Does the new workspace-level opt-in setting (default change 1 June 2027) supersede the 1 August 2026 trusted-services retirement?

Youness Kabbouch 0 Reputation points
2026-07-06T11:37:43.07+00:00

We previously received communications about the retirement of the "Allow trusted Microsoft services" firewall exception for Azure Synapse Analytics workspaces, with an effective date of 1 August 2026, requiring migration to Managed VNet + managed private endpoints for Storage/Key Vault access.

We've now received a follow-up notification (tracking id: ZQ53-8KZ) describing a new workspace-level setting under Workspace Settings > Security, with the following timeline:

  • The new setting becomes available before 1 March 2027
  • Starting 1 June 2027, the default for new and existing workspaces changes to network-scoped access
  • Administrators can still opt in to keep the current (trusted-services) token behavior if needed

This appears to conflict with, or supersede, the earlier 1 August 2026 deadline. Could you please clarify:

  1. Does this new communication supersede/replace the earlier 1 August 2026 retirement date for the trusted-services firewall exception? In other words, is the effective retirement date now 1 June 2027 (with an opt-in to defer further), rather than 1 August 2026?
  2. If a workspace takes no action, will it continue to function using the current trusted-services/token behavior until at least 1 June 2027, without disruption on 1 August 2026?
  3. Once the setting is available (before 1 March 2027), if we explicitly select "Opt-in enabled," is there any end date for that option, or can it be retained indefinitely subject to the security considerations shown in the portal?
  4. Does this change apply uniformly to all workspaces using managed identity + trusted-services firewall exception for Storage/Key Vault access, including workspaces with an active Azure Synapse Link for Dataverse/Dynamics 365 F&O connection?
Azure Synapse Analytics
Azure Synapse Analytics

An Azure analytics service that brings together data integration, enterprise data warehousing, and big data analytics. Previously known as Azure SQL Data Warehouse.

0 comments No comments

1 answer

Sort by: Most helpful
  1. Jerald Felix 16,420 Reputation points Volunteer Moderator
    2026-07-06T13:51:57.55+00:00

    Hello Youness Kabbouch,

    Greetings!

    Thanks for the detailed timeline this is a good question, and I want to be upfront that the specifics of the follow-up notification you received (tracking ID ZQ53-8KZ) aren't something I can independently verify against public documentation, so treat the answer below as guidance rather than a confirmed answer:

    What's publicly documented: The retirement of the "Allow trusted Microsoft services" firewall exception for Azure Synapse workspaces accessing Storage/Key Vault via managed identity is confirmed for 1 August 2026 in Microsoft's public guidance (the Synapse Link transition FAQ). That guidance does not currently reference a workspace-level opt-in setting or a 1 June 2027 date.

    On your specific questions:

    Does the new communication supersede the 1 August 2026 date? This can't be confirmed from public documentation alone. Targeted notifications like the one you received (with a tracking ID) sometimes reflect a refined or staged rollout that hasn't yet been published to the general docs. I'd treat the 1 August 2026 date as still authoritative until you get explicit written confirmation otherwise.

    Will workspaces keep working past 1 August 2026 with no action taken? Based on the public guidance alone, no — the expectation is that trusted-services access stops working after 1 August 2026 unless you've migrated to Managed VNet + managed private endpoints. If your notification genuinely extends that, you'll want written confirmation this applies to your workspace specifically before relying on it.

    Is the opt-in retained indefinitely? No public information exists on this yet, since the setting itself isn't in public documentation.

    Does this apply uniformly, including to Synapse Link for Dataverse/D365 F&O? The general 1 August 2026 retirement does apply to any workspace using managed identity + trusted-services for Storage/Key Vault, which would include Synapse Link–connected workspaces. Whether the newer opt-in setting changes that for your scenario isn't confirmed.

    Recommended next step (highest priority): Since this notification appears to be account/subscription-specific rather than a general product announcement, I'd strongly recommend opening an Azure support ticket referencing tracking ID ZQ53-8KZ directly, and ask them to confirm in writing whether it supersedes the 1 August 2026 date for your workspace(s). You can also check the Message Center in the Azure Portal (Service Health) for the full text of that notification, since forum readers can't see anything beyond what you've quoted.

    In parallel, since the 1 August 2026 deadline is still the only publicly confirmed date, it's worth continuing migration planning to Managed VNet + managed private endpoints so you're not caught out if the newer setting turns out to be scoped more narrowly than it first appears.

    If this helps kindly accept the answer and support the community.

    Best Regards,

    Jerald Felix

    Was this answer helpful?

    0 comments No comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.