An Azure analytics service that brings together data integration, enterprise data warehousing, and big data analytics. Previously known as Azure SQL Data Warehouse.
Action required: Transition your Azure Synapse Analytics workspaces to private links before 1 August 2026
Hi Synapse Team,
We are currently using shared VNet workspaces and already filed exceptions. We would like to know if this transition will affect our workspaces? or it only affect managed VNet workspaces? Thanks.
Azure Synapse Analytics
-
Pilladi Padma Sai Manisha • 10,945 Reputation points • Microsoft External Staff • Moderator
2026-07-03T07:17:16.2133333+00:00 Hi @Yao Luo
Thank you for your question.
Based on the available documentation, the transition is related to the retirement of the trusted services firewall exception on 1 August 2026. If your current environment relies on this mechanism for Azure Synapse to access resources such as Azure Storage or Azure Key Vault, you'll need to transition to private connectivity to avoid any disruption after the retirement date.
However, the documentation does not explicitly state that all shared (customer-managed) VNet workspaces are affected, nor does it indicate that the change applies only to managed VNet workspaces. Therefore, based on the published guidance alone, we can't definitively determine whether your shared VNet workspaces will be impacted.
Since you've already filed an exception, the impact will depend on the scope and status of that approved exception.
To better understand your scenario, could you please confirm the following?
- Are you referring to Azure Synapse Analytics workspace networking in general, or are you using Azure Synapse Link for Dataverse?
- Does your workspace currently rely on the trusted services firewall exception to access Azure Storage or Azure Key Vault, or are you already using private endpoints?
- Does the exception you received explicitly cover these workspaces beyond the transition date?
Once we have these details, we can provide more targeted guidance.
For reference, please see the official Microsoft documentation on the transition:
- Azure Synapse Link transition FAQ: https://learn.microsoft.com/power-apps/maker/data-platform/azure-synapse-link-transition-faq
I hope this helps. We look forward to your update.Hi,
Thank you for your question.
Based on the available documentation, the transition is related to the retirement of the trusted services firewall exception on 1 August 2026. If your current environment relies on this mechanism for Azure Synapse to access resources such as Azure Storage or Azure Key Vault, you'll need to transition to private connectivity to avoid any disruption after the retirement date.
However, the documentation does not explicitly state that all shared (customer-managed) VNet workspaces are affected, nor does it indicate that the change applies only to managed VNet workspaces. Therefore, based on the published guidance alone, we can't definitively determine whether your shared VNet workspaces will be impacted.
Since you've already filed an exception, the impact will depend on the scope and status of that approved exception.
To better understand your scenario, could you please confirm the following?
- Are you referring to Azure Synapse Analytics workspace networking in general, or are you using Azure Synapse Link for Dataverse?
- Does your workspace currently rely on the trusted services firewall exception to access Azure Storage or Azure Key Vault, or are you already using private endpoints?
- Does the exception you received explicitly cover these workspaces beyond the transition date?
Once we have these details, we can provide more targeted guidance.
For reference, please see the official Microsoft documentation on the transition:
- Azure Synapse Link transition FAQ: https://learn.microsoft.com/power-apps/maker/data-platform/azure-synapse-link-transition-faq
I hope this helps. We look forward to your update.
-
Yao Luo • 0 Reputation points • Microsoft Employee
2026-07-03T07:53:13.07+00:00 Hi @Pilladi Padma Sai Manisha ,
Thanks for your reply!
Our current Synapse workspaces are not using Managed VNet. The associated storage account and key vaults have public network access enabled and are protected by NSP rules.
The exception is filed for SFI NS2.2.1, which requires to migrate shared VNet to managed VNet, disable public access and configure managed private endpoints - https://eng.ms/docs/cloud-ai-platform/azure-core/azure-networking/networking-control-plane-xinyanz/azure-virtual-network-manager/network-security-perimeters/articles/ns22tsg/ns221synapse
We would like to confirm whether the upcoming transition applies to our scenario and whether our current configuration would be impacted. Thanks.
-
Pilladi Padma Sai Manisha • 10,945 Reputation points • Microsoft External Staff • Moderator
2026-07-03T09:00:01.38+00:00 Thank you for providing the additional details and sharing your current configuration. We understand why you'd like to confirm whether the upcoming transition applies to your environment, especially since you've already filed an SFI NS2.2.1 exception.
Based on the information you've shared, your Synapse workspaces are not using Managed VNet, and your Azure Storage account and Azure Key Vault have public network access enabled while being protected by Network Security Perimeter (NSP) rules.
According to the published guidance, the upcoming transition is intended for scenarios where Azure Synapse accesses Azure Storage or Azure Key Vault using Managed Identity together with the "Allow trusted Microsoft services" firewall exception. In these scenarios, customers are expected to transition to Private Link/Private Endpoints before August 1, 2026.
If your environment is already using Private Link/Private Endpoints instead of the trusted Microsoft services firewall exception, the announced transition is generally not expected to require additional changes.
That said, we understand your concern regarding your current setup. Since your deployment uses a shared VNet, Network Security Perimeter (NSP), and an approved SFI NS2.2.1 exception, the current public documentation does not explicitly state whether this specific configuration falls within the scope of the announced transition. Based on the available guidance alone, we can't conclusively determine whether your workspaces will be impacted or whether any additional action will be required.
To help assess your environment, you may want to verify the following:
- Whether your Storage Account or Azure Key Vault is configured to use the "Allow trusted Microsoft services" firewall exception.
- Whether your Synapse workspace accesses these resources through the trusted-services mechanism or through Private Link/Private Endpoints.
For more information, please refer to the official Microsoft documentation:
I hope this helps clarify the current guidance. If you have any additional questions or can share more details about your networking configuration, we'd be happy to continue assisting.
-
Pilladi Padma Sai Manisha • 10,945 Reputation points • Microsoft External Staff • Moderator
2026-07-07T17:55:12.4533333+00:00 Hi @Yao Luo
I hope you had a chance to review the information shared earlier, and I hope this information has been helpful! If you still have questions, please let us know what is needed in the comments so the question can be answered.
Sign in to comment