Question

What are the steps to properly configure permissions for an application to access Microsoft Fabric services, and what common issues should I watch out for?

I am setting up an application to access Microsoft Fabric services and need to ensure the correct permissions are configured in Azure Active Directory (AAD). What are the necessary steps to grant the required API permissions, assign roles, and authenticate successfully? Additionally, what are some common issues (e.g., missing permissions, misconfigured service principals, or token-related errors) that I should be aware of during the setup process?

Answer 1

1. Register the Application in Azure AD

   • Go to Azure Portal → Azure Active Directory → App registrations → New registration.
   • Provide a name and set the supported account types (Single/Multi-tenant).
   • Note the Application (Client) ID and Directory (Tenant) ID for authentication.

2. Assign API Permissions

   • In the App registration, navigate to API permissions → Add a permission.
   • Select Microsoft Fabric (Power BI) and choose the required permissions (e.g., Dataset.ReadWrite.All, Report.Read.All).
   • If using application permissions, grant admin consent in Azure AD.

3. Create and Assign a Service Principal (For App Authentication)

   • Go to Power BI Admin Portal → Tenant settings.
   • Enable Allow service principals to use Power BI APIs and assign necessary workspaces.

4. Generate Authentication Credentials

   • Navigate to Certificates & secrets in Azure AD → New client secret.
   • Copy and securely store the generated client secret.

5. Authenticate the Application

   • Use OAuth 2.0 with the Microsoft Authentication Library (MSAL) to request a token.
   • Request a token for https://graph.microsoft.com/.default or https://analysis.windows.net/powerbi/api as the scope.

Common Issues & Fixes

• Missing Admin Consent: If API permissions require admin consent, an admin must approve them in Azure AD.
• Unauthorized Access Errors: Ensure the service principal has access to the necessary Power BI workspaces.
• Token Expiry Issues: Regularly refresh tokens and monitor expiry times for service principals.
• Incorrect API Scopes: Ensure the correct API endpoints and scopes are used in authentication requests.