Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Get Fabric certified for FREE! Don't miss your chance! Learn more

Reply
abhisheks13
New Contributor

OneLake ADLS Gen2 API – Issuer Validation Failed After Previously Working

‎10-16-2025 08:02 AM

We have an automated process that uploads Parquet files to OneLake using the ADLS Gen2-compatible API (https://onelake.dfs.core.windows.net). It was working until recently, but now we get:

Issuer validation failed. Issuer did not match.

Details:

Code Snippet:

var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
var token = await credential.GetTokenAsync(
    new TokenRequestContext(new[] { "https://storage.azure.com/.default" }));

using var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);
httpClient.DefaultRequestHeaders.Add("x-ms-version", "2020-10-02");
httpClient.DefaultRequestHeaders.Add("x-ms-blob-type", "BlockBlob");

var baseUri = $"https://onelake.dfs.core.windows.net/{workspaceId}/{lakehouseId}/Files/{fileName}.parquet";
var createUri = $"{baseUri}?resource=file";
var createRequest = new HttpRequestMessage(HttpMethod.Put, createUri)
{
    Content = new ByteArrayContent(Array.Empty<byte>())
};
createRequest.Content.Headers.ContentLength = 0;

var createResponse = await httpClient.SendAsync(createRequest);
Console.WriteLine($"Status: {createResponse.StatusCode}");

Questions:

  1. Has Microsoft changed authentication requirements for OneLake ADLS Gen2 API?
  2. Is https://storage.azure.com/.default still supported, or should we switch to Fabric REST API?
  3. Are v2 tokens now mandatory for OneLake?

Any guidance or official update would be appreciated.

Labels:
Message 1 of 4
937 Views
0
1 ACCEPTED SOLUTION
v-dineshya
Honored Contributor III

‎10-17-2025 04:12 AM

Hi @abhisheks13 ,

Thank you for reaching out to the Microsoft Community Forum.

 

The error indicates a mismatch between the token issuer (iss) and what the OneLake service expects.

 

Please try below things to resolve the issuer validation.

 

1. Check v2 Token Usage, Use Azure.Identity with TokenCredentialOptions.

 

var options = new TokenCredentialOptions
{
AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
};
var credential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);

 

2. Check Token Details, Decode the token like using jwt.ms and confirm below

 

iss is https://login.microsoftonline.com/{tenantId}/v2.0
aud is https://storage.azure.com


3. Check Fabric Tenant Settings, Ensure “Allow service principals to use APIs” is enabled. Check the service principal has Contributor access to the workspace and lakehouse.

 

Note: OneLake is a SaaS abstraction over ADLS Gen2,It supports ADLS Gen2 APIs with some limitations, especially management operations. For open mirroring, ADLS Gen2 APIs are used for performance and compatibility.

 

Question 1: Has Microsoft changed authentication requirements for OneLake ADLS Gen2 API?

 

Solution: Yes, In recent changes in how OneLake validates tokens. OneLake now performs sissuer validation, and tokens issued by https://sts.windows.net/{tenantId}/ (v1 tokens) may no longer be accepted in some scenarios. Microsoft is moving towards v2 tokens issued by https://login.microsoftonline.com/{tenantId}/v2.0 for better security and compatibility.

 

Question 2: Is https://storage.azure.com/.default still supported for OneLake ADLS Gen2 API?

 

Solution: Yes, it is still supported, You must check the token is v2 and issued by the expected authority. The audience must match what OneLake expects, which is typically https://storage.azure.com. The issuer (iss) must be from the v2 endpoint (https://login.microsoftonline.com/{tenantId}/v2.0), not the legacy v1 endpoint.

 

Question 3: Are v2 tokens now mandatory for OneLake?

 

Solution: As of now, it is not officially declared as mandatory across all scenarios, v2 tokens are increasingly required for OneLake API access due to enhanced security and compatibility. If you are using ClientSecretCredential, check it's configured to request v2 tokens. You need to use below things.

 

1. TokenCredentialOptions to specify AuthorityHost as AzureAuthorityHosts.AzurePublicCloud.

2. Check your app registration is set to use v2 endpoints.

 

Question 4: Should we switch to Fabric REST API instead of ADLS Gen2 API?

 

Solution: Microsoft still supports ADLS Gen2 and Blob APIs for OneLake access, especially for data ingestion and retrieval. Fabric REST APIs are required for management operations like create or modify workspaces, lakehouses, or permissions. For data operations like uploading Parquet files, ADLS Gen2-compatible APIs remain valid, provided authentication is correctly configured.

 

Please refer below links.

How do I connect to OneLake? - Microsoft Fabric | Microsoft Learn

OneLake parity and integration - Microsoft Fabric | Microsoft Learn

Use Blob and ADLS APIs to mirror data into OneLake - Microsoft Fabric | Microsoft Learn

 

I hope this information helps. Please do let us know if you have any further queries.

 

Regards,

Dinesh

View solution in original post

Message 2 of 4
884 Views
3 REPLIES 3
v-dineshya
Honored Contributor III

‎10-17-2025 04:12 AM

Hi @abhisheks13 ,

Thank you for reaching out to the Microsoft Community Forum.

 

The error indicates a mismatch between the token issuer (iss) and what the OneLake service expects.

 

Please try below things to resolve the issuer validation.

 

1. Check v2 Token Usage, Use Azure.Identity with TokenCredentialOptions.

 

var options = new TokenCredentialOptions
{
AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
};
var credential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);

 

2. Check Token Details, Decode the token like using jwt.ms and confirm below

 

iss is https://login.microsoftonline.com/{tenantId}/v2.0
aud is https://storage.azure.com


3. Check Fabric Tenant Settings, Ensure “Allow service principals to use APIs” is enabled. Check the service principal has Contributor access to the workspace and lakehouse.

 

Note: OneLake is a SaaS abstraction over ADLS Gen2,It supports ADLS Gen2 APIs with some limitations, especially management operations. For open mirroring, ADLS Gen2 APIs are used for performance and compatibility.

 

Question 1: Has Microsoft changed authentication requirements for OneLake ADLS Gen2 API?

 

Solution: Yes, In recent changes in how OneLake validates tokens. OneLake now performs sissuer validation, and tokens issued by https://sts.windows.net/{tenantId}/ (v1 tokens) may no longer be accepted in some scenarios. Microsoft is moving towards v2 tokens issued by https://login.microsoftonline.com/{tenantId}/v2.0 for better security and compatibility.

 

Question 2: Is https://storage.azure.com/.default still supported for OneLake ADLS Gen2 API?

 

Solution: Yes, it is still supported, You must check the token is v2 and issued by the expected authority. The audience must match what OneLake expects, which is typically https://storage.azure.com. The issuer (iss) must be from the v2 endpoint (https://login.microsoftonline.com/{tenantId}/v2.0), not the legacy v1 endpoint.

 

Question 3: Are v2 tokens now mandatory for OneLake?

 

Solution: As of now, it is not officially declared as mandatory across all scenarios, v2 tokens are increasingly required for OneLake API access due to enhanced security and compatibility. If you are using ClientSecretCredential, check it's configured to request v2 tokens. You need to use below things.

 

1. TokenCredentialOptions to specify AuthorityHost as AzureAuthorityHosts.AzurePublicCloud.

2. Check your app registration is set to use v2 endpoints.

 

Question 4: Should we switch to Fabric REST API instead of ADLS Gen2 API?

 

Solution: Microsoft still supports ADLS Gen2 and Blob APIs for OneLake access, especially for data ingestion and retrieval. Fabric REST APIs are required for management operations like create or modify workspaces, lakehouses, or permissions. For data operations like uploading Parquet files, ADLS Gen2-compatible APIs remain valid, provided authentication is correctly configured.

 

Please refer below links.

How do I connect to OneLake? - Microsoft Fabric | Microsoft Learn

OneLake parity and integration - Microsoft Fabric | Microsoft Learn

Use Blob and ADLS APIs to mirror data into OneLake - Microsoft Fabric | Microsoft Learn

 

I hope this information helps. Please do let us know if you have any further queries.

 

Regards,

Dinesh

Message 2 of 4
885 Views
v-dineshya
Honored Contributor III
In response to v-dineshya

‎10-20-2025 06:25 AM

Hi @abhisheks13 ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. And, if you have any further query do let us know.

 

Regards,

Dinesh

Message 3 of 4
814 Views
0
v-dineshya
Honored Contributor III
In response to v-dineshya

‎10-23-2025 08:15 AM

Hi @abhisheks13 ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. And, if you have any further query do let us know.

 

Regards,

Dinesh

Message 4 of 4
686 Views
0

Helpful resources

Announcements
Sticker Challenge 2026 Carousel

Join our Community Sticker Challenge 2026

If you love stickers, then you will definitely want to check out our Community Sticker Challenge!

Free Fabric Certifications

Free Fabric Certifications

Get Fabric certified for free! Don't miss your chance.

January Fabric Update Carousel

Fabric Monthly Update - January 2026

Check out the January 2026 Fabric update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All
Users online (80)