Get workspace components git status through API ca...

amaaiia · ‎09-25-2025

Hi,

I'm trying to get workspace components git status calling GET https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/git/status (https://learn.microsoft.com/es-es/rest/api/fabric/core/git/get-status).

I use de "Try it" tab in the official page, and using my user token, it works. However, I need it to do with service principal authentication. Doc says Workspace.GitUpdate.All is enough:

I've added this API permission to my registered APP.

However, I call the API and I get a 400 bad request error:

If I change the token and I set my personal account token, it works. The issue is happening when I put registered APP token.

I get the token with:

{ "method": "POST", "headers": { "Content-Type": "application/x-www-form-urlencoded" }, "body": "grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>&scope= https://analysis.windows.net/powerbi/api/.default " }

I've used this token also for other API calls such us:

https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/{element_type}

And it works, so I gess the token is correct for the scope of Fabric. I don't know why I'm getting a 400 bad request response.

Thanks.

Srisakthi

Hi @amaaiia ,

I have used the below code and im able to get the result with Service Principal.

function GetSecureTokenForServicePrincipal() {
$secureServicePrincipalSecret = ConvertTo-SecureString -String $client_secret -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $client_id, $secureServicePrincipalSecret

#Login to Azure using service principal
Connect-AzAccount -ServicePrincipal -TenantId $tenant_id -Subscription 'xxx-yyyy' -Credential $credential | Out-Null

# Get authentication
$secureFabricToken = (Get-AzAccessToken -AsSecureString -ResourceUrl $global:resourceUrl).Token

return $secureFabricToken
}
function ConvertSecureStringToPlainText($secureString) {
$ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureString)
try {
$plainText = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)
} finally {
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)
}
return $plainText
}

$secureFabricToken = GetSecureTokenForServicePrincipal
$fabricToken = ConvertSecureStringToPlainText($secureFabricToken)

$global:baseUrl = "https://api.fabric.microsoft.com/v1"
$global:resourceUrl = "https://api.fabric.microsoft.com"

$global:fabricHeaders = @{
'Content-Type' = "application/json"
'Authorization' = "Bearer $fabricToken"
}
$gitStatusUrl = "{0}/workspaces/{1}/git/status" -f $global:baseUrl, $workspace.Id
$gitStatusResponse = Invoke-RestMethod -Headers $global:fabricHeaders -Uri $gitStatusUrl -Method GET

Note: Service Principal is not supported for warehouse git sync. other items are getting sync from git to workspace except warehouse.

Regards,

Sri

KevinChant · ‎10-16-2025

I recommend testing this outside of your pipeline with something like Postman. Is this for CI/CD deployments?

v-sdhruv · ‎10-01-2025

Hi @amaaiia ,

I hope you were successfully able to raise the support ticket.
If you have any issues, please let us know.
Thank You

tayloramy · ‎09-25-2025

Hi @amaaiia,

Does the sersvicce principal have contributor or higher on the workspaces? These permissions are different from the delegated permissions in my experience.

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution.

amaaiia · ‎09-29-2025

Contributor role on the workspace

tayloramy · ‎09-29-2025

Hi @amaaiia,

Can you show me the exact POST request that you're sending? A 400 error usually means that your request is incorrect. Microsoft's APIs are particularly picky when it comes to the parameters and body.

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution.

amaaiia · ‎09-29-2025

The POST request should be ok because if I change the Bearer token with a token of my personal account, I get 200 OK:

If I use service principal token, then I get 400:

But the POST request is the same.

tayloramy · ‎09-29-2025

@amaaiia Thanks for the info, so something is up with the service principal.

How are you generating the bearer token?

Can toy also confirm what delegated permissions the service principal has?
Here's my function for generating the bearer token using the MSAL library

def get_access_token():
    app = ConfidentialClientApplication(
        CLIENT_ID,
        authority=AUTHORITY,
        client_credential=CLIENT_SECRET,
    )
    result = app.acquire_token_for_client(scopes=SCOPE)
    
    if 'access_token' in result:
        return result['access_token']
    else:
        error = result.get('error', 'No error information')
        error_description = result.get('error_description', 'No description')
        raise Exception(f"Could not obtain access token. Error: {error}. Description: {error_description}")

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution.

amaaiia · ‎09-30-2025

I get the token with: https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token

{ "method": "POST", "headers": { "Content-Type": "application/x-www-form-urlencoded" }, "body": "grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>&scope= https://analysis.windows.net/powerbi/api/.default " }

And it works because I'm using it for other Fabric API calls such us: https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/{element_type}

These are API permissions, doc says GitUpdate is enough: