Azure Data Factory: Inquiry on New Undocumented Property 'trustModeClaimForMi'

Question

Azure Data Factory: Inquiry on New Undocumented Property 'trustModeClaimForMi'

Janne Kujanpää 256

It looks like PG added a new undocumented property on data factory resource properties:

"trustModeClaimForMi": {
            "value": "Enabled",
            "editable": true
}

Any ideas about this and any ETA when REST API spec is being updated if ever?

My guesses are that this might be related with upcoming trusted bypass changes and API SPEC ever updates.

1 answer

Your answer

Answer 1

Amira Bedhiafi 35,766 Volunteer Moderator

Hello Janne !

Thank you for posting on Microsoft Learn.

The trustModeClaimForMi property you've come across is likely related to security or identity management feature in ADF. Since it appears undocumented, I think it could be part of an upcoming update or feature related to managed identity (MI) trust or secure bypass configurations or simply it will be deprecated.

My guess it might be related to managed identity trust and it could be used to indicate whether a specific MI is trusted for certain operations, potentially bypassing traditional identity checks or allowing broader access for ADF resources.

As for the REST API spec update, it may take some time for Microsoft to update official documentation and API references for this property, especially if it's part of an experimental or gradual rollout. It might be available in upcoming preview versions of the ADF REST API, but without formal documentation, it's challenging to get a precise timeline.

In the meantime, I'd recommend keeping an eye on:

Azure Release Notes for new features related to security or identity management.

Azure SDK or ADF API documentation for any updates regarding this property.

Azure forums or Microsoft support for further clarification or possible insights from internal documentation.

Janne Kujanpää 256 Reputation points

2025-08-09T12:03:15.1866667+00:00
This might be related with retirement that was announced three days ago. Sadly only customer-specific health advisories are available.

I wonder if this setting can be used to turn off bypass trust (on SHIR) or could this be related with security perimeter.

sources to earlier discussions about trusted bypass issues:

https://learn.microsoft.com/en-us/answers/questions/1838277/data-factory-managed-identity-is-not-being-identif

comments: https://techcommunity.microsoft.com/blog/azuredatafactoryblog/data-factory-is-now-a-trusted-service-in-azure-storage-and-azure-key-vault-firew/964993

""""

You're receiving this notice because you're using one or more Azure products with a managed identity and firewall exception for trusted services.

As part of a security update, the trusted services function allowing Azure Data Factory to access Azure Storage accounts and Azure Key Vault using a managed identity and firewall exception will be retired on 6 August 2026.

As a result, you may be impacted if you're using one of the following options to access an Azure Storage account or Azure Key Vault:

Data Factory's self-hosted IR (SHIR) with a system-assigned managed identity to access a storage account (trusted bypass).

The Azure-SQL Server Integration Services (SSIS) IR via Azure Storage Connection Manager or Data Factory's SHIR as a proxy feature with a system-assigned managed identity and storage firewall exception.

A REST linked service with a system-assigned managed identity to access a storage account (trusted bypass).

A REST linked service with a system-assigned or user-assigned managed identity to access a key vault (trusted bypass).

If you're using one of the options above, you'll need to transition to IP allow-listing, a managed virtual network, or your own virtual network before 6 August 2026.

If none of the above apply, no further action is required.

Required action

To avoid service disruptions, update your IR and linked service configurations using one of the options below before 6 August 2026:

IP Allow-listing: This option enables you to add the IP address of your SHIR or Azure-SSIS IR to the firewall rules of your Azure Storage account and Azure Key Vault. For more information, refer to our guides for Azure Storage and Azure Key Vault.

Managed virtual network: This option enables you to access your Azure Storage account and Azure Key Vault using private endpoints from Azure IR. For more information, refer to our guide.

Customer-owned virtual network: This option allows you to access your Azure Storage account and Azure Key Vault that Azure-SSIS IR joins via a virtual network service endpoint or private endpoint. For more information, refer to our guide.

If you don't transition to one of these alternatives before 6 August 2026, you'll no longer be able to use Data Factory's SHIR, Azure-SSIS IR, and REST Linked Service to access an Azure Storage account or Azure Key Vault with a managed identity and firewall exception for trusted services.

You're receiving this notice because you're using one or more Azure products with a managed identity and firewall exception for trusted services.

As part of a security update, the trusted services function allowing Azure Data Factory to access Azure Storage accounts and Azure Key Vault using a managed identity and firewall exception will be retired on 6 August 2026.

As a result, you may be impacted if you're using one of the following options to access an Azure Storage account or Azure Key Vault:

Data Factory's self-hosted IR (SHIR) with a system-assigned managed identity to access a storage account (trusted bypass).

The Azure-SQL Server Integration Services (SSIS) IR via Azure Storage Connection Manager or Data Factory's SHIR as a proxy feature with a system-assigned managed identity and storage firewall exception.

A REST linked service with a system-assigned managed identity to access a storage account (trusted bypass).

A REST linked service with a system-assigned or user-assigned managed identity to access a key vault (trusted bypass).

If you're using one of the options above, you'll need to transition to IP allow-listing, a managed virtual network, or your own virtual network before 6 August 2026.

If none of the above apply, no further action is required.

Required action

To avoid service disruptions, update your IR and linked service configurations using one of the options below before 6 August 2026:

IP Allow-listing: This option enables you to add the IP address of your SHIR or Azure-SSIS IR to the firewall rules of your Azure Storage account and Azure Key Vault. For more information, refer to our guides for Azure Storage and Azure Key Vault.

Managed virtual network: This option enables you to access your Azure Storage account and Azure Key Vault using private endpoints from Azure IR. For more information, refer to our guide.

Customer-owned virtual network: This option allows you to access your Azure Storage account and Azure Key Vault that Azure-SSIS IR joins via a virtual network service endpoint or private endpoint. For more information, refer to our guide.

If you don't transition to one of these alternatives before 6 August 2026, you'll no longer be able to use Data Factory's SHIR, Azure-SSIS IR, and REST Linked Service to access an Azure Storage account or Azure Key Vault with a managed identity and firewall exception for trusted services.

"""
Venkat Reddy Navari 5,255 Reputation points Microsoft External Staff Moderator

2025-08-11T12:58:12.8166667+00:00

Hi Janne Kujanpää Thanks for raising this, really insightful observation. You're likely right that the trustModeClaimForMi property is connected to the recent announcement about the retirement of the trusted services access model, effective August 6, 2026. Although the property isn’t officially documented yet, it seems aligned with the broader shift toward stricter identity and network controls in Azure Data Factory.

At the moment, there’s no confirmed ETA for when this will be included in the REST API specs or public documentation. These kinds of properties often surface as part of a backend rollout or private preview before wider announcements.

If you're planning ahead for the deprecation of trusted bypass, recommend starting the transition to one of the supported alternatives such as IP allow-listing, managed virtual networks, or private endpoints rather than relying on undocumented settings. That will help ensure continuity and compliance once the change takes effect.

It’s worth keeping an eye on the Azure Data Factory release notes and the Azure REST API specs repo for updates.

Hope this helps. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

Azure Data Factory: Inquiry on New Undocumented Property 'trustModeClaimForMi'

1 answer

Your answer