Workspaces - List Networking Communication Policies
Returns network communication policy settings for the list of workspaces enabled with either Inbound or Outbound Access Protection.
This API supports pagination. With the continuation token provided in the response, you can get the next set of records.
Permissions
The caller must be a Fabric administrator or authenticate using a service principal.
Required Delegated Scopes
Tenant.Read.All or Tenant.ReadWrite.All
Microsoft Entra supported identities
This API supports the Microsoft identities listed in this section.
| Identity | Support |
|---|---|
| User | Yes |
| Service principal and Managed identities | Yes |
Interface
GET https://api.fabric.microsoft.com/v1/admin/workspaces/networking/communicationpolicies
GET https://api.fabric.microsoft.com/v1/admin/workspaces/networking/communicationpolicies?continuationToken={continuationToken}
URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
| continuationToken | query | | string | A token for retrieving the next page of results. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK | | The operation was successful. |
| 429 Too Many Requests | | The service rate limit was exceeded. The server returns a Retry-After header (integer). |
| Other Status Codes | | Common error codes: |
Examples
Example: get network communication policy settings for the list of workspaces enabled with either Inbound or Outbound Access Protection
Sample request
GET https://api.fabric.microsoft.com/v1/admin/workspaces/networking/communicationpolicies
Sample response
```json
{
  "value": [
    {
      "workspaceId": "fa9ad228-3e6b-44d4-b5f4-e275f337afa9",
      "inbound": {
        "publicAccessRules": {
          "defaultAction": "Deny"
        }
      },
      "outbound": {
        "publicAccessRules": {
          "defaultAction": "Deny"
        },
        "connections": {
          "defaultAction": "Deny",
          "rules": [
            {
              "connectionType": "SQL",
              "defaultAction": "Deny",
              "allowedEndpoints": [
                {
                  "hostnamePattern": "*.microsoft.com"
                }
              ]
            },
            {
              "connectionType": "lakehouse",
              "defaultAction": "Deny",
              "allowedWorkspaces": [
                {
                  "workspaceId": "91c5ae74-e82d-4dd3-bfeb-6b1814030123"
                }
              ]
            },
            {
              "connectionType": "Maria DB",
              "defaultAction": "Allow"
            }
          ]
        },
        "gateways": {
          "defaultAction": "Deny",
          "allowedGateways": [
            {
              "id": "17d8929d-ab32-46d1-858b-fdea74e93bf2"
            }
          ]
        },
        "git": {
          "defaultAction": "Deny"
        }
      }
    }
  ],
  "continuationUri": "https://api.fabric.microsoft.com/v1/admin/workspaces/networking/communicationpolicies?continuationToken=eyJMYXN0U2VlbkNvbm5lY3Rpb25JZCI6NX0=",
  "continuationToken": "eyJMYXN0U2VlbkNvbm5lY3Rpb25JZCI6NX0="
}
```
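An added example, not part of the API reference: Python code that follows continuationToken across pages and reports every defaultAction that is not "Deny", including the per-connectionType rules that override the connections fallback. PAGES is constructed sample data (the second workspace ID and the "page-2" token are made up), and fetch_page is a hypothetical callable standing in for the authenticated GET request.

```python
def iter_policies(fetch_page):
    """Yield each workspace policy, following continuationToken until it is absent."""
    token = None
    while True:
        page = fetch_page(token)
        yield from page.get("value", [])
        token = page.get("continuationToken")
        if not token:  # the token is removed from the response on the last page
            return

def non_deny_defaults(policy):
    """Return (workspaceId, path, action) for each defaultAction other than "Deny"."""
    out = policy.get("outbound") or {}
    conns = out.get("connections") or {}
    nodes = {
        "inbound.publicAccessRules": (policy.get("inbound") or {}).get("publicAccessRules"),
        "outbound.publicAccessRules": out.get("publicAccessRules"),
        "outbound.connections": conns,  # fallback for connection types not in rules
        "outbound.gateways": out.get("gateways"),
        "outbound.git": out.get("git"),
    }
    for rule in conns.get("rules", []):  # per-connectionType overrides of the fallback
        nodes["outbound.connections.rules[%s]" % rule["connectionType"]] = rule
    # Testing for "Deny" rather than "Allow" also reports action types added later.
    return [(policy["workspaceId"], path, node.get("defaultAction"))
            for path, node in nodes.items()
            if node and node.get("defaultAction") != "Deny"]

PAGES = {  # constructed two-page response, keyed by the continuation token requested
    None: {"continuationToken": "page-2", "value": [{
        "workspaceId": "fa9ad228-3e6b-44d4-b5f4-e275f337afa9",
        "inbound": {"publicAccessRules": {"defaultAction": "Deny"}},
        "outbound": {
            "publicAccessRules": {"defaultAction": "Deny"},
            "connections": {"defaultAction": "Deny", "rules": [
                {"connectionType": "SQL", "defaultAction": "Deny",
                 "allowedEndpoints": [{"hostnamePattern": "*.microsoft.com"}]},
                {"connectionType": "Maria DB", "defaultAction": "Allow"}]},
            "gateways": {"defaultAction": "Deny"},
            "git": {"defaultAction": "Deny"}}}]},
    "page-2": {"value": [{  # constructed workspace with only inbound settings
        "workspaceId": "00000000-0000-0000-0000-000000000002",
        "inbound": {"publicAccessRules": {"defaultAction": "Allow"}}}]},
}

def audit(fetch_page=PAGES.__getitem__):  # fetch_page(token) stands in for the GET
    return [f for p in iter_policies(fetch_page) for f in non_deny_defaults(p)]

if __name__ == "__main__":
    print(*audit(), sep="\n")
```

Sections absent from a workspace's policy are skipped rather than reported, since the page does not say how an unconfigured direction is represented.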
Definitions
| Name | Description |
|---|---|
| ConnectionAccessActionType | Defines the access control behavior for outbound connections. This enum is used for the field defaultAction to specify whether outbound communication should be allowed or denied by default. This type enables both global and connection-specific control over outbound access, helping enforce secure and predictable network communication policies. Additional connection access action types may be added over time. |
| ConnectionRuleEndpointMetadata | Represents a single endpoint-level exception rule that allows outbound communication to a specific external domain or host. This object is used within the allowedEndpoints array of a connection rule to explicitly authorize outbound access to trusted endpoints for a given connectionType. This is applicable only to connection types that support endpoint-based filtering (e.g., SQL, MySQL, Web, etc.). |
| ConnectionRuleWorkspaceMetadata | Represents a workspace-level exception rule that allows outbound communication to a specific workspace for a given connectionType. This object is used within the allowedWorkspaces array of a connection rule to explicitly authorize cross-workspace access. This is applicable only to connection types that support workspace-based filtering, such as Lakehouse, Warehouse, FabricSql, and PowerPlatformDataflows. |
| ErrorRelatedResource | The error related resource details object. |
| ErrorResponse | The error response. |
| ErrorResponseDetails | The error response details. |
| GatewayAccessActionType | Defines the access control behavior for outbound gateways. This enum is used for the field defaultAction to specify whether outbound communication should be allowed or denied by default. This type enables both global and gateway-specific control over outbound access, helping enforce secure and predictable network communication policies. Additional gateway access action types may be added over time. |
| GatewayAccessRuleMetadata | Represents a gateway that is allowed for outbound communication. This object is used within the allowedGateways to explicitly authorize outbound access. |
| NetworkAccessRule | Default policy for workspace access from public networks. |
| NetworkCommunicationPolicies | Network communication policy settings for list of workspaces enabled with either Inbound or Outbound Access Protection. |
| NetworkCommunicationPolicyDetails | Represents the details of Network communication policy settings for each workspace. |
| NetworkCommunicationPolicyInboundDetails | Represents the details of Network communication policy settings for each workspace. |
| NetworkCommunicationPolicyOutboundDetails | Represents the details of Network communication policy settings for each workspace. |
| NetworkRules | The policy defining access to/from a workspace to/from public networks. |
| OutboundConnectionRule | Defines an outbound access rule for a specific cloud connection. |
| WorkspaceOutboundConnections | Represents the complete set of outbound access protection cloud connection rules configured for a workspace as part of its networking communication policy. This object defines the connection rules that govern which external endpoints and workspaces are permitted or denied for outbound communication |
| WorkspaceOutboundGateways | Represents the complete set of gateway outbound access protection rules configured for a workspace as part of its networking communication policy. This object defines the gateway rules that govern outbound communication |
ConnectionAccessActionType
Defines the access control behavior for outbound connections. This enum is used for the field defaultAction to specify whether outbound communication should be allowed or denied by default. This type enables both global and connection-specific control over outbound access, helping enforce secure and predictable network communication policies. Additional connection access action types may be added over time.
| Value | Description |
|---|---|
| Allow | Permits outbound connections. When used as a default action, all cloud connections are allowed. |
| Deny | Blocks outbound connections. When used as a default action, all cloud connections are denied unless explicitly allowed. |
ConnectionRuleEndpointMetadata
Represents a single endpoint-level exception rule that allows outbound communication to a specific external domain or host. This object is used within the allowedEndpoints array of a connection rule to explicitly authorize outbound access to trusted endpoints for a given connectionType. This is applicable only to connection types that support endpoint-based filtering (e.g., SQL, MySQL, Web, etc.).
| Name | Type | Description |
|---|---|---|
| hostnamePattern | string | A wildcard-supported pattern that defines the allowed external endpoint. Examples include *.microsoft.com, api.contoso.com, or data.partner.org. |
ConnectionRuleWorkspaceMetadata
Represents a workspace-level exception rule that allows outbound communication to a specific workspace for a given connectionType. This object is used within the allowedWorkspaces array of a connection rule to explicitly authorize cross-workspace access. This is applicable only to connection types that support workspace-based filtering, such as Lakehouse, Warehouse, FabricSql, and PowerPlatformDataflows.
| Name | Type | Description |
|---|---|---|
| workspaceId | string (uuid) | The unique identifier (GUID) of the target workspace that is allowed to be connected from the current workspace. |
ErrorRelatedResource
The error related resource details object.
| Name | Type | Description |
|---|---|---|
| resourceId | string | The resource ID that's involved in the error. |
| resourceType | string | The type of the resource that's involved in the error. |
ErrorResponse
The error response.
| Name | Type | Description |
|---|---|---|
| errorCode | string | A specific identifier that provides information about an error condition, allowing for standardized communication between our service and its users. |
| message | string | A human readable representation of the error. |
| moreDetails | | List of additional error details. |
| relatedResource | | The error related resource details. |
| requestId | string (uuid) | ID of the request associated with the error. |
ErrorResponseDetails
The error response details.
| Name | Type | Description |
|---|---|---|
| errorCode | string | A specific identifier that provides information about an error condition, allowing for standardized communication between our service and its users. |
| message | string | A human readable representation of the error. |
| relatedResource | | The error related resource details. |
GatewayAccessActionType
Defines the access control behavior for outbound gateways. This enum is used for the field defaultAction to specify whether outbound communication should be allowed or denied by default. This type enables both global and gateway-specific control over outbound access, helping enforce secure and predictable network communication policies. Additional gateway access action types may be added over time.
| Value | Description |
|---|---|
| Allow | Permits outbound gateways. When used as a default action, all gateways are allowed. |
| Deny | Blocks outbound gateways. When used as a default action, all gateways are denied unless explicitly allowed. |
GatewayAccessRuleMetadata
Represents a gateway that is allowed for outbound communication. This object is used within the allowedGateways to explicitly authorize outbound access.
| Name | Type | Description |
|---|---|---|
| id | string (uuid) | Gateway Id to be allowed. |
NetworkAccessRule
Default policy for workspace access from public networks.
| Value | Description |
|---|---|
| Allow | Allow all connections. |
| Deny | Deny all connections. |
NetworkCommunicationPolicies
Network communication policy settings for list of workspaces enabled with either Inbound or Outbound Access Protection.
| Name | Type | Description |
|---|---|---|
| continuationToken | string | The token for the next result set batch. If there are no more records, it's removed from the response. |
| continuationUri | string | The URI of the next result set batch. If there are no more records, it's removed from the response. |
| value | | Network communication policy settings for list of workspaces enabled with either Inbound or Outbound Access Protection. |
NetworkCommunicationPolicyDetails
Represents the details of Network communication policy settings for each workspace.
| Name | Type | Description |
|---|---|---|
| inbound | | Defines the Inbound access protection settings. |
| outbound | | Defines the Outbound access protection settings. |
| workspaceId | string (uuid) | The workspace ID. |
NetworkCommunicationPolicyInboundDetails
Represents the details of Network communication policy settings for each workspace.
| Name | Type | Description |
|---|---|---|
| publicAccessRules | | The policy for all inbound communications to a workspace |
NetworkCommunicationPolicyOutboundDetails
Represents the details of Network communication policy settings for each workspace.
| Name | Type | Description |
|---|---|---|
| connections | | Represents the complete set of outbound access protection cloud connection rules configured for a workspace as part of its networking communication policy. This object defines the connection rules that govern which external endpoints and workspaces are permitted or denied for outbound communication |
| gateways | | Represents the complete set of gateway outbound access protection rules configured for a workspace as part of its networking communication policy. This object defines the gateway rules that govern outbound communication |
| git | | Represents the Git Outbound policy for the specified workspace as part of its networking communication policy. |
| publicAccessRules | | The policy for all outbound communications to a workspace |
NetworkRules
The policy defining access to/from a workspace to/from public networks.
| Name | Type | Description |
|---|---|---|
| defaultAction | | Default policy for workspace access from public networks. |
OutboundConnectionRule
Defines an outbound access rule for a specific cloud connection.
| Name | Type | Description |
|---|---|---|
| allowedEndpoints | | Defines a list of explicitly permitted external endpoints for the connectionType. Each entry in the array represents a hostname pattern that is allowed for outbound communication from the workspace. This field is applicable only to connection types that support endpoint-based filtering (e.g., SQL, MySQL, Web, etc.). If defaultAction is set to "Deny" for the connection type, only the endpoints listed here will be allowed; all others will be blocked. |
| allowedWorkspaces | | Specifies a list of workspace IDs that are explicitly permitted for outbound communication for the given fabric connectionType. This field is applicable only to fabric connection types that support workspace-based filtering, limited to Lakehouse, Warehouse, FabricSql, and PowerPlatformDataflows. When defaultAction is set to "Deny" for a connection type, only the workspaces listed in allowedWorkspaces will be allowed for outbound access; all others will be blocked. |
| connectionType | string | Specifies the cloud connection type to which the rule applies. The behavior and applicability of other rule properties (such as allowedEndpoints or allowedWorkspaces) may vary depending on the capabilities of the connection type. |
| defaultAction | | Defines the default outbound access behavior for the connectionType. This field determines whether connections of this type are permitted or blocked by default, unless further refined by allowedEndpoints or allowedWorkspaces. If set to "Allow": All connections of this type are permitted unless explicitly denied by a more specific rule. This field provides fine-grained control over each connection type and complements the global fallback behavior defined by defaultAction. |
WorkspaceOutboundConnections
Represents the complete set of outbound access protection cloud connection rules configured for a workspace as part of its networking communication policy. This object defines the connection rules that govern which external endpoints and workspaces are permitted or denied for outbound communication
| Name | Type | Description |
|---|---|---|
| defaultAction | | Defines the default behavior for all cloud connection types that are not explicitly listed in the rules array. If set to "Allow", all unspecified connection types are permitted by default. If set to "Deny", all unspecified connection types are blocked by default unless explicitly allowed. This setting acts as a global fallback policy and is critical for enforcing a secure default posture in environments where only known and trusted connections should be permitted. |
| rules | | A list of rules that define outbound access behavior for specific cloud connection types. Each rule may include endpoint-based or workspace-based restrictions depending on supported connection types. |
WorkspaceOutboundGateways
Represents the complete set of gateway outbound access protection rules configured for a workspace as part of its networking communication policy. This object defines the gateway rules that govern outbound communication
| Name | Type | Description |
|---|---|---|
| allowedGateways | | A list of rules that define outbound access behavior for gateways. |
| defaultAction | | Defines the default behavior for all gateways that are not explicitly listed in the allowed list array. If set to "Allow", all unspecified gateways are permitted by default. If set to "Deny", all unspecified gateways are blocked. |