OneLake Shortcuts in Microsoft Fabric: Every Source, Every Permission, and How to Access Data Without Copying It

You have data in ADLS Gen2, Amazon S3, Google Cloud Storage, another Fabric workspace, and Dataverse. Traditionally, you would build pipelines to COPY all of that data into your data lake — duplicating storage, paying twice, and keeping copies in sync.

OneLake shortcuts eliminate all of that. A shortcut is a pointer to data that lives somewhere else. No data is copied. No pipelines needed. No storage duplication. You create a shortcut, and Fabric reads the remote data as if it were local — in your lakehouse, in your notebooks, in your SQL queries, in your Power BI reports.

Think of a shortcut like a library catalog card. The card does not contain the book — it tells you exactly where the book is. “Physics textbook, Building C, Room 301, Shelf B, Position 12.” When you need the book, the librarian (Fabric) goes to that exact location, retrieves it, and hands it to you. You did not buy a second copy of the book. You did not move it to your library. The catalog card (shortcut) is just a pointer.

But here is the important part: what if the catalog card points to a LOCKED room (private storage)? What if the book is in another country (cross-cloud)? What if someone deletes the card — does the book disappear? Understanding these nuances is what this post covers.

Table of Contents

• What Is a OneLake Shortcut?
• Why Shortcuts Exist (The Problem They Solve)
• Internal Shortcuts vs External Shortcuts
• All Supported Shortcut Sources
• ADLS Gen2 Shortcuts
• Amazon S3 Shortcuts
• Amazon S3 Compatible Shortcuts
• Google Cloud Storage Shortcuts
• Dataverse Shortcuts
• OneLake (Internal) Shortcuts
• On-Premises Shortcuts
• Apache Iceberg Table Shortcuts
• Authentication Methods per Source
• Creating a Shortcut (Step by Step)
• Where Shortcuts Can Be Created
• Read, Write, and Delete Behavior
• The Delete Trap: What Happens When You Delete
• Shortcut Security Model (Two-Layer Authorization)
• Shortcut Caching (Reduce Cross-Cloud Costs)
• Shortcut Limitations
• Chained Shortcuts
• Direct Lake with Shortcuts (Power BI)
• Trusted Workspace Access (Private ADLS)
• Real-World Shortcut Patterns
• Common Mistakes
• Interview Questions
• Wrapping Up

What Is a OneLake Shortcut?

A shortcut is a pointer within OneLake that references data stored in another location. The data stays where it is. Fabric reads it through the pointer. No data movement, no duplication.

Without Shortcuts:
  ADLS Gen2 (source) ──── ADF Copy Pipeline ────► OneLake (duplicate copy)
  Storage cost: 2x (paying for both copies)
  Freshness: Depends on pipeline schedule (could be stale)
  Maintenance: Pipeline to build, monitor, and fix when it breaks

With Shortcuts:
  ADLS Gen2 (source) ◄──── Shortcut (pointer) ──── OneLake (no data copied)
  Storage cost: 1x (data exists only in ADLS)
  Freshness: Always current (reads directly from source)
  Maintenance: Zero (no pipeline needed)

Real-life analogy: Without shortcuts, you photocopy every book you need from the city library and bring copies home — expensive, takes space, copies get outdated. With shortcuts, you just write down the book’s exact location — whenever you need it, you go directly to the shelf. Same book, zero copies, always the latest edition.

Why Shortcuts Exist (The Problem They Solve)

Problem 1: Data Duplication

Company has 50 TB in ADLS Gen2.
Team A copies 10 TB to their lakehouse for analytics.
Team B copies the same 10 TB to their lakehouse for ML.
Team C copies 5 TB of overlapping data for reporting.

Total storage: 50 + 10 + 10 + 5 = 75 TB
Actual unique data: 50 TB
Waste: 25 TB of duplicated data = ~$575/month wasted

With shortcuts: All three teams point to the same 50 TB. Total storage = 50 TB. Zero duplication.

Problem 2: Data Freshness

Copied data is only as fresh as the last pipeline run. If the pipeline runs daily at 2 AM, your data is up to 24 hours stale. Shortcuts always read the current data — zero staleness.

Problem 3: Multi-Cloud Data Access

Your company has data in Azure, AWS, and GCP. Building cross-cloud copy pipelines is complex and expensive. Shortcuts let Fabric read from S3 and GCS directly — no pipelines needed.

Internal Shortcuts vs External Shortcuts

Type	Points To	Data Location	Example
Internal	Another OneLake location (same or different workspace)	Inside Fabric	Lakehouse A → Lakehouse B’s customers table
External	Outside OneLake (ADLS, S3, GCS, Dataverse)	Outside Fabric	Lakehouse A → your ADLS Gen2 storage account

Internal Shortcut:
  Workspace: Sales ──► shortcut ──► Workspace: DataEng (both in OneLake)

External Shortcut:
  Workspace: Sales ──► shortcut ──► ADLS Gen2 (outside Fabric)
  Workspace: Sales ──► shortcut ──► Amazon S3 (outside Azure entirely)

All Supported Shortcut Sources

Source	Type	Read	Write	Delete	Auth Method
OneLake (other lakehouse)	Internal	✅	✅	✅	Fabric workspace permissions
ADLS Gen2	External	✅	✅	✅	Org account, Service Principal, SAS, Account Key, Workspace Identity
Amazon S3	External	✅	❌	❌	Access Key + Secret Key, or IAM Role
S3 Compatible (MinIO, R2, Wasabi)	External	✅	❌	❌	Access Key + Secret Key
Google Cloud Storage	External	✅	❌	❌	Service Account Key (JSON)
Dataverse	External	✅	❌	❌	Organizational account
On-Premises (via Gateway)	External	✅	❌	❌	On-premises data gateway
Apache Iceberg Tables	External	✅	❌	❌	Depends on source

Key observation: Only OneLake and ADLS Gen2 shortcuts support write and delete operations. All other external sources are read-only. This makes sense — Fabric can write to Azure storage it has permissions for, but writing to someone else’s S3 bucket through a shortcut would be risky.

ADLS Gen2 Shortcuts

The most common external shortcut. Points to a folder or container in your Azure Data Lake Storage Gen2 account.

Shortcut: /Tables/external_customers
  → Points to: abfss://raw-data@naveenadlsgen2de.dfs.core.windows.net/silver/customers/
  → Reads Delta table from ADLS Gen2 as if it were a local OneLake table

Requirements

• Storage account must have Hierarchical Namespace enabled (ADLS Gen2, not plain Blob)
• Authentication: Organizational account, Service Principal, SAS Token, Account Key, or Workspace Identity

Read/Write/Delete Behavior

• Read: ✅ Yes — Fabric reads files from ADLS directly
• Write: ✅ Yes — if your connection has write permissions, you can write through the shortcut
• Delete a file inside the shortcut: ✅ Yes — deletes the actual file in ADLS Gen2!
• Delete the shortcut itself: Only removes the pointer. ADLS data is untouched.

Real-life analogy: An ADLS shortcut is like a remote control for someone else’s TV. You can change channels (read), adjust the volume (write), and even turn it off (delete files). But if you throw away the remote (delete the shortcut), the TV is still there.

Amazon S3 Shortcuts

Access data in AWS S3 buckets from Fabric — true multi-cloud data access.

Shortcut: /Tables/aws_sales_data
  → Points to: s3://company-data-lake/sales/2026/
  → Fabric reads S3 Parquet files as a local table

Requirements

• S3 bucket and path
• Authentication: Access Key ID + Secret Access Key, or IAM Role

Read/Write/Delete Behavior

• Read: ✅ Yes
• Write: ❌ No — read-only
• Delete files: ❌ No — read-only
• Delete shortcut: Only removes the pointer. S3 data untouched.

Cross-Cloud Cost Warning

When Fabric reads from S3, AWS charges egress fees (data leaving AWS). For frequently accessed data, enable shortcut caching to store a local copy in OneLake after the first read.

Amazon S3 Compatible Shortcuts

Works with storage services that implement the S3 API:

Service	What It Is
MinIO	Open-source self-hosted object storage
Cloudflare R2	S3-compatible with zero egress fees
Wasabi	Low-cost S3-compatible storage
DigitalOcean Spaces	S3-compatible cloud storage

Same read-only behavior as S3 shortcuts.

Google Cloud Storage Shortcuts

Access data in GCS buckets from Fabric.

Shortcut: /Tables/gcp_analytics
  → Points to: gs://company-analytics-bucket/processed/

Requirements

• GCS bucket path
• Authentication: GCP Service Account key (JSON file)

Behavior

• Read: ✅ Yes
• Write: ❌ No
• Delete: ❌ No
• Caching: ✅ Supported (reduces GCP egress costs)

Dataverse Shortcuts

Access Dynamics 365 and Power Platform data directly in Fabric.

Shortcut: /Tables/dynamics_customers
  → Points to: Dataverse environment → Account table
  → Reads Dynamics 365 customer data as a Delta table in Fabric

Key Behavior

• Read: ✅ Yes
• Write: ❌ No — Dataverse shortcuts are strictly read-only
• Authentication: Organizational account (Azure AD)
• Auto-generated: When you use “Link to Fabric” in Dataverse, shortcuts are created automatically for all tables

Use case: Sales team uses Dynamics 365 CRM. Data engineers create Dataverse shortcuts to access customer, opportunity, and lead data in Fabric notebooks — no export, no pipeline, no copy.

OneLake (Internal) Shortcuts

Point to data in another lakehouse, warehouse, or KQL database within Fabric.

Workspace: Sales_Analytics
  Lakehouse: sales_lakehouse
    /Tables/shared_customers  ← Shortcut
      → Points to: Workspace: DataEng_Prod / bronze_lakehouse / Tables / customers

Why Internal Shortcuts?

• Cross-workspace data sharing without copying
• Medallion architecture: Gold lakehouse shortcuts to Silver tables
• Team isolation: Each team has their own workspace but shares data through shortcuts

Behavior

• Read: ✅ Yes
• Write: ✅ Yes (if user has write permissions on the target)
• Delete files: ✅ Yes (deletes in the target lakehouse!)
• Delete shortcut: Only removes the pointer. Target data untouched.

On-Premises Shortcuts

Access data behind your corporate firewall using the Fabric On-Premises Data Gateway (OPDG).

Shortcut: /Files/on_prem_reports
  → Points to: File share \server
eports\ (via gateway)
  → Fabric reads files from on-premises storage

Read-only. Requires installing and configuring the on-premises data gateway.

Apache Iceberg Table Shortcuts

Fabric can read Apache Iceberg tables through shortcuts and automatically exposes them as Delta tables.

Shortcut: /Tables/iceberg_events
  → Points to: Iceberg table in S3 or ADLS
  → Fabric reads Iceberg metadata and serves it as Delta Lake
  → All Fabric workloads (notebooks, SQL, Power BI) can query it

This means you can have an Iceberg-based data lake and access it in Fabric without converting to Delta.

Authentication Methods per Source

Source	Org Account	Service Principal	SAS Token	Account Key	Access Key	Workspace Identity
ADLS Gen2	✅	✅	✅	✅	—	✅
Amazon S3	—	—	—	—	✅	—
S3 Compatible	—	—	—	—	✅	—
Google Cloud Storage	—	✅ (GCP SA)	—	—	—	—
Dataverse	✅	—	—	—	—	—
OneLake	Workspace roles	—	—	—	—	—

Creating a Shortcut (Step by Step)

In Lakehouse UI

1. Open your Lakehouse in Fabric
2. In the left panel, right-click on Tables or Files
3. Click New shortcut
4. Choose the source type:
5. OneLake (internal)
6. Azure Data Lake Storage Gen2
7. Amazon S3
8. Google Cloud Storage
9. Dataverse
10. S3 Compatible
11. Configure the connection (enter URL, credentials)
12. Browse and select the target folder or table
13. Name the shortcut
14. Click Create

The shortcut appears in your lakehouse as if it were a local table or folder.

Via REST API

# Create a shortcut programmatically
import requests

url = "https://api.fabric.microsoft.com/v1/workspaces/{workspace_id}/items/{lakehouse_id}/shortcuts"
headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

payload = {
    "name": "external_customers",
    "path": "Tables",
    "target": {
        "adlsGen2": {
            "location": "https://naveenadlsgen2de.dfs.core.windows.net",
            "subpath": "/silver/customers",
            "connectionId": "connection-guid"
        }
    }
}

response = requests.post(url, headers=headers, json=payload)
print(response.json())

Where Shortcuts Can Be Created

Item	Under Tables	Under Files
Lakehouse	✅ Yes	✅ Yes
Warehouse	✅ Yes (read-only, SQL access)	—
KQL Database	✅ Yes	—

Shortcuts under Tables appear as queryable tables (SQL, PySpark). Shortcuts under Files appear as raw file paths.

Read, Write, and Delete Behavior

This is the most confusing part — and the most important to understand:

Reading Through a Shortcut

All shortcuts support reading. When you query a shortcut, Fabric goes to the source, reads the data, and returns it to you.

# This reads from ADLS Gen2 through the shortcut — no data copied
df = spark.read.format("delta").load("Tables/external_customers")
df.show()

Writing Through a Shortcut

Only OneLake internal and ADLS Gen2 shortcuts support writing:

# Writing through an ADLS shortcut — writes directly to ADLS Gen2!
df_new.write.format("delta").mode("append").save("Tables/external_customers")
# The data is physically written to your ADLS Gen2, NOT to OneLake

S3, GCS, and Dataverse shortcuts are read-only — write operations fail.

Deleting Through a Shortcut

This is the trap everyone needs to understand:

Deleting THE SHORTCUT:
  → Only removes the pointer in OneLake
  → Source data (ADLS, S3, OneLake) is UNTOUCHED
  → Safe operation

Deleting a FILE or FOLDER INSIDE a shortcut:
  → Deletes the actual data in the source!
  → ADLS Gen2: file is deleted from your storage account
  → OneLake internal: file is deleted from the target lakehouse
  → S3/GCS/Dataverse: operation fails (read-only)

Real-life analogy: Deleting the shortcut is like erasing a contact from your phone — the person still exists. Deleting a file INSIDE the shortcut is like calling the person and telling them to shred a document — the actual document is destroyed at the source.

The Delete Trap: What Happens When You Delete

Action	What Happens	Source Data
Delete the shortcut	Pointer removed from OneLake	Untouched
Delete a file inside an ADLS shortcut	File deleted in ADLS Gen2	Deleted!
Delete a file inside an OneLake shortcut	File deleted in target lakehouse	Deleted!
Delete a file inside an S3 shortcut	Operation fails (read-only)	Untouched
Delete a file inside a GCS shortcut	Operation fails (read-only)	Untouched
Delete a file inside a Dataverse shortcut	Operation fails (read-only)	Untouched

Critical warning: If you have an ADLS Gen2 shortcut with write permissions, and someone runs dbutils.fs.rm() on a path inside the shortcut, the files are permanently deleted from your ADLS storage account. This is not a OneLake delete — it is a real delete at the source.

Shortcut Security Model (Two-Layer Authorization)

Accessing data through an external shortcut requires passing TWO security checks:

Layer 1: Does the CONNECTION authorize access to the source?
  → The cloud connection (ADLS key, S3 credentials) must be valid
  → The connection creator's permissions determine what can be accessed

Layer 2: Does the USER have Fabric permissions to access the shortcut?
  → OneLake security roles control who can read the shortcut path
  → Workspace roles (Admin/Member/Contributor/Viewer) apply

Example:
  User1 creates an S3 shortcut using their AWS access key.
  User2 tries to read data through the shortcut.

  Check 1: Does User1's AWS key authorize access? → YES (User1 set it up correctly)
  Check 2: Does User2 have OneLake permissions on the shortcut path? → YES/NO

  If both YES → User2 can read the data
  If either NO → Access denied

Important: External shortcuts require Fabric Read permission on the item where the shortcut resides. This is an extra check beyond regular OneLake data access roles.

Workspace Role Access

Workspace Role	Create Shortcuts	Read via Shortcuts	Write via Shortcuts
Admin	✅	✅	✅
Member	✅	✅	✅
Contributor	✅	✅	✅
Viewer	❌	✅ (if granted via OneLake security roles)	❌

Shortcut Caching (Reduce Cross-Cloud Costs)

When Fabric reads from S3 or GCS, the cloud provider charges egress fees. Shortcut caching stores a local copy in OneLake after the first read:

First read:   Fabric → S3 (egress fee charged) → data returned + cached in OneLake
Second read:  Fabric → OneLake cache (no egress fee) → data returned instantly

Enable Caching

1. Open Workspace settings
2. Click the OneLake tab
3. Toggle Cache setting to On
4. Set the Retention Period (how long cached data is kept)

Caching Support

Source	Caching Supported
ADLS Gen2	Not needed (same cloud, no egress)
Amazon S3	✅ Yes
S3 Compatible	✅ Yes
Google Cloud Storage	✅ Yes
On-premises	✅ Yes
Dataverse	❌ No
OneLake (internal)	Not needed (already in OneLake)

Shortcut Limitations

Limitation	Detail
Max shortcuts per path	10 shortcuts in a single OneLake path
Max chained shortcuts	5 levels (shortcut → shortcut → shortcut → shortcut → shortcut)
Naming	Cannot contain %, +, ', " characters
ADLS requirement	Must have Hierarchical Namespace enabled
Cross-cloud writes	Only ADLS Gen2 and OneLake support writes. S3, GCS, Dataverse are read-only
Cascade delete	Deleting a shortcut does NOT delete source data. But deleting files INSIDE a writable shortcut DOES delete source data

Chained Shortcuts

A shortcut can point to another shortcut — but with limits:

Lakehouse A
  /Tables/customers  ← Shortcut to Lakehouse B

Lakehouse B
  /Tables/customers  ← Shortcut to Lakehouse C

Lakehouse C
  /Tables/customers  ← Actual Delta table (real data)

When Lakehouse A reads /Tables/customers:
  → Follows chain: A → B → C → reads actual data
  → Maximum 5 levels of chaining

Important: If the chain includes an external shortcut (ADLS, S3), the user must have Fabric Read permission on the item containing that external shortcut — even if they access it through an internal shortcut chain.

Direct Lake with Shortcuts (Power BI)

This is one of the most powerful shortcut use cases. Power BI Direct Lake mode can read data through shortcuts:

ADLS Gen2 (your existing data lake)
  /silver/customers/ (Delta table)
      ↑
  OneLake Shortcut (in lakehouse)
      ↑
  Power BI Semantic Model (Direct Lake mode)
      ↑
  Power BI Report (always fresh, near-instant)

No data copied. Power BI reads directly from your existing ADLS through the shortcut. The report is always current. No scheduled refresh. No import.

Trusted Workspace Access (Private ADLS)

If your ADLS Gen2 has a firewall (public access disabled), you can still create shortcuts using Trusted Workspace Access:

1. Create a Workspace Identity in Fabric workspace settings
2. Add the Workspace Identity as a trusted resource in the ADLS Gen2 firewall
3. Create the shortcut using the Workspace Identity as the authentication method

This allows Fabric to access private ADLS Gen2 without opening the firewall to the public internet.

Real-World Shortcut Patterns

Pattern 1: Multi-Team Data Sharing

Workspace: DataEng_Prod
  Lakehouse: silver_lakehouse
    /Tables/customers (actual data)
    /Tables/products (actual data)
    /Tables/orders (actual data)

Workspace: Sales_Analytics
  Lakehouse: sales_lakehouse
    /Tables/customers ← Internal shortcut to DataEng silver
    /Tables/orders ← Internal shortcut to DataEng silver

Workspace: Marketing_Analytics
  Lakehouse: marketing_lakehouse
    /Tables/customers ← Internal shortcut to DataEng silver

Three teams, one copy of data. Zero duplication.

Pattern 2: Migrate to Fabric Without Moving Data

Existing ADLS Gen2 (50 TB of data, years of investment)
  /bronze/...
  /silver/...
  /gold/...

Fabric Lakehouse (new)
  /Tables/customers ← ADLS shortcut to /silver/customers/
  /Tables/orders ← ADLS shortcut to /silver/orders/
  /Tables/products ← ADLS shortcut to /silver/products/

Start using Fabric immediately without migrating 50 TB of data. Query ADLS data through shortcuts while gradually migrating to OneLake native.

Pattern 3: Multi-Cloud Analytics

Fabric Lakehouse
  /Tables/azure_customers ← ADLS shortcut (Azure)
  /Tables/aws_events ← S3 shortcut (AWS)
  /Tables/gcp_analytics ← GCS shortcut (GCP)
  /Tables/crm_contacts ← Dataverse shortcut (Dynamics 365)

All data queryable from one notebook, one SQL endpoint, one Power BI report — regardless of where it physically lives.

Pattern 4: Direct Lake with Existing ADLS

Existing ADLS Gen2 → Shortcut in Lakehouse → Direct Lake Semantic Model → Power BI
                      (no data copied)        (no import needed)         (always fresh)

Common Mistakes

1. Deleting files inside a writable shortcut thinking only the shortcut is affected — if the shortcut points to ADLS with write permissions, deleting files inside the shortcut deletes the actual files in ADLS. This is permanent.

2. Not enabling caching for S3/GCS shortcuts — every read from S3/GCS incurs egress fees. Caching stores a local copy after the first read, eliminating repeated fees.

3. Chaining too many shortcuts — maximum 5 levels. Beyond that, operations fail. Keep chains simple.

4. Assuming all shortcuts support writes — only OneLake internal and ADLS Gen2 shortcuts support writing. S3, GCS, and Dataverse are read-only.

5. Creating shortcuts to ADLS without Hierarchical Namespace — shortcuts require ADLS Gen2 (HNS enabled). Plain Blob storage does not work.

6. Not granting Fabric Read permission for external shortcuts — even if OneLake security allows data access, external shortcuts additionally require Fabric Read permission on the containing item.

Interview Questions

Q: What is a OneLake shortcut in Microsoft Fabric? A: A pointer within OneLake that references data stored in another location — another Fabric workspace, ADLS Gen2, Amazon S3, Google Cloud Storage, or Dataverse. The data stays at the source. No copying occurs. Fabric reads through the pointer as if the data were local. Shortcuts eliminate data duplication, reduce storage costs, and ensure data is always current.

Q: What is the difference between internal and external shortcuts? A: Internal shortcuts point to data within OneLake (another lakehouse or workspace). External shortcuts point to data outside OneLake (ADLS Gen2, S3, GCS, Dataverse). Internal shortcuts support read, write, and delete. Most external shortcuts are read-only (except ADLS Gen2 which supports read, write, and delete).

Q: What happens when you delete a shortcut vs deleting a file inside a shortcut? A: Deleting the shortcut itself only removes the pointer — source data is untouched. Deleting a file INSIDE a writable shortcut (ADLS Gen2, OneLake internal) deletes the actual file at the source. This is permanent and affects the source storage. Read-only shortcuts (S3, GCS, Dataverse) do not allow file deletion.

Q: How does the security model work for external shortcuts? A: Two-layer authorization. Layer 1: the cloud connection must authorize access to the source (valid ADLS key, S3 credentials). Layer 2: the user must have OneLake permissions to access the shortcut path plus Fabric Read permission on the item containing the shortcut. Both layers must pass for access to succeed.

Q: What is shortcut caching and when should you use it? A: Caching stores a local copy of shortcut data in OneLake after the first read. Subsequent reads use the cached copy, eliminating repeated cross-cloud egress fees. Enable caching for S3, GCS, and on-premises shortcuts where egress costs are significant. Not needed for ADLS (same cloud) or OneLake internal shortcuts.

Wrapping Up

OneLake shortcuts are one of Fabric’s most powerful features — and one of the most misunderstood. They are not just “links to files.” They are governed, secured, multi-cloud data access points that eliminate duplication, reduce costs, and enable real-time data sharing across teams, workspaces, and even cloud providers.

The key things to remember: shortcuts do not copy data (they are pointers). Only ADLS and OneLake shortcuts support writes. Deleting the shortcut is safe (removes the pointer). Deleting files INSIDE a writable shortcut is dangerous (deletes the source). And always enable caching for cross-cloud shortcuts.

Master shortcuts, and you can build a Fabric lakehouse that queries data from Azure, AWS, GCP, Dynamics 365, and on-premises — all without moving a single byte.

Related posts: – Fabric Foundations: Capacity, Workspaces, Items – Microsoft Fabric Overview – ADLS Gen2 Guide – External Tables in Databricks – Azure Connections and Authentication

---

Naveen Vuppula is a Senior Data Engineering Consultant and app developer based in Ontario, Canada. He writes about Python, SQL, AWS, Azure, and everything data engineering at DriveDataScience.com.