - Set Outbound Cloud Connection Rules
Sets the outbound access protection cloud connection rules for the workspace. This API enables workspace administrators to set outbound network communication rules that control which cloud connection types, and where applicable which external endpoints or workspaces, are allowed from the workspace. This feature is currently in preview.
Note
This API is part of a Preview release and is provided for evaluation and development purposes only. It may change based on feedback and is not recommended for production use.
Note
Outbound access protection rules are only enforced if the workspace's network communication policy has outbound.publicAccessRules.defaultAction set to Deny. If outbound access protection (OAP) is not enabled on the workspace, the API fails because outbound connections are not being restricted.
Note
This API uses the PUT method and overwrites all outbound access connection rules for the workspace. If the request body contains only a partial policy, the remaining policy is set to its default value. Always run Get first and provide the full policy in the request body.
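The overwrite behavior described in the note above can be checked before sending the request. The following is an added example, not part of the API reference or Microsoft's code: it compares the policy returned by Get with a proposed PUT body and builds a full body that changes one rule. The function names and sample policies are constructed for illustration, and it assumes Get returns the same shape as the PUT request body.

```python
import copy

# Constructed sample: the policy as returned by Get (assumed same shape as the PUT body).
CURRENT_POLICY = {
    "defaultAction": "Deny",
    "rules": [
        {"connectionType": "SQL", "defaultAction": "Deny",
         "allowedEndpoints": [{"hostNamePattern": "*.microsoft.com"}]},
        {"connectionType": "Web", "defaultAction": "Allow"},
    ],
}
# Constructed sample: the one rule the administrator wants to add.
NEW_RULE = {"connectionType": "MySQL", "defaultAction": "Deny",
            "allowedEndpoints": [{"hostNamePattern": "data.partner.org"}]}


def lost_on_put(current, proposed):
    """List what a PUT of `proposed` would remove or reset compared with `current`."""
    findings = []
    if "defaultAction" not in proposed:
        findings.append("defaultAction omitted: reset to its default value")
    kept = {r["connectionType"] for r in proposed.get("rules", [])}
    for rule in current.get("rules", []):
        if rule["connectionType"] not in kept:
            findings.append(f"rule dropped: {rule['connectionType']}")
    return findings


def upsert_rule(current, new_rule):
    """Return a full PUT body: a copy of `current` with `new_rule` added or replaced."""
    body = copy.deepcopy(current)
    rules = body.setdefault("rules", [])
    for i, rule in enumerate(rules):
        if rule["connectionType"] == new_rule["connectionType"]:
            rules[i] = copy.deepcopy(new_rule)
            break
    else:
        rules.append(copy.deepcopy(new_rule))
    return body


if __name__ == "__main__":
    partial = {"rules": [NEW_RULE]}           # what a naive caller might send
    print(lost_on_put(CURRENT_POLICY, partial))
    print(lost_on_put(CURRENT_POLICY, upsert_rule(CURRENT_POLICY, NEW_RULE)))
```
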
Permissions
The caller must have the admin workspace role.
Required Delegated Scopes
Workspace.ReadWrite.All
Microsoft Entra supported identities
This API supports the Microsoft identities listed in this section.
| Identity | Support |
|---|---|
| User | Yes |
| Service principal and Managed identities | Yes |
Interface
PUT https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/networking/communicationPolicy/outbound/connections
URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
| workspaceId | path | True | string (uuid) | Unique identifier of the workspace to update. |
Request Body
| Name | Type | Description |
|---|---|---|
| defaultAction | | Defines the default behavior for all cloud connection types that are not explicitly listed in the rules array. If set to "Allow", all unspecified connection types are permitted by default. If set to "Deny", all unspecified connection types are blocked by default unless explicitly allowed. This setting acts as a global fallback policy and is critical for enforcing a secure default posture in environments where only known and trusted connections should be permitted. |
| rules | | A list of rules that define outbound access behavior for specific cloud connection types. Each rule may include endpoint-based or workspace-based restrictions depending on supported connection types. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK | | Request completed successfully. Headers: ETag: string |
| Other Status Codes | | Common error codes: |
Examples
Set workspace outbound access protection cloud connection rules example
Sample request
```http
PUT https://api.fabric.microsoft.com/v1/workspaces/47482db6-4583-4672-86dd-999d0f8f4d7a/networking/communicationPolicy/outbound/connections
```

```json
{
  "defaultAction": "Deny",
  "rules": [
    {
      "connectionType": "SQL",
      "defaultAction": "Deny",
      "allowedEndpoints": [
        {
          "hostNamePattern": "*.microsoft.com"
        }
      ]
    },
    {
      "connectionType": "LakeHouse",
      "defaultAction": "Deny",
      "allowedWorkspaces": [
        {
          "workspaceId": "91c5ae74-e82d-4dd3-bfeb-6b1814030123"
        }
      ]
    },
    {
      "connectionType": "Web",
      "defaultAction": "Allow"
    }
  ]
}
```
Sample response
ETag: 0f8fad5b-d9cb-469f-a165-70867728950e
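To review what a policy like the sample request actually permits, the documented precedence (per-type rule first, then the global defaultAction) can be modeled locally. This is an added example, not part of the API reference or the service's enforcement logic: the function names are constructed, and it assumes `*` is a shell-style wildcard and that hostnames, workspace IDs and connection type names compare case-insensitively.

```python
from fnmatch import fnmatchcase

# Constructed input: the same body as the sample request in this reference.
SAMPLE_POLICY = {
    "defaultAction": "Deny",
    "rules": [
        {"connectionType": "SQL", "defaultAction": "Deny",
         "allowedEndpoints": [{"hostNamePattern": "*.microsoft.com"}]},
        {"connectionType": "LakeHouse", "defaultAction": "Deny",
         "allowedWorkspaces": [{"workspaceId": "91c5ae74-e82d-4dd3-bfeb-6b1814030123"}]},
        {"connectionType": "Web", "defaultAction": "Allow"},
    ],
}


def find_rule(policy, connection_type):
    """Return the rule for connection_type, or None if the type is not listed."""
    for rule in policy.get("rules", []):
        # Assumption: connection type names compare case-insensitively.
        if rule["connectionType"].lower() == connection_type.lower():
            return rule
    return None


def is_allowed(policy, connection_type, host=None, workspace_id=None):
    """Local model of the documented precedence; not the service's own logic."""
    rule = find_rule(policy, connection_type)
    if rule is None:
        # Unlisted connection types fall back to the global defaultAction.
        return policy["defaultAction"] == "Allow"
    if rule["defaultAction"] == "Allow":
        return True
    # Per-type Deny: only listed endpoints or workspaces pass.
    if host is not None:
        # Assumption: '*' is a shell-style wildcard and hostnames ignore case.
        return any(fnmatchcase(host.lower(), e["hostNamePattern"].lower())
                   for e in rule.get("allowedEndpoints", []))
    if workspace_id is not None:
        return any(w["workspaceId"].lower() == workspace_id.lower()
                   for w in rule.get("allowedWorkspaces", []))
    return False


def unrestricted_types(policy):
    """Connection types left fully open even though the global default is Deny."""
    if policy["defaultAction"] != "Deny":
        return []
    return [r["connectionType"] for r in policy["rules"] if r["defaultAction"] == "Allow"]
```

Run against the sample policy, `unrestricted_types` reports the Web rule: with its defaultAction set to Allow, every Web endpoint is reachable even though the global default is Deny.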
Definitions
| Name | Description |
|---|---|
| ConnectionAccessActionType | Defines the access control behavior for outbound connections. This enum is used for the field defaultAction to specify whether outbound communication should be allowed or denied by default. This type enables both global and connection-specific control over outbound access, helping enforce secure and predictable network communication policies. Additional connection access action types may be added over time. |
| ConnectionRuleEndpointMetadata | Represents a single endpoint-level exception rule that allows outbound communication to a specific external domain or host. This object is used within the allowedEndpoints array of a connection rule to explicitly authorize outbound access to trusted endpoints for a given connectionType. This is applicable only to connection types that support endpoint-based filtering (e.g., SQL, MySQL, Web, etc.). |
| ConnectionRuleWorkspaceMetadata | Represents a workspace-level exception rule that allows outbound communication to a specific workspace for a given connectionType. This object is used within the allowedWorkspaces array of a connection rule to explicitly authorize cross-workspace access. This is applicable only to connection types that support workspace-based filtering, such as Lakehouse, Warehouse, FabricSql, and PowerPlatformDataflows. |
| ErrorRelatedResource | The error related resource details object. |
| ErrorResponse | The error response. |
| ErrorResponseDetails | The error response details. |
| OutboundConnectionRule | Defines an outbound access rule for a specific cloud connection. |
| WorkspaceOutboundConnections | Represents the complete set of outbound access protection cloud connection rules configured for a workspace as part of its networking communication policy. This object defines the connection rules that govern which external endpoints and workspaces are permitted or denied for outbound communication. |
ConnectionAccessActionType
Defines the access control behavior for outbound connections. This enum is used for the field defaultAction to specify whether outbound communication should be allowed or denied by default. This type enables both global and connection-specific control over outbound access, helping enforce secure and predictable network communication policies. Additional connection access action types may be added over time.
| Value | Description |
|---|---|
| Allow | Permits outbound connections. When used as a default action, all cloud connections are allowed. |
| Deny | Blocks outbound connections. When used as a default action, all cloud connections are denied unless explicitly allowed. |
ConnectionRuleEndpointMetadata
Represents a single endpoint-level exception rule that allows outbound communication to a specific external domain or host. This object is used within the allowedEndpoints array of a connection rule to explicitly authorize outbound access to trusted endpoints for a given connectionType. This is applicable only to connection types that support endpoint-based filtering (e.g., SQL, MySQL, Web, etc.).
| Name | Type | Description |
|---|---|---|
| hostNamePattern | string | A wildcard-supported pattern that defines the allowed external endpoint. Examples include *.microsoft.com, api.contoso.com, or data.partner.org. |
ConnectionRuleWorkspaceMetadata
Represents a workspace-level exception rule that allows outbound communication to a specific workspace for a given connectionType. This object is used within the allowedWorkspaces array of a connection rule to explicitly authorize cross-workspace access. This is applicable only to connection types that support workspace-based filtering, such as Lakehouse, Warehouse, FabricSql, and PowerPlatformDataflows.
| Name | Type | Description |
|---|---|---|
| workspaceId | string (uuid) | The unique identifier (GUID) of the target workspace that the current workspace is allowed to connect to. |
ErrorRelatedResource
The error related resource details object.
| Name | Type | Description |
|---|---|---|
| resourceId | string | The resource ID that's involved in the error. |
| resourceType | string | The type of the resource that's involved in the error. |
ErrorResponse
The error response.
| Name | Type | Description |
|---|---|---|
| errorCode | string | A specific identifier that provides information about an error condition, allowing for standardized communication between our service and its users. |
| message | string | A human readable representation of the error. |
| moreDetails | | List of additional error details. |
| relatedResource | | The error related resource details. |
| requestId | string | ID of the request associated with the error. |
ErrorResponseDetails
The error response details.
| Name | Type | Description |
|---|---|---|
| errorCode | string | A specific identifier that provides information about an error condition, allowing for standardized communication between our service and its users. |
| message | string | A human readable representation of the error. |
| relatedResource | | The error related resource details. |
OutboundConnectionRule
Defines an outbound access rule for a specific cloud connection.
| Name | Type | Description |
|---|---|---|
| allowedEndpoints | | Defines a list of explicitly permitted external endpoints for the connectionType. Each entry in the array represents a hostname pattern that is allowed for outbound communication from the workspace. This field is applicable only to connection types that support endpoint-based filtering (e.g., SQL, MySQL, Web, etc.). If defaultAction is set to "Deny" for the connection type, only the endpoints listed here will be allowed; all others will be blocked. |
| allowedWorkspaces | | Specifies a list of workspace IDs that are explicitly permitted for outbound communication for the given fabric connectionType. This field is applicable only to fabric connection types that support workspace-based filtering, limited to Lakehouse, Warehouse, FabricSql, and PowerPlatformDataflows. When defaultAction is set to "Deny" for a connection type, only the workspaces listed in allowedWorkspaces will be allowed for outbound access; all others will be blocked. |
| connectionType | string | Specifies the cloud connection type to which the rule applies. The behavior and applicability of other rule properties (such as allowedEndpoints or allowedWorkspaces) may vary depending on the capabilities of connection type. |
| defaultAction | | Defines the default outbound access behavior for the connectionType. This field determines whether connections of this type are permitted or blocked by default, unless further refined by allowedEndpoints or allowedWorkspaces. If set to "Allow": All connections of this type are permitted unless explicitly denied by a more specific rule. This field provides fine-grained control over each connection type and complements the global fallback behavior defined by defaultAction. |
WorkspaceOutboundConnections
Represents the complete set of outbound access protection cloud connection rules configured for a workspace as part of its networking communication policy. This object defines the connection rules that govern which external endpoints and workspaces are permitted or denied for outbound communication.
| Name | Type | Description |
|---|---|---|
| defaultAction | | Defines the default behavior for all cloud connection types that are not explicitly listed in the rules array. If set to "Allow", all unspecified connection types are permitted by default. If set to "Deny", all unspecified connection types are blocked by default unless explicitly allowed. This setting acts as a global fallback policy and is critical for enforcing a secure default posture in environments where only known and trusted connections should be permitted. |
| rules | | A list of rules that define outbound access behavior for specific cloud connection types. Each rule may include endpoint-based or workspace-based restrictions depending on supported connection types. |